Branch: refs/heads/master
Home: https://github.com/phpmyadmin/phpmyadmin
Commit: f7d1c1f46382e7e6464fd92529d4410e635805f1
https://github.com/phpmyadmin/phpmyadmin/commit/f7d1c1f46382e7e6464fd92529d…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M ChangeLog
Log Message:
-----------
Changelog entries for security release
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 4f57305eab809a8ecfe613e38b2b5d3a4b190505
https://github.com/phpmyadmin/phpmyadmin/commit/4f57305eab809a8ecfe613e38b2…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.php
Log Message:
-----------
Release 4.6.3
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: f2db92434b71973a1281dfbaec8837e51e602c77
https://github.com/phpmyadmin/phpmyadmin/commit/f2db92434b71973a1281dfbaec8…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M examples/openid.php
M import.php
M js/ajax.js
M js/console.js
M js/functions.js
M js/get_image.js.php
M js/get_scripts.js.php
M js/tbl_chart.js
M libraries/Config.php
M libraries/DbQbe.php
M libraries/Header.php
M libraries/SavedSearches.php
M libraries/Tracker.php
M libraries/Util.php
M libraries/config/FormDisplay.php
M libraries/config/Validator.php
M libraries/controllers/table/TableSearchController.php
M libraries/core.lib.php
M libraries/operations.lib.php
M libraries/plugins/export/ExportSql.php
M libraries/plugins/transformations/abs/DateFormatTransformationsPlugin.php
M libraries/plugins/transformations/abs/DownloadTransformationsPlugin.php
M libraries/plugins/transformations/abs/ImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/InlineTransformationsPlugin.php
M libraries/plugins/transformations/abs/LongToIPv4TransformationsPlugin.php
M libraries/plugins/transformations/abs/PreApPendTransformationsPlugin.php
M libraries/plugins/transformations/abs/SubstringTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
M libraries/server_privileges.lib.php
M libraries/transformations.lib.php
M setup/config.php
M setup/frames/index.inc.php
M setup/validate.php
M templates/columns_definitions/transformation.phtml
M templates/server/binlog/log_selector.phtml
M templates/server/databases/table_row.phtml
M templates/table/search/rows_zoom.phtml
M templates/table/structure/display_partitions.phtml
M templates/table/structure/display_table_stats.phtml
M test/classes/plugin/transformations/TransformationPluginsTest.php
M test/libraries/PMA_transformation_test.php
A test/libraries/core/PMA_cleanupPathInfo_test.php
M test/libraries/core/PMA_warnMissingExtension_test.php
Log Message:
-----------
Fix merge conflicts
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 58534ce2fc4f964c78dfe83ff5f21e05793c3a4f
https://github.com/phpmyadmin/phpmyadmin/commit/58534ce2fc4f964c78dfe83ff5f…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.php
Log Message:
-----------
Prepare for 4.6.4-dev
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 292c0a1ff9ccc0b89d6496f9f3bd446bc30cd91a
https://github.com/phpmyadmin/phpmyadmin/commit/292c0a1ff9ccc0b89d6496f9f3b…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M ChangeLog
Log Message:
-----------
Fix merge conflicts
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/c3f7aa8190b4...292c0a1ff9cc
Branch: refs/heads/master
Home: https://github.com/phpmyadmin/phpmyadmin
Commit: d76496ba1d11de13ba1f982a462e014f9d923b29
https://github.com/phpmyadmin/phpmyadmin/commit/d76496ba1d11de13ba1f982a462…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M ChangeLog
M libraries/config/FormDisplay.php
Log Message:
-----------
Setup script did not properly use input type password in all cases
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 72213573182896bd6a6e5af5ba1881dd87c4a20b
https://github.com/phpmyadmin/phpmyadmin/commit/72213573182896bd6a6e5af5ba1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M templates/table/structure/display_table_stats.phtml
Log Message:
-----------
Fix XSS on table structure
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 03f73d48369703e0d3584699b08e24891c3295b8
https://github.com/phpmyadmin/phpmyadmin/commit/03f73d48369703e0d3584699b08…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M libraries/server_privileges.lib.php
Log Message:
-----------
Fix XSS on server privileges
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 55db1256c5d6e27c2d9fbd78e9c6f9fc11fe8571
https://github.com/phpmyadmin/phpmyadmin/commit/55db1256c5d6e27c2d9fbd78e9c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M ChangeLog
M libraries/config/FormDisplay.php
Log Message:
-----------
Merge pull request #48 from phpmyadmin/security-45
Fix issue #45 input types in setup script
Commit: 19eef4eebb528dcce0ec922947f9ee9da3b2a2b8
https://github.com/phpmyadmin/phpmyadmin/commit/19eef4eebb528dcce0ec922947f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M test/libraries/PMA_user_preferences_test.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 5633b1d57b23ddaa5a9a976a323c90c18d9be03d
https://github.com/phpmyadmin/phpmyadmin/commit/5633b1d57b23ddaa5a9a976a323…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M setup/frames/index.inc.php
Log Message:
-----------
Use javascript for redirection to https
The current approach is broken since whitelisting is active in url.php
and also allows potential bbcode injection.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 4767f24ea4c1e3822ce71a636c341e8ad8d07aa6
https://github.com/phpmyadmin/phpmyadmin/commit/4767f24ea4c1e3822ce71a636c3…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M js/get_scripts.js.php
Log Message:
-----------
Limit number of included scripts in get_scripts.js.php
This avoids potential DOS, the limit is the same as we use for generating
the URLs.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 27caf5b46bd0890e576fea7bd7b166a0639fdf68
https://github.com/phpmyadmin/phpmyadmin/commit/27caf5b46bd0890e576fea7bd7b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-16 (Thu, 16 Jun 2016)
Changed paths:
M libraries/Config.php
M libraries/core.lib.php
A test/libraries/core/PMA_cleanupPathInfo_test.php
Log Message:
-----------
Improve detection of script name
In case PHP_SELF was not set by server, we used REQUEST_URI, which might
