Git
August 2010
- 4 participants
- 161 discussions

[Phpmyadmin-git] [SCM] phpMyAdmin branch, QA_3_3, updated. RELEASE_3_3_5_1-25-g9036ac0
by Marc Delisle 20 Aug '10
The branch, QA_3_3 has been updated
via 9036ac09e3b5a835550ef62ebb1e1ba202728710 (commit)
from 8b53799f0da2992b41c1895a8e9f7db10fd2a82f (commit)
- Log -----------------------------------------------------------------
commit 9036ac09e3b5a835550ef62ebb1e1ba202728710
Author: Marc Delisle <marc(a)infomarc.info>
Date: Fri Aug 20 13:03:13 2010 -0400
3.3.7-dev
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 2 ++
Documentation.html | 4 ++--
README | 2 +-
libraries/Config.class.php | 2 +-
translators.html | 4 ++--
5 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 81670e9..a21d0fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@ phpMyAdmin - ChangeLog
$Id$
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/… $
+3.3.7.0 (not yet released)
+
3.3.6.0 (not yet released)
- bug #3033063 [core] Navi gets wrong db name
- bug #3031705 [core] Fix generating condition for real numbers by comparing
diff --git a/Documentation.html b/Documentation.html
index bfe5bb7..95e940f 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -10,7 +10,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.3.6-dev - Documentation</title>
+ <title>phpMyAdmin 3.3.7-dev - Documentation</title>
<link rel="stylesheet" type="text/css" href="docs.css" />
</head>
@@ -18,7 +18,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
<div id="header">
<h1>
<a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.6-dev
+ 3.3.7-dev
Documentation
</h1>
</div>
diff --git a/README b/README
index 8be673e..bdcdd66 100644
--- a/README
+++ b/README
@@ -5,7 +5,7 @@ phpMyAdmin - Readme
A set of PHP-scripts to manage MySQL over the web.
- Version 3.3.6-dev
+ Version 3.3.7-dev
-----------------
http://www.phpmyadmin.net/
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index a6b1d8c..6ac9aca 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -92,7 +92,7 @@ class PMA_Config
*/
function checkSystem()
{
- $this->set('PMA_VERSION', '3.3.6-dev');
+ $this->set('PMA_VERSION', '3.3.7-dev');
/**
* @deprecated
*/
diff --git a/translators.html b/translators.html
index d78b68b..707b400 100644
--- a/translators.html
+++ b/translators.html
@@ -11,7 +11,7 @@
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.3.6-dev - Official translators</title>
+ <title>phpMyAdmin 3.3.7-dev - Official translators</title>
<link rel="stylesheet" type="text/css" href="docs.css" />
</head>
@@ -19,7 +19,7 @@
<div id="header">
<h1>
<a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.6-dev
+ 3.3.7-dev
official translators list
</h1>
</div>
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin branch, MAINT_3_3_6, created. RELEASE_3_3_5_1-25-g1e7bc7d
by Marc Delisle 20 Aug '10
The branch, MAINT_3_3_6 has been created
at 1e7bc7d691fa8abcdde87a70ed6cef6f30cbe107 (commit)
- Log -----------------------------------------------------------------
commit 1e7bc7d691fa8abcdde87a70ed6cef6f30cbe107
Author: Marc Delisle <marc(a)infomarc.info>
Date: Fri Aug 20 12:59:21 2010 -0400
3.3.6-rc1
-----------------------------------------------------------------------
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_3_5_1-7133-g7be8236
by Marc Delisle 20 Aug '10
The branch, master has been updated
via 7be82362080f862de054c85646fb54b3bf6402b9 (commit)
from 22eaa592cad82c1aef5a2476ebbe55403d627dc6 (commit)
- Log -----------------------------------------------------------------
commit 7be82362080f862de054c85646fb54b3bf6402b9
Author: Marc Delisle <marc(a)infomarc.info>
Date: Fri Aug 20 08:46:59 2010 -0400
comment was no longer accurate
-----------------------------------------------------------------------
Summary of changes:
libraries/tbl_links.inc.php | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libraries/tbl_links.inc.php b/libraries/tbl_links.inc.php
index 445cf66..22789f3 100644
--- a/libraries/tbl_links.inc.php
+++ b/libraries/tbl_links.inc.php
@@ -80,7 +80,7 @@ $tabs['export']['args']['single_table'] = 'true';
$tabs['export']['text'] = __('Export');
/**
- * Don't display "Import", "Operations" and "Empty"
+ * Don't display "Import" and "Operations"
* for views and information_schema
*/
if (! $tbl_is_view && ! (isset($db_is_information_schema) && $db_is_information_schema)) {
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_3_5_1-7132-g22eaa59
by Marc Delisle 20 Aug '10
The branch, master has been updated
via 22eaa592cad82c1aef5a2476ebbe55403d627dc6 (commit)
from 272c57cdba6ae6c162ab90634bad9740c2af8b38 (commit)
- Log -----------------------------------------------------------------
commit 22eaa592cad82c1aef5a2476ebbe55403d627dc6
Author: Marc Delisle <marc(a)infomarc.info>
Date: Fri Aug 20 08:43:09 2010 -0400
unused code
-----------------------------------------------------------------------
Summary of changes:
libraries/common.lib.php | 1 -
libraries/sqlparser.lib.php | 15 ---------------
2 files changed, 0 insertions(+), 16 deletions(-)
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 4b1d8d9..23b3eee 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -327,7 +327,6 @@ function PMA_formatSql($parsed_sql, $unparsed_sql = '')
$formatted_sql = PMA_SQP_formatHtml($parsed_sql, 'color');
break;
case 'text':
- //$formatted_sql = PMA_SQP_formatText($parsed_sql);
$formatted_sql = PMA_SQP_formatHtml($parsed_sql, 'text');
break;
default:
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 3e74ca7..463b73a 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2662,21 +2662,6 @@ if (! defined('PMA_MINIMUM_COMMON')) {
return $formatted_sql;
} // end of the "PMA_SQP_formatNone()" function
-
- /**
- * Gets SQL queries in text format
- *
- * @todo WRITE THIS!
- * @param array The SQL queries list
- *
- * @return string The SQL queries in text format
- *
- * @access public
- */
- function PMA_SQP_formatText($arr)
- {
- return PMA_SQP_formatNone($arr);
- } // end of the "PMA_SQP_formatText()" function
} // end if: minimal common.lib needed?
?>
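Review bot: removing PMA_SQP_formatText() is safe as far as this patch shows (its only visible caller was the commented-out line deleted in common.lib.php in the same push), but the docblock being deleted marks it `@access public`, so a grep across the tree for `PMA_SQP_formatText` before merging would confirm that no other caller relies on it. Since the body was a one-line alias for PMA_SQP_formatNone(), nothing else changes behaviourally.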
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_3_5_1-7131-g272c57c
by Michal Čihař 20 Aug '10
The branch, master has been updated
via 272c57cdba6ae6c162ab90634bad9740c2af8b38 (commit)
via 86baee8d4e81b9ee80dc3ed3692c91f138740a99 (commit)
via 2af8ff42e91bfb03ce05a11a0dce7a85ac32cecd (commit)
via 8b53799f0da2992b41c1895a8e9f7db10fd2a82f (commit)
via 5a0fec9b3c6327bf8d4be31190f0a780a0071e2c (commit)
via 862e3ca2a7c7fe56c76bb515367db0dce2a79d53 (commit)
via 41145feb12e1fe2f7af54c1ccb89a714c39bfb12 (commit)
via d128f806057e752db082272fd5e5c2f7244821b9 (commit)
via 59b3b4916b31fa44f31b1e2d243ca7dda012ba37 (commit)
via 782b8b46be4f06c695ab713eeefbd75970358e2f (commit)
via bf60ec82e948450ae18b9e66c48d27da55ebe860 (commit)
via f273e6cbf6e2eea7367f7ef9c63c97ea55b92ca0 (commit)
via d2e0e09e0d402555a6223f0b683fdbfa97821a63 (commit)
via b337f45a0a1ba8ff28e3d13f194f137e9aa85e8e (commit)
via 05ca00e0a20d0eb4848d69bf7a1365df5bba872d (commit)
via 48e909660032ddcbc13172830761e363e7a64d72 (commit)
via be0f47a93141e2950ad400b8d22a2a98512825c2 (commit)
via cd205cc55a46e3dc0f8883966f5c854f842e1000 (commit)
via 7dc6cea06522b2d4af50934c983f3967540a4918 (commit)
via 6028221d97efa2a7d56a61ab4c5750d1b2343619 (commit)
via 2a1233b69ccc6c64819c2840ca5277c2dde0b9e0 (commit)
via 25ac7de38c125d8067f42bab24212891389ac1e3 (commit)
via fa30188dde357426d339d0d7e29a3969f88d188a (commit)
via 00add5c43f594f80dab6304a5bb35d2e50540d2d (commit)
via c75e41d5d8cdd9bbc745c8cbe2c16998fda1de0c (commit)
via 533e10213590e7ccd83b98a5cd19ba1c3be119dd (commit)
via ea3b718fc379c15e773cc2f18ea4c8ccfa9af57b (commit)
via 7f266483b827fb05a4be11663003418c2ef1c878 (commit)
via 5bcd95a42c8ba924d389eafee4d7be80bd4039a3 (commit)
via 6d548f7d449b7d4b796949d10a503484f63eaf82 (commit)
from 7b1c0187cfae8bd02d1fe1233aea57cef46b348f (commit)
- Log -----------------------------------------------------------------
commit 272c57cdba6ae6c162ab90634bad9740c2af8b38
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:56:28 2010 +0200
Change back to master after merging to STABLE/TESTING.
commit 86baee8d4e81b9ee80dc3ed3692c91f138740a99
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:53:01 2010 +0200
Do not apply TESTING/STABLE update to 2.11 branch.
commit 2af8ff42e91bfb03ce05a11a0dce7a85ac32cecd
Merge: 862e3ca2a7c7fe56c76bb515367db0dce2a79d53 8b53799f0da2992b41c1895a8e9f7db10fd2a82f
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:42:38 2010 +0200
Merge branch 'QA_3_3'
commit 862e3ca2a7c7fe56c76bb515367db0dce2a79d53
Merge: 7b1c0187cfae8bd02d1fe1233aea57cef46b348f 41145feb12e1fe2f7af54c1ccb89a714c39bfb12
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:40:37 2010 +0200
Merge branch 'QA_3_3'
Conflicts:
libraries/core.lib.php
server_databases.php
server_privileges.php
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 3 +++
db_search.php | 2 +-
db_sql.php | 2 +-
error.php | 10 +++++++---
libraries/common.lib.php | 2 +-
libraries/core.lib.php | 7 ++++---
libraries/database_interface.lib.php | 4 ++++
libraries/db_info.inc.php | 3 ++-
libraries/dbi/mysql.dbi.lib.php | 2 ++
libraries/dbi/mysqli.dbi.lib.php | 2 ++
libraries/sanitizing.lib.php | 17 +++++++++++++++--
libraries/sqlparser.lib.php | 2 +-
scripts/create-release.sh | 17 +++++++++++------
server_databases.php | 22 ++++++++++++++++++----
server_privileges.php | 30 +++++++++++++++---------------
sql.php | 14 +++++++-------
tbl_sql.php | 2 +-
17 files changed, 95 insertions(+), 46 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3a1d00b..0188759 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -119,6 +119,9 @@ $Id$
- bug #3044189 [doc] Cleared documentation for hide_db.
- bug #3042495 [core] Move PMA_sendHeaderLocation to core.lib.php.
+3.3.5.1 (2010-10-20)
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
3.3.5.0 (2010-07-26)
- patch #2932113 [information_schema] Slow export when having lots of
databases, thanks to Stéphane Pontier - shadow_walker
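Review bot: the date on the `+3.3.5.1 (2010-10-20)` line does not match the commit date (Fri Aug 20 2010) and lies two months after it; if the entry is meant to carry the release date of the PMASA-2010-5 fix it should read 2010-08-20. Users cross-check ChangeLog dates against the advisory, so this is worth correcting before the tag is pushed.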
diff --git a/db_search.php b/db_search.php
index 0b68ba3..854cba8 100644
--- a/db_search.php
+++ b/db_search.php
@@ -336,7 +336,7 @@ $alter_select =
<tr><td align="right">
<?php echo __('Inside column:'); ?></td>
<td><input type="text" name="field_str" size="60"
- value="<?php echo ! empty($field_str) ? $field_str : ''; ?>" /></td>
+ value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td>
</tr>
</table>
</fieldset>
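Review bot: htmlspecialchars() on `$field_str` is the right escaping for the double-quoted value attribute on the `+` line, but the surrounding `! empty($field_str)` test also discards a literal search string of "0" (empty() treats "0" as empty), so `isset($field_str) ? htmlspecialchars($field_str) : ''` would preserve the user's input. Pre-existing, but this line is being touched anyway.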
diff --git a/db_sql.php b/db_sql.php
index 986fb34..50db7bd 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -36,7 +36,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
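Review bot: the escaping on the `+PMA_sqlQueryForm(true, false, ... htmlspecialchars($_REQUEST['delimiter']) ...)` line happens at the call site rather than where the delimiter is emitted, so PMA_sqlQueryForm() now receives an HTML-encoded delimiter from this caller (tbl_sql.php makes the identical change) while any other caller still passes the raw value. If the function uses the delimiter anywhere other than inside an HTML attribute, for example to split the query text or to re-emit it in a hidden field that is escaped again, it will see entities such as `&amp;` instead of the original characters. Escaping inside PMA_sqlQueryForm() at the output point keeps one contract for every caller.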
diff --git a/error.php b/error.php
index 117d070..b1d47e2 100644
--- a/error.php
+++ b/error.php
@@ -75,10 +75,14 @@ header('Content-Type: text/html; charset=' . $charset);
<body>
<h1>phpMyAdmin - <?php echo $type; ?></h1>
<p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+ if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+ echo PMA_sanitize(stripslashes($_REQUEST['error']));
+ } else {
+ echo PMA_sanitize($_REQUEST['error']);
+ }
} else {
- echo PMA_sanitize($_REQUEST['error']);
+ echo 'No error message!';
}
?></p>
</body>
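Review bot: the `+if (!empty($_REQUEST['error']))` guard removes the undefined-index notice, but the two inner branches differ only in the stripslashes() call, so the block can be collapsed: `$error = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) ? stripslashes($_REQUEST['error']) : $_REQUEST['error'];` followed by a single `echo PMA_sanitize($error);`. That leaves exactly one place where the sanitizer is applied, which is easier to audit for an XSS fix. Note also that `$type` on the unchanged `<h1>` context line is still echoed raw; if it can originate from the request it needs the same treatment.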
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index a1c3c7b..4b1d8d9 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -566,7 +566,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
$formatted_sql = '';
} else {
if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
- $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+ $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
} else {
$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
}
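Review bot: on the `+ $formatted_sql = htmlspecialchars(substr(...))` line the truncated branch is now escaped directly, while the else branch relies on PMA_formatSql() to return safe HTML; a short comment saying so would help, because a reader of this function alone cannot see that the second branch is escaped elsewhere (in this merge, by the sqlparser.lib.php change). Separately, substr() on a multibyte query can cut a UTF-8 sequence in half before htmlspecialchars() sees it, and depending on PHP version and charset htmlspecialchars() may then return an empty string, so a multibyte-aware substring would be safer here.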
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index 2355651..8bfc035 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -525,22 +525,23 @@ function PMA_getenv($var_name) {
function PMA_sendHeaderLocation($uri)
{
if (PMA_IS_IIS && strlen($uri) > 600) {
+ require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' . "\n";
echo '<meta http-equiv="expires" content="0">' . "\n";
echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
- echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+ echo '<meta http-equiv="Refresh" content="0;url=' . htmlspecialchars($uri) . '">' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+ echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
echo '//]]>' . "\n";
echo '</script>' . "\n";
echo '</head>' . "\n";
echo '<body>' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'document.write(\'<p><a href="' . $uri . '">' . __('Go') . '</a></p>\');' . "\n";
+ echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . __('Go') . '</a></p>\');' . "\n";
echo '//]]>' . "\n";
echo '</script></body></html>' . "\n";
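Review bot: the `document.write(\'<p><a href="' . htmlspecialchars($uri) . '">` line escapes for the HTML attribute but not for the enclosing single-quoted JavaScript string literal; htmlspecialchars() with its default flags leaves `'` untouched, so a single quote in `$uri` terminates the JS string. Wrap the HTML-escaped value with PMA_escapeJsString() as the setTimeout line now does (`PMA_escapeJsString(htmlspecialchars($uri))`), or pass ENT_QUOTES. Separately, the setTimeout line emits `unescape('"..."')` inside a double-quoted JS string, where the inner `"` closes the outer string that setTimeout receives; please check the generated markup in a browser, since that quoting looks wrong irrespective of the escaping change.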
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index 8eba111..c1a97b4 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -195,6 +195,10 @@ function PMA_usort_comparison_callback($a, $b)
} else {
$sorter = 'strcasecmp';
}
+ /* No sorting when key is not present */
+ if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+ return 0;
+ }
// produces f.e.:
// return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
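Review bot: the new `+ return 0;` for rows lacking the sort key avoids the notice, but it makes the comparator inconsistent (a row without the key compares equal to every other row, which is not transitive), and usort() gives no guarantee about the resulting order in that case. Consider ordering missing-key rows deterministically, for example treating a missing value as '' or always sorting it last. The guard would also read better placed before the `$sorter` selection in the context lines above, so nothing is computed on the early-return path.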
diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php
index 969af04..c51b247 100644
--- a/libraries/db_info.inc.php
+++ b/libraries/db_info.inc.php
@@ -211,7 +211,8 @@ if (! isset($sot_ready)) {
);
// Make sure the sort type is implemented
- if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) {
+ if (isset($sortable_name_mappings[$_REQUEST['sort']])) {
+ $sort = $sortable_name_mappings[$_REQUEST['sort']];
if ($_REQUEST['sort_order'] == 'DESC') {
$sort_order = 'DESC';
}
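Review bot: `isset($sortable_name_mappings[$_REQUEST['sort']])` on the `+ if` line only suppresses the notice for the outer array access; the index expression `$_REQUEST['sort']` is still a plain read and emits an undefined-index notice when the parameter is absent. If this block can run without a `sort` parameter, guard with `isset($_REQUEST['sort']) && isset($sortable_name_mappings[$_REQUEST['sort']])`; the same applies to `$_REQUEST['sort_order']` on the unchanged line that follows.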
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index fdd83f8..5af59bd 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -344,6 +344,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
// Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . __('The server is not responding') . ' ' . __('(or the local MySQL server\'s socket is not correctly configured)');
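Review bot: applying htmlspecialchars() to `$error_message` inside PMA_DBI_getError() (the mysqli.dbi.lib.php hunk makes the same change) moves escaping into the data-access layer, so every caller now receives entity-encoded text, including callers that log the message or hand it to PMA_mysqlDie(), which in this same merge escapes the SQL it displays. A message containing `<` will render as `&amp;lt;` wherever it is escaped twice. Prefer to keep getError() returning the raw message and escape at the output points, or at least state in the docblock that the return value is already HTML.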
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index b5915df..9e836eb 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -400,6 +400,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . __('The server is not responding') . ' ' . __('(or the local MySQL server\'s socket is not correctly configured)');
} else {
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index c9b79a7..eb8696d 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -8,17 +8,26 @@
/**
* Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
*
* @uses preg_replace()
* @uses strtr()
* @param string the message
+ * @param boolean whether to escape html in result
*
* @return string the sanitized message
*
* @access public
*/
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
{
$replace_pairs = array(
'<' => '<',
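Review bot: the new docblock example `<a title="<?php echo PMA_sanitize($foo, true); ?>">` should say that `$escape` is only sufficient for double-quoted attributes: htmlspecialchars() with its default flags does not encode `'`, so a single-quoted attribute remains breakable. Either document that restriction next to the example or pass ENT_QUOTES in the implementation. (The `'<' => '<'` pair in this hunk's context is presumably an entity lost in the archive rendering rather than the source.)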
@@ -66,6 +75,10 @@ function PMA_sanitize($message)
$message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
}
+ if ($escape) {
+ $message = htmlspecialchars($message);
+ }
+
return $message;
}
?>
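Review bot: the `+ if ($escape)` block runs after the replacement that produces `<a href="\1" target="\2">`, so with `$escape = true` the anchors generated a few lines earlier are encoded into literal text. That is the correct result for an attribute value, but it means callers of PMA_sanitize($x, true) get no link markup at all; a one-line comment stating that the escape intentionally neutralises the generated tags would stop the next reader from "fixing" the order.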
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 5509db1..3e74ca7 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2574,7 +2574,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
}
$after .= "\n";
*/
- $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+ $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
} // end for
/* End possibly unclosed documentation link */
if ($close_docu_link) {
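Review bot: the `+ $str .= ...` line escapes token data only on the text branch of the ternary; the `$mode=='color'` branch still hands `$arr[$i]` to PMA_SQP_formatHTML_colorize() unchanged. Unless that function escapes internally (not visible in this hunk), the colourised display keeps the injection the text mode just lost. Please confirm, and if colorize does escape, add a comment on this line so the asymmetry is documented.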
diff --git a/scripts/create-release.sh b/scripts/create-release.sh
index fd73f2e..35ac3dd 100755
--- a/scripts/create-release.sh
+++ b/scripts/create-release.sh
@@ -221,13 +221,18 @@ if [ $# -gt 0 ] ; then
tagname=RELEASE_`echo $version | tr . _ | tr '[:lower:]' '[:upper:]' | tr -d -`
echo "* Tagging release as $tagname"
git tag -a -m "Released $version" $tagname $branch
- if echo $version | grep '[a-z_-]' ; then
- mark_as_release $branch TESTING
+ if echo $version | grep -q '^2\.11\.' ; then
+ echo '* 2.11 branch, no STABLE/TESTING update'
else
- # We update both branches here
- # As it does not make sense to have older testing than stable
- mark_as_release $branch TESTING
- mark_as_release $branch STABLE
+ if echo $version | grep '[a-z_-]' ; then
+ mark_as_release $branch TESTING
+ else
+ # We update both branches here
+ # As it does not make sense to have older testing than stable
+ mark_as_release $branch TESTING
+ mark_as_release $branch STABLE
+ fi
+ git checkout master
fi
echo " Dont forget to push tags using: git push --tags"
;;
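Review bot: the inner `if echo $version | grep '[a-z_-]'` test lacks the `-q` that the new 2.11 test uses, so the matched version string is printed to stdout during tagging; add `-q` for consistency. The new `+ git checkout master` line also runs even if mark_as_release failed (unless the script runs under `set -e`), and `$version` is unquoted throughout. A `case "$version" in 2.11.*) ... ;; *[a-z_-]*) ... ;; *) ... ;; esac` would express the three cases without the nested ifs and the grep pipelines.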
diff --git a/server_databases.php b/server_databases.php
index 7aeee67..d054aca 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -19,7 +19,21 @@ require './libraries/replication.inc.php';
if (empty($_REQUEST['sort_by'])) {
$sort_by = 'SCHEMA_NAME';
} else {
- $sort_by = PMA_sanitize($_REQUEST['sort_by']);
+ $sort_by_whitelist = array(
+ 'SCHEMA_NAME',
+ 'DEFAULT_COLLATION_NAME',
+ 'SCHEMA_TABLES',
+ 'SCHEMA_TABLE_ROWS',
+ 'SCHEMA_DATA_LENGTH',
+ 'SCHEMA_INDEX_LENGTH',
+ 'SCHEMA_LENGTH',
+ 'SCHEMA_DATA_FREE'
+ );
+ if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) {
+ $sort_by = $_REQUEST['sort_by'];
+ } else {
+ $sort_by = 'SCHEMA_NAME';
+ }
}
if (isset($_REQUEST['sort_order'])
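Review bot: replacing PMA_sanitize() with a whitelist is the right fix here, since `sort_by` is used as a column name rather than displayed text; two small points. Use `in_array($_REQUEST['sort_by'], $sort_by_whitelist, true)`, as strict comparison is the usual expectation in a whitelist check, and define the list once, next to where the sortable column headers are generated, so the two cannot drift apart. A single `$sort_by = in_array(...) ? $_REQUEST['sort_by'] : 'SCHEMA_NAME';` would also remove the duplicated default.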
@@ -339,11 +353,11 @@ if ($databases_count > 0) {
unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) {
- $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats;
+ $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . __('With selected:') . '" />' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . __('Check All') . '</a> / ' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . __('Uncheck All') . '</a>' . "\n"
. '<i>' . __('With selected:') . '</i>' . "\n";
PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', __('Drop'), 'b_deltbl.png');
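Review bot: the `+ $common_url_query = PMA_generate_common_url(array(...))` change drops the `?` from the two href strings below it, so it relies on the array form of PMA_generate_common_url() returning a string that already starts with `?`; if it does not, the links become `server_databases.phpserver=...`. Please confirm the return value on this branch and, if the function emits `&amp;` between parameters (as it should for an href), change the hand-appended `'&checkall=1'` to `'&amp;checkall=1'` so the link is consistently encoded.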
diff --git a/server_privileges.php b/server_privileges.php
index cd5afe7..33483d2 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1182,7 +1182,7 @@ if (!empty($update_privs)) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
$message = PMA_Message::success(__('You have updated the privileges for %s.'));
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
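Review bot: `$message->addParam(... htmlspecialchars($username) ...)` on the `+` line escapes the parameter before it reaches PMA_Message, and whether that is right depends on whether PMA_Message escapes its params when rendering: if it does, the name is double-encoded; if it does not, every other addParam() call in the code base is still unescaped. The same change appears in the hunks at 1206 and 1242 below. A cleaner fix is an escaping flag or a dedicated method on PMA_Message so the rule lives in one place.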
@@ -1206,7 +1206,7 @@ if (isset($_REQUEST['revokeall'])) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1;
$message = PMA_Message::success(__('You have revoked the privileges for %s'));
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
if (! isset($tablename)) {
unset($dbname);
} else {
@@ -1242,7 +1242,7 @@ if (isset($_REQUEST['change_pw'])) {
PMA_DBI_try_query($local_query)
or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = PMA_Message::success(__('The password for %s was changed successfully.'));
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
}
@@ -1647,8 +1647,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($dbname)) {
echo ' <i><a href="server_privileges.php?'
- . $GLOBALS['url_query'] . '&username=' . urlencode($username)
- . '&hostname=' . urlencode($hostname) . '&dbname=&tablename=">\''
+ . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username))
+ . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">\''
. htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
. '\'</a></i>' . "\n";
$url_dbname = urlencode(str_replace(array('\_', '\%'), array('_', '%'), $dbname));
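Review bot: `htmlspecialchars(urlencode($username))` on the `+` lines is a no-op: urlencode() only emits `A-Za-z0-9_.-`, `%xx` and `+`, none of which htmlspecialchars() touches. What the href actually needs is `&amp;` between the query parameters, which this hunk still writes as bare `&`. Suggest leaving `urlencode($username)` / `urlencode($hostname)` as they were and escaping the assembled href or its separators; the same no-op pattern recurs in the hunks at 1656, 1891 and 1980.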
@@ -1656,8 +1656,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
echo ' - ' . ($dbname_is_wildcard ? __('Databases') : __('Database') );
if (isset($tablename)) {
echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
- . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname)
- . '&dbname=' . $url_dbname . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
+ . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname))
+ . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
echo ' - ' . __('Table') . ' <i>' . htmlspecialchars($tablename) . '</i>';
} else {
echo ' <i>' . htmlspecialchars($dbname) . '</i>';
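Review bot: `htmlspecialchars($url_dbname)` on the `+` line has no effect, because `$url_dbname` is built with urlencode() on the context line just above this hunk and so already contains no characters htmlspecialchars() would change. The separators in this link are the part that still needs attention (`&amp;` in an href), not the already-encoded value.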
@@ -1891,16 +1891,16 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
}
echo '</td>' . "\n"
. ' <td>';
- printf($link_edit, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_edit, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n"
. ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
- printf($link_revoke, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_revoke, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
}
echo '</td>' . "\n"
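Review bot: the argument order differs between the `+ printf($link_edit, htmlspecialchars(urlencode($username)), urlencode(htmlspecialchars($hostname)), ...)` lines, and the order matters: htmlspecialchars(urlencode(x)) is a no-op, but urlencode(htmlspecialchars(x)) URL-encodes the entities, so a hostname or database name containing `&`, `<` or `"` reaches the target script as `&amp;`, `&lt;` or `&quot;` and no longer matches the real account or database. The `$row['Db']` side of the ternary is also left unescaped while `$dbname` is escaped. Use plain urlencode() for all four values here and in the $link_revoke block, and HTML-escape the format string or its separators instead.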
@@ -1980,7 +1980,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($tablename)) {
echo ' [ ' . __('Table') . ' <a href="'
. $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query']
- . '&db=' . $url_dbname . '&table=' . urlencode($tablename)
+ . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename))
. '&reload=1">' . htmlspecialchars($tablename) . ': '
. PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable'])
. "</a> ]\n";
@@ -2207,7 +2207,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
// Offer to create a new user for the current database
echo '<fieldset id="fieldset_add_user">' . "\n"
- . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . $checkprivs .'">' . "\n"
+ . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . htmlspecialchars($checkprivs) .'">' . "\n"
. PMA_getIcon('b_usradd.png')
. ' ' . __('Add a new User') . '</a>' . "\n"
. '</fieldset>' . "\n";
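Review bot: `'&adduser=1&dbname=' . htmlspecialchars($checkprivs)` on the `+` line HTML-escapes a value that is being placed in a query string but does not URL-encode it, so a database name containing `&`, `#` or `%` still breaks or alters the parameter. Use `urlencode($checkprivs)` (which also yields an attribute-safe string) together with `&amp;` separators, matching the other links in this file.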
diff --git a/sql.php b/sql.php
index a98b9d4..a3ae0cf 100644
--- a/sql.php
+++ b/sql.php
@@ -173,14 +173,14 @@ if ($do_confirm) {
.PMA_generate_common_hidden_inputs($db, $table);
?>
<input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
- <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+ <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
<input type="hidden" name="goto" value="<?php echo $goto; ?>" />
- <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
- <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
- <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
- <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
- <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
- <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+ <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+ <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+ <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+ <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+ <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+ <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
<?php
echo '<fieldset class="confirmation">' . "\n"
.' <legend>' . __('Do you really want to ') . '</legend>'
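Review bot: the hidden inputs now use `PMA_sanitize($x, true)` so their value attributes are escaped, but the unchanged `<input type="hidden" name="goto" value="<?php echo $goto; ?>" />` line in the middle of the same form still echoes `$goto` raw. If `$goto` can be request-controlled (it is normally passed as a parameter), it needs htmlspecialchars() like its neighbours; if it is guaranteed to come from a fixed list, a comment saying so would help the next auditor.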
diff --git a/tbl_sql.php b/tbl_sql.php
index e72dce3..aa0af4d 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -37,7 +37,7 @@ require_once './libraries/tbl_links.inc.php';
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin branch, TESTING, updated. RELEASE_3_3_5_1-9-gfbfc4d6
by Michal Čihař 20 Aug '10
The branch, TESTING has been updated
- Log -----------------------------------------------------------------
commit fbfc4d6e6d1be2314ed1d3e13142b1bb861fbfab
Merge: b40458875721cefa2ee16241e7a657463452999d 5a0fec9b3c6327bf8d4be31190f0a780a0071e2c
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:55:43 2010 +0200
Merge branch 'MAINT_3_3_5' into TESTING
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 3 +++
Documentation.html | 4 ++--
README | 4 ++--
db_search.php | 2 +-
db_sql.php | 2 +-
error.php | 10 +++++++---
libraries/Config.class.php | 2 +-
libraries/common.lib.php | 9 +++++----
libraries/database_interface.lib.php | 4 ++++
libraries/db_info.inc.php | 3 ++-
libraries/dbi/mysql.dbi.lib.php | 2 ++
libraries/dbi/mysqli.dbi.lib.php | 2 ++
libraries/sanitizing.lib.php | 17 +++++++++++++++--
libraries/sqlparser.lib.php | 2 +-
server_databases.php | 22 ++++++++++++++++++----
server_privileges.php | 30 +++++++++++++++---------------
sql.php | 14 +++++++-------
tbl_sql.php | 2 +-
translators.html | 4 ++--
19 files changed, 91 insertions(+), 47 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 53adf96..4183ff5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
$Id$
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/… $
+3.3.5.1 (2010-10-20)
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
3.3.5.0 (2010-07-26)
- patch #2932113 [information_schema] Slow export when having lots of
databases, thanks to Stéphane Pontier - shadow_walker
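Review bot: the new entry is dated `3.3.5.1 (2010-10-20)`, but the merge commit above is dated Fri Aug 20 2010 and the subject tags this as RELEASE_3_3_5_1, so the month looks like a typo for 2010-08-20; worth correcting before release notes are generated from this file.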
diff --git a/Documentation.html b/Documentation.html
index 100b9ae..289d02a 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -10,7 +10,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.3.5 - Documentation</title>
+ <title>phpMyAdmin 3.3.5.1 - Documentation</title>
<link rel="stylesheet" type="text/css" href="docs.css" />
</head>
@@ -18,7 +18,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
<div id="header">
<h1>
<a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.5
+ 3.3.5.1
Documentation
</h1>
</div>
diff --git a/README b/README
index 279f66f..072d0d9 100644
--- a/README
+++ b/README
@@ -5,8 +5,8 @@ phpMyAdmin - Readme
A set of PHP-scripts to manage MySQL over the web.
- Version 3.3.5
- -------------
+ Version 3.3.5.1
+ ---------------
http://www.phpmyadmin.net/
Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com>
diff --git a/db_search.php b/db_search.php
index 751675d..455aa61 100644
--- a/db_search.php
+++ b/db_search.php
@@ -355,7 +355,7 @@ $alter_select =
<tr><td align="right">
<?php echo $GLOBALS['strSearchInField']; ?></td>
<td><input type="text" name="field_str" size="60"
- value="<?php echo ! empty($field_str) ? $field_str : ''; ?>" /></td>
+ value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td>
</tr>
</table>
</fieldset>
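Review bot: the attribute escaping is correct, but `! empty($field_str)` treats the string "0" as empty, so a search for `0` is not echoed back into the field; `isset($field_str) ? htmlspecialchars($field_str) : ''` keeps the escape and round-trips that value.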
diff --git a/db_sql.php b/db_sql.php
index 2ac198b..420561e 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -37,7 +37,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
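Review bot: same concern as the identical change in tbl_sql.php: `htmlspecialchars()` here alters the delimiter value handed to PMA_sqlQueryForm() instead of escaping it at output, so a delimiter like `<` or `&` is already entity-encoded when the function compares or re-emits it. Escape inside the function where the value is written into HTML and keep the call site passing the raw request value, which also fixes every caller at once.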
diff --git a/error.php b/error.php
index 674d08e..7e86ffb 100644
--- a/error.php
+++ b/error.php
@@ -76,10 +76,14 @@ header('Content-Type: text/html; charset=' . $charset);
<body>
<h1>phpMyAdmin - <?php echo $type; ?></h1>
<p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+ if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+ echo PMA_sanitize(stripslashes($_REQUEST['error']));
+ } else {
+ echo PMA_sanitize($_REQUEST['error']);
+ }
} else {
- echo PMA_sanitize($_REQUEST['error']);
+ echo 'No error message!';
}
?></p>
</body>
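Review bot: the `$_REQUEST['error']` branches are now guarded, but `$type` in the `<h1>` at the top of the hunk is still echoed without escaping; unless it is constrained to a fixed set of values before this point, it needs the same `PMA_sanitize()` or `htmlspecialchars()` treatment. Two smaller points: the fallback 'No error message!' is a hard-coded English literal where the rest of the code base uses `$GLOBALS['str...']` strings, and computing the message once (with the `stripslashes()` decision) and calling `PMA_sanitize()` a single time would remove the duplicated branches.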
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index e73de8b..0ac18b2 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -92,7 +92,7 @@ class PMA_Config
*/
function checkSystem()
{
- $this->set('PMA_VERSION', '3.3.5');
+ $this->set('PMA_VERSION', '3.3.5.1');
/**
* @deprecated
*/
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index c62d518..4a9c789 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -575,7 +575,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
$formatted_sql = '';
} else {
if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
- $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+ $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
} else {
$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
}
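Review bot: the truncated branch now escapes, but the two branches return differently treated output: the `else` branch yields PMA_formatSql() markup while this one yields escaped plain text, which is fine only if every consumer of `$formatted_sql` treats it as HTML. Separately, `substr()` can cut a multibyte UTF-8 sequence at `MaxCharactersInDisplayedSQL`, leaving an invalid byte at the end of the string before `htmlspecialchars()` sees it; `mb_substr()` (or the project's multibyte substring wrapper, if one exists) avoids that.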
@@ -705,22 +705,23 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
function PMA_sendHeaderLocation($uri)
{
if (PMA_IS_IIS && strlen($uri) > 600) {
+ require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' . "\n";
echo '<meta http-equiv="expires" content="0">' . "\n";
echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
- echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+ echo '<meta http-equiv="Refresh" content="0;url=' . htmlspecialchars($uri) . '">' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+ echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
echo '//]]>' . "\n";
echo '</script>' . "\n";
echo '</head>' . "\n";
echo '<body>' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'document.write(\'<p><a href="' . $uri . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
+ echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
echo '//]]>' . "\n";
echo '</script></body></html>' . "\n";
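Review bot: the quote nesting on the `setTimeout` line appears to leave `$uri` outside any JavaScript string literal: the PHP expands to `setTimeout("window.location = unescape('"` . $uri . `"')", 2000);`, so the double quote after `unescape('` closes the outer string and PMA_escapeJsString() is escaping for a context the value is not actually in. Emitting a function instead of a code string avoids the double nesting, e.g. `echo 'setTimeout(function () { window.location = unescape(\'' . PMA_escapeJsString($uri) . '\'); }, 2000);' . "\n";`. The `document.write` line has the mirror problem: `$uri` sits inside a single-quoted JS string there, and `htmlspecialchars()` with its default flags does not touch `'`, so it needs PMA_escapeJsString() applied first and HTML escaping second.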
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index a7d9e72..3c0408d 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -205,6 +205,10 @@ function PMA_usort_comparison_callback($a, $b)
} else {
$sorter = 'strcasecmp';
}
+ /* No sorting when key is not present */
+ if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+ return 0;
+ }
// produces f.e.:
// return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
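Review bot: returning 0 when either row lacks the sort key makes the comparator non-transitive when only some rows carry the key (a < b, b == c, a == c), and usort() gives no defined order for an inconsistent comparator; sorting rows without the key consistently last (return 1 or -1 depending on which side is missing) keeps the result stable. Minor style: the condition mixes `!isset` and `! isset` spacing on the same line.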
diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php
index 4f59baa..1e5b401 100644
--- a/libraries/db_info.inc.php
+++ b/libraries/db_info.inc.php
@@ -213,7 +213,8 @@ if (! isset($sot_ready)) {
);
// Make sure the sort type is implemented
- if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) {
+ if (isset($sortable_name_mappings[$_REQUEST['sort']])) {
+ $sort = $sortable_name_mappings[$_REQUEST['sort']];
if ($_REQUEST['sort_order'] == 'DESC') {
$sort_order = 'DESC';
}
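Review bot: the `isset()` on the mapping still indexes it with `$_REQUEST['sort']` directly, which emits an undefined-index notice when `sort` is absent from the request; `isset($_REQUEST['sort'], $sortable_name_mappings[$_REQUEST['sort']])` covers both at once, and `$_REQUEST['sort_order']` on the following line has the same gap.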
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 2754588..4750ee2 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -348,6 +348,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
// Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
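Review bot: escaping inside PMA_DBI_getError() makes a data-layer function return HTML, so every caller that already escapes, or that writes the message somewhere that is not HTML (a log, an export file, a non-HTML response), now gets `&lt;` and `&amp;` in the text. Escaping belongs where the message is rendered; if this is meant as defence in depth against callers that forget, document the return value as HTML in the function's docblock so the double encoding elsewhere is at least deliberate and can be removed.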
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index 913bce6..52f7601 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -406,6 +406,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
} else {
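Review bot: as in mysql.dbi.lib.php, this moves HTML escaping into the driver, so `PMA_DBI_getError()` now returns markup-safe text for every consumer; callers that escape again should be checked for double encoding, and the result is now a mix within one function, since the 2002 branch builds `$error` from unescaped `$GLOBALS` strings while the branch after `} else {` presumably uses the escaped message. Keeping the driver free of HTML and escaping at output is the cleaner contract.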
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index 2b54bf1..d17fc50 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -9,17 +9,26 @@
/**
* Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
*
* @uses preg_replace()
* @uses strtr()
* @param string the message
+ * @param boolean whether to escape html in result
*
* @return string the sanitized message
*
* @access public
*/
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
{
$replace_pairs = array(
'<' => '<',
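Review bot: the new `@param boolean whether to escape html in result` line should name the parameter (`@param boolean $escape ...`) to match phpDocumentor, and the `$message` line could get the same. The attribute example is useful, but the docblock should also say what `$escape` does to the markup the function itself generates, since escaping after the link substitution turns the generated `<a>` into visible text rather than a link. (The `'<' => '<'` entry at the bottom of the hunk is presumably `'&lt;'` in the source and has been decoded by the archive rendering.)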
@@ -67,6 +76,10 @@ function PMA_sanitize($message)
$message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
}
+ if ($escape) {
+ $message = htmlspecialchars($message);
+ }
+
return $message;
}
?>
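Review bot: `htmlspecialchars()` runs after the sanitizer has already done its own entity replacements and link rewriting, so with `$escape = true` the `&lt;` produced by `$replace_pairs` becomes `&amp;lt;` and the `<a href=...>` built by the `preg_replace()` above is emitted as literal text. If the flag is meant for attribute contexts, escape the raw `$message` first and skip the markup-producing substitutions, or define the contract explicitly as "escaped formatted HTML". Note also that `htmlspecialchars()` with default flags leaves `'` untouched, so the docblock example is only safe inside double-quoted attributes.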
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 53f239a..f844e23 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2456,7 +2456,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
}
$after .= "\n";
*/
- $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+ $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
} // end for
if ($mode=='color') {
$str .= '</span>';
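Review bot: the plain-text branch now escapes `$arr[$i]['data']`, but the `color` branch relies on PMA_SQP_formatHTML_colorize() to do the same; please confirm that function escapes the token text itself, otherwise the two modes differ in safety and only the non-colorized output is fixed.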
diff --git a/server_databases.php b/server_databases.php
index 47037cc..5e6d0ec 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -22,7 +22,21 @@ require './libraries/replication.inc.php';
if (empty($_REQUEST['sort_by'])) {
$sort_by = 'SCHEMA_NAME';
} else {
- $sort_by = PMA_sanitize($_REQUEST['sort_by']);
+ $sort_by_whitelist = array(
+ 'SCHEMA_NAME',
+ 'DEFAULT_COLLATION_NAME',
+ 'SCHEMA_TABLES',
+ 'SCHEMA_TABLE_ROWS',
+ 'SCHEMA_DATA_LENGTH',
+ 'SCHEMA_INDEX_LENGTH',
+ 'SCHEMA_LENGTH',
+ 'SCHEMA_DATA_FREE'
+ );
+ if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) {
+ $sort_by = $_REQUEST['sort_by'];
+ } else {
+ $sort_by = 'SCHEMA_NAME';
+ }
}
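Review bot: replacing the sanitized request value with a whitelist is the right shape here, since `$sort_by` is used as an array key in the usort callback in database_interface.lib.php rather than in HTML. Two small things: pass `true` as the third argument to `in_array()` so a non-string request value cannot loosely compare equal, and the list duplicates the column names this file already carries in `$column_order`/`$table_columns` (see the `unset()` in the next hunk); deriving the whitelist from that array keeps the two from drifting.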
if (isset($_REQUEST['sort_order'])
@@ -342,11 +356,11 @@ if ($databases_count > 0) {
unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) {
- $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats;
+ $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . $strWithChecked . '" />' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strCheckAll . '</a> / ' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strUncheckAll . '</a>' . "\n"
. '<i>' . $strWithChecked . '</i>' . "\n";
PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', $strDrop, 'b_deltbl.png');
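Review bot: with PMA_generate_common_url() now taking the array, `$common_url_query` evidently carries its own leading `?` (the literal `?` was dropped from both hrefs), but `'&checkall=1'` is still appended with a bare `&`, which is not escaped as `&amp;` inside the `href` attribute and may differ from the separator the function emits. Either pass `'checkall' => 1` in the array for the first link (a second call) or append with the same escaped separator the function uses.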
diff --git a/server_privileges.php b/server_privileges.php
index fd2796f..d43896b 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1151,7 +1151,7 @@ if (!empty($update_privs)) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
$message = PMA_Message::success('strUpdatePrivMessage');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
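Review bot: `htmlspecialchars()` on the username and hostname here is only correct if PMA_Message::addParam() does not escape its parameters itself; if the message class already escapes params when rendering, this double-encodes `'` and `&` in account names. Check addParam() and put the escaping in exactly one place; the same pattern repeats in the strRevokeMessage and strPasswordChanged hunks below.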
@@ -1175,7 +1175,7 @@ if (isset($_REQUEST['revokeall'])) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1;
$message = PMA_Message::success('strRevokeMessage');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
if (! isset($tablename)) {
unset($dbname);
} else {
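Review bot: same question as for the strUpdatePrivMessage hunk above: whether PMA_Message::addParam() escapes on output decides whether this is a fix or a double encoding. If addParam() offers a way to mark a parameter as raw versus escaped, prefer that over escaping at every call site.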
@@ -1211,7 +1211,7 @@ if (isset($_REQUEST['change_pw'])) {
PMA_DBI_try_query($local_query)
or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = PMA_Message::success('strPasswordChanged');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
}
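Review bot: third copy of the same `'\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\''` expression; a small helper returning the quoted, escaped `'user'@'host'` string would keep the three call sites consistent and make the escaping decision reviewable in one place.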
@@ -1590,8 +1590,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($dbname)) {
echo ' <i><a href="server_privileges.php?'
- . $GLOBALS['url_query'] . '&username=' . urlencode($username)
- . '&hostname=' . urlencode($hostname) . '&dbname=&tablename=">\''
+ . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username))
+ . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">\''
. htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
. '\'</a></i>' . "\n";
$url_dbname = urlencode(str_replace(array('\_', '\%'), array('_', '%'), $dbname));
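Review bot: `htmlspecialchars(urlencode($username))` is a no-op: urlencode() output contains only `%XX`, alphanumerics and `-_.+`, none of which htmlspecialchars() touches, so the change does not alter behaviour. What the href still needs is `&amp;` for the `&username=` and `&hostname=` separators inside the attribute, and `$GLOBALS['url_query']` should be confirmed to be attribute-safe.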
@@ -1599,8 +1599,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] );
if (isset($tablename)) {
echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
- . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname)
- . '&dbname=' . $url_dbname . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
+ . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname))
+ . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>';
} else {
echo ' <i>' . htmlspecialchars($dbname) . '</i>';
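Review bot: as above, `htmlspecialchars()` around urlencode() output and around `$url_dbname` (built with urlencode() two lines earlier) changes nothing; the raw `&` separators in the href are the remaining attribute-context issue. Dropping the redundant wrappers avoids implying that they do something.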
@@ -1834,16 +1834,16 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
}
echo '</td>' . "\n"
. ' <td>';
- printf($link_edit, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_edit, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n"
. ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
- printf($link_revoke, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_revoke, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
}
echo '</td>' . "\n"
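Review bot: the order is inverted for hostname and dbname: `urlencode(htmlspecialchars($hostname))` escapes the value before URL-encoding it, so a hostname containing `&`, `<` or `"` is sent to the server as `&amp;`/`&lt;`/`&quot;` and the edit/revoke link targets the wrong account, while `htmlspecialchars(urlencode($username))` on the line before is a no-op. Use urlencode() alone for all four `printf` arguments and make `$link_edit`/`$link_revoke` use `&amp;` between parameters; that is where the HTML-attribute safety comes from.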
@@ -1923,7 +1923,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($tablename)) {
echo ' [ ' . $GLOBALS['strTable'] . ' <a href="'
. $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query']
- . '&db=' . $url_dbname . '&table=' . urlencode($tablename)
+ . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename))
. '&reload=1">' . htmlspecialchars($tablename) . ': '
. PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable'])
. "</a> ]\n";
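Review bot: `htmlspecialchars(urlencode($tablename))` adds nothing on top of urlencode(), and `$url_dbname` on the same line is already URL-encoded and left alone, so the line is now inconsistent in a way that suggests one of the two is unsafe. Remove the wrapper and escape the `&` separators in the href as `&amp;` instead.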
@@ -2150,7 +2150,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
// Offer to create a new user for the current database
echo '<fieldset id="fieldset_add_user">' . "\n"
- . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . $checkprivs .'">' . "\n"
+ . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . htmlspecialchars($checkprivs) .'">' . "\n"
. PMA_getIcon('b_usradd.png')
. ' ' . $GLOBALS['strAddUser'] . '</a>' . "\n"
. '</fieldset>' . "\n";
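Review bot: `htmlspecialchars($checkprivs)` is the wrong primitive for a query-string value: it leaves `?`, `#` and `+` untouched, so a database name containing them still alters the parsed URL, and a `&` becomes `&amp;`, which the browser decodes back to `&` before the request is sent. `urlencode($checkprivs)` yields a value that is safe in both the URL and the attribute; keep `&amp;` for the separators.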
diff --git a/sql.php b/sql.php
index 4898860..15b1beb 100644
--- a/sql.php
+++ b/sql.php
@@ -175,14 +175,14 @@ if ($do_confirm) {
.PMA_generate_common_hidden_inputs($db, $table);
?>
<input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
- <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+ <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
<input type="hidden" name="goto" value="<?php echo $goto; ?>" />
- <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
- <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
- <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
- <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
- <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
- <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+ <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+ <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+ <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+ <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+ <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+ <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
<?php
echo '<fieldset class="confirmation">' . "\n"
.' <legend>' . $strDoYouReally . '</legend>'
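Review bot: `$goto` on the `<input type="hidden" name="goto">` line is still echoed into the attribute raw while every neighbouring field is now escaped; unless `$goto` is validated against a list of allowed targets before this point, it needs `htmlspecialchars($goto)` too. Also, these hidden fields only round-trip form state, so running them through PMA_sanitize() (which rewrites link-style codes into `<a>` markup before escaping) changes the value on resubmission; `htmlspecialchars()` alone preserves it.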
diff --git a/tbl_sql.php b/tbl_sql.php
index 5565d92..f3c3aac 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -38,7 +38,7 @@ require_once './libraries/tbl_links.inc.php';
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
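Review bot: this is the third copy of the delimiter escaping (also in db_sql.php and the earlier tbl_sql.php change); with `htmlspecialchars()` at three call sites, the value passed to PMA_sqlQueryForm() is pre-encoded, which only works if the function never uses the delimiter outside HTML. Moving the escape into PMA_sqlQueryForm() fixes all callers at once and keeps the parameter's meaning as "the delimiter".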
diff --git a/translators.html b/translators.html
index d847a9e..eb8c6ff 100644
--- a/translators.html
+++ b/translators.html
@@ -11,7 +11,7 @@
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.3.5 - Official translators</title>
+ <title>phpMyAdmin 3.3.5.1 - Official translators</title>
<link rel="stylesheet" type="text/css" href="docs.css" />
</head>
@@ -19,7 +19,7 @@
<div id="header">
<h1>
<a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.5
+ 3.3.5.1
official translators list
</h1>
</div>

[Phpmyadmin-git] [SCM] phpMyAdmin branch, STABLE, updated. RELEASE_3_3_5_1-5-g092ab35
The branch, STABLE has been updated
- Log -----------------------------------------------------------------
commit 092ab350dba15cef61a771338f89e18ae8e019ad
Merge: c6c09344ea3dc027ae91c736e41cce52ded06a76 5a0fec9b3c6327bf8d4be31190f0a780a0071e2c
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:55:43 2010 +0200
Merge branch 'MAINT_3_3_5' into STABLE
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 3 +++
Documentation.html | 4 ++--
README | 4 ++--
db_search.php | 2 +-
db_sql.php | 2 +-
error.php | 10 +++++++---
libraries/Config.class.php | 2 +-
libraries/common.lib.php | 9 +++++----
libraries/database_interface.lib.php | 4 ++++
libraries/db_info.inc.php | 3 ++-
libraries/dbi/mysql.dbi.lib.php | 2 ++
libraries/dbi/mysqli.dbi.lib.php | 2 ++
libraries/sanitizing.lib.php | 17 +++++++++++++++--
libraries/sqlparser.lib.php | 2 +-
server_databases.php | 22 ++++++++++++++++++----
server_privileges.php | 30 +++++++++++++++---------------
sql.php | 14 +++++++-------
tbl_sql.php | 2 +-
translators.html | 4 ++--
19 files changed, 91 insertions(+), 47 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 53adf96..4183ff5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
$Id$
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/… $
+3.3.5.1 (2010-10-20)
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
3.3.5.0 (2010-07-26)
- patch #2932113 [information_schema] Slow export when having lots of
databases, thanks to Stéphane Pontier - shadow_walker
diff --git a/Documentation.html b/Documentation.html
index 100b9ae..289d02a 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -10,7 +10,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.3.5 - Documentation</title>
+ <title>phpMyAdmin 3.3.5.1 - Documentation</title>
<link rel="stylesheet" type="text/css" href="docs.css" />
</head>
@@ -18,7 +18,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
<div id="header">
<h1>
<a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.5
+ 3.3.5.1
Documentation
</h1>
</div>
diff --git a/README b/README
index 279f66f..072d0d9 100644
--- a/README
+++ b/README
@@ -5,8 +5,8 @@ phpMyAdmin - Readme
A set of PHP-scripts to manage MySQL over the web.
- Version 3.3.5
- -------------
+ Version 3.3.5.1
+ ---------------
http://www.phpmyadmin.net/
Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com>
diff --git a/db_search.php b/db_search.php
index 751675d..455aa61 100644
--- a/db_search.php
+++ b/db_search.php
@@ -355,7 +355,7 @@ $alter_select =
<tr><td align="right">
<?php echo $GLOBALS['strSearchInField']; ?></td>
<td><input type="text" name="field_str" size="60"
- value="<?php echo ! empty($field_str) ? $field_str : ''; ?>" /></td>
+ value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td>
</tr>
</table>
</fieldset>
diff --git a/db_sql.php b/db_sql.php
index 2ac198b..420561e 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -37,7 +37,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
diff --git a/error.php b/error.php
index 674d08e..7e86ffb 100644
--- a/error.php
+++ b/error.php
@@ -76,10 +76,14 @@ header('Content-Type: text/html; charset=' . $charset);
<body>
<h1>phpMyAdmin - <?php echo $type; ?></h1>
<p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+ if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+ echo PMA_sanitize(stripslashes($_REQUEST['error']));
+ } else {
+ echo PMA_sanitize($_REQUEST['error']);
+ }
} else {
- echo PMA_sanitize($_REQUEST['error']);
+ echo 'No error message!';
}
?></p>
</body>
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index e73de8b..0ac18b2 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -92,7 +92,7 @@ class PMA_Config
*/
function checkSystem()
{
- $this->set('PMA_VERSION', '3.3.5');
+ $this->set('PMA_VERSION', '3.3.5.1');
/**
* @deprecated
*/
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index c62d518..4a9c789 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -575,7 +575,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
$formatted_sql = '';
} else {
if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
- $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+ $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
} else {
$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
}
@@ -705,22 +705,23 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
function PMA_sendHeaderLocation($uri)
{
if (PMA_IS_IIS && strlen($uri) > 600) {
+ require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' . "\n";
echo '<meta http-equiv="expires" content="0">' . "\n";
echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
- echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+ echo '<meta http-equiv="Refresh" content="0;url=' . htmlspecialchars($uri) . '">' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+ echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
echo '//]]>' . "\n";
echo '</script>' . "\n";
echo '</head>' . "\n";
echo '<body>' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'document.write(\'<p><a href="' . $uri . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
+ echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
echo '//]]>' . "\n";
echo '</script></body></html>' . "\n";
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index a7d9e72..3c0408d 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -205,6 +205,10 @@ function PMA_usort_comparison_callback($a, $b)
} else {
$sorter = 'strcasecmp';
}
+ /* No sorting when key is not present */
+ if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+ return 0;
+ }
// produces f.e.:
// return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php
index 4f59baa..1e5b401 100644
--- a/libraries/db_info.inc.php
+++ b/libraries/db_info.inc.php
@@ -213,7 +213,8 @@ if (! isset($sot_ready)) {
);
// Make sure the sort type is implemented
- if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) {
+ if (isset($sortable_name_mappings[$_REQUEST['sort']])) {
+ $sort = $sortable_name_mappings[$_REQUEST['sort']];
if ($_REQUEST['sort_order'] == 'DESC') {
$sort_order = 'DESC';
}
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 2754588..4750ee2 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -348,6 +348,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
// Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index 913bce6..52f7601 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -406,6 +406,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
} else {
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index 2b54bf1..d17fc50 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -9,17 +9,26 @@
/**
* Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
*
* @uses preg_replace()
* @uses strtr()
* @param string the message
+ * @param boolean whether to escape html in result
*
* @return string the sanitized message
*
* @access public
*/
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
{
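Review bot: the new @param entry, like the existing one, carries no variable name ("@param boolean whether to escape html in result"); phpDoc tools and IDEs need "@param string $message" and "@param boolean $escape". The docblock also tells callers to escape for attribute context, but the <a title="..."> example will show the <a href=...> markup that PMA_sanitize() generates for [a@...] codes as literal text inside the tooltip; say so explicitly, or note that the formatting codes are meaningless in an attribute and are neutralised rather than honoured.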
$replace_pairs = array(
'<' => '<',
@@ -67,6 +76,10 @@ function PMA_sanitize($message)
$message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
}
+ if ($escape) {
+ $message = htmlspecialchars($message);
+ }
+
return $message;
}
?>
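Review bot: the new htmlspecialchars() runs after the replace pairs and the [a@...] link rewrite on the line above have already produced HTML, so with $escape set the function escapes its own output: the generated <a href=...> tags become literal text and the ampersand of any entity the replace pairs emitted is escaped a second time. For an attribute value that is safe but lossy. If the intent is an attribute-safe copy of the sanitized message, apply htmlspecialchars() to the input and skip the link rewrite on that path, or document that $escape = true returns escaped markup rather than escaped text.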
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 53f239a..f844e23 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2456,7 +2456,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
}
$after .= "\n";
*/
- $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+ $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
} // end for
if ($mode=='color') {
$str .= '</span>';
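Review bot: only the non-color branch of the ternary is escaped, so the safety of this line now depends on PMA_SQP_formatHTML_colorize() escaping $arr[$i]['data'] on its own path. Confirm that it does and add a comment here; otherwise the colorized rendering of the same token still ships raw while the plain rendering is fixed. $before and $after are concatenated unescaped as well, which is fine only as long as they are built from literals, as the commented-out block above suggests.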
diff --git a/server_databases.php b/server_databases.php
index 47037cc..5e6d0ec 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -22,7 +22,21 @@ require './libraries/replication.inc.php';
if (empty($_REQUEST['sort_by'])) {
$sort_by = 'SCHEMA_NAME';
} else {
- $sort_by = PMA_sanitize($_REQUEST['sort_by']);
+ $sort_by_whitelist = array(
+ 'SCHEMA_NAME',
+ 'DEFAULT_COLLATION_NAME',
+ 'SCHEMA_TABLES',
+ 'SCHEMA_TABLE_ROWS',
+ 'SCHEMA_DATA_LENGTH',
+ 'SCHEMA_INDEX_LENGTH',
+ 'SCHEMA_LENGTH',
+ 'SCHEMA_DATA_FREE'
+ );
+ if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) {
+ $sort_by = $_REQUEST['sort_by'];
+ } else {
+ $sort_by = 'SCHEMA_NAME';
+ }
}
if (isset($_REQUEST['sort_order'])
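Review bot: in_array() is called without the strict flag; pass true as the third argument so the comparison is by identity rather than PHP's loose string/number rules, and so the intent (exact column names only) is explicit. The whitelist also duplicates the column list used to render and sort the table further down in this file; deriving both from one array keeps them from drifting when a column is added. Replacing PMA_sanitize() with a fixed list is the right move here, since sanitizing for display never made the value safe to use as a sort key.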
@@ -342,11 +356,11 @@ if ($databases_count > 0) {
unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) {
- $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats;
+ $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . $strWithChecked . '" />' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strCheckAll . '</a> / ' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strUncheckAll . '</a>' . "\n"
. '<i>' . $strWithChecked . '</i>' . "\n";
PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', $strDrop, 'b_deltbl.png');
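Review bot: the two hrefs lost their "?", so this hunk relies on PMA_generate_common_url() returning a string that already starts with "?" when given an array, whereas the no-argument form used before was appended after a literal "?". That contract is easy to break on the next edit; a short comment at this call, or a pointer to the function's docblock, would help. Passing sort_by, sort_order and dbstats through the array instead of string concatenation is the correct fix, since the function can encode them; the trailing "&checkall=1" is still concatenated by hand, which is fine for a constant.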
diff --git a/server_privileges.php b/server_privileges.php
index fd2796f..d43896b 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1151,7 +1151,7 @@ if (!empty($update_privs)) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
$message = PMA_Message::success('strUpdatePrivMessage');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
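Review bot: the same 'user'@'host' string is built and escaped at three call sites in this patch (here, revokeall and change_pw); a small helper that returns the escaped form would keep the next message-building site from forgetting it. Also check how PMA_Message renders its params: if addParam() or the message formatter escapes params already, this now double-encodes, and if it offers a mode that escapes the param for you, that is the better place for the escaping than each call site.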
@@ -1175,7 +1175,7 @@ if (isset($_REQUEST['revokeall'])) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1;
$message = PMA_Message::success('strRevokeMessage');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
if (! isset($tablename)) {
unset($dbname);
} else {
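Review bot: same change as in the update_privs hunk above, with the same double-escaping caveat; if PMA_Message is later changed to escape params itself, all three sites need to be reverted together, which is another reason to route this string through one helper rather than repeating the htmlspecialchars() calls.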
@@ -1211,7 +1211,7 @@ if (isset($_REQUEST['change_pw'])) {
PMA_DBI_try_query($local_query)
or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = PMA_Message::success('strPasswordChanged');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
}
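Review bot: the PMA_mysqlDie(PMA_DBI_getError(), ...) call two lines above this change now receives an already-escaped error message from the dbi layer (see the mysql and mysqli hunks in this patch); make sure PMA_mysqlDie() does not escape its first argument again, or the message shown on a failed password change will contain visible entities.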
@@ -1590,8 +1590,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($dbname)) {
echo ' <i><a href="server_privileges.php?'
- . $GLOBALS['url_query'] . '&username=' . urlencode($username)
- . '&hostname=' . urlencode($hostname) . '&dbname=&tablename=">\''
+ . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username))
+ . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">\''
. htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
. '\'</a></i>' . "\n";
$url_dbname = urlencode(str_replace(array('\_', '\%'), array('_', '%'), $dbname));
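Review bot: htmlspecialchars(urlencode($x)) is the right layering for a query-string value inside an HTML attribute (encode for the URL first, then for the attribute), but in practice it is a no-op: urlencode() already turns "&", "<", ">", double and single quotes into %XX sequences, so the outer call changes nothing. Keeping it is fine as documentation of intent, but then the same wrapper should be applied consistently across the file, and the later printf hunk, which inverts the order, should be brought in line with this one.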
@@ -1599,8 +1599,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] );
if (isset($tablename)) {
echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
- . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname)
- . '&dbname=' . $url_dbname . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
+ . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname))
+ . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>';
} else {
echo ' <i>' . htmlspecialchars($dbname) . '</i>';
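Review bot: htmlspecialchars($url_dbname) wraps a value that is already the output of urlencode() (assigned just above this hunk), so it cannot change the string; harmless, but misleading about which value was unsafe. A comment at the assignment ("already URL-encoded") or a name like $dbname_url would make that obvious. The link text on the same line, htmlspecialchars($dbname), is the part that needed escaping and is correct.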
@@ -1834,16 +1834,16 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
}
echo '</td>' . "\n"
. ' <td>';
- printf($link_edit, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_edit, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n"
. ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
- printf($link_revoke, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_revoke, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
}
echo '</td>' . "\n"
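Review bot: the escaping order is inverted for $hostname and $dbname in both printf() calls: urlencode(htmlspecialchars($hostname)) HTML-escapes first and then URL-encodes the entities, so a host or database name containing "&", "<", ">" or a double quote is sent to the edit/revoke link as "&amp;", "&lt;" and so on, and the target page receives the wrong name. $username on the line above uses the correct htmlspecialchars(urlencode(...)) order, which, since urlencode() already covers those characters, is equivalent to plain urlencode(). Use that order for all three arguments; $row['Db'] in the same ternary is left with urlencode() only, which is actually the consistent choice.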
@@ -1923,7 +1923,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($tablename)) {
echo ' [ ' . $GLOBALS['strTable'] . ' <a href="'
. $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query']
- . '&db=' . $url_dbname . '&table=' . urlencode($tablename)
+ . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename))
. '&reload=1">' . htmlspecialchars($tablename) . ': '
. PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable'])
. "</a> ]\n";
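Review bot: $url_dbname is concatenated bare here while the earlier hunk in this file wraps it in htmlspecialchars(); since it is urlencode() output either form is safe, but pick one convention so a reader auditing hrefs does not have to re-derive that each time. The htmlspecialchars(urlencode($tablename)) change is equally a no-op for the same reason; the link text htmlspecialchars($tablename) on the next line is where escaping matters and was already present.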
@@ -2150,7 +2150,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
// Offer to create a new user for the current database
echo '<fieldset id="fieldset_add_user">' . "\n"
- . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . $checkprivs .'">' . "\n"
+ . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . htmlspecialchars($checkprivs) .'">' . "\n"
. PMA_getIcon('b_usradd.png')
. ' ' . $GLOBALS['strAddUser'] . '</a>' . "\n"
. '</fieldset>' . "\n";
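Review bot: $checkprivs goes into a query-string parameter (&dbname=) but is only HTML-escaped, not URL-encoded. htmlspecialchars() leaves "#", "?", "%", "+", "/" and space untouched, so a database name containing any of them yields a link whose dbname is truncated or altered (a "#" ends the query string, a "+" arrives as a space). Use htmlspecialchars(urlencode($checkprivs)) as the other hrefs in this file do.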
diff --git a/sql.php b/sql.php
index 4898860..15b1beb 100644
--- a/sql.php
+++ b/sql.php
@@ -175,14 +175,14 @@ if ($do_confirm) {
.PMA_generate_common_hidden_inputs($db, $table);
?>
<input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
- <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+ <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
<input type="hidden" name="goto" value="<?php echo $goto; ?>" />
- <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
- <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
- <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
- <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
- <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
- <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+ <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+ <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+ <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+ <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+ <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+ <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
<?php
echo '<fieldset class="confirmation">' . "\n"
.' <legend>' . $strDoYouReally . '</legend>'
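Review bot: $goto on the hidden input between zero_rows and back is still echoed into a value attribute without escaping while every neighbouring field now gets PMA_sanitize($x, true); either it is validated against a fixed list earlier in the file, in which case a comment here saves the next auditor a search, or it needs the same treatment. Separately, these hidden fields are resubmitted on confirmation: PMA_sanitize() rewrites formatting codes to HTML before the new escape step, so a value such as zero_rows comes back on the next request as HTML markup rather than the original string. If round-tripping the original value matters, plain htmlspecialchars() on the raw value is the better choice for a hidden input; reload, purge and cpurge look like flags where this is moot.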
diff --git a/tbl_sql.php b/tbl_sql.php
index 5565d92..f3c3aac 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -38,7 +38,7 @@ require_once './libraries/tbl_links.inc.php';
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
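Review bot: escaping $_REQUEST['delimiter'] at the call site makes the caller responsible for knowing how PMA_sqlQueryForm() uses the value; if the function ever uses the delimiter for anything other than printing it into the form (splitting statements, a JavaScript snippet), it will receive entities instead of the character. Escaping where the value is written into the HTML, inside PMA_sqlQueryForm(), covers every caller at once, including the identical call in db_sql.php that this patch changes the same way.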
diff --git a/translators.html b/translators.html
index d847a9e..eb8c6ff 100644
--- a/translators.html
+++ b/translators.html
@@ -11,7 +11,7 @@
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.3.5 - Official translators</title>
+ <title>phpMyAdmin 3.3.5.1 - Official translators</title>
<link rel="stylesheet" type="text/css" href="docs.css" />
</head>
@@ -19,7 +19,7 @@
<div id="header">
<h1>
<a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.5
+ 3.3.5.1
official translators list
</h1>
</div>
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin branch, QA_3_3, updated. RELEASE_3_3_5_1-24-g8b53799
by Michal Čihař 20 Aug '10
The branch, QA_3_3 has been updated
via 8b53799f0da2992b41c1895a8e9f7db10fd2a82f (commit)
via 5a0fec9b3c6327bf8d4be31190f0a780a0071e2c (commit)
via 41145feb12e1fe2f7af54c1ccb89a714c39bfb12 (commit)
via d128f806057e752db082272fd5e5c2f7244821b9 (commit)
via 59b3b4916b31fa44f31b1e2d243ca7dda012ba37 (commit)
via 782b8b46be4f06c695ab713eeefbd75970358e2f (commit)
via bf60ec82e948450ae18b9e66c48d27da55ebe860 (commit)
via f273e6cbf6e2eea7367f7ef9c63c97ea55b92ca0 (commit)
via d2e0e09e0d402555a6223f0b683fdbfa97821a63 (commit)
via b337f45a0a1ba8ff28e3d13f194f137e9aa85e8e (commit)
via 05ca00e0a20d0eb4848d69bf7a1365df5bba872d (commit)
via 48e909660032ddcbc13172830761e363e7a64d72 (commit)
via be0f47a93141e2950ad400b8d22a2a98512825c2 (commit)
via cd205cc55a46e3dc0f8883966f5c854f842e1000 (commit)
via 7dc6cea06522b2d4af50934c983f3967540a4918 (commit)
via 6028221d97efa2a7d56a61ab4c5750d1b2343619 (commit)
via 2a1233b69ccc6c64819c2840ca5277c2dde0b9e0 (commit)
via 25ac7de38c125d8067f42bab24212891389ac1e3 (commit)
via fa30188dde357426d339d0d7e29a3969f88d188a (commit)
via 00add5c43f594f80dab6304a5bb35d2e50540d2d (commit)
via c75e41d5d8cdd9bbc745c8cbe2c16998fda1de0c (commit)
via 533e10213590e7ccd83b98a5cd19ba1c3be119dd (commit)
via ea3b718fc379c15e773cc2f18ea4c8ccfa9af57b (commit)
via 7f266483b827fb05a4be11663003418c2ef1c878 (commit)
via 5bcd95a42c8ba924d389eafee4d7be80bd4039a3 (commit)
via 6d548f7d449b7d4b796949d10a503484f63eaf82 (commit)
from 893abac3e516b3f6143925a5f24c8bc463639167 (commit)
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 3 +++
db_search.php | 2 +-
db_sql.php | 2 +-
error.php | 10 +++++++---
libraries/common.lib.php | 2 +-
libraries/core.lib.php | 7 ++++---
libraries/database_interface.lib.php | 4 ++++
libraries/db_info.inc.php | 3 ++-
libraries/dbi/mysql.dbi.lib.php | 2 ++
libraries/dbi/mysqli.dbi.lib.php | 2 ++
libraries/sanitizing.lib.php | 17 +++++++++++++++--
libraries/sqlparser.lib.php | 2 +-
server_databases.php | 22 ++++++++++++++++++----
server_privileges.php | 30 +++++++++++++++---------------
sql.php | 14 +++++++-------
tbl_sql.php | 2 +-
16 files changed, 84 insertions(+), 40 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f53c063..81670e9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #3044189 [doc] Cleared documentation for hide_db.
- bug #3042495 [core] Move PMA_sendHeaderLocation to core.lib.php.
+3.3.5.1 (2010-10-20)
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
3.3.5.0 (2010-07-26)
- patch #2932113 [information_schema] Slow export when having lots of
databases, thanks to Stéphane Pontier - shadow_walker
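Review bot: the new entry is dated "3.3.5.1 (2010-10-20)", but this push is dated 20 Aug '10 and the matching 2.11.10.1 entry in the QA_2_11 ChangeLog further down on this page reads 2010-08-20; the month looks like a typo and should be 2010-08-20. Citing PMASA-2010-5 in the entry is good; keep the advisory identifier in the release notes as well so the two stay linked.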
diff --git a/db_search.php b/db_search.php
index 751675d..455aa61 100644
--- a/db_search.php
+++ b/db_search.php
@@ -355,7 +355,7 @@ $alter_select =
<tr><td align="right">
<?php echo $GLOBALS['strSearchInField']; ?></td>
<td><input type="text" name="field_str" size="60"
- value="<?php echo ! empty($field_str) ? $field_str : ''; ?>" /></td>
+ value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td>
</tr>
</table>
</fieldset>
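Review bot: escaping the value is the right fix, but the ! empty($field_str) test drops a search string of "0" (empty('0') is true in PHP), so the field silently loses that value on redisplay. isset($field_str) ? htmlspecialchars($field_str) : '' keeps both the escaping and the value.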
diff --git a/db_sql.php b/db_sql.php
index 2ac198b..420561e 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -37,7 +37,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
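Review bot: identical change to tbl_sql.php in the same patch; both call sites now carry the escaping, which is two places to keep in sync. Moving the htmlspecialchars() into PMA_sqlQueryForm(), where the delimiter is written into the form, fixes every caller at once and keeps the raw delimiter available should the function need it for anything but display.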
diff --git a/error.php b/error.php
index 674d08e..7e86ffb 100644
--- a/error.php
+++ b/error.php
@@ -76,10 +76,14 @@ header('Content-Type: text/html; charset=' . $charset);
<body>
<h1>phpMyAdmin - <?php echo $type; ?></h1>
<p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+ if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+ echo PMA_sanitize(stripslashes($_REQUEST['error']));
+ } else {
+ echo PMA_sanitize($_REQUEST['error']);
+ }
} else {
- echo PMA_sanitize($_REQUEST['error']);
+ echo 'No error message!';
}
?></p>
</body>
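Review bot: the <h1> context line above the hunk still prints $type unescaped; if it is request-derived like "error" it needs the same treatment, and if it is not, a comment saying where it comes from belongs here so the next reader does not have to check. The magic_quotes branch duplicates the PMA_sanitize() call; normalise first ($error = get_magic_quotes_gpc() ? stripslashes($_REQUEST['error']) : $_REQUEST['error'];) and echo once, which also makes the empty-message fallback the only other branch. Note that !empty() treats an error string of "0" as absent, which is harmless here.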
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 1a62769..d5b38cc 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -575,7 +575,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
$formatted_sql = '';
} else {
if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
- $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+ $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
} else {
$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
}
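Review bot: the truncation branch is now escaped with htmlspecialchars() while the other branch relies on PMA_formatSql() to escape; that matches the sqlparser hunk in this patch, but add a comment so the asymmetry is not "fixed" later by escaping the formatted branch a second time. Also, substr() cuts on a byte count, so a multibyte query can be split inside a UTF-8 sequence; on PHP 5.4 and later, where the default charset is UTF-8, htmlspecialchars() returns an empty string for an invalid sequence and the displayed query would vanish. Use a multibyte-aware substring (the project's string library, if it provides one) before escaping.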
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index 3e6cc00..f7f9da4 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -614,22 +614,23 @@ function PMA_setCookie($cookie, $value, $default = null, $validity = null, $http
function PMA_sendHeaderLocation($uri)
{
if (PMA_IS_IIS && strlen($uri) > 600) {
+ require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' . "\n";
echo '<meta http-equiv="expires" content="0">' . "\n";
echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
- echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+ echo '<meta http-equiv="Refresh" content="0;url=' . htmlspecialchars($uri) . '">' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+ echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
echo '//]]>' . "\n";
echo '</script>' . "\n";
echo '</head>' . "\n";
echo '<body>' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'document.write(\'<p><a href="' . $uri . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
+ echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
echo '//]]>' . "\n";
echo '</script></body></html>' . "\n";
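Review bot: the setTimeout() call on the unescape(...) line passes a string that is evaluated as code, so $uri sits inside two string literals, the outer double-quoted one and the inner single-quoted one. PMA_escapeJsString() escapes for one level only; once the outer literal is parsed, an escaped quote is back to a bare quote when the inner code is evaluated. Pass a function instead of a string (setTimeout(function () { window.location = '...'; }, 2000)) so there is a single string context, and escape for that one. The document.write() line has the opposite gap: htmlspecialchars($uri) escapes for the HTML attribute, but the whole <p><a href=...> fragment is itself a single-quoted JavaScript string literal, and htmlspecialchars() by default leaves the single quote and the backslash alone, so it needs PMA_escapeJsString() applied on top of the HTML escaping. The meta refresh line is fine as changed. unescape() also decodes any %XX in the target before navigating, which may not be intended for an already-encoded redirect URL.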
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index 501c34d..300a925 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -205,6 +205,10 @@ function PMA_usort_comparison_callback($a, $b)
} else {
$sorter = 'strcasecmp';
}
+ /* No sorting when key is not present */
+ if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+ return 0;
+ }
// produces f.e.:
// return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
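Review bot: returning 0 when either row lacks the sort key makes the comparator inconsistent (a row without the key compares equal to every other row while rows with the key are ordered among themselves), which is not a total order; usort() then produces implementation-dependent output and can place the keyless rows anywhere. Treat a missing key as smaller (or larger) than any present value so the ordering stays transitive, e.g. return -1 when only $a lacks it and 1 when only $b does. The check is still the right guard against an undefined-index notice when callback_sort_by names a column that some rows do not carry; the whitelist added in server_databases.php in this same patch is what should make that case rare.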
diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php
index 4f59baa..1e5b401 100644
--- a/libraries/db_info.inc.php
+++ b/libraries/db_info.inc.php
@@ -213,7 +213,8 @@ if (! isset($sot_ready)) {
);
// Make sure the sort type is implemented
- if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) {
+ if (isset($sortable_name_mappings[$_REQUEST['sort']])) {
+ $sort = $sortable_name_mappings[$_REQUEST['sort']];
if ($_REQUEST['sort_order'] == 'DESC') {
$sort_order = 'DESC';
}
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 2754588..4750ee2 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -348,6 +348,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
// Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index f3bcf26..9672385 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -405,6 +405,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
} else {
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index 2b54bf1..d17fc50 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -9,17 +9,26 @@
/**
* Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
*
* @uses preg_replace()
* @uses strtr()
* @param string the message
+ * @param boolean whether to escape html in result
*
* @return string the sanitized message
*
* @access public
*/
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
{
$replace_pairs = array(
'<' => '<',
@@ -67,6 +76,10 @@ function PMA_sanitize($message)
$message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
}
+ if ($escape) {
+ $message = htmlspecialchars($message);
+ }
+
return $message;
}
?>
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 53f239a..f844e23 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2456,7 +2456,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
}
$after .= "\n";
*/
- $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+ $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
} // end for
if ($mode=='color') {
$str .= '</span>';
diff --git a/server_databases.php b/server_databases.php
index 47037cc..5e6d0ec 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -22,7 +22,21 @@ require './libraries/replication.inc.php';
if (empty($_REQUEST['sort_by'])) {
$sort_by = 'SCHEMA_NAME';
} else {
- $sort_by = PMA_sanitize($_REQUEST['sort_by']);
+ $sort_by_whitelist = array(
+ 'SCHEMA_NAME',
+ 'DEFAULT_COLLATION_NAME',
+ 'SCHEMA_TABLES',
+ 'SCHEMA_TABLE_ROWS',
+ 'SCHEMA_DATA_LENGTH',
+ 'SCHEMA_INDEX_LENGTH',
+ 'SCHEMA_LENGTH',
+ 'SCHEMA_DATA_FREE'
+ );
+ if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) {
+ $sort_by = $_REQUEST['sort_by'];
+ } else {
+ $sort_by = 'SCHEMA_NAME';
+ }
}
if (isset($_REQUEST['sort_order'])
@@ -342,11 +356,11 @@ if ($databases_count > 0) {
unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) {
- $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats;
+ $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . $strWithChecked . '" />' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strCheckAll . '</a> / ' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strUncheckAll . '</a>' . "\n"
. '<i>' . $strWithChecked . '</i>' . "\n";
PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', $strDrop, 'b_deltbl.png');
diff --git a/server_privileges.php b/server_privileges.php
index 3f14c3f..44e9be7 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1153,7 +1153,7 @@ if (!empty($update_privs)) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
$message = PMA_Message::success('strUpdatePrivMessage');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
@@ -1177,7 +1177,7 @@ if (isset($_REQUEST['revokeall'])) {
}
$sql_query = $sql_query0 . ' ' . $sql_query1;
$message = PMA_Message::success('strRevokeMessage');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
if (! isset($tablename)) {
unset($dbname);
} else {
@@ -1213,7 +1213,7 @@ if (isset($_REQUEST['change_pw'])) {
PMA_DBI_try_query($local_query)
or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = PMA_Message::success('strPasswordChanged');
- $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+ $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
}
@@ -1595,8 +1595,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($dbname)) {
echo ' <i><a href="server_privileges.php?'
- . $GLOBALS['url_query'] . '&username=' . urlencode($username)
- . '&hostname=' . urlencode($hostname) . '&dbname=&tablename=">\''
+ . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username))
+ . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">\''
. htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
. '\'</a></i>' . "\n";
$url_dbname = urlencode(str_replace(array('\_', '\%'), array('_', '%'), $dbname));
@@ -1604,8 +1604,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] );
if (isset($tablename)) {
echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
- . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname)
- . '&dbname=' . $url_dbname . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
+ . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname))
+ . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>';
} else {
echo ' <i>' . htmlspecialchars($dbname) . '</i>';
@@ -1839,16 +1839,16 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
}
echo '</td>' . "\n"
. ' <td>';
- printf($link_edit, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_edit, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n"
. ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
- printf($link_revoke, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+ printf($link_revoke, htmlspecialchars(urlencode($username)),
+ urlencode(htmlspecialchars($hostname)),
+ urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name']));
}
echo '</td>' . "\n"
@@ -1928,7 +1928,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($tablename)) {
echo ' [ ' . $GLOBALS['strTable'] . ' <a href="'
. $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query']
- . '&db=' . $url_dbname . '&table=' . urlencode($tablename)
+ . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename))
. '&reload=1">' . htmlspecialchars($tablename) . ': '
. PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable'])
. "</a> ]\n";
@@ -2155,7 +2155,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
// Offer to create a new user for the current database
echo '<fieldset id="fieldset_add_user">' . "\n"
- . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . $checkprivs .'">' . "\n"
+ . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . htmlspecialchars($checkprivs) .'">' . "\n"
. PMA_getIcon('b_usradd.png')
. ' ' . $GLOBALS['strAddUser'] . '</a>' . "\n"
. '</fieldset>' . "\n";
diff --git a/sql.php b/sql.php
index 4dbfee2..b728184 100644
--- a/sql.php
+++ b/sql.php
@@ -175,14 +175,14 @@ if ($do_confirm) {
.PMA_generate_common_hidden_inputs($db, $table);
?>
<input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
- <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+ <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
<input type="hidden" name="goto" value="<?php echo $goto; ?>" />
- <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
- <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
- <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
- <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
- <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
- <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+ <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+ <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+ <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+ <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+ <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+ <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
<?php
echo '<fieldset class="confirmation">' . "\n"
.' <legend>' . $strDoYouReally . '</legend>'
diff --git a/tbl_sql.php b/tbl_sql.php
index 5565d92..f3c3aac 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -38,7 +38,7 @@ require_once './libraries/tbl_links.inc.php';
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin branch, QA_2_11, updated. RELEASE_2_11_10_1-4-gc1865ca
by Michal Čihař 20 Aug '10
The branch, QA_2_11 has been updated
via c1865ca7b863bd919b91313806ea47570de8347c (commit)
via b1cb5590eefd2977bdb3a6e45796d5a4189e95ad (commit)
via 437e00ef2eec5fbc743f652c93d90b3853dcf825 (commit)
via a88dbaf305a44107ffb557e9d93512792744af84 (commit)
via e7d10a6d53582abcf20455ad0051048a991023af (commit)
via 2051a861f8a968dafc297650036cc7e640a18887 (commit)
via 0fd0512c9b7344abad60ab9effb7b7537b2b5d08 (commit)
via 4a50055d52cb1d6ba125b743b0eb422d5549b9c9 (commit)
via 30c83acddb58d3bbf940b5f9ec28abf5b235f4d2 (commit)
via a7c004d8d4069ca3c7d1c221f37b9cab39e36aaf (commit)
via 8b7f07cd954221f276ab11e2c3d98f18deb2f551 (commit)
via 1fe1aa6c0e2d85bed1343f4be21d672368e0a9c1 (commit)
via 8b8ce64792bb981cefc37a19f29f28f112df1c16 (commit)
via 0fe30236fac3c00ff123b9d48cc0b4b2ff6a7746 (commit)
via a4a54da173440d4c5097aececef56c28c14dc52e (commit)
via c69fca50ee81ff74cda860aad339d4185d32e194 (commit)
via c910f4c9ec9af876675d96df3fa65d7fc4551cc6 (commit)
via 08e27b89077df26a0f7f0390322bbe80e0437aa1 (commit)
via 110c44a7a3117b94b065742606cc6f7bc05f8cd5 (commit)
via 4951fd1c854d88e22935fd55d342fcb1670dc8e4 (commit)
from 8ae41bbc0238581d5e0e692e4dc67e35ded00170 (commit)
- Log -----------------------------------------------------------------
commit c1865ca7b863bd919b91313806ea47570de8347c
Merge: 8ae41bbc0238581d5e0e692e4dc67e35ded00170 b1cb5590eefd2977bdb3a6e45796d5a4189e95ad
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:32:34 2010 +0200
Merge branch 'MAINT_2_11_10' into QA_2_11
Conflicts:
ChangeLog
Documentation.html
README
libraries/Config.class.php
translators.html
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 5 +++++
db_sql.php | 2 +-
error.php | 10 +++++++---
libraries/common.lib.php | 9 +++++----
libraries/database_interface.lib.php | 4 ++++
libraries/dbi/mysql.dbi.lib.php | 2 ++
libraries/dbi/mysqli.dbi.lib.php | 2 ++
libraries/sanitizing.lib.php | 17 +++++++++++++++--
libraries/sqlparser.lib.php | 2 +-
scripts/setup.php | 1 +
server_databases.php | 6 +++---
server_privileges.php | 32 ++++++++++++++++----------------
sql.php | 14 +++++++-------
tbl_sql.php | 2 +-
14 files changed, 70 insertions(+), 38 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 34d1338..72d2cbc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,11 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
2.11.11.0 (not yet released)
- [core] Fix broken cleanup of $_GET
+2.11.10.1 (2010-08-20)
+- [setup] Fixed output sanitizing in setup script, see PMASA-2010-4 for
+ more details.
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
2.11.10.0 (2009-12-07)
- [core] safer handling of temporary files with open_basedir (thanks to Thijs
Kinkhorst)
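Review bot: the new 2.11.10.1 entries cover the sanitizing and XSS fixes but not the error.php change in this same merge, where an empty `error` parameter now prints `No error message!` instead of echoing an unset value; a user-visible behaviour change like that deserves its own line.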
diff --git a/db_sql.php b/db_sql.php
index 6c582c3..32d30e4 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -36,7 +36,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
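Review bot: this is the identical one-line fix applied to tbl_sql.php; since both call sites hand the delimiter to PMA_sqlQueryForm, escaping inside that function where the value is echoed would cover every caller (including any added later) instead of relying on each script to pre-escape its argument.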
diff --git a/error.php b/error.php
index e0abb44..750ac60 100644
--- a/error.php
+++ b/error.php
@@ -73,10 +73,14 @@ header('Content-Type: text/html; charset=' . $charset);
<body>
<h1>phpMyAdmin - <?php echo $type; ?></h1>
<p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+ if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+ echo PMA_sanitize(stripslashes($_REQUEST['error']));
+ } else {
+ echo PMA_sanitize($_REQUEST['error']);
+ }
} else {
- echo PMA_sanitize($_REQUEST['error']);
+ echo 'No error message!';
}
?></p>
</body>
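Review bot: `!empty($_REQUEST['error'])` treats the string `"0"` as absent, so an error message consisting of `0` prints `No error message!`; `isset()` plus a `strlen()` check is the usual idiom in this code base. Also, `'No error message!'` is a hard-coded English string while the rest of the code pulls text from `$GLOBALS['str...']` (see `$GLOBALS['strGo']` in the common.lib.php hunk below); a localized string would be consistent.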
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 626bbe3..716af94 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -473,7 +473,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
$formatted_sql = '';
} else {
if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
- $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+ $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
} else {
$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
}
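Review bot: the two branches now escape by different routes: the truncated branch calls htmlspecialchars directly, while the full-length branch relies on PMA_formatSql/PMA_SQP_parse to emit safe HTML (which the sqlparser.lib.php hunk in this merge patches for `text` mode). A comment at the `if` stating that both branches must return HTML-safe output would stop the next edit from dropping the escaping on one side. Separately, `substr` can cut a multibyte character at `MaxCharactersInDisplayedSQL`; a multibyte-aware substring would avoid emitting a broken sequence into the page.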
@@ -622,22 +622,23 @@ function PMA_convert_using($string, $mode='unquoted', $force_utf8 = false)
function PMA_sendHeaderLocation($uri)
{
if (PMA_IS_IIS && strlen($uri) > 600) {
+ require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' . "\n";
echo '<meta http-equiv="expires" content="0">' . "\n";
echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
- echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+ echo '<meta http-equiv="Refresh" content="0;url=' . htmlspecialchars($uri) . '">' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+ echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
echo '//]]>' . "\n";
echo '</script>' . "\n";
echo '</head>' . "\n";
echo '<body>' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'document.write(\'<p><a href="' . $uri . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
+ echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
echo '//]]>' . "\n";
echo '</script></body></html>' . "\n";
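Review bot: the quoting around the URI in the `setTimeout` line looks off. The emitted JavaScript is `setTimeout("window.location = unescape('" <uri> "')", 2000);`: the `"` just before the URI closes the string passed to setTimeout, so the escaped URI lands between two string literals rather than inside one. PMA_escapeJsString is the right tool, but a direct `window.location = '<escaped uri>';` inside a function body (no string-eval form of setTimeout, no `unescape()`) has a single escaping layer and is easier to verify. Note too that htmlspecialchars on the `Refresh` meta and the `href` only prevents breaking out of the attribute; it does not constrain where `$uri` points, so the guarantee still rests on how `$uri` is built by the callers.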
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index 9a40c55..b7d122c 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -208,6 +208,10 @@ function PMA_usort_comparison_callback($a, $b)
} else {
$sorter = 'strcasecmp';
}
+ /* No sorting when key is not present */
+ if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+ return 0;
+ }
// produces f.e.:
// return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
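Review bot: returning 0 when the sort key is missing from either row makes the comparator inconsistent (a row lacking the key compares equal to every other row), so the order usort produces depends on the input order. It does stop an undefined-index notice from reaching the page, which is the immediate goal, but the cleaner fix is to validate `callback_sort_by` against the column names that actually exist before sorting, so the comparator never sees a missing key.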
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 3ae84b8..b0275b1 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -300,6 +300,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
// Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
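Review bot: escaping inside PMA_DBI_getError changes the function's contract: every caller now receives an HTML-encoded string. Callers that already escape the message, or that write it somewhere that is not HTML (a log, an export), will double-encode or show entities. Either document in the docblock that the return value is HTML-safe and audit the callers for double escaping, or keep the function raw and escape at the output sites.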
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index 705477e..13b3eaf 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -417,6 +417,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
} elseif (defined('PMA_MYSQL_INT_VERSION') && PMA_MYSQL_INT_VERSION >= 40100) {
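Review bot: same escaping as in mysql.dbi.lib.php, followed by the same `error_number == 2002` branch; the two drivers duplicate this logic line for line, so putting the htmlspecialchars call in a shared helper both drivers call would keep them from drifting apart the next time one is touched.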
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index 388ca13..3ba7224 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -7,17 +7,26 @@
/**
* Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
*
* @uses preg_replace()
* @uses strtr()
* @param string the message
+ * @param boolean whether to escape html in result
*
* @return string the sanitized message
*
* @access public
*/
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
{
$replace_pairs = array(
'<' => '<',
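Review bot: the attribute example in the docblock is misleading given the second hunk: `$escape` runs htmlspecialchars after the `[a@...]` link markup has already been turned into `<a href=...>` tags, so with `true` that markup is shown as literal text rather than rendered. Say explicitly that `$escape = true` disables the formatting codes and is meant for attribute values only. Separately, the first replace pair shows as `'<' => '<'` in this mail, presumably entity-decoded in transit; confirm the file reads `'<' => '&lt;'`.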
@@ -65,6 +74,10 @@ function PMA_sanitize($message)
$message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
}
+ if ($escape) {
+ $message = htmlspecialchars($message);
+ }
+
return $message;
}
?>
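Review bot: the order of operations double-encodes. `$replace_pairs` at the top of the function has already turned `<` into its entity by the time this block runs, so htmlspecialchars encodes the leading `&` again and a message containing `<` comes out as `&amp;lt;`, which renders as a literal `&lt;` in the attribute. Either apply htmlspecialchars to the raw input before the replacement pairs (and skip the `<`/`>` pairs when `$escape` is set), or pass `double_encode = false` (the fourth htmlspecialchars argument, PHP 5.2.3+).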
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 488cde2..753f94c 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2425,7 +2425,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
}
$after .= "\n";
*/
- $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+ $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
} // end for
if ($mode=='color') {
$str .= '</span>';
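Review bot: this escapes the `text` branch only; the `color` branch still returns PMA_SQP_formatHTML_colorize($arr[$i]) as-is, so the fix is complete only if that function escapes the token data itself. Worth confirming and leaving a one-line comment here, since the same token reaches the page through the other mode.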
diff --git a/scripts/setup.php b/scripts/setup.php
index 2f3d09d..49dd67b 100644
--- a/scripts/setup.php
+++ b/scripts/setup.php
@@ -518,6 +518,7 @@ function get_cfg_val($name, $val) {
}
}
if ($type == 'string') {
+ $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
$ret .= get_cfg_val($name . "['$k']", $v);
} elseif ($type == 'int') {
$ret .= ' ' . PMA_var_export($v) . ',' . $crlf;
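Review bot: rewriting every non-`[A-Za-z0-9_]` character to `_` silently changes the key instead of rejecting it, and two different keys (one with a `.` and one with a `-` in the same position, say) collapse to the same name. Since `PMA_var_export` is already used for values in the `int` branch, emitting the key as `PMA_var_export($k)` would give a properly quoted literal for any key; if the intent is a whitelist, fail loudly on an invalid key rather than mangle it.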
diff --git a/server_databases.php b/server_databases.php
index b9b8898..2b3e0a5 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -287,11 +287,11 @@ if ($databases_count > 0) {
unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) {
- $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats;
+ $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . $strWithChecked . '" />' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strCheckAll . '</a> / ' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
. ' ' . $strUncheckAll . '</a>' . "\n"
. '<i>' . $strWithChecked . '</i>' . "\n";
PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', $strDrop, 'b_deltbl.png');
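Review bot: dropping the `?` from the href assumes PMA_generate_common_url(array(...)) returns a string that already starts with `?`; if it returns an empty string or a bare query (for example when no common parameters are set), the link becomes `./server_databases.phpsort_by=...`. A comment at the assignment noting the leading-`?` contract would help. Also, `&checkall=1` is still concatenated with a raw `&`; inside an attribute it should be `&amp;` (existing practice in this file, so a style note only).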
diff --git a/server_privileges.php b/server_privileges.php
index 23d174b..a030c56 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -602,7 +602,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
. $spaces . ' <option value="userdefined"' . ((!isset($GLOBALS['pred_username']) || $GLOBALS['pred_username'] == 'userdefined') ? ' selected="selected"' : '') . '>' . $GLOBALS['strUseTextField'] . ':</option>' . "\n"
. $spaces . ' </select>' . "\n"
. $spaces . '</span>' . "\n"
- . $spaces . '<input type="text" name="username" maxlength="' . $username_length . '" title="' . $GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username']) ? '' : ' value="' . (isset($GLOBALS['new_username']) ? $GLOBALS['new_username'] : $GLOBALS['username']) . '"') . ' onchange="pred_username.value = \'userdefined\';" />' . "\n"
+ . $spaces . '<input type="text" name="username" maxlength="' . $username_length . '" title="' . $GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username']) ? '' : ' value="' . htmlspecialchars(isset($GLOBALS['new_username']) ? $GLOBALS['new_username'] : $GLOBALS['username']) . '"') . ' onchange="pred_username.value = \'userdefined\';" />' . "\n"
. $spaces . '</div>' . "\n"
. $spaces . '<div class="item">' . "\n"
. $spaces . '<label for="select_pred_hostname">' . "\n"
@@ -650,7 +650,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
. $spaces . ' <option value="userdefined"' . ((isset($GLOBALS['pred_hostname']) && $GLOBALS['pred_hostname'] == 'userdefined') ? ' selected="selected"' : '') . '>' . $GLOBALS['strUseTextField'] . ':</option>' . "\n"
. $spaces . ' </select>' . "\n"
. $spaces . '</span>' . "\n"
- . $spaces . '<input type="text" name="hostname" maxlength="' . $hostname_length . '" value="' . (isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '') . '" title="' . $GLOBALS['strHost'] . '" onchange="pred_hostname.value = \'userdefined\';" />' . "\n"
+ . $spaces . '<input type="text" name="hostname" maxlength="' . $hostname_length . '" value="' . htmlspecialchars(isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '') . '" title="' . $GLOBALS['strHost'] . '" onchange="pred_hostname.value = \'userdefined\';" />' . "\n"
. $spaces . '</div>' . "\n"
. $spaces . '<div class="item">' . "\n"
. $spaces . '<label for="select_pred_password">' . "\n"
@@ -757,14 +757,14 @@ if (!empty($adduser_submit) || !empty($change_copy)) {
if (PMA_DBI_num_rows($res) == 1) {
PMA_DBI_free_result($res);
- $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . $username . '\'@\'' . $hostname . '\'[/i]');
+ $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'[/i]');
$adduser = 1;
} else {
PMA_DBI_free_result($res);
if (50002 <= PMA_MYSQL_INT_VERSION) {
// MySQL 5 requires CREATE USER before any GRANT on this user can done
- $create_user_real = 'CREATE USER \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\'';
+ $create_user_real = 'CREATE USER \'' . PMA_sqlAddslashes($username) . '\'@\'' . htmlspecialchars($hostname) . '\'';
}
$real_sql_query =
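Review bot: htmlspecialchars is the wrong escaper for `$create_user_real`: this string is the SQL statement that gets executed, not displayed, so the hostname needs the same PMA_sqlAddslashes treatment the username gets on the same line. HTML escaping leaves the single quote alone (ENT_QUOTES is not passed) and would turn a legitimate `&` in a hostname into `&amp;` inside the statement. Keep htmlspecialchars for the `$message` line above, which is HTML output.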
@@ -1048,7 +1048,7 @@ if (!empty($update_privs)) {
$sql_query = (isset($sql_query0) ? $sql_query0 . ' ' : '')
. (isset($sql_query1) ? $sql_query1 . ' ' : '')
. $sql_query2;
- $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . $username . '\'@\'' . $hostname . '\'');
+ $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
@@ -1080,7 +1080,7 @@ if (!empty($revokeall)) {
unset($sql_query1);
}
$sql_query = $sql_query0 . (isset($sql_query1) ? ' ' . $sql_query1 : '');
- $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . $username . '\'@\'' . $hostname . '\'');
+ $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
if (! isset($tablename) || ! strlen($tablename)) {
unset($dbname);
} else {
@@ -1115,7 +1115,7 @@ if (!empty($change_pw)) {
$sql_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
$local_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
- $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . $username . '\'@\'' . $hostname . '\'');
+ $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
}
}
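Review bot: the `$message` line is fixed for HTML output, but the two `SET PASSWORD` statements just above it still interpolate `$hostname` into SQL with no escaping, while `$username` on the same lines goes through PMA_sqlAddslashes. Apply PMA_sqlAddslashes to `$hostname` in `$sql_query` and `$local_query` as well; escaping the message does nothing for the query.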
@@ -1588,17 +1588,17 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
echo '<h2>' . "\n"
. ($GLOBALS['cfg']['PropertiesIconic'] ? '<img class="icon" src="' . $pmaThemeImage . 'b_usredit.png" width="16" height="16" alt="" />' : '')
- . $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n";
+ . $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n";
if (isset($dbname) && strlen($dbname)) {
if ($dbname_is_wildcard) {
echo ' - ' . $GLOBALS['strDatabases'];
} else {
echo ' - ' . $GLOBALS['strDatabase'];
}
- $url_dbname = urlencode(str_replace('\_', '_', $dbname));
+ $url_dbname = htmlspecialchars(urlencode(str_replace('\_', '_', $dbname)));
echo ' <i><a href="' . $GLOBALS['cfg']['DefaultTabDatabase'] . '?' . $GLOBALS['url_query'] . '&db=' . $url_dbname . '&reload=1">' . htmlspecialchars($dbname) . '</a></i>' . "\n";
if (isset($tablename) && strlen($tablename)) {
- echo ' - ' . $GLOBALS['strTable'] . ' <i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] . '&db=' . $url_dbname . '&table=' . urlencode($tablename) . '&reload=1">' . htmlspecialchars($tablename) . '</a></i>' . "\n";
+ echo ' - ' . $GLOBALS['strTable'] . ' <i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename)) . '&reload=1">' . htmlspecialchars($tablename) . '</a></i>' . "\n";
}
unset($url_dbname);
}
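Review bot: wrapping `urlencode($username)` in htmlspecialchars is a no-op: urlencode only emits alphanumerics, `-_.`, `+` and `%XX` sequences, none of which htmlspecialchars changes. What can break the `href` here is the raw `&` separators and whatever `$GLOBALS['url_query']` contains, so if that value is not already attribute-safe the fix belongs there; the same applies to `$url_dbname` and the `table=` parameter below. If the wrapper is meant as defence in depth, a short comment saying so will stop the next reader from removing it.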
@@ -1839,16 +1839,16 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
}
echo '</td>' . "\n"
. ' <td>';
- printf($link_edit, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname),
+ printf($link_edit, htmlspecialchars(urlencode($username)),
+ htmlspecialchars(urlencode($hostname)),
+ htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n"
. ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
- printf($link_revoke, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname),
+ printf($link_revoke, htmlspecialchars(urlencode($username)),
+ htmlspecialchars(urlencode($hostname)),
+ htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
}
echo '</td>' . "\n"
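Review bot: same no-op as in the previous hunk (htmlspecialchars on an already urlencode'd value), and the fourth printf argument (`Table_name`) is left without the wrapper, which makes the intent look inconsistent even though none of the four need it. Either wrap all four for uniformity with an explanatory comment, or drop the wrappers and escape `$link_edit`/`$link_revoke` where those templates are built.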
diff --git a/sql.php b/sql.php
index 35bdab5..2a744c5 100644
--- a/sql.php
+++ b/sql.php
@@ -175,14 +175,14 @@ if ($do_confirm) {
.PMA_generate_common_hidden_inputs($db, $table);
?>
<input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
- <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+ <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
<input type="hidden" name="goto" value="<?php echo $goto; ?>" />
- <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
- <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
- <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
- <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
- <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
- <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+ <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+ <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+ <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+ <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+ <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+ <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
<?php
echo '<fieldset class="confirmation">' . "\n"
.' <legend>' . $strDoYouReally . '</legend>'
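Review bot: `goto` is the one hidden field in this block still echoed raw (`value="<?php echo $goto; ?>"`) while every neighbour now goes through PMA_sanitize(..., true) or htmlspecialchars. Unless `$goto` has been validated earlier against the list of allowed target scripts, it needs the same attribute escaping.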
diff --git a/tbl_sql.php b/tbl_sql.php
index f27a3b9..f9c71d8 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -37,7 +37,7 @@ require_once './libraries/tbl_links.inc.php';
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
hooks/post-receive
--
phpMyAdmin

[Phpmyadmin-git] [SCM] phpMyAdmin annotated tag, RELEASE_3_3_5_1, created. RELEASE_3_3_5_1
by Michal Čihař 20 Aug '10
The annotated tag, RELEASE_3_3_5_1 has been created
at e6112b8db126558dcca7695b6ca04e8d46fad53e (tag)
tagging 5a0fec9b3c6327bf8d4be31190f0a780a0071e2c (commit)
replaces RELEASE_3_3_5
tagged by Michal Čihař
on Fri Aug 20 13:55:43 2010 +0200
- Log -----------------------------------------------------------------
Released 3.3.5.1
Herman van Rink (1):
Fix XSS on error with very long query.
Marc Delisle (2):
Fix XSS on delimiter in db_sql.php.
Limit list of correct values for sort order.
Michal Čihař (21):
Fix XSS on field_str in db_search.php.
Fix XSS on delimiter in tbl_sql.php.
Secure handling of sort_by and sort_order in server_databases.php.
Fix handling of unknown sort order.
Add option to escape PMA_sanitize output.
Escape html chars in form values.
Document PMA_sanitize.
Fix XSS on checkprivs.
Fix XSS on dbname.
Fix XSS on tablename and pred_tablename.
Fix XSS on username.
Fix XSS on hostname.
Properly check validity of sort parameter.
Do not assume that DefaultLang is escaped.
Revert "Do not assume that DefaultLang is escaped."
Fix XSS with $cfg['SQP']['fmtType'] = 'text'.
Fix possible XSS on IIS redirect page.
Avoid information disclosure on error.
Escape error message coming from MySQL to avoid XSS on bad parameters.
Changelog.
Set version to 3.3.5.1.
-----------------------------------------------------------------------
hooks/post-receive
--
phpMyAdmin