The branch, master has been updated
via 272c57cdba6ae6c162ab90634bad9740c2af8b38 (commit)
via 86baee8d4e81b9ee80dc3ed3692c91f138740a99 (commit)
via 2af8ff42e91bfb03ce05a11a0dce7a85ac32cecd (commit)
via 8b53799f0da2992b41c1895a8e9f7db10fd2a82f (commit)
via 5a0fec9b3c6327bf8d4be31190f0a780a0071e2c (commit)
via 862e3ca2a7c7fe56c76bb515367db0dce2a79d53 (commit)
via 41145feb12e1fe2f7af54c1ccb89a714c39bfb12 (commit)
via d128f806057e752db082272fd5e5c2f7244821b9 (commit)
via 59b3b4916b31fa44f31b1e2d243ca7dda012ba37 (commit)
via 782b8b46be4f06c695ab713eeefbd75970358e2f (commit)
via bf60ec82e948450ae18b9e66c48d27da55ebe860 (commit)
via f273e6cbf6e2eea7367f7ef9c63c97ea55b92ca0 (commit)
via d2e0e09e0d402555a6223f0b683fdbfa97821a63 (commit)
via b337f45a0a1ba8ff28e3d13f194f137e9aa85e8e (commit)
via 05ca00e0a20d0eb4848d69bf7a1365df5bba872d (commit)
via 48e909660032ddcbc13172830761e363e7a64d72 (commit)
via be0f47a93141e2950ad400b8d22a2a98512825c2 (commit)
via cd205cc55a46e3dc0f8883966f5c854f842e1000 (commit)
via 7dc6cea06522b2d4af50934c983f3967540a4918 (commit)
via 6028221d97efa2a7d56a61ab4c5750d1b2343619 (commit)
via 2a1233b69ccc6c64819c2840ca5277c2dde0b9e0 (commit)
via 25ac7de38c125d8067f42bab24212891389ac1e3 (commit)
via fa30188dde357426d339d0d7e29a3969f88d188a (commit)
via 00add5c43f594f80dab6304a5bb35d2e50540d2d (commit)
via c75e41d5d8cdd9bbc745c8cbe2c16998fda1de0c (commit)
via 533e10213590e7ccd83b98a5cd19ba1c3be119dd (commit)
via ea3b718fc379c15e773cc2f18ea4c8ccfa9af57b (commit)
via 7f266483b827fb05a4be11663003418c2ef1c878 (commit)
via 5bcd95a42c8ba924d389eafee4d7be80bd4039a3 (commit)
via 6d548f7d449b7d4b796949d10a503484f63eaf82 (commit)
from 7b1c0187cfae8bd02d1fe1233aea57cef46b348f (commit)
- Log -----------------------------------------------------------------
commit 272c57cdba6ae6c162ab90634bad9740c2af8b38
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:56:28 2010 +0200
Change back to master after merging to STABLE/TESTING.
commit 86baee8d4e81b9ee80dc3ed3692c91f138740a99
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:53:01 2010 +0200
Do not apply TESTING/STABLE update to 2.11 branch.
commit 2af8ff42e91bfb03ce05a11a0dce7a85ac32cecd
Merge: 862e3ca2a7c7fe56c76bb515367db0dce2a79d53 8b53799f0da2992b41c1895a8e9f7db10fd2a82f
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:42:38 2010 +0200
Merge branch 'QA_3_3'
commit 862e3ca2a7c7fe56c76bb515367db0dce2a79d53
Merge: 7b1c0187cfae8bd02d1fe1233aea57cef46b348f 41145feb12e1fe2f7af54c1ccb89a714c39bfb12
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:40:37 2010 +0200
Merge branch 'QA_3_3'
Conflicts:
libraries/core.lib.php
server_databases.php
server_privileges.php
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 3 +++
db_search.php | 2 +-
db_sql.php | 2 +-
error.php | 10 +++++++---
libraries/common.lib.php | 2 +-
libraries/core.lib.php | 7 ++++---
libraries/database_interface.lib.php | 4 ++++
libraries/db_info.inc.php | 3 ++-
libraries/dbi/mysql.dbi.lib.php | 2 ++
libraries/dbi/mysqli.dbi.lib.php | 2 ++
libraries/sanitizing.lib.php | 17 +++++++++++++++--
libraries/sqlparser.lib.php | 2 +-
scripts/create-release.sh | 17 +++++++++++------
server_databases.php | 22 ++++++++++++++++++----
server_privileges.php | 30 +++++++++++++++---------------
sql.php | 14 +++++++-------
tbl_sql.php | 2 +-
17 files changed, 95 insertions(+), 46 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3a1d00b..0188759 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -119,6 +119,9 @@ $Id$
- bug #3044189 [doc] Cleared documentation for hide_db.
- bug #3042495 [core] Move PMA_sendHeaderLocation to core.lib.php.