embed PATH_INFO as well. However we really need to know the path without
it, so let's strip it as well.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6c5d5ffc7fac2cbf8d4d7eac5c983c84db588c3d
https://github.com/phpmyadmin/phpmyadmin/commit/6c5d5ffc7fac2cbf8d4d7eac5c9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M ChangeLog
M gis_data_editor.php
M libraries/Index.php
M libraries/gis/GISVisualization.php
M libraries/rte/rte_list.lib.php
M libraries/server_privileges.lib.php
M po/fr.po
M server_status_processes.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: b0180f18c828706af3a6800f0fb01a536d3ef8c7
https://github.com/phpmyadmin/phpmyadmin/commit/b0180f18c828706af3a6800f0fb…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/FormDisplay.php
Log Message:
-----------
Properly convert POST parameters
We can get array instead of single parameter, so handle this gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: ef1493d9b4b5c89ff3ff9965068f3ebf5a3059bc
https://github.com/phpmyadmin/phpmyadmin/commit/ef1493d9b4b5c89ff3ff9965068…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/Util.php
M libraries/config/FormDisplay.php
Log Message:
-----------
Move request conversion to generic code
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 96e0aa35653ec0c66084a7e9343465e16c1f769b
https://github.com/phpmyadmin/phpmyadmin/commit/96e0aa35653ec0c66084a7e9343…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/validate.php
Log Message:
-----------
Fix error reporting on invalid request data
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: cd229d718e8cb4bc8ba32446beaa82d27727b6f0
https://github.com/phpmyadmin/phpmyadmin/commit/cd229d718e8cb4bc8ba32446bea…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/Validator.php
Log Message:
-----------
Validate input of validator
We can not trust the input here, so we can expect anything and deal with
missing parameters or invalid values.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 331c560fbfa0e7d2dce674b5e88e983c5f2a451d
https://github.com/phpmyadmin/phpmyadmin/commit/331c560fbfa0e7d2dce674b5e88…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/config.php
M setup/frames/index.inc.php
Log Message:
-----------
Improve error handling in setup in case config dir is not present
We do not show these options in UI, but the scripts should handle it
gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1d2e2be925a5f6af70117f81892ad601e3dc161b
https://github.com/phpmyadmin/phpmyadmin/commit/1d2e2be925a5f6af70117f81892…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/DatabaseInterface.php
M libraries/Error.php
M templates/list/item.phtml
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 00b9be9c4afa98d1a37f2b74c75f8c67ccf251d4
https://github.com/phpmyadmin/phpmyadmin/commit/00b9be9c4afa98d1a37f2b74c75…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M test/classes/ErrorTest.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 27664605b945b13e1d2b71adea822ace2099cc96
https://github.com/phpmyadmin/phpmyadmin/commit/27664605b945b13e1d2b71adea8…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Improve error handling in OpenID example
- properly check parameter types
- catch all exceptions (e.g. network error)
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1363ce574974ad6971f552a30b6b05f48dc80392
https://github.com/phpmyadmin/phpmyadmin/commit/1363ce574974ad6971f552a30b6…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M db_central_columns.php
M libraries/Config.php
M libraries/Util.php
M libraries/display_import.lib.php
M libraries/js_escape.lib.php
M libraries/navigation/NavigationTree.php
M setup/lib/form_processing.lib.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 94cf3864254ffaf3a69e97d8fc454888368b94ab
https://github.com/phpmyadmin/phpmyadmin/commit/94cf3864254ffaf3a69e97d8fc4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Escape error messages from OpenID
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 418aeea3d83b0b6021bac311d849570acfc6e48c
https://github.com/phpmyadmin/phpmyadmin/commit/418aeea3d83b0b6021bac311d84…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Add error handling to constructing openid message
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 0815af37f483f329f0c0565d68821fea9c47b5f5
https://github.com/phpmyadmin/phpmyadmin/commit/0815af37f483f329f0c0565d688…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M templates/table/structure/display_partitions.phtml
Log Message:
-----------
Add missing escaping to partition listing
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 8716855b309dbe65d7b9a5d681b80579b225b322
https://github.com/phpmyadmin/phpmyadmin/commit/8716855b309dbe65d7b9a5d681b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M templates/server/databases/table_row.phtml
Log Message:
-----------
Properly escape translated string
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d648ade18d6cbb796a93261491c121f078df2d88
https://github.com/phpmyadmin/phpmyadmin/commit/d648ade18d6cbb796a93261491c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M templates/server/binlog/log_selector.phtml
Log Message:
-----------
Escape binary log name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: be3ecbb4cca3fbe20e3b3aa4e049902d18b60865
https://github.com/phpmyadmin/phpmyadmin/commit/be3ecbb4cca3fbe20e3b3aa4e04…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abs/DateFormatTransformationsPlugin.php
M libraries/plugins/transformations/abs/DownloadTransformationsPlugin.php
M libraries/plugins/transformations/abs/ImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/InlineTransformationsPlugin.php
M libraries/plugins/transformations/abs/LongToIPv4TransformationsPlugin.php
M libraries/plugins/transformations/abs/PreApPendTransformationsPlugin.php
M libraries/plugins/transformations/abs/SubstringTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
M libraries/transformations.lib.php
M test/classes/plugin/transformations/TransformationPluginsTest.php
M test/libraries/PMA_transformation_test.php
Log Message:
-----------
Simplify and cleanup transformation plugins
Remove PMA_transformation_global_html_replace which makes the code only
more confusing.
