libraries/common.inc.php

   1 <?php
   2 /**
   3  * Misc stuff and REQUIRED by ALL the scripts.
   4  * MUST be included by every script
   5  *
   6  * Among other things, it contains the advanced authentication work.
   7  *
   8  * Order of sections for common.inc.php:
   9  *
  10  * the authentication libraries must be before the connection to db
  11  *
  12  * ... so the required order is:
  13  *
  14  * LABEL_variables_init
  15  *  - initialize some variables always needed
  16  * LABEL_parsing_config_file
  17  *  - parsing of the configuration file
  18  * LABEL_loading_language_file
  19  *  - loading language file
  20  * LABEL_setup_servers
  21  *  - check and setup configured servers
  22  * LABEL_theme_setup
  23  *  - setting up themes
  24  *
  25  * - load of MySQL extension (if necessary)
  26  * - loading of an authentication library
  27  * - db connection
  28  * - authentication work
  29  */
  30
  31 declare(strict_types=1);
  32
  33 use PhpMyAdmin\Config;
  34 use PhpMyAdmin\Core;
  35 use PhpMyAdmin\DatabaseInterface;
  36 use PhpMyAdmin\ErrorHandler;
  37 use PhpMyAdmin\LanguageManager;
  38 use PhpMyAdmin\Logging;
  39 use PhpMyAdmin\Message;
  40 use PhpMyAdmin\MoTranslator\Loader;
  41 use PhpMyAdmin\Plugins;
  42 use PhpMyAdmin\Profiling;
  43 use PhpMyAdmin\Response;
  44 use PhpMyAdmin\Routing;
  45 use PhpMyAdmin\Session;
  46 use PhpMyAdmin\SqlParser\Lexer;
  47 use PhpMyAdmin\ThemeManager;
  48 use PhpMyAdmin\Tracker;
  49
  50 global $containerBuilder, $errorHandler, $config, $server, $dbi;
  51 global $lang, $cfg, $isConfigLoading, $auth_plugin, $route, $theme;
  52 global $urlParams, $goto, $back, $db, $table, $sql_query, $token_mismatch;
  53
  54 /**
  55  * block attempts to directly run this script
  56  */
  57 if (getcwd() == __DIR__) {
  58     die('Attack stopped');
  59 }
  60
  61 /**
  62  * Minimum PHP version; can't call Core::fatalError() which uses a
  63  * PHP 5 function, so cannot easily localize this message.
  64  */
  65 if (PHP_VERSION_ID < 70205) {
  66     die(
  67         '<p>PHP 7.2.5+ is required.</p>'
  68         . '<p>Currently installed version is: ' . PHP_VERSION . '</p>'
  69     );
  70 }
  71
  72 // phpcs:disable PSR1.Files.SideEffects
  73 /**
  74  * for verification in all procedural scripts under libraries
  75  */
  76 define('PHPMYADMIN', true);
  77 // phpcs:enable
  78
  79 /**
  80  * Load vendor configuration.
  81  */
  82 require_once ROOT_PATH . 'libraries/vendor_config.php';
  83
  84 /**
  85  * Activate autoloader
  86  */
  87 if (! @is_readable(AUTOLOAD_FILE)) {
  88     die(
  89         '<p>File <samp>' . AUTOLOAD_FILE . '</samp> missing or not readable.</p>'
  90         . '<p>Most likely you did not run Composer to '
  91         . '<a href="https://docs.phpmyadmin.net/en/latest/setup.html#installing-from-git">'
  92         . 'install library files</a>.</p>'
  93     );
  94 }
  95
  96 require_once AUTOLOAD_FILE;
  97
  98 /**
  99  * (TCPDF workaround)
 100  * Avoid referring to nonexistent files (causes warnings when open_basedir is used)
 101  * This is defined to avoid the tcpdf code to search for a directory outside of open_basedir
 102  * See: https://github.com/phpmyadmin/phpmyadmin/issues/16709
 103  * This value if not used but is usefull, no header logic is used for PDF exports
 104  */
 105 if (! defined('K_PATH_IMAGES')) {
 106     // phpcs:disable PSR1.Files.SideEffects
 107     define('K_PATH_IMAGES', ROOT_PATH);
 108     // phpcs:enable
 109 }
 110
 111 $route = Routing::getCurrentRoute();
 112
 113 if ($route === '/import-status') {
 114     // phpcs:disable PSR1.Files.SideEffects
 115     define('PMA_MINIMUM_COMMON', true);
 116     // phpcs:enable
 117 }
 118
 119 $containerBuilder = Core::getContainerBuilder();
 120
 121 /**
 122  * Load gettext functions.
 123  */
 124 Loader::loadFunctions();
 125
 126 /** @var ErrorHandler $errorHandler */
 127 $errorHandler = $containerBuilder->get('error_handler');
 128
 129 /**
 130  * Warning about missing PHP extensions.
 131  */
 132 Core::checkExtensions();
 133
 134 /**
 135  * Configure required PHP settings.
 136  */
 137 Core::configure();
 138
 139 /* start procedural code                       label_start_procedural         */
 140
 141 Core::cleanupPathInfo();
 142
 143 /* parsing configuration file                  LABEL_parsing_config_file      */
 144
 145 /** @var bool $isConfigLoading Indication for the error handler */
 146 $isConfigLoading = false;
 147
 148 /**
 149  * Force reading of config file, because we removed sensitive values
 150  * in the previous iteration.
