Fix remote execution in SQLite query (discovered by 庞申杰(千霄))

vrana · Feb 6, 2016 · e5352cc · e5352cc
1 parent 0bb5a52
commit e5352cc
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 58 deletions.
diff --git a/adminer/lang/cs.inc.php b/adminer/lang/cs.inc.php
@@ -49,6 +49,7 @@
 	'Query executed OK, %d row(s) affected.' => array('Příkaz proběhl v pořádku, byl změněn %d záznam.', 'Příkaz proběhl v pořádku, byly změněny %d záznamy.', 'Příkaz proběhl v pořádku, bylo změněno %d záznamů.'),
 	'No commands to execute.' => 'Žádné příkazy k vykonání.',
 	'Error in query' => 'Chyba v dotazu',
+	'ATTACH queries are not supported.' => 'Dotazy ATTACH nejsou podporované.',
 	'Execute' => 'Provést',
 	'Stop on error' => 'Zastavit při chybě',
 	'Show only errors' => 'Zobrazit pouze chyby',

diff --git a/adminer/lang/xx.inc.php b/adminer/lang/xx.inc.php
@@ -49,6 +49,7 @@
 	'Query executed OK, %d row(s) affected.' => array('Xx.', 'Xx.'),
 	'No commands to execute.' => 'Xx.',
 	'Error in query' => 'Xx',
+	'ATTACH queries are not supported.' => 'Xx.',
 	'Execute' => 'Xx',
 	'Stop on error' => 'Xx',
 	'Show only errors' => 'Xx',

diff --git a/adminer/sql.inc.php b/adminer/sql.inc.php
@@ -94,71 +94,81 @@
 						$q = substr($query, 0, $pos);
 						$commands++;
 						$print = "<pre id='sql-$commands'><code class='jush-$jush'>" . shorten_utf8(trim($q), 1000) . "</code></pre>\n";
-						if (!$_POST["only_errors"]) {
+						if ($jush == "sqlite" && preg_match("~^$space*ATTACH\b~i", $q, $match)) {
+							// PHP doesn't support setting SQLITE_LIMIT_ATTACHED
 							echo $print;
-							ob_flush();
-							flush(); // can take a long time - show the running query
-						}
-						$start = microtime(true);
-						//! don't allow changing of character_set_results, convert encoding of displayed query
-						if ($connection->multi_query($q) && is_object($connection2) && preg_match("~^$space*USE\\b~isU", $q)) {
-							$connection2->query($q);
-						}
+							echo "<p class='error'>" . lang('ATTACH queries are not supported.') . "\n";
+							$errors[] = " <a href='#sql-$commands'>$commands</a>";
+							if ($_POST["error_stops"]) {
+								break;
+							}
+						} else {
+							if (!$_POST["only_errors"]) {
+								echo $print;
+								ob_flush();
+								flush(); // can take a long time - show the running query
+							}
+							$start = microtime(true);
+							//! don't allow changing of character_set_results, convert encoding of displayed query
+							if ($connection->multi_query($q) && is_object($connection2) && preg_match("~^$space*USE\\b~isU", $q)) {
+								$connection2->query($q);
+							}
 
-						do {
-							$result = $connection->store_result();
-							$time = " <span class='time'>(" . format_time($start) . ")</span>"
-								. (strlen($q) < 1000 ? " <a href='" . h(ME) . "sql=" . urlencode(trim($q)) . "'>" . lang('Edit') . "</a>" : "") // 1000 - maximum length of encoded URL in IE is 2083 characters
-							;
-
-							if ($connection->error) {
-								echo ($_POST["only_errors"] ? $print : "");
-								echo "<p class='error'>" . lang('Error in query') . ($connection->errno ? " ($connection->errno)" : "") . ": " . error() . "\n";
-								$errors[] = " <a href='#sql-$commands'>$commands</a>";
-								if ($_POST["error_stops"]) {
-									break 2;
-								}
+							do {
+								$result = $connection->store_result();
+								$time = " <span class='time'>(" . format_time($start) . ")</span>"
+									. (strlen($q) < 1000 ? " <a href='" . h(ME) . "sql=" . urlencode(trim($q)) . "'>" . lang('Edit') . "</a>" : "") // 1000 - maximum length of encoded URL in IE is 2083 characters
+								;
+
+								if ($connection->error) {
+									echo ($_POST["only_errors"] ? $print : "");
+									echo "<p class='error'>" . lang('Error in query') . ($connection->errno ? " ($connection->errno)" : "") . ": " . error() . "\n";
+									$errors[] = " <a href='#sql-$commands'>$commands</a>";
+									if ($_POST["error_stops"]) {
+										break 2;
+									}
 