Also add escaping to browse transformations.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 791bdafcdd441883f2bf2721356afeaf8146ab70
https://github.com/phpmyadmin/phpmyadmin/commit/791bdafcdd441883f2bf2721356…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M ChangeLog
M examples/openid.php
M js/get_scripts.js.php
M libraries/Config.php
M libraries/Util.php
M libraries/config/FormDisplay.php
M libraries/config/Validator.php
M libraries/core.lib.php
M libraries/plugins/transformations/abs/DateFormatTransformationsPlugin.php
M libraries/plugins/transformations/abs/DownloadTransformationsPlugin.php
M libraries/plugins/transformations/abs/ImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/InlineTransformationsPlugin.php
M libraries/plugins/transformations/abs/LongToIPv4TransformationsPlugin.php
M libraries/plugins/transformations/abs/PreApPendTransformationsPlugin.php
M libraries/plugins/transformations/abs/SubstringTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
M libraries/server_privileges.lib.php
M libraries/transformations.lib.php
M setup/config.php
M setup/frames/index.inc.php
M setup/validate.php
M templates/server/binlog/log_selector.phtml
M templates/server/databases/table_row.phtml
M templates/table/structure/display_partitions.phtml
M templates/table/structure/display_table_stats.phtml
M test/classes/plugin/transformations/TransformationPluginsTest.php
M test/libraries/PMA_transformation_test.php
A test/libraries/core/PMA_cleanupPathInfo_test.php
Log Message:
-----------
Merge branch 'QA_4_6-security' into master-security
Commit: 1e5716cb96d46efc305381ae0da08e73fe340f05
https://github.com/phpmyadmin/phpmyadmin/commit/1e5716cb96d46efc305381ae0da…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.php
Log Message:
-----------
Add referrer CSP and <meta> tag
This avoids leaking Referer header in modern browsers.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 79661610f6f65443e0ec1e382a7240437f28436c
https://github.com/phpmyadmin/phpmyadmin/commit/79661610f6f65443e0ec1e382a7…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/get_image.js.php
Log Message:
-----------
Escape attributes when showing images in javascript
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 895a131d2eb7e447757a35d5731c7d647823ea8b
https://github.com/phpmyadmin/phpmyadmin/commit/895a131d2eb7e447757a35d5731…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/ajax.js
Log Message:
-----------
Escape HTML when rendering AJAX error
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 364732e309cccb3fb56c938ed8d8bc0e04a3ca98
https://github.com/phpmyadmin/phpmyadmin/commit/364732e309cccb3fb56c938ed8d…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/console.js
Log Message:
-----------
Escape error message from server
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 80cd2f448cfd18e6149a26a6819d99f47d87f158
https://github.com/phpmyadmin/phpmyadmin/commit/80cd2f448cfd18e6149a26a6819…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M ChangeLog
M libraries/export.lib.php
M setup/frames/servers.inc.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: b73175ed12f12aa11cc955c17ad93646b018eab6
https://github.com/phpmyadmin/phpmyadmin/commit/b73175ed12f12aa11cc955c17ad…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M ChangeLog
M export.php
M libraries/export.lib.php
M setup/frames/servers.inc.php
M view_operations.php
Log Message:
-----------
Merge branch 'master' into master-security
Commit: 22b19b5d695fad7393875628f6fe1d4ba071f951
https://github.com/phpmyadmin/phpmyadmin/commit/22b19b5d695fad7393875628f6f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/ajax.js
M js/console.js
M js/get_image.js.php
M libraries/Header.php
Log Message:
-----------
Merge branch 'QA_4_6-security' into master-security
Commit: 2f4950828ec241e8cbdcf13090c2582a6fa620cb
https://github.com/phpmyadmin/phpmyadmin/commit/2f4950828ec241e8cbdcf13090c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.php
Log Message:
-----------
Update referrer <meta> to match current standards
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: f77612dfe7b55ea676f351a4d545d7ac22fc0f8e
https://github.com/phpmyadmin/phpmyadmin/commit/f77612dfe7b55ea676f351a4d54…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Log Message:
-----------
Merge branch 'QA_4_6-security' into master-security
Commit: 4bcc606225f15bac0b07780e74f667f6ac283da7
https://github.com/phpmyadmin/phpmyadmin/commit/4bcc606225f15bac0b07780e74f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/controllers/table/TableSearchController.php
Log Message:
-----------
Always use delimiter not present in search expression
This avoids need to figure out correct escaping in case delimiter is
present in the expression.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1cc7466db3a05e95fe57a6702f41773e6829d54b
https://github.com/phpmyadmin/phpmyadmin/commit/1cc7466db3a05e95fe57a6702f4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M import.php
M libraries/Tracker.php
M libraries/plugins/export/ExportSql.php
M templates/columns_definitions/transformation.phtml
M test/libraries/core/PMA_warnMissingExtension_test.php
Log Message:
-----------
Quote delimiter before using preg_replace
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c8abc5fab6caa1a7d203dd944e3cad8842fbeea9
https://github.com/phpmyadmin/phpmyadmin/commit/c8abc5fab6caa1a7d203dd944e3…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Table.php
M libraries/Template.php
M po/zh_CN.po
Log Message:
-----------
Merge branch 'master' into master-security
Commit: 637d4eb4de4137eb7be19570828b6b93895ab723
https://github.com/phpmyadmin/phpmyadmin/commit/637d4eb4de4137eb7be19570828…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M import.php
M libraries/Tracker.php
M libraries/controllers/table/TableSearchController.php
M libraries/plugins/export/ExportSql.php
M templates/columns_definitions/transformation.phtml
M test/libraries/core/PMA_warnMissingExtension_test.php
Log Message:
-----------
Merge branch 'QA_4_6-security' into master-security
Commit: 792cd1262f012b9b13639519d414f2acaeb5e972
https://github.com/phpmyadmin/phpmyadmin/commit/792cd1262f012b9b13639519d41…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M templates/table/structure/display_partitions.phtml
Log Message:
-----------
Escape partition comment when displaying
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 0b7416c5f4439ed3f11c023785f2d4c49a1b09fc
https://github.com/phpmyadmin/phpmyadmin/commit/0b7416c5f4439ed3f11c023785f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/server_privileges.lib.php
Log Message:
-----------