 151  *
 152  * @var Config $config
 153  */
 154 $config = $containerBuilder->get('config');
 155
 156 register_shutdown_function([Config::class, 'fatalErrorHandler']);
 157
 158 /**
 159  * include session handling after the globals, to prevent overwriting
 160  */
 161 if (! defined('PMA_NO_SESSION')) {
 162     Session::setUp($config, $errorHandler);
 163 }
 164
 165 /**
 166  * init some variables LABEL_variables_init
 167  */
 168
 169 /**
 170  * holds parameters to be passed to next page
 171  *
 172  * @global array $urlParams
 173  */
 174 $urlParams = [];
 175 $containerBuilder->setParameter('url_params', $urlParams);
 176
 177 Core::setGotoAndBackGlobals($containerBuilder, $config);
 178
 179 Core::checkTokenRequestParam();
 180
 181 Core::setDatabaseAndTableFromRequest($containerBuilder);
 182
 183 /**
 184  * SQL query to be executed
 185  *
 186  * @global string $sql_query
 187  */
 188 $sql_query = '';
 189 if (Core::isValid($_POST['sql_query'])) {
 190     $sql_query = $_POST['sql_query'];
 191 }
 192
 193 $containerBuilder->setParameter('sql_query', $sql_query);
 194
 195 //$_REQUEST['set_theme'] // checked later in this file LABEL_theme_setup
 196 //$_REQUEST['server']; // checked later in this file
 197 //$_REQUEST['lang'];   // checked by LABEL_loading_language_file
 198
 199 /* loading language file                       LABEL_loading_language_file    */
 200
 201 /**
 202  * lang detection is done here
 203  */
 204 $language = LanguageManager::getInstance()->selectLanguage();
 205 $language->activate();
 206
 207 /**
 208  * check for errors occurred while loading configuration
 209  * this check is done here after loading language files to present errors in locale
 210  */
 211 $config->checkPermissions();
 212 $config->checkErrors();
 213
 214 /* Check server configuration */
 215 Core::checkConfiguration();
 216
 217 /* Check request for possible attacks */
 218 Core::checkRequest();
 219
 220 /* setup servers                                       LABEL_setup_servers    */
 221
 222 $config->checkServers();
 223
 224 /**
 225  * current server
 226  *
 227  * @global integer $server
 228  */
 229 $server = $config->selectServer();
 230 $urlParams['server'] = $server;
 231 $containerBuilder->setParameter('server', $server);
 232 $containerBuilder->setParameter('url_params', $urlParams);
 233
 234 /**
 235  * BC - enable backward compatibility
 236  * exports all configuration settings into globals ($cfg global)
 237  */
 238 $config->enableBc();
 239
 240 /* setup themes                                          LABEL_theme_setup    */
 241
 242 $theme = ThemeManager::initializeTheme();
 243
 244 /** @var DatabaseInterface $dbi */
 245 $dbi = null;
 246
 247 if (defined('PMA_MINIMUM_COMMON')) {
 248     $config->loadUserPreferences();
 249     $containerBuilder->set('theme_manager', ThemeManager::getInstance());
 250     Tracker::enable();
 251
 252     return;
 253 }
 254
 255 /**
 256  * save some settings in cookies
 257  *
 258  * @todo should be done in PhpMyAdmin\Config
 259  */
 260 $config->setCookie('pma_lang', (string) $lang);
 261
 262 ThemeManager::getInstance()->setThemeCookie();
 263
 264 $dbi = DatabaseInterface::load();
 265 $containerBuilder->set(DatabaseInterface::class, $dbi);
 266 $containerBuilder->setAlias('dbi', DatabaseInterface::class);
 267
 268 if (! empty($cfg['Server'])) {
 269     $config->getLoginCookieValidityFromCache($server);
 270
 271     $auth_plugin = Plugins::getAuthPlugin();
 272     $auth_plugin->authenticate();
 273
 274     Core::connectToDatabaseServer($dbi, $auth_plugin);
 275
 276     $auth_plugin->rememberCredentials();
 277
 278     $auth_plugin->checkTwoFactor();
 279
 280     /* Log success */
 281     Logging::logUser($cfg['Server']['user']);
 282
 283     if ($dbi->getVersion() < $cfg['MysqlMinVersion']['internal']) {
 284         Core::fatalError(
 285             __('You should upgrade to %s %s or later.'),
 286             [
 287                 'MySQL',
 288                 $cfg['MysqlMinVersion']['human'],
 289             ]
 290         );
 291     }
 292
 293     // Sets the default delimiter (if specified).
 294     if (! empty($_REQUEST['sql_delimiter'])) {
 295         Lexer::$DEFAULT_DELIMITER = $_REQUEST['sql_delimiter'];
 296     }
 297
 298     // TODO: Set SQL modes too.
 299 } else { // end server connecting
 300     $response = Response::getInstance();
 301     $response->getHeader()->disableMenuAndConsole();
 302     $response->getFooter()->setMinimal();
 303 }
 304
 305 $response = Response::getInstance();
 306
 307 /**
 308  * There is no point in even attempting to process
 309  * an ajax request if there is a token mismatch
 310  */
 311 if ($response->isAjax() && $_SERVER['REQUEST_METHOD'] === 'POST' && $token_mismatch) {
 312     $response->setRequestStatus(false);
 313     $response->addJSON(
 314         'message',
 315         Message::error(__('Error: Token mismatch'))
 316     );
 317     exit;
 318 }
 319
 320 Profiling::check($dbi, $response);
 321
 322 $containerBuilder->set('response', Response::getInstance());
 323
 324 // load user preferences
 325 $config->loadUserPreferences();
 326
 327 $containerBuilder->set('theme_manager', ThemeManager::getInstance());
 328
 329 /* Tell tracker that it can actually work */
 330 Tracker::enable();
 331
 332 if (! empty($server) && isset($cfg['ZeroConf']) && $cfg['ZeroConf'] === true) {
 333     $dbi->postConnectControl();
 334 }