libraries/common.inc.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Misc stuff and REQUIRED by ALL the scripts.
   5  * MUST be included by every script
   6  *
   7  * Among other things, it contains the advanced authentication work.
   8  *
   9  * Order of sections for common.inc.php:
  10  *
  11  * the authentication libraries must be before the connection to db
  12  *
  13  * ... so the required order is:
  14  *
  15  * LABEL_variables_init
  16  *  - initialize some variables always needed
  17  * LABEL_parsing_config_file
  18  *  - parsing of the configuration file
  19  * LABEL_loading_language_file
  20  *  - loading language file
  21  * LABEL_setup_servers
  22  *  - check and setup configured servers
  23  * LABEL_theme_setup
  24  *  - setting up themes
  25  *
  26  * - load of MySQL extension (if necessary)
  27  * - loading of an authentication library
  28  * - db connection
  29  * - authentication work
  30  *
  31  * @package PhpMyAdmin
  32  */
  33 declare(strict_types=1);
  34
  35 use PhpMyAdmin\Config;
  36 use PhpMyAdmin\Core;
  37 use PhpMyAdmin\DatabaseInterface;
  38 use PhpMyAdmin\Di\Migration;
  39 use PhpMyAdmin\ErrorHandler;
  40 use PhpMyAdmin\LanguageManager;
  41 use PhpMyAdmin\Logging;
  42 use PhpMyAdmin\Message;
  43 use PhpMyAdmin\Response;
  44 use PhpMyAdmin\Session;
  45 use PhpMyAdmin\ThemeManager;
  46 use PhpMyAdmin\Tracker;
  47 use PhpMyAdmin\Util;
  48 use Symfony\Component\Config\FileLocator;
  49 use Symfony\Component\DependencyInjection\ContainerBuilder;
  50 use Symfony\Component\DependencyInjection\Loader\YamlFileLoader;
  51
  52 /**
  53  * block attempts to directly run this script
  54  */
  55 if (getcwd() == dirname(__FILE__)) {
  56     die('Attack stopped');
  57 }
  58
  59 /**
  60  * Minimum PHP version; can't call Core::fatalError() which uses a
  61  * PHP 5 function, so cannot easily localize this message.
  62  */
  63 if (version_compare(PHP_VERSION, '7.1.3', 'lt')) {
  64     die(
  65         'PHP 7.1.3+ is required. <br> Currently installed version is: '
  66         . phpversion()
  67     );
  68 }
  69
  70 /**
  71  * for verification in all procedural scripts under libraries
  72  */
  73 define('PHPMYADMIN', true);
  74
  75 /**
  76  * Load vendor configuration.
  77  */
  78 require_once ROOT_PATH . 'libraries/vendor_config.php';
  79
  80 /**
  81  * Activate autoloader
  82  */
  83 if (! @is_readable(AUTOLOAD_FILE)) {
  84     die(
  85         'File <tt>' . AUTOLOAD_FILE . '</tt> missing or not readable. <br>'
  86         . 'Most likely you did not run Composer to '
  87         . '<a href="https://docs.phpmyadmin.net/en/latest/setup.html#installing-from-git">install library files</a>.'
  88     );
  89 }
  90 require_once AUTOLOAD_FILE;
  91
  92 $containerBuilder = new ContainerBuilder();
  93 $loader = new YamlFileLoader($containerBuilder, new FileLocator(__DIR__));
  94 $loader->load('../services.yml');
  95 $loader->load('../services_controllers.yml');
  96 /** @var Migration $diMigration */
  97 $diMigration = $containerBuilder->get('di_migration');
  98
  99 /**
 100  * Load gettext functions.
 101  */
 102 PhpMyAdmin\MoTranslator\Loader::loadFunctions();
 103
 104 /** @var ErrorHandler $GLOBALS['error_handler'] */
 105 $GLOBALS['error_handler'] = $containerBuilder->get('error_handler');
 106
 107 /**
 108  * Warning about missing PHP extensions.
 109  */
 110 Core::checkExtensions();
 111
 112 /**
 113  * Configure required PHP settings.