Escape user group when displaying
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d95a4a2f96c9b080f3364defcc1cd6ecd8bdc2be
https://github.com/phpmyadmin/phpmyadmin/commit/d95a4a2f96c9b080f3364defcc1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/SavedSearches.php
Log Message:
-----------
Avoid undefined index in case of incomplete bookmark
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 36df83a97a7f140fdb008b727a94f882847c6a6f
https://github.com/phpmyadmin/phpmyadmin/commit/36df83a97a7f140fdb008b727a9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/DbQbe.php
Log Message:
-----------
Escape saved search name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 960fd1fd52023047a23d069178bfff7463c2cefc
https://github.com/phpmyadmin/phpmyadmin/commit/960fd1fd52023047a23d069178b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M templates/table/search/rows_zoom.phtml
Log Message:
-----------
Properly escape zoom search column type
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 57ae483bad33059a885366d5445b7e1f6f29860a
https://github.com/phpmyadmin/phpmyadmin/commit/57ae483bad33059a885366d5445…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/functions.js
Log Message:
-----------
Escape database name when showing dialog
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 301e1b0f7d2506b16a9e828360db21c27f051509
https://github.com/phpmyadmin/phpmyadmin/commit/301e1b0f7d2506b16a9e828360d…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/operations.lib.php
Log Message:
-----------
Fix adjusting privileges for tables/databases with quote in name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 11509c5431b2b79c29b8aa12042095d9e3c8de16
https://github.com/phpmyadmin/phpmyadmin/commit/11509c5431b2b79c29b8aa12042…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/operations.lib.php
Log Message:
-----------
Merge branch 'QA_4_6'
Commit: 4d21b5c077db50c2a54b7f569d20f463cc2651f5
https://github.com/phpmyadmin/phpmyadmin/commit/4d21b5c077db50c2a54b7f569d2…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/tbl_chart.js
Log Message:
-----------
Fixed rendering of chart of columns with HTML inside
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 519e634a8d13dd8739646c4cf566bde4c7092143
https://github.com/phpmyadmin/phpmyadmin/commit/519e634a8d13dd8739646c4cf56…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/Template.php
M libraries/operations.lib.php
M libraries/server_privileges.lib.php
M po/zh_CN.po
M test/libraries/PMA_server_privileges_test.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 9c8f537a231f314e9cdee037ce97b44821f14cd4
https://github.com/phpmyadmin/phpmyadmin/commit/9c8f537a231f314e9cdee037ce9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/DbQbe.php
M libraries/operations.lib.php
M libraries/server_privileges.lib.php
M test/libraries/PMA_server_privileges_test.php
Log Message:
-----------
Merge branch 'master' into master-security
Commit: 6ba52a72b4ad227ec99a7714c2fe4c0570863caf
https://github.com/phpmyadmin/phpmyadmin/commit/6ba52a72b4ad227ec99a7714c2f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/functions.js
M js/tbl_chart.js
M libraries/DbQbe.php
M libraries/SavedSearches.php
M libraries/server_privileges.lib.php
M templates/table/search/rows_zoom.phtml
M templates/table/structure/display_partitions.phtml
Log Message:
-----------
Merge branch 'QA_4_6-security' into master-security
Commit: 615212a14d7d87712202f37354acf8581987fc5a
https://github.com/phpmyadmin/phpmyadmin/commit/615212a14d7d87712202f37354a…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
Log Message:
-----------
Do not allow javascript: links in transformation
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c3f7aa8190b45a05bd5440174ae31d80b95a41d3
https://github.com/phpmyadmin/phpmyadmin/commit/c3f7aa8190b45a05bd5440174ae…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
Log Message:
-----------
Merge branch 'QA_4_6-security' into master-security
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/d338a61d329a...c3f7aa8190b4
Branch: refs/heads/QA_4_6
Home: https://github.com/phpmyadmin/phpmyadmin
Commit: d76496ba1d11de13ba1f982a462e014f9d923b29
https://github.com/phpmyadmin/phpmyadmin/commit/d76496ba1d11de13ba1f982a462…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M ChangeLog
M libraries/config/FormDisplay.php
Log Message:
-----------
Setup script did not properly use input type password in all cases
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 72213573182896bd6a6e5af5ba1881dd87c4a20b
https://github.com/phpmyadmin/phpmyadmin/commit/72213573182896bd6a6e5af5ba1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M templates/table/structure/display_table_stats.phtml
Log Message:
-----------
Fix XSS on table structure
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 03f73d48369703e0d3584699b08e24891c3295b8
https://github.com/phpmyadmin/phpmyadmin/commit/03f73d48369703e0d3584699b08…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M libraries/server_privileges.lib.php
Log Message:
-----------
Fix XSS on server privileges
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 55db1256c5d6e27c2d9fbd78e9c6f9fc11fe8571
https://github.com/phpmyadmin/phpmyadmin/commit/55db1256c5d6e27c2d9fbd78e9c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M ChangeLog
M libraries/config/FormDisplay.php
Log Message:
-----------
Merge pull request #48 from phpmyadmin/security-45
Fix issue #45 input types in setup script
Commit: 19eef4eebb528dcce0ec922947f9ee9da3b2a2b8
https://github.com/phpmyadmin/phpmyadmin/commit/19eef4eebb528dcce0ec922947f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M test/libraries/PMA_user_preferences_test.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 5633b1d57b23ddaa5a9a976a323c90c18d9be03d
https://github.com/phpmyadmin/phpmyadmin/commit/5633b1d57b23ddaa5a9a976a323…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M setup/frames/index.inc.php
Log Message:
-----------
Use javascript for redirection to https
The current approach is broken since whitelisting is active in url.php
and also allows potential bbcode injection.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 4767f24ea4c1e3822ce71a636c341e8ad8d07aa6
https://github.com/phpmyadmin/phpmyadmin/commit/4767f24ea4c1e3822ce71a636c3…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M js/get_scripts.js.php
Log Message:
-----------
Limit number of included scripts in get_scripts.js.php
This avoids potential DOS, the limit is the same as we use for generating
the URLs.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 27caf5b46bd0890e576fea7bd7b166a0639fdf68
