Avoid denial-of-service via version check (GHSA-q4f2-39gr-45jh, regression from 4.6.2)

This commit is contained in:
Jakub Vrana
2026-02-08 13:26:56 +01:00
parent e4ac9d611e
commit 21d3a31503
5 changed files with 12 additions and 52 deletions


@@ -11,13 +11,12 @@ class AdminerVersionGithub extends Adminer\Plugin {
function head($dark = null) {
?>
<script <?php echo Adminer\nonce(); ?>>
verifyVersion = (current, url, token) => {
verifyVersion = current => {
// dummy value to prevent repeated verifications after AJAX failure
cookie('adminer_version=0', 1);
ajax('https://api.github.com/repos/vrana/adminer/releases/latest', request => {
const response = JSON.parse(request.responseText);
const version = response.tag_name.replace(/^v/, '');
// we don't save to adminer.version because the response is not signed; also GitHub can handle our volume of requests
// we don't display the version here because we don't have version_compare(); design.inc.php will display it on the next load
cookie('adminer_version=' + version, 1);
}, null, null);
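Review bot: The `tag_name` taken from the GitHub response on `const version = response.tag_name.replace(/^v/, '');` is stored into the `adminer_version` cookie unvalidated, although the comment on the line above acknowledges the response is unsigned; an error or rate-limit body has no `tag_name` and throws a TypeError inside the callback, and any other string is written verbatim into a cookie that the server then reads on the next load. Since the dummy `adminer_version=0` is already set beforehand, a rejected value can simply be dropped, so a format whitelist costs nothing: `const version = String(response.tag_name || '').replace(/^v/, '');` followed by `if (/^\d+(\.\d+)*$/.test(version)) { cookie('adminer_version=' + version, 1); }`. Whether design.inc.php escapes the cookie value before display cannot be seen here, so this is defence in depth rather than a confirmed injection. The enclosing `head()` continues past the end of the hunk.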