+3.3.5.1 (2010-10-20)
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
3.3.5.0 (2010-07-26)
- patch #2932113 [information_schema] Slow export when having lots of
databases, thanks to Stéphane Pontier - shadow_walker
diff --git a/db_search.php b/db_search.php
index 0b68ba3..854cba8 100644
--- a/db_search.php
+++ b/db_search.php
@@ -336,7 +336,7 @@ $alter_select =
<tr><td align="right">
<?php echo __('Inside column:'); ?></td>
<td><input type="text" name="field_str" size="60"
- value="<?php echo ! empty($field_str) ? $field_str : ''; ?>" /></td>
+ value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td>
</tr>
</table>
</fieldset>
diff --git a/db_sql.php b/db_sql.php
index 986fb34..50db7bd 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -36,7 +36,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
diff --git a/error.php b/error.php
index 117d070..b1d47e2 100644
--- a/error.php
+++ b/error.php
@@ -75,10 +75,14 @@ header('Content-Type: text/html; charset=' . $charset);
<body>
<h1>phpMyAdmin - <?php echo $type; ?></h1>
<p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+ if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+ echo PMA_sanitize(stripslashes($_REQUEST['error']));
+ } else {
+ echo PMA_sanitize($_REQUEST['error']);
+ }
} else {
- echo PMA_sanitize($_REQUEST['error']);
+ echo 'No error message!';
}
?></p>
</body>
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index a1c3c7b..4b1d8d9 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -566,7 +566,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
$formatted_sql = '';
} else {
if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
- $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+ $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
} else {
$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
}
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index 2355651..8bfc035 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -525,22 +525,23 @@ function PMA_getenv($var_name) {
function PMA_sendHeaderLocation($uri)
{
if (PMA_IS_IIS && strlen($uri) > 600) {
+ require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' . "\n";
echo '<meta http-equiv="expires" content="0">' . "\n";
echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
- echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+ echo '<meta http-equiv="Refresh" content="0;url=' . htmlspecialchars($uri) . '">' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+ echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
echo '//]]>' . "\n";
echo '</script>' . "\n";
echo '</head>' . "\n";
echo '<body>' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'document.write(\'<p><a href="' . $uri . '">' . __('Go') . '</a></p>\');' . "\n";
+ echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . __('Go') . '</a></p>\');' . "\n";
echo '//]]>' . "\n";
echo '</script></body></html>' . "\n";
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index 8eba111..c1a97b4 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -195,6 +195,10 @@ function PMA_usort_comparison_callback($a, $b)
} else {
$sorter = 'strcasecmp';
}
+ /* No sorting when key is not present */
+ if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+ return 0;
+ }
// produces f.e.:
// return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php
index 969af04..c51b247 100644
--- a/libraries/db_info.inc.php
+++ b/libraries/db_info.inc.php
@@ -211,7 +211,8 @@ if (! isset($sot_ready)) {
);
// Make sure the sort type is implemented
- if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) {
+ if (isset($sortable_name_mappings[$_REQUEST['sort']])) {
+ $sort = $sortable_name_mappings[$_REQUEST['sort']];
if ($_REQUEST['sort_order'] == 'DESC') {
$sort_order = 'DESC';
}
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index fdd83f8..5af59bd 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -344,6 +344,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
// Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . __('The server is not responding') . ' ' . __('(or the local MySQL server\'s socket is not correctly configured)');
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index b5915df..9e836eb 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -400,6 +400,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . __('The server is not responding') . ' ' . __('(or the local MySQL server\'s socket is not correctly configured)');
} else {
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index c9b79a7..eb8696d 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -8,17 +8,26 @@
/**
* Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
*
* @uses preg_replace()
* @uses strtr()
* @param string the message
+ * @param boolean whether to escape html in result
*
* @return string the sanitized message
*
* @access public
*/
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
{
$replace_pairs = array(
'<' => '<',
@@ -66,6 +75,10 @@ function PMA_sanitize($message)
$message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
}
+ if ($escape) {
+ $message = htmlspecialchars($message);
+ }
+
return $message;
}
?>
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 5509db1..3e74ca7 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2574,7 +2574,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
}
$after .= "\n";
*/
- $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+ $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
} // end for
/* End possibly unclosed documentation link */
if ($close_docu_link) {
diff --git a/scripts/create-release.sh b/scripts/create-release.sh
index fd73f2e..35ac3dd 100755
--- a/scripts/create-release.sh
+++ b/scripts/create-release.sh
@@ -221,13 +221,18 @@ if [ $# -gt 0 ] ; then
tagname=RELEASE_`echo $version | tr . _ | tr '[:lower:]' '[:upper:]' | tr -d -`
echo "* Tagging release as $tagname"
git tag -a -m "Released $version" $tagname $branch
- if echo $version | grep '[a-z_-]' ; then
- mark_as_release $branch TESTING
+ if echo $version | grep -q '^2\.11\.' ; then
+ echo '* 2.11 branch, no STABLE/TESTING update'
else
- # We update both branches here
- # As it does not make sense to have older testing than stable
- mark_as_release $branch TESTING
- mark_as_release $branch STABLE
+ if echo $version | grep '[a-z_-]' ; then
+ mark_as_release $branch TESTING
+ else
+ # We update both branches here
+ # As it does not make sense to have older testing than stable