https://github.com/phpmyadmin/phpmyadmin/commit/27caf5b46bd0890e576fea7bd7b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-16 (Thu, 16 Jun 2016)
Changed paths:
M libraries/Config.php
M libraries/core.lib.php
A test/libraries/core/PMA_cleanupPathInfo_test.php
Log Message:
-----------
Improve detection of script name
In case PHP_SELF was not set by server, we used REQUEST_URI, which might
embed PATH_INFO as well. However we really need to know the path without
it, so let's strip it as well.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6c5d5ffc7fac2cbf8d4d7eac5c983c84db588c3d
https://github.com/phpmyadmin/phpmyadmin/commit/6c5d5ffc7fac2cbf8d4d7eac5c9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M ChangeLog
M gis_data_editor.php
M libraries/Index.php
M libraries/gis/GISVisualization.php
M libraries/rte/rte_list.lib.php
M libraries/server_privileges.lib.php
M po/fr.po
M server_status_processes.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: b0180f18c828706af3a6800f0fb01a536d3ef8c7
https://github.com/phpmyadmin/phpmyadmin/commit/b0180f18c828706af3a6800f0fb…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/FormDisplay.php
Log Message:
-----------
Properly convert POST parameters
We can get array instead of single parameter, so handle this gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: ef1493d9b4b5c89ff3ff9965068f3ebf5a3059bc
https://github.com/phpmyadmin/phpmyadmin/commit/ef1493d9b4b5c89ff3ff9965068…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/Util.php
M libraries/config/FormDisplay.php
Log Message:
-----------
Move request conversion to generic code
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 96e0aa35653ec0c66084a7e9343465e16c1f769b
https://github.com/phpmyadmin/phpmyadmin/commit/96e0aa35653ec0c66084a7e9343…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/validate.php
Log Message:
-----------
Fix error reporting on invalid request data
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: cd229d718e8cb4bc8ba32446beaa82d27727b6f0
https://github.com/phpmyadmin/phpmyadmin/commit/cd229d718e8cb4bc8ba32446bea…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/Validator.php
Log Message:
-----------
Validate input of validator
We can not trust the input here, so we can expect anything and deal with
missing parameters or invalid values.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 331c560fbfa0e7d2dce674b5e88e983c5f2a451d
https://github.com/phpmyadmin/phpmyadmin/commit/331c560fbfa0e7d2dce674b5e88…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/config.php
M setup/frames/index.inc.php
Log Message:
-----------
Improve error handling in setup in case config dir is not present
We do not show these options in UI, but the scripts should handle it
gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1d2e2be925a5f6af70117f81892ad601e3dc161b
https://github.com/phpmyadmin/phpmyadmin/commit/1d2e2be925a5f6af70117f81892…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/DatabaseInterface.php
M libraries/Error.php
M templates/list/item.phtml
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 00b9be9c4afa98d1a37f2b74c75f8c67ccf251d4
https://github.com/phpmyadmin/phpmyadmin/commit/00b9be9c4afa98d1a37f2b74c75…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M test/classes/ErrorTest.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 27664605b945b13e1d2b71adea822ace2099cc96
https://github.com/phpmyadmin/phpmyadmin/commit/27664605b945b13e1d2b71adea8…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Improve error handling in OpenID example
- properly check parameter types
- catch all exceptions (e.g. network error)
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1363ce574974ad6971f552a30b6b05f48dc80392
https://github.com/phpmyadmin/phpmyadmin/commit/1363ce574974ad6971f552a30b6…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M db_central_columns.php
M libraries/Config.php
M libraries/Util.php
M libraries/display_import.lib.php
M libraries/js_escape.lib.php
M libraries/navigation/NavigationTree.php
M setup/lib/form_processing.lib.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 94cf3864254ffaf3a69e97d8fc454888368b94ab
https://github.com/phpmyadmin/phpmyadmin/commit/94cf3864254ffaf3a69e97d8fc4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Escape error messages from OpenID
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 418aeea3d83b0b6021bac311d849570acfc6e48c
https://github.com/phpmyadmin/phpmyadmin/commit/418aeea3d83b0b6021bac311d84…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Add error handling to constructing openid message
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 0815af37f483f329f0c0565d68821fea9c47b5f5
https://github.com/phpmyadmin/phpmyadmin/commit/0815af37f483f329f0c0565d688…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M templates/table/structure/display_partitions.phtml
Log Message:
-----------
Add missing escaping to partition listing
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 8716855b309dbe65d7b9a5d681b80579b225b322
https://github.com/phpmyadmin/phpmyadmin/commit/8716855b309dbe65d7b9a5d681b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M templates/server/databases/table_row.phtml
Log Message:
-----------
Properly escape translated string
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d648ade18d6cbb796a93261491c121f078df2d88
https://github.com/phpmyadmin/phpmyadmin/commit/d648ade18d6cbb796a93261491c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M templates/server/binlog/log_selector.phtml
Log Message:
-----------
Escape binary log name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: be3ecbb4cca3fbe20e3b3aa4e049902d18b60865
https://github.com/phpmyadmin/phpmyadmin/commit/be3ecbb4cca3fbe20e3b3aa4e04…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abs/DateFormatTransformationsPlugin.php
M libraries/plugins/transformations/abs/DownloadTransformationsPlugin.php
M libraries/plugins/transformations/abs/ImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/InlineTransformationsPlugin.php
M libraries/plugins/transformations/abs/LongToIPv4TransformationsPlugin.php
M libraries/plugins/transformations/abs/PreApPendTransformationsPlugin.php
M libraries/plugins/transformations/abs/SubstringTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
M libraries/transformations.lib.php
M test/classes/plugin/transformations/TransformationPluginsTest.php
M test/libraries/PMA_transformation_test.php
Log Message:
-----------
Simplify and cleanup transformation plugins
Remove PMA_transformation_global_html_replace which makes the code only
more confusing.