-							} elseif (is_object($result)) {
-								$limit = $_POST["limit"];
-								$orgtables = select($result, $connection2, array(), $limit);
-								if (!$_POST["only_errors"]) {
-									echo "<form action='' method='post'>\n";
-									$num_rows = $result->num_rows;
-									echo "<p>" . ($num_rows ? ($limit && $num_rows > $limit ? lang('%d / ', $limit) : "") . lang('%d row(s)', $num_rows) : "");
-									echo $time;
-									$id = "export-$commands";
-									$export = ", <a href='#$id' onclick=\"return !toggle('$id');\">" . lang('Export') . "</a><span id='$id' class='hidden'>: "
-										. html_select("output", $adminer->dumpOutput(), $adminer_export["output"]) . " "
-										. html_select("format", $dump_format, $adminer_export["format"])
-										. "<input type='hidden' name='query' value='" . h($q) . "'>"
-										. " <input type='submit' name='export' value='" . lang('Export') . "'><input type='hidden' name='token' value='$token'></span>\n"
-									;
-									if ($connection2 && preg_match("~^($space|\\()*SELECT\\b~isU", $q) && ($explain = explain($connection2, $q))) {
-										$id = "explain-$commands";
-										echo ", <a href='#$id' onclick=\"return !toggle('$id');\">EXPLAIN</a>$export";
-										echo "<div id='$id' class='hidden'>\n";
-										select($explain, $connection2, $orgtables);
-										echo "</div>\n";
-									} else {
-										echo $export;
+								} elseif (is_object($result)) {
+									$limit = $_POST["limit"];
+									$orgtables = select($result, $connection2, array(), $limit);
+									if (!$_POST["only_errors"]) {
+										echo "<form action='' method='post'>\n";
+										$num_rows = $result->num_rows;
+										echo "<p>" . ($num_rows ? ($limit && $num_rows > $limit ? lang('%d / ', $limit) : "") . lang('%d row(s)', $num_rows) : "");
+										echo $time;
+										$id = "export-$commands";
+										$export = ", <a href='#$id' onclick=\"return !toggle('$id');\">" . lang('Export') . "</a><span id='$id' class='hidden'>: "
+											. html_select("output", $adminer->dumpOutput(), $adminer_export["output"]) . " "
+											. html_select("format", $dump_format, $adminer_export["format"])
+											. "<input type='hidden' name='query' value='" . h($q) . "'>"
+											. " <input type='submit' name='export' value='" . lang('Export') . "'><input type='hidden' name='token' value='$token'></span>\n"
+										;
+										if ($connection2 && preg_match("~^($space|\\()*SELECT\\b~isU", $q) && ($explain = explain($connection2, $q))) {
+											$id = "explain-$commands";
+											echo ", <a href='#$id' onclick=\"return !toggle('$id');\">EXPLAIN</a>$export";
+											echo "<div id='$id' class='hidden'>\n";
+											select($explain, $connection2, $orgtables);
+											echo "</div>\n";
+										} else {
+											echo $export;
+										}
+										echo "</form>\n";
 									}
-									echo "</form>\n";
-								}
 
-							} else {
-								if (preg_match("~^$space*(CREATE|DROP|ALTER)$space+(DATABASE|SCHEMA)\\b~isU", $q)) {
-									restart_session();
-									set_session("dbs", null); // clear cache
-									stop_session();
-								}
-								if (!$_POST["only_errors"]) {
-									echo "<p class='message' title='" . h($connection->info) . "'>" . lang('Query executed OK, %d row(s) affected.', $connection->affected_rows) . "$time\n";
+								} else {
+									if (preg_match("~^$space*(CREATE|DROP|ALTER)$space+(DATABASE|SCHEMA)\\b~isU", $q)) {
+										restart_session();
+										set_session("dbs", null); // clear cache
+										stop_session();
+									}
+									if (!$_POST["only_errors"]) {
+										echo "<p class='message' title='" . h($connection->info) . "'>" . lang('Query executed OK, %d row(s) affected.', $connection->affected_rows) . "$time\n";
+									}
 								}
-							}
 
-							$start = microtime(true);
-						} while ($connection->next_result());
+								$start = microtime(true);
+							} while ($connection->next_result());
+						}
 
 						$query = substr($query, $offset);
 						$offset = 0;

diff --git a/changes.txt b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.2.4-dev:
+Fix remote execution in SQLite query
 MySQL: Support PHP 7
 Bosnian translation
 Finnish translation