 114  */
 115 Core::configure();
 116
 117 /******************************************************************************/
 118 /* start procedural code                       label_start_procedural         */
 119
 120 Core::cleanupPathInfo();
 121
 122 /******************************************************************************/
 123 /* parsing configuration file                  LABEL_parsing_config_file      */
 124
 125 /**
 126  * @global Config $GLOBALS['PMA_Config']
 127  * force reading of config file, because we removed sensitive values
 128  * in the previous iteration
 129  */
 130 $GLOBALS['PMA_Config'] = $containerBuilder->get('config');
 131 //$containerBuilder->set('config', $GLOBALS['PMA_Config']);
 132
 133 /**
 134  * include session handling after the globals, to prevent overwriting
 135  */
 136 if (! defined('PMA_NO_SESSION')) {
 137     Session::setUp($GLOBALS['PMA_Config'], $GLOBALS['error_handler']);
 138 }
 139
 140 /**
 141  * init some variables LABEL_variables_init
 142  */
 143
 144 /**
 145  * holds parameters to be passed to next page
 146  * @global array $GLOBALS['url_params']
 147  */
 148 $diMigration->setGlobal('url_params', []);
 149
 150 /**
 151  * holds page that should be displayed
 152  * @global string $GLOBALS['goto']
 153  */
 154 $diMigration->setGlobal('goto', '');
 155 // Security fix: disallow accessing serious server files via "?goto="
 156 if (isset($_REQUEST['goto']) && Core::checkPageValidity($_REQUEST['goto'])) {
 157     $diMigration->setGlobal('goto', $_REQUEST['goto']);
 158     $diMigration->setGlobal('url_params', ['goto' => $_REQUEST['goto']]);
 159 } else {
 160     $GLOBALS['PMA_Config']->removeCookie('goto');
 161     unset($_REQUEST['goto'], $_GET['goto'], $_POST['goto']);
 162 }
 163
 164 /**
 165  * returning page
 166  * @global string $GLOBALS['back']
 167  */
 168 if (isset($_REQUEST['back']) && Core::checkPageValidity($_REQUEST['back'])) {
 169     $diMigration->setGlobal('back', $_REQUEST['back']);
 170 } else {
 171     $GLOBALS['PMA_Config']->removeCookie('back');
 172     unset($_REQUEST['back'], $_GET['back'], $_POST['back']);
 173 }
 174
 175 /**
 176  * Check whether user supplied token is valid, if not remove any possibly
 177  * dangerous stuff from request.
 178  *
 179  * remember that some objects in the session with session_start and __wakeup()
 180  * could access this variables before we reach this point
 181  * f.e. PhpMyAdmin\Config: fontsize
 182  *
 183  * Check for token mismatch only if the Request method is POST
 184  * GET Requests would never have token and therefore checking
 185  * mis-match does not make sense
 186  *
 187  * @todo variables should be handled by their respective owners (objects)
 188  * f.e. lang, server in PhpMyAdmin\Config
 189  */
 190
 191 $token_mismatch = true;
 192 $token_provided = false;
 193
 194 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 195     if (Core::isValid($_POST['token'])) {
 196         $token_provided = true;
 197         $token_mismatch = ! @hash_equals($_SESSION[' PMA_token '], $_POST['token']);
 198     }
 199
 200     if ($token_mismatch) {
 201         /* Warn in case the mismatch is result of failed setting of session cookie */
 202         if (isset($_POST['set_session']) && $_POST['set_session'] != session_id()) {
 203             trigger_error(
 204                 __(
 205                     'Failed to set session cookie. Maybe you are using '
 206                     . 'HTTP instead of HTTPS to access phpMyAdmin.'
 207                 ),
 208                 E_USER_ERROR
 209             );
 210         }
 211         /**
 212          * We don't allow any POST operation parameters if the token is mismatched
 213          * or is not provided
 214          */
 215         $whitelist = ['ajax_request'];
 216         PhpMyAdmin\Sanitize::removeRequestVars($whitelist);
 217     }
 218 }
 219
 220
 221 /**
 222  * current selected database
 223  * @global string $GLOBALS['db']
 224  */
 225 Core::setGlobalDbOrTable('db');
 226
 227 /**
 228  * current selected table
 229  * @global string $GLOBALS['table']
 230  */
 231 Core::setGlobalDbOrTable('table');
 232
 233 /**
 234  * Store currently selected recent table.