Also add escaping to browse transformations.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1e5716cb96d46efc305381ae0da08e73fe340f05
https://github.com/phpmyadmin/phpmyadmin/commit/1e5716cb96d46efc305381ae0da…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.php
Log Message:
-----------
Add referrer CSP and <meta> tag
This avoids leaking the Referer header in modern browsers.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 79661610f6f65443e0ec1e382a7240437f28436c
https://github.com/phpmyadmin/phpmyadmin/commit/79661610f6f65443e0ec1e382a7…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/get_image.js.php
Log Message:
-----------
Escape attributes when showing images in javascript
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 895a131d2eb7e447757a35d5731c7d647823ea8b
https://github.com/phpmyadmin/phpmyadmin/commit/895a131d2eb7e447757a35d5731…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/ajax.js
Log Message:
-----------
Escape HTML when rendering AJAX error
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 364732e309cccb3fb56c938ed8d8bc0e04a3ca98
https://github.com/phpmyadmin/phpmyadmin/commit/364732e309cccb3fb56c938ed8d…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/console.js
Log Message:
-----------
Escape error message from server
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 80cd2f448cfd18e6149a26a6819d99f47d87f158
https://github.com/phpmyadmin/phpmyadmin/commit/80cd2f448cfd18e6149a26a6819…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M ChangeLog
M libraries/export.lib.php
M setup/frames/servers.inc.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 2f4950828ec241e8cbdcf13090c2582a6fa620cb
https://github.com/phpmyadmin/phpmyadmin/commit/2f4950828ec241e8cbdcf13090c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.php
Log Message:
-----------
Update referrer <meta> to match current standards
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 4bcc606225f15bac0b07780e74f667f6ac283da7
https://github.com/phpmyadmin/phpmyadmin/commit/4bcc606225f15bac0b07780e74f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/controllers/table/TableSearchController.php
Log Message:
-----------
Always use delimiter not present in search expression
This avoids the need to figure out the correct escaping in case the delimiter is
present in the expression.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1cc7466db3a05e95fe57a6702f41773e6829d54b
https://github.com/phpmyadmin/phpmyadmin/commit/1cc7466db3a05e95fe57a6702f4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M import.php
M libraries/Tracker.php
M libraries/plugins/export/ExportSql.php
M templates/columns_definitions/transformation.phtml
M test/libraries/core/PMA_warnMissingExtension_test.php
Log Message:
-----------
Quote delimiter before using preg_replace
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 792cd1262f012b9b13639519d414f2acaeb5e972
https://github.com/phpmyadmin/phpmyadmin/commit/792cd1262f012b9b13639519d41…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M templates/table/structure/display_partitions.phtml
Log Message:
-----------
Escape partition comment when displaying
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 0b7416c5f4439ed3f11c023785f2d4c49a1b09fc
https://github.com/phpmyadmin/phpmyadmin/commit/0b7416c5f4439ed3f11c023785f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/server_privileges.lib.php
Log Message:
-----------
Escape user group when displaying
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d95a4a2f96c9b080f3364defcc1cd6ecd8bdc2be
https://github.com/phpmyadmin/phpmyadmin/commit/d95a4a2f96c9b080f3364defcc1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/SavedSearches.php
Log Message:
-----------
Avoid undefined index in case of incomplete bookmark
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 36df83a97a7f140fdb008b727a94f882847c6a6f
https://github.com/phpmyadmin/phpmyadmin/commit/36df83a97a7f140fdb008b727a9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/DbQbe.php
Log Message:
-----------
Escape saved search name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 960fd1fd52023047a23d069178bfff7463c2cefc
https://github.com/phpmyadmin/phpmyadmin/commit/960fd1fd52023047a23d069178b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M templates/table/search/rows_zoom.phtml
Log Message:
-----------
Properly escape zoom search column type
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 57ae483bad33059a885366d5445b7e1f6f29860a
https://github.com/phpmyadmin/phpmyadmin/commit/57ae483bad33059a885366d5445…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/functions.js
Log Message:
-----------
Escape database name when showing dialog
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 301e1b0f7d2506b16a9e828360db21c27f051509
https://github.com/phpmyadmin/phpmyadmin/commit/301e1b0f7d2506b16a9e828360d…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/operations.lib.php
Log Message:
-----------
Fix adjusting privileges for tables/databases with quote in name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 4d21b5c077db50c2a54b7f569d20f463cc2651f5
https://github.com/phpmyadmin/phpmyadmin/commit/4d21b5c077db50c2a54b7f569d2…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/tbl_chart.js
Log Message:
-----------
Fixed rendering of chart of columns with HTML inside
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 519e634a8d13dd8739646c4cf566bde4c7092143
https://github.com/phpmyadmin/phpmyadmin/commit/519e634a8d13dd8739646c4cf56…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/Template.php
M libraries/operations.lib.php
M libraries/server_privileges.lib.php
M po/zh_CN.po
M test/libraries/PMA_server_privileges_test.php
Log Message:
-----------
Merge branch 'QA_4_6' into QA_4_6-security
Commit: 615212a14d7d87712202f37354acf8581987fc5a
https://github.com/phpmyadmin/phpmyadmin/commit/615212a14d7d87712202f37354a…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
Log Message:
-----------
Do not allow javascript: links in transformation
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: f7d1c1f46382e7e6464fd92529d4410e635805f1
https://github.com/phpmyadmin/phpmyadmin/commit/f7d1c1f46382e7e6464fd92529d…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M ChangeLog
Log Message:
-----------
Changelog entries for security release
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 4f57305eab809a8ecfe613e38b2b5d3a4b190505
https://github.com/phpmyadmin/phpmyadmin/commit/4f57305eab809a8ecfe613e38b2…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.php
Log Message:
-----------
Release 4.6.3
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: f2db92434b71973a1281dfbaec8837e51e602c77
https://github.com/phpmyadmin/phpmyadmin/commit/f2db92434b71973a1281dfbaec8…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M examples/openid.php
M import.php
M js/ajax.js
M js/console.js
M js/functions.js
M js/get_image.js.php
M js/get_scripts.js.php
M js/tbl_chart.js
M libraries/Config.php
M libraries/DbQbe.php
M libraries/Header.php
M libraries/SavedSearches.php
M libraries/Tracker.php
M libraries/Util.php
M libraries/config/FormDisplay.php
M libraries/config/Validator.php
M libraries/controllers/table/TableSearchController.php
M libraries/core.lib.php
M libraries/operations.lib.php
M libraries/plugins/export/ExportSql.php
M libraries/plugins/transformations/abs/DateFormatTransformationsPlugin.php
M libraries/plugins/transformations/abs/DownloadTransformationsPlugin.php
M libraries/plugins/transformations/abs/ImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/InlineTransformationsPlugin.php
M libraries/plugins/transformations/abs/LongToIPv4TransformationsPlugin.php
M libraries/plugins/transformations/abs/PreApPendTransformationsPlugin.php
M libraries/plugins/transformations/abs/SubstringTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
M libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
