Fix open redirect if Adminer is accessible at //adminer.php%2F@ (than…

…ks to Prakash Sharma)
vrana · May 11, 2020 · 6a2de87 · 6a2de87
1 parent a9c1004
commit 6a2de87
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
@@ -84,7 +84,7 @@
 
 define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
 define("DB", $_GET["db"]); // for the sake of speed and size
-define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?'
+define("ME", str_replace(":", "%3a", preg_replace('~\?.*~', '', relative_uri())) . '?'
 	. (sid() ? SID . '&' : '')
 	. (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
 	. (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')

diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
@@ -721,12 +721,19 @@ function format_time($start) {
 	return lang('%.3f s', max(0, microtime(true) - $start));
 }
 
+/** Get relative REQUEST_URI
+* @return string
+*/
+function relative_uri() {
+	return preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]);
+}
+
 /** Remove parameter from query string
 * @param string
 * @return string
 */
 function remove_from_uri($param = "") {
-	return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', "$_SERVER[REQUEST_URI]&"), 0, -1);
+	return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', relative_uri() . "&"), 0, -1);
 }
 
 /** Generate page number for pagination

diff --git a/changes.txt b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.7.7-dev:
+Fix open redirect if Adminer is accessible at //adminer.php%2F@
 
 Adminer 4.7.6 (released 2020-01-31):
 Speed up alter table form (regression from 4.4.0)