bug #4595 [security] Path traversal can lead to leakage of line count

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
phpmyadmin · Nov 20, 2014 · b99b6b6 · b99b6b6
1 parent 9364e2e
commit b99b6b6
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -14,6 +14,7 @@ phpMyAdmin - ChangeLog
 - bug #4602 Exporting selected rows exports all rows of the query
 - bug #4444 No insert statement produced in SQL export for queries with alias
 - bug #4596 [security] XSS through exception stack
+- bug #4595 [security] Path traversal can lead to leakage of line count
 
 4.2.11.0 (2014-10-31)
 - bug       ReferenceError: Table_onover is not defined

diff --git a/libraries/error_report.lib.php b/libraries/error_report.lib.php
@@ -177,6 +177,19 @@ function PMA_countLines($filename)
         return $LINE_COUNT[$filename];
     }
 
+    // ensure that the file is inside the phpMyAdmin folder
+    $depath = 1;
+    foreach (explode('/', $filename) as $part) {
+        if ($part == '..') {
+            $depath--;
+        } elseif ($part != '.') {
+            $depath++;
+        }
+        if ($depath < 0) {
+            return 0;
+        }
+    }
+
     $linecount = 0;
     $handle = fopen('./js/' . $filename, 'r');
     while (!feof($handle)) {