Dear students/developers,
Below is a small example of new code that has a vulnerability. Please look out for places where you use ANY data that comes from the user, either through the web or through a database. In this case a table name. Luckily this has not yet been included in a release...
diff --git a/libraries/RecentTable.class.php b/libraries/RecentTable.class.php index f844bbc..bfb6081 100644 --- a/libraries/RecentTable.class.php +++ b/libraries/RecentTable.class.php @@ -142,7 +142,7 @@ class PMA_RecentTable $html = '<option value="">(' . __('Recent tables') . ') ...</option>'; if (count($this->tables)) { foreach ($this->tables as $table) { - $html .= '<option value="' . $table . '">' . $table . '</option>'; + $html .= '<option value="' . htmlspecialchars($table) . '">' . htmlspecialchars($table) . '</option>'; } } else { $html .= '<option value="">' . __('There are no recent tables') . '</option>'; @@ -158,7 +158,7 @@ class PMA_RecentTable public function getHtmlSelect() { $html = '<input type="hidden" name="goto" id="LeftDefaultTabTable" value="' . - $GLOBALS['cfg']['LeftDefaultTabTable'] . '" />'; + htmlspecialchars($GLOBALS['cfg']['LeftDefaultTabTable']) . '" />'; $html .= '<select name="table" id="recentTable">'; $html .= $this->getHtmlSelectOption(); $html .= '</select>';
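Review bot: in the first hunk (the foreach in getHtmlSelectOption), htmlspecialchars($table) relies on the default flags and charset, which vary by PHP version (ENT_COMPAT leaves single quotes alone, and the default charset was ISO-8859-1 before PHP 5.4); pass them explicitly, e.g. htmlspecialchars($table, ENT_QUOTES, 'UTF-8'), or route both the value attribute and the option text through one project-wide escaping helper so a later edit cannot silently drop the escaping on one of the two occurrences.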
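Review bot: the second hunk (the hidden goto input in getHtmlSelect) has the same default-flags concern as the first, and it escapes a configuration value, $GLOBALS['cfg']['LeftDefaultTabTable'], rather than user-submitted data; that is still the right thing to do for an HTML attribute context, but a short comment or a line in the commit message should state that config values are treated as untrusted here as well, since the description above only mentions table names coming from the web or the database.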
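As an added example (not code from the phpMyAdmin patch or from its authors), here is the escaping convention a reviewer would ask for: one helper with explicit flags and charset, used for both the attribute value and the option text, exercised with constructed table names that contain the delimiters that matter. The helper name h(), the check() function and the sample names are assumptions.

```php
<?php
// Added example, not part of the patch above: an escaping helper with explicit
// flags and a renderer for the recent-tables <select> that routes every
// dynamic value through it. Table names are treated as untrusted because they
// originate from user input or from the database.
declare(strict_types=1);

/** Escape a value for HTML text or a double/single-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both " and ', ENT_SUBSTITUTE keeps invalid UTF-8 from
    // turning the whole string into "", and the charset is pinned instead of
    // relying on the PHP-version-dependent default.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the <select> for a list of recent table names. */
function renderRecentTableSelect(array $tables): string
{
    $html = '<select name="table" id="recentTable">';
    $html .= '<option value="">(Recent tables) ...</option>';
    foreach ($tables as $table) {
        $html .= '<option value="' . h($table) . '">' . h($table) . '</option>';
    }
    return $html . '</select>';
}

/** Minimal self-check that does not depend on zend.assertions. */
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed sample names containing attribute and tag delimiters.
$tables = ['customers', 'a"b', "it's", 'x<y>'];
$out = renderRecentTableSelect($tables);

// Every delimiter must come out as an entity, in both the attribute and the text.
check(substr_count($out, 'a&quot;b') === 2, 'double quote escaped twice');
check(substr_count($out, 'it&#039;s') === 2, 'single quote escaped twice');
check(substr_count($out, 'x&lt;y&gt;') === 2, 'angle brackets escaped twice');

// Contrast: ENT_COMPAT (the default before PHP 8.1) leaves ' untouched, which
// is exactly what breaks a single-quoted attribute.
check(htmlspecialchars("it's", ENT_COMPAT) === "it's", 'ENT_COMPAT keeps \'');
echo $out, PHP_EOL;
```

Run it with `php example.php`; it throws if any delimiter survives unescaped.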
Hi,
----- Original Message -----
From: Herman van Rink rink@initfour.nl
Dear students/developers,
Below is a small example of new code that has a vulnerability. Please look out for places where you use ANY data that comes from the user, either through the web or through a database. In this case a table name. Luckily this has not yet been included in a release...
diff --git a/libraries/RecentTable.class.php b/libraries/RecentTable.class.php index f844bbc..bfb6081 100644 --- a/libraries/RecentTable.class.php +++ b/libraries/RecentTable.class.php @@ -142,7 +142,7 @@ class PMA_RecentTable $html = '<option value="">(' . __('Recent tables') . ') ...</option>'; if (count($this->tables)) { foreach ($this->tables as $table) { - $html .= '<option value="' . $table . '">' . $table . '</option>'; + $html .= '<option value="' . htmlspecialchars($table) . '">' . htmlspecialchars($table) . '</option>'; } } else { $html .= '<option value="">' . __('There are no recent tables') . '</option>'; @@ -158,7 +158,7 @@ class PMA_RecentTable public function getHtmlSelect() { $html = '<input type="hidden" name="goto" id="LeftDefaultTabTable" value="' . - $GLOBALS['cfg']['LeftDefaultTabTable'] . '" />'; + htmlspecialchars($GLOBALS['cfg']['LeftDefaultTabTable']) . '" />'; $html .= '<select name="table" id="recentTable">'; $html .= $this->getHtmlSelectOption(); $html .= '</select>';
Thanks for fixing this. I'll remember it next time.
-- Aris Feryanto
We should prepare some brief guidelines for future Summer of Code. I managed to fix a few bugs which manifested only when the user was using a server other than the first one - due to a missing 'server' parameter or incorrect passing of 'token'.