Hi,
In this bug:
http://sourceforge.net/tracker/index.php?func=detail&aid=1709463&group_id=2…
there are many fields involved and we get a false alarm "possible deep
recursion attack". Do we really need to protect from 1000 recursions
overall? I think that protecting from 1000 recursions for each
superglobal would be correct.
Proposed patch which resets the recursive counter:
Index: common.lib.php
===================================================================
--- common.lib.php (revision 10333)
+++ common.lib.php (working copy)
@@ -269,9 +269,12 @@
* @param array $array array to walk
* @param string $function function to call for every array element
*/
-function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also
= false)
+function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also
= false, $reset_static = false)
{
static $recursive_counter = 0;
+ if ($reset_static) {
+ $recursive_counter = 0;
+ }
if (++$recursive_counter > 1000) {
die('possible deep recursion attack');
}
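Review bot: the new `$reset_static` parameter is not documented in the docblock at the top of this hunk, which still lists only `@param array $array` and `@param string $function`; add a `@param boolean $reset_static` line (and one for `$apply_to_keys_also` while there). Also nothing in this hunk decrements `$recursive_counter` when a call returns, so unless the rest of the function body (not shown) does, the check counts every (sub)array walked during the request rather than nesting depth, and 'possible deep recursion attack' fires for a wide but shallow array just as for a deep one; a real depth limit would pass the depth down as a parameter or decrement the counter after the recursive call returns.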
@@ -2604,10 +2607,10 @@
// remove quotes added by php
if (get_magic_quotes_gpc()) {
- PMA_arrayWalkRecursive($_GET, 'stripslashes', true);
- PMA_arrayWalkRecursive($_POST, 'stripslashes', true);
- PMA_arrayWalkRecursive($_COOKIE, 'stripslashes', true);
- PMA_arrayWalkRecursive($_REQUEST, 'stripslashes', true);
+ PMA_arrayWalkRecursive($_GET, 'stripslashes', true, true);
+ PMA_arrayWalkRecursive($_POST, 'stripslashes', true, true);
+ PMA_arrayWalkRecursive($_COOKIE, 'stripslashes', true, true);
+ PMA_arrayWalkRecursive($_REQUEST, 'stripslashes', true, true);
}
/**
* In some cases, this one is not set
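Review bot: after the `$_REQUEST` walk the static counter keeps whatever value that walk reached, and any later caller of `PMA_arrayWalkRecursive()` that does not pass the new fourth argument inherits it, so the first such call elsewhere in the request can die earlier than intended. Resetting the counter when the outermost call returns, rather than only when a caller asks for it, would remove the dependency on every call site passing `true`. Note also that `$_REQUEST` is built from the same data as `$_GET`, `$_POST` and `$_COOKIE`, so these four lines walk the same elements twice.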
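Marc's question about a per-superglobal limit comes down to what the static counter actually measures. The following is an added example written for this page, not phpMyAdmin code: the function names walkCountingCalls, walkLimitingDepth and tryWalk, the RuntimeException used in place of die(), and the constructed inputs are all this example's own. It puts a call-counting guard with a reset flag (the shape of the proposed patch) beside a guard that limits real nesting depth, and runs both over a wide form (1200 fields, two levels deep), a small array, and a 1500-level nested array.

```php
<?php
// Added example, not phpMyAdmin code. walkCountingCalls, walkLimitingDepth
// and tryWalk are this example's own names; RuntimeException stands in for
// the die() used in the patch so the outcomes can be reported side by side.

/**
 * Guard in the style of a static counter that is incremented on every call:
 * it measures how many (sub)arrays were walked during the request, not how
 * deeply they nest, and it keeps its value between top-level calls unless
 * explicitly reset ($reset mirrors the patch's $reset_static flag).
 */
function walkCountingCalls(array &$array, callable $fn, bool $reset = false, int $limit = 1000): void
{
    static $calls = 0;
    if ($reset) {
        $calls = 0;
    }
    if (++$calls > $limit) {
        throw new RuntimeException("possible deep recursion attack (call #$calls)");
    }
    foreach ($array as &$value) {
        if (is_array($value)) {
            walkCountingCalls($value, $fn, false, $limit);
        } else {
            $value = $fn($value);
        }
    }
    unset($value);
}

/**
 * Depth guard: the depth travels down as a parameter and unwinds on return,
 * so only real nesting is limited and a wide but shallow array never trips it.
 */
function walkLimitingDepth(array &$array, callable $fn, int $maxDepth = 1000, int $depth = 1): void
{
    if ($depth > $maxDepth) {
        throw new RuntimeException("nesting deeper than $maxDepth levels");
    }
    foreach ($array as &$value) {
        if (is_array($value)) {
            walkLimitingDepth($value, $fn, $maxDepth, $depth + 1);
        } else {
            $value = $fn($value);
        }
    }
    unset($value);
}

/**
 * Runs one walker over a private copy of $input and reports the outcome.
 * $input is passed by reference into the walker through the walker's own
 * signature; the caller's array is never modified.
 */
function tryWalk(string $label, callable $walker, array $input, bool ...$flags): string
{
    try {
        $walker($input, 'stripslashes', ...$flags);
        return "$label: ok";
    } catch (RuntimeException $e) {
        return "$label: " . $e->getMessage();
    }
}

// Constructed inputs. $wide is what a form with 1200 fields posted as
// field[N][value] looks like after PHP parses it: 1201 arrays, two levels deep.
$wide = [];
for ($i = 0; $i < 1200; $i++) {
    $wide["field$i"] = ['value' => "it\\'s"];
}
// $deep is the case the guard exists for: 1500 nested levels.
$deep = 'leaf';
for ($i = 0; $i < 1500; $i++) {
    $deep = [$deep];
}
$small = ['a' => "x\\y"];

echo tryWalk('count, wide form, reset', 'walkCountingCalls', $wide, true), "\n";
echo tryWalk('count, small array, no reset', 'walkCountingCalls', $small), "\n";
echo tryWalk('count, small array, reset', 'walkCountingCalls', $small, true), "\n";
echo tryWalk('depth, wide form', 'walkLimitingDepth', $wide), "\n";
echo tryWalk('depth, deep input', 'walkLimitingDepth', $deep), "\n";
```

The first three calls show the two behaviours discussed in the thread: the call-counting guard trips on the wide form even though it is only two levels deep, and because the counter is static the following small walk trips as well until a caller resets it. The depth guard walks the wide form without complaint and only rejects the 1500-level input.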
Account Closed
--------------------------------------------
Nossa Conta.scr: Has No Virus!
Norton AntiVirus Progressive Scan
More details: www.symantec.com
             _       __  __       _             _           _
       _ __ | |__  _ __ |  \/  |_   _   / \   __| |_ __ ___ (_)_ __
      | '_ \| '_ \| '_ \| |\/| | | | | / _ \ / _` | '_ ` _ \| | '_ \
      | |_) | | | | |_) | |  | | |_| |/ ___ \ (_| | | | | | | | | | |
      | .__/|_| |_| .__/|_|  |_|\__, /_/   \_\__,_|_| |_| |_|_|_| |_|
      |_|         |_|           |___/                   2.10.1-rc1
http://www.phpmyadmin.net
phpMyAdmin 2.10.1-rc1 - April 14, 2007
======================================
A PHP application to administrate MySQL over the Web
----------------------------------------------------
Announcement
------------
The phpMyAdmin Project announces the immediate availability
of the first release candidate for phpMyAdmin 2.10.1.
phpMyAdmin is a web administration tool for MySQL databases, intended to
handle a whole database server as well as a single database. Over the
years, it has become the most popular Web GUI for MySQL.
Fixes:
* - bug #1541147 [js] '#' in database names not correctly
handled by querywindow.js
* - bug #1671403 [parser] using "client" as table name
* - bug #1672379 [core] Call to undefined function PMA_removeCookie()
* - bug [core] undefined variable in
libraries/tbl_replace_fields.inc.php
* - bug [gui] query window icon did not work,
thanks to Juergen Wind - windkiel
* . [general] use PMA_getenv('PHP_SELF')
* - bug #1676033 [core] pow(int,int) causes overflow
* - bug #1680952 [core] undefined function PMA_getUvaCondition()
* - bug #1596328 [export] drop support for POSTGRESQL compatibility
mode
* - bug #1609443 [privileges] Grant all priv. on wildcard name
* - bug #1567317 [sqp] Syntax highlighter: extra spaces
* - bug #1239401 [sqp] table dot numeric field name
* - bug #1672789 [sqp] Undefined offset: 4 in sqlparser.lib.php #1674
* - bug #1682044 [export] Export file even if file not selected
* - bug #1664212 querywindow loses url encoded characters
* - replaced ctype_digit() with is_numeric()
* + [config] clean cookies on phpMyAdmin upgrade
* - bug #1674972 [export] no export with %afm%
* - bug #1667887 HTML maxlength
* - bug #1679055 #1050 - Table 'table name' already exists
* - patch #1681620 [interface] support reordering of
cfg['ColumnTypes'],
thanks to Leonard den Ottolander
* - bug #1690718 Can't edit if BLOB and no PK
* - bug #1672636 [export] PDF export too wide
* + [lang] brazilian-portuguese update, thanks to Airon Luis Pereira
* - patch #1698964 javascript typo, thanks to Corey Hollaway
Detailed list of changes is usually available under
http://www.phpmyadmin.net/ChangeLog.txt but at present time,
please refer to the ChangeLog in the distribution kit for
the most up to date information.
Availability
------------
This software is available under the GNU General Public License V2.0.
You can get the newest version at http://www.phpmyadmin.net/
Available file formats are: .zip, .tar.gz and .tar.bz2.
If you install phpMyAdmin on your system, it's recommended to
subscribe to the news mailing list by adding your address under
http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news
This way, you will be informed of new updates and security fixes.
It is a read-only list, and traffic is no more than a few
mails a year.
Support and Documentation
-------------------------
The documentation is included in the software package as text and
HTML file, but can also be downloaded from:
http://www.phpmyadmin.net/documentation/
The software is provided as is without any express or implied
warranty, but there is a bugs tracker page under:
http://sourceforge.net/projects/phpmyadmin/ [click on "Bugs"]
In addition, there are also a number of discussion lists
related to phpMyAdmin. A list of mailing lists with archives
is available at:
http://sourceforge.net/mail/?group_id=23067 or
http://sourceforge.net/projects/phpmyadmin/ [click on "Lists"]
Finally, a user support forum is also available under:
http://sourceforge.net/forum/forum.php?forum_id=72909
Known bugs
----------
Please subscribe to the news mailing list under
http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news
or regularly check the sourceforge bugs tracker.
Donations
---------
The project accepts donations to help improve the product. There is
a "Donations" link on http://www.phpmyadmin.net.
Description
-----------
(from http://www.phpmyadmin.net/documentation)
phpMyAdmin handles the administration of MySQL over the Web. It
can manage a whole MySQL server as well as a single database.
Currently it can:
* easily browse through databases and tables
* create, copy, rename, alter and drop databases
* create, copy, rename, alter and drop tables
* do table maintenance
* add, edit and drop fields
* execute any SQL-statement, even multiple queries
* create, alter and drop indexes
* load text files into tables
* create (*) and read dumps of tables or databases
* export (*) data to SQL, CSV, XML, Word, Excel, PDF and LaTeX formats
* administer multiple servers
* manage MySQL users and privileges
* check server settings and runtime information with configuration hints
* check referential integrity in MyISAM tables
* using Query-by-example (QBE), create complex queries automatically
connecting required tables
* create PDF graphics of your Database layout
* search globally in a database or a subset of it
* transform stored data into any format using a set of predefined functions,
like displaying BLOB-data as image or download-link
* support InnoDB tables and foreign keys (see FAQ 3.6)
* support mysqli, the improved MySQL extension (see FAQ 1.17)
* communicate in 50 different languages
(*) phpMyAdmin can compress (Zip, GZip -RFC 1952- or Bzip2 formats)
dumps and CSV exports if you use PHP4 >= 4.0.4 with Zlib support
(--with-zlib) and/or Bzip2 support (--with-bz2).
Authors & Copyright
-------------------
Copyright (C) 1998-2000
Tobias Ratschiller <tobias_at_ratschiller.com>
Copyright (C) 2001-2007
Marc Delisle <Marc.Delisle_at_cegepsherbrooke.qc.ca>
Olivier Müller <om_at_omnis.ch>
Robin Johnson <robbat2_at_users.sourceforge.net>
Alexander M. Turek <me_at_derrabus.de>
Michal Cihar <michal_at_cihar.com>
Garvin Hicking <me_at_supergarv.de>
Sebastian Mendel <cybot_tm_at_users.sourceforge.net>
+ many other people
(check the CREDITS section of our documentation)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to
Free Software Foundation, Inc.,
59 Temple Place, Suite 330,
Boston, MA 02111-1307 USA
Marc Delisle / 2007-04-14
should be fixed before 2.10.1rc1 release:
located @ js/functions.js on line 992
-return(getElement(e,fdocument.layers[W]));
+return(getElement(e,f.document.layers[W]));
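Review bot: the fix should be sent as a `diff -u` against js/functions.js rather than as two bare `-`/`+` lines with "line 992" in prose, so it carries the file name and context and can be applied with patch(1). The change itself is right: `fdocument` is an undeclared identifier, `f.document` the intended property of frame `f`. Since `document.layers` is the Netscape 4 layers API, make sure this return is only reached when `f.document.layers` exists; on a browser without it, `f.document.layers[W]` throws instead of returning undefined.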
--
Juergen
--
View this message in context: http://www.nabble.com/still-typo-in-js-function-see-patch-trk-1698964-tf357…
Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Hi,
There is something that does not look right to me.
For my test databases, in 2.10 I was seeing:
base2
base2
_other
_inno
base2x
marc
_airline
_chapter1
with this revision I see in FF 2.0.0.3 XP:
. . base2
. _other
. _inno
. base2x
. . _airline
. _chapter1
So, the "marc" prefix is gone for the "marc_airline" and "marc_chapter1"
dbs.
Hi,
I'm the Debian packager of phpMyAdmin. I've quite recently taken over
the package, and while we were approaching a new release (Etch) I haven't
made extensive changes, but now Etch is out I plan to polish it up quite
a bit.
In that context I was wondering the following: we're currently packaging
from the 'all-locales.tar.gz' from the website, but I'm considering
switching to the 'utf8-only' tarball. It's quite a bit smaller, so it will
reduce the installed size for users.
Do you think using the utf8-only tarball would cause problems or is it a
safe thing to do?
Otherwise, if you as upstream authors have any comments on the Debian
packaging, I'm glad to hear it.
Thanks,
Thijs
Hi all
You might have noticed that my demo server was not working for some
time. It was caused by a successful DoS attack on the MySQL server it
uses. Due to bad (or almost no) limits on this process, this led to the
unavailability of the whole server.
I have now set up a much more restrictive environment using vserver, and
the demo server is up and running. After some aggressive testing today, I
feel it will handle possible attacks much better.
--
Michal Čihař | http://cihar.com | http://blog.cihar.com