M libraries/server_privileges.lib.php
M libraries/transformations.lib.php
M setup/config.php
M setup/frames/index.inc.php
M setup/validate.php
M templates/columns_definitions/transformation.phtml
M templates/server/binlog/log_selector.phtml
M templates/server/databases/table_row.phtml
M templates/table/search/rows_zoom.phtml
M templates/table/structure/display_partitions.phtml
M templates/table/structure/display_table_stats.phtml
M test/classes/plugin/transformations/TransformationPluginsTest.php
M test/libraries/PMA_transformation_test.php
A test/libraries/core/PMA_cleanupPathInfo_test.php
M test/libraries/core/PMA_warnMissingExtension_test.php
Log Message:
-----------
Fix merge conflicts
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 58534ce2fc4f964c78dfe83ff5f21e05793c3a4f
https://github.com/phpmyadmin/phpmyadmin/commit/58534ce2fc4f964c78dfe83ff5f…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.php
Log Message:
-----------
Prepare for 4.6.4-dev
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/e50e37b51db9...58534ce2fc4f
Branch: refs/heads/MAINT_4_4_15
Home: https://github.com/phpmyadmin/phpmyadmin
Commit: 945ec9e9b8b299176278d4630b460971d54093bd
https://github.com/phpmyadmin/phpmyadmin/commit/945ec9e9b8b299176278d4630b4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M libraries/server_privileges.lib.php
Log Message:
-----------
Fix XSS on server privileges
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6e0786253113f1df096ee8dd9eec4e408bd86863
https://github.com/phpmyadmin/phpmyadmin/commit/6e0786253113f1df096ee8dd9ee…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M libraries/config/FormDisplay.class.php
Log Message:
-----------
Setup script did not properly use input type password in all cases
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 1dca386505f396f0c2035112a403cc80768a141f
https://github.com/phpmyadmin/phpmyadmin/commit/1dca386505f396f0c2035112a40…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M setup/frames/index.inc.php
Log Message:
-----------
Use javascript for redirection to https
The current approach is broken since whitelisting is active in url.php
and also allows potential bbcode injection.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: abb3685c8702de887988fee31a97ef4d80d856a1
https://github.com/phpmyadmin/phpmyadmin/commit/abb3685c8702de887988fee31a9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M js/get_scripts.js.php
Log Message:
-----------
Limit number of included scripts in get_scripts.js.php
This avoids a potential DoS; the limit is the same as we use for generating
the URLs.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 9de4114e6f1fdb8d35d49c421e0e7d65fb04e515
https://github.com/phpmyadmin/phpmyadmin/commit/9de4114e6f1fdb8d35d49c421e0…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M libraries/Scripts.class.php
Log Message:
-----------
Avoid using too long URLs when getting javascripts
Some researchers have come up with the great idea of recommending
setting "LimitRequestline 512" in Apache, which allows even shorter URLs
than with MSIE.
I still consider this a really bad idea as most applications
really do not count on such small URL limits, but this error seems to be
quite widespread among CentOS users (probably coming from some
howto).
Fixes #12244
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 8a0705008b9b79c9579d1b23ce3fb323b33ea32f
https://github.com/phpmyadmin/phpmyadmin/commit/8a0705008b9b79c9579d1b23ce3…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-16 (Thu, 16 Jun 2016)
Changed paths:
M libraries/central_columns.lib.php
Log Message:
-----------
Properly escape database name in central column queries
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 3108270bb66668c4300ed6f2f5ff4a053b02a98d
https://github.com/phpmyadmin/phpmyadmin/commit/3108270bb66668c4300ed6f2f5f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/FormDisplay.class.php
Log Message:
-----------
Properly convert POST parameters
We can get an array instead of a single parameter, so handle this gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6a75879fa44075c81e433d2af6d8352fe14a0f78
https://github.com/phpmyadmin/phpmyadmin/commit/6a75879fa44075c81e433d2af6d…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/Util.class.php
M libraries/config/FormDisplay.class.php
Log Message:
-----------
Move request conversion to generic code
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 961453bb58dc00805596e419bdd38ea9631db01d
https://github.com/phpmyadmin/phpmyadmin/commit/961453bb58dc00805596e419bdd…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/validate.php
Log Message:
-----------
Fix error reporting on invalid request data
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 3014c4a6c67bd93a31606f27765bd0100b9217d9
https://github.com/phpmyadmin/phpmyadmin/commit/3014c4a6c67bd93a31606f27765…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/Validator.class.php
Log Message:
-----------
Validate input of validator
We can not trust the input here, so we can expect anything and deal with
missing parameters or invalid values.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: abe88edc744c3073967bfb5c74b54fe2cbd614d7
https://github.com/phpmyadmin/phpmyadmin/commit/abe88edc744c3073967bfb5c74b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/config.php
M setup/frames/index.inc.php
Log Message:
-----------
Improve error handling in setup in case config dir is not present
We do not show these options in UI, but the scripts should handle it
gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 70e917c654731c818b849dc326c2d171663fe287
https://github.com/phpmyadmin/phpmyadmin/commit/70e917c654731c818b849dc326c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Improve error handling in OpenID example
- properly check parameter types
- catch all exceptions (e.g. network error)
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 52e7898bdc71f4548f4d518c1e12bf2bcb8802e6
https://github.com/phpmyadmin/phpmyadmin/commit/52e7898bdc71f4548f4d518c1e1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Escape error messages from OpenID
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d005ba65304f254d393d5dfee5ac66f1750cec89
https://github.com/phpmyadmin/phpmyadmin/commit/d005ba65304f254d393d5dfee5a…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Add error handling to constructing openid message
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d184e4d8cdc6ecc3b789e0ffb16f425747cf175d
https://github.com/phpmyadmin/phpmyadmin/commit/d184e4d8cdc6ecc3b789e0ffb16…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/build_html_for_db.lib.php
Log Message:
-----------
Properly escape translated string
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: e5ab397fe01e629b179928609929080d91ac0645
https://github.com/phpmyadmin/phpmyadmin/commit/e5ab397fe01e629b17992860992…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/server_bin_log.lib.php
Log Message:
-----------
Escape binary log name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: feb911e90a26995b8ff7cfa5aeb3ed6a2bd70acf
https://github.com/phpmyadmin/phpmyadmin/commit/feb911e90a26995b8ff7cfa5aeb…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abstract/DateFormatTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/DownloadTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/ImageLinkTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/InlineTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/LongToIPv4TransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/PreApPendTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/SubstringTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
M libraries/transformations.lib.php
M test/libraries/PMA_transformation_test.php
Log Message:
-----------
Simplify and cleanup transformation plugins
Remove PMA_transformation_global_html_replace which makes the code only
more confusing.