 235  * Affect $GLOBALS['db'] and $GLOBALS['table']
 236  */
 237 if (isset($_REQUEST['selected_recent_table']) && Core::isValid($_REQUEST['selected_recent_table'])) {
 238     $recent_table = json_decode($_REQUEST['selected_recent_table'], true);
 239
 240     $diMigration->setGlobal(
 241         'db',
 242         (array_key_exists('db', $recent_table) && is_string($recent_table['db'])) ? $recent_table['db'] : ''
 243     );
 244     $diMigration->setGlobal(
 245         'url_params',
 246         ['db' => $containerBuilder->getParameter('db')] + $containerBuilder->getParameter('url_params')
 247     );
 248
 249     $diMigration->setGlobal(
 250         'table',
 251         (array_key_exists('table', $recent_table) && is_string($recent_table['table'])) ? $recent_table['table'] : ''
 252     );
 253     $diMigration->setGlobal(
 254         'url_params',
 255         ['table' => $containerBuilder->getParameter('table')] + $containerBuilder->getParameter('url_params')
 256     );
 257 }
 258
 259 /**
 260  * SQL query to be executed
 261  * @global string $GLOBALS['sql_query']
 262  */
 263 $diMigration->setGlobal('sql_query', '');
 264 if (Core::isValid($_POST['sql_query'])) {
 265     $diMigration->setGlobal('sql_query', $_POST['sql_query']);
 266 }
 267
 268 //$_REQUEST['set_theme'] // checked later in this file LABEL_theme_setup
 269 //$_REQUEST['server']; // checked later in this file
 270 //$_REQUEST['lang'];   // checked by LABEL_loading_language_file
 271
 272 /******************************************************************************/
 273 /* loading language file                       LABEL_loading_language_file    */
 274
 275 /**
 276  * lang detection is done here
 277  */
 278 $language = LanguageManager::getInstance()->selectLanguage();
 279 $language->activate();
 280
 281 /**
 282  * check for errors occurred while loading configuration
 283  * this check is done here after loading language files to present errors in locale
 284  */
 285 $GLOBALS['PMA_Config']->checkPermissions();
 286 $GLOBALS['PMA_Config']->checkErrors();
 287
 288 /* Check server configuration */
 289 Core::checkConfiguration();
 290
 291 /* Check request for possible attacks */
 292 Core::checkRequest();
 293
 294 /******************************************************************************/
 295 /* setup servers                                       LABEL_setup_servers    */
 296
 297 $GLOBALS['PMA_Config']->checkServers();
 298
 299 /**
 300  * current server
 301  * @global integer $GLOBALS['server']
 302  */
 303 $diMigration->setGlobal('server', $GLOBALS['PMA_Config']->selectServer());
 304 $diMigration->setGlobal('url_params', ['server' => $containerBuilder->getParameter('server')] + $containerBuilder->getParameter('url_params'));
 305
 306 /**
 307  * BC - enable backward compatibility
 308  * exports all configuration settings into $GLOBALS ($GLOBALS['cfg'])
 309  */
 310 $GLOBALS['PMA_Config']->enableBc();
 311
 312 /******************************************************************************/
 313 /* setup themes                                          LABEL_theme_setup    */
 314
 315 ThemeManager::initializeTheme();
 316
 317 $GLOBALS['dbi'] = null;
 318
 319 if (! defined('PMA_MINIMUM_COMMON')) {
 320     /**
 321      * save some settings in cookies
 322      * @todo should be done in PhpMyAdmin\Config
 323      */
 324     $GLOBALS['PMA_Config']->setCookie('pma_lang', $GLOBALS['lang']);
 325
 326     ThemeManager::getInstance()->setThemeCookie();
 327
 328     $containerBuilder->set(DatabaseInterface::class, DatabaseInterface::load());
 329     $containerBuilder->setAlias('dbi', DatabaseInterface::class);
 330
 331     if (! empty($cfg['Server'])) {
 332         // get LoginCookieValidity from preferences cache
 333         // no generic solution for loading preferences from cache as some settings
 334         // need to be kept for processing in
 335         // PhpMyAdmin\Config::loadUserPreferences()
 336         $cache_key = 'server_' . $GLOBALS['server'];
 337         if (isset($_SESSION['cache'][$cache_key]['userprefs']['LoginCookieValidity'])
 338         ) {
 339             $value
 340                 = $_SESSION['cache'][$cache_key]['userprefs']['LoginCookieValidity'];
 341             $GLOBALS['PMA_Config']->set('LoginCookieValidity', $value);
 342             $GLOBALS['cfg']['LoginCookieValidity'] = $value;
 343             unset($value);
 344         }
 345         unset($cache_key);
 346
 347         // Gets the authentication library that fits the $cfg['Server'] settings
 348         // and run authentication
 349
 350         /**
 351          * the required auth type plugin
 352          */
 353         $auth_class = 'PhpMyAdmin\\Plugins\\Auth\\Authentication' . ucfirst(strtolower($cfg['Server']['auth_type']));
 354         if (! @class_exists($auth_class)) {
 355             Core::fatalError(
 356                 __('Invalid authentication method set in configuration:')
 357                 . ' ' . $cfg['Server']['auth_type']
 358             );
 359         }
 360         if (isset($_POST['pma_password']) && strlen($_POST['pma_password']) > 256) {
 361             $_POST['pma_password'] = substr($_POST['pma_password'], 0, 256);
 362         }
 363         $auth_plugin = new $auth_class();
 364
 365         $auth_plugin->authenticate();
 366
 367         // Try to connect MySQL with the control user profile (will be used to
 368         // get the privileges list for the current user but the true user link
 369         // must be open after this one so it would be default one for all the
 370         // scripts)
 371         $controllink = false;
 372         if ($cfg['Server']['controluser'] != '') {
 373             $controllink = $GLOBALS['dbi']->connect(
 374                 DatabaseInterface::CONNECT_CONTROL
 375             );
 376         }
 377
 378         // Connects to the server (validates user's login)
 379         /** @var DatabaseInterface $userlink */
 380         $userlink = $GLOBALS['dbi']->connect(DatabaseInterface::CONNECT_USER);
 381
 382         if ($userlink === false) {
 383             $auth_plugin->showFailure('mysql-denied');
 384         }
 385
 386         if (! $controllink) {
 387             /*
 388              * Open separate connection for control queries, this is needed
 389              * to avoid problems with table locking used in main connection
 390              * and phpMyAdmin issuing queries to configuration storage, which
 391              * is not locked by that time.