+ mark_as_release $branch TESTING
+ mark_as_release $branch STABLE
+ fi
+ git checkout master
fi
echo " Dont forget to push tags using: git push --tags"
;;
diff --git a/server_databases.php b/server_databases.php
index 7aeee67..d054aca 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -19,7 +19,21 @@ require './libraries/replication.inc.php';
if (empty($_REQUEST['sort_by'])) {
$sort_by = 'SCHEMA_NAME';
} else {
- $sort_by = PMA_sanitize($_REQUEST['sort_by']);
+ $sort_by_whitelist = array(
+ 'SCHEMA_NAME',
+ 'DEFAULT_COLLATION_NAME',
+ 'SCHEMA_TABLES',
+ 'SCHEMA_TABLE_ROWS',
+ 'SCHEMA_DATA_LENGTH',
+ 'SCHEMA_INDEX_LENGTH',
+ 'SCHEMA_LENGTH',
+ 'SCHEMA_DATA_FREE'
+ );
+ if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) {
+ $sort_by = $_REQUEST['sort_by'];
+ } else {
+ $sort_by = 'SCHEMA_NAME';
+ }
}
if (isset($_REQUEST['sort_order'])
@@ -339,11 +353,11 @@ if ($databases_count > 0) {
unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) {
- $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats;
+ $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . __('With selected:') . '" />' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . __('Check All') . '</a> / ' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . __('Uncheck All') . '</a>' . "\n"
. '<i>' . __('With selected:') . '</i>' . "\n";
PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', __('Drop'), 'b_deltbl.png');
diff --git a/server_privileges.php b/server_privileges.php
index cd5afe7..33483d2 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1182,7 +1182,7 @@ if (!empty($update_privs)) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
$message = PMA_Message::success(__('You have updated the privileges for %s.'));
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
@@ -1206,7 +1206,7 @@ if (isset($_REQUEST['revokeall'])) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1;
$message = PMA_Message::success(__('You have revoked the privileges for %s'));
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
if (! isset($tablename)) {
unset($dbname);
} else {
@@ -1242,7 +1242,7 @@ if (isset($_REQUEST['change_pw'])) {
PMA_DBI_try_query($local_query)
or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = PMA_Message::success(__('The password for %s was changed successfully.'));
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
}
@@ -1647,8 +1647,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($dbname)) {
echo ' <i><a href="server_privileges.php?'
- . $GLOBALS['url_query'] . '&username=' . urlencode($username)
- . '&hostname=' . urlencode($hostname) . '&dbname=&tablename=">\''
+ . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username))
+ . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">\''
. htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
. '\'</a></i>' . "\n";
$url_dbname = urlencode(str_replace(array('\_', '\%'), array('_', '%'), $dbname));
@@ -1656,8 +1656,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
echo ' - ' . ($dbname_is_wildcard ? __('Databases') : __('Database') );
if (isset($tablename)) {
echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
- . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname)
- . '&dbname=' . $url_dbname . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
+ . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname))
+ . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
echo ' - ' . __('Table') . ' <i>' . htmlspecialchars($tablename) . '</i>';
} else {
echo ' <i>' . htmlspecialchars($dbname) . '</i>';
@@ -1891,16 +1891,16 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
}
echo '</td>' . "\n"
. ' <td>';
- printf($link_edit, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_edit, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n"
. ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
- printf($link_revoke, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_revoke, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
}
echo '</td>' . "\n"
@@ -1980,7 +1980,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($tablename)) {
echo ' [ ' . __('Table') . ' <a href="'
. $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query']
- . '&db=' . $url_dbname . '&table=' . urlencode($tablename)
+ . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename))
. '&reload=1">' . htmlspecialchars($tablename) . ': '
. PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable'])
. "</a> ]\n";
@@ -2207,7 +2207,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
// Offer to create a new user for the current database
echo '<fieldset id="fieldset_add_user">' . "\n"
- . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . $checkprivs .'">' . "\n"
+ . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . htmlspecialchars($checkprivs) .'">' . "\n"
. PMA_getIcon('b_usradd.png')
. ' ' . __('Add a new User') . '</a>' . "\n"
. '</fieldset>' . "\n";
diff --git a/sql.php b/sql.php
index a98b9d4..a3ae0cf 100644
--- a/sql.php
+++ b/sql.php
@@ -173,14 +173,14 @@ if ($do_confirm) {
.PMA_generate_common_hidden_inputs($db, $table);
?>
<input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
- <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+ <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
<input type="hidden" name="goto" value="<?php echo $goto; ?>" />
- <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
- <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
- <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
- <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
- <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
- <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+ <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+ <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+ <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+ <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+ <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+ <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
<?php
echo '<fieldset class="confirmation">' . "\n"
.' <legend>' . __('Do you really want to ') . '</legend>'
diff --git a/tbl_sql.php b/tbl_sql.php
index e72dce3..aa0af4d 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -37,7 +37,7 @@ require_once './libraries/tbl_links.inc.php';
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
hooks/post-receive
--
phpMyAdmin