 392              */
 393             $controllink = $GLOBALS['dbi']->connect(
 394                 DatabaseInterface::CONNECT_USER,
 395                 null,
 396                 DatabaseInterface::CONNECT_CONTROL
 397             );
 398         }
 399
 400         $auth_plugin->rememberCredentials();
 401
 402         $auth_plugin->checkTwoFactor();
 403
 404         /* Log success */
 405         Logging::logUser($cfg['Server']['user']);
 406
 407         if ($GLOBALS['dbi']->getVersion() < $cfg['MysqlMinVersion']['internal']) {
 408             Core::fatalError(
 409                 __('You should upgrade to %s %s or later.'),
 410                 [
 411                     'MySQL',
 412                     $cfg['MysqlMinVersion']['human'],
 413                 ]
 414             );
 415         }
 416
 417         // Sets the default delimiter (if specified).
 418         if (! empty($_REQUEST['sql_delimiter'])) {
 419             PhpMyAdmin\SqlParser\Lexer::$DEFAULT_DELIMITER = $_REQUEST['sql_delimiter'];
 420         }
 421
 422         // TODO: Set SQL modes too.
 423     } else { // end server connecting
 424         $response = Response::getInstance();
 425         $response->getHeader()->disableMenuAndConsole();
 426         $response->getFooter()->setMinimal();
 427     }
 428
 429     /**
 430      * check if profiling was requested and remember it
 431      * (note: when $cfg['ServerDefault'] = 0, constant is not defined)
 432      */
 433     if (isset($_REQUEST['profiling'])
 434         && Util::profilingSupported()
 435     ) {
 436         $_SESSION['profiling'] = true;
 437     } elseif (isset($_REQUEST['profiling_form'])) {
 438         // the checkbox was unchecked
 439         unset($_SESSION['profiling']);
 440     }
 441
 442     /**
 443      * Inclusion of profiling scripts is needed on various
 444      * pages like sql, tbl_sql, db_sql, tbl_select
 445      */
 446     $response = Response::getInstance();
 447     if (isset($_SESSION['profiling'])) {
 448         $scripts  = $response->getHeader()->getScripts();
 449         $scripts->addFile('chart.js');
 450         $scripts->addFile('vendor/jqplot/jquery.jqplot.js');
 451         $scripts->addFile('vendor/jqplot/plugins/jqplot.pieRenderer.js');
 452         $scripts->addFile('vendor/jqplot/plugins/jqplot.highlighter.js');
 453         $scripts->addFile('vendor/jquery/jquery.tablesorter.js');
 454     }
 455
 456     /*
 457      * There is no point in even attempting to process
 458      * an ajax request if there is a token mismatch
 459      */
 460     if ($response->isAjax() && $_SERVER['REQUEST_METHOD'] == 'POST' && $token_mismatch) {
 461         $response->setRequestStatus(false);
 462         $response->addJSON(
 463             'message',
 464             Message::error(__('Error: Token mismatch'))
 465         );
 466         exit;
 467     }
 468
 469     $containerBuilder->set('response', Response::getInstance());
 470 }
 471
 472 // load user preferences
 473 $GLOBALS['PMA_Config']->loadUserPreferences();
 474
 475 $containerBuilder->set('theme_manager', ThemeManager::getInstance());
 476
 477 /* Tell tracker that it can actually work */
 478 Tracker::enable();
 479
 480 if (! defined('PMA_MINIMUM_COMMON')
 481     && ! empty($GLOBALS['server'])
 482     && isset($GLOBALS['cfg']['ZeroConf'])
 483     && $GLOBALS['cfg']['ZeroConf'] == true
 484 ) {
 485     $GLOBALS['dbi']->postConnectControl();
 486 }