Also add escaping to browse transformations.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 22ad8b6b789091660fc7bdbb636e652b65dd3768
https://github.com/phpmyadmin/phpmyadmin/commit/22ad8b6b789091660fc7bdbb636…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.class.php
Log Message:
-----------
Add referrer CSP and <meta> tag
This avoids leaking the Referer header in modern browsers.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 50bf3999534ee9ed6ce47953d5286ad7db111928
https://github.com/phpmyadmin/phpmyadmin/commit/50bf3999534ee9ed6ce47953d52…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/get_image.js.php
Log Message:
-----------
Escape attributes when showing images in javascript
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c14709f132b0cbd3139ff63714a4841a67a008e3
https://github.com/phpmyadmin/phpmyadmin/commit/c14709f132b0cbd3139ff63714a…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/ajax.js
Log Message:
-----------
Escape HTML when rendering AJAX error
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: a31d7f481073e6d202f6887773356083437250be
https://github.com/phpmyadmin/phpmyadmin/commit/a31d7f481073e6d202f68877733…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/console.js
Log Message:
-----------
Escape error message from server
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: adfec38cc71fcb03493a80224c94f0bc5b747a62
https://github.com/phpmyadmin/phpmyadmin/commit/adfec38cc71fcb03493a80224c9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.class.php
Log Message:
-----------
Update referrer <meta> to match current standards
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 33d1373ab645d61cca258fabb07b0c817f1d254c
https://github.com/phpmyadmin/phpmyadmin/commit/33d1373ab645d61cca258fabb07…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/TableSearch.class.php
Log Message:
-----------
Always use delimiter not present in search expression
This avoids the need to figure out the correct escaping in case the delimiter is
present in the expression.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: daf375163eb7125282d24494e287e4825a931e1e
https://github.com/phpmyadmin/phpmyadmin/commit/daf375163eb7125282d24494e28…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Tracker.class.php
M libraries/plugins/export/ExportSql.class.php
M libraries/tbl_columns_definition_form.lib.php
M test/libraries/core/PMA_warnMissingExtension_test.php
Log Message:
-----------
Quote delimiter before using preg_replace
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: ef2da77d4f134d74c262d2f821201bf2c5d2e8a3
https://github.com/phpmyadmin/phpmyadmin/commit/ef2da77d4f134d74c262d2f8212…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/server_privileges.lib.php
Log Message:
-----------
Escape user group when displaying
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 9be01a7724decd089f9b793de5f77459c2c5d8de
https://github.com/phpmyadmin/phpmyadmin/commit/9be01a7724decd089f9b793de5f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/DBQbe.class.php
Log Message:
-----------
Escape saved search name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 98514fafe103d97295f541742c4fe181f11704ac
https://github.com/phpmyadmin/phpmyadmin/commit/98514fafe103d97295f541742c4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/TableSearch.class.php
Log Message:
-----------
Properly escape zoom search column type
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d4ce93cd9cf5905d1bbe257a2e3e0ecdc866b407
https://github.com/phpmyadmin/phpmyadmin/commit/d4ce93cd9cf5905d1bbe257a2e3…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/functions.js
Log Message:
-----------
Escape database name when showing dialog
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 5b7a055ac00c8b1e1c589e8a728ca0dfc08d74c4
https://github.com/phpmyadmin/phpmyadmin/commit/5b7a055ac00c8b1e1c589e8a728…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/tbl_chart.js
Log Message:
-----------
Fixed rendering of chart of columns with HTML inside
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 42ff2c1ac46833156bfe203d1046dc13a7f89b04
https://github.com/phpmyadmin/phpmyadmin/commit/42ff2c1ac46833156bfe203d104…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
Log Message:
-----------
Do not allow javascript: links in transformation
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 46ff2bd85e0c0fef130f0822b41b9bcf33942ae8
https://github.com/phpmyadmin/phpmyadmin/commit/46ff2bd85e0c0fef130f0822b41…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M ChangeLog
Log Message:
-----------
Changelog entries for security release
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 66aba31923f26124e06b2a55b837e4fd47c5ef1d
https://github.com/phpmyadmin/phpmyadmin/commit/66aba31923f26124e06b2a55b83…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M README
M doc/conf.py
M libraries/Config.class.php
Log Message:
-----------
Release 4.4.15.7
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/1f1e63cd5956...66aba31923f2
Branch: refs/heads/MAINT_4_0_10
Home: https://github.com/phpmyadmin/phpmyadmin
Commit: bf7379771f4b32e01f4af3b36f8ec6900288688e
https://github.com/phpmyadmin/phpmyadmin/commit/bf7379771f4b32e01f4af3b36f8…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M setup/frames/index.inc.php
Log Message:
-----------
Use javascript for redirection to https
The current approach is broken since whitelisting is active in url.php
and also allows potential bbcode injection.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 75724a361bc1873525245e8ff0889cc21456fe38
https://github.com/phpmyadmin/phpmyadmin/commit/75724a361bc1873525245e8ff08…
Author: Madhura Jayaratne <madhura.cj(a)gmail.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M libraries/Scripts.class.php
Log Message:
-----------
Fix #11457 414 Request-URI Too Large
Signed-off-by: Madhura Jayaratne <madhura.cj(a)gmail.com>
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 805225a28c1428d7809e613c731c2126960e98df
https://github.com/phpmyadmin/phpmyadmin/commit/805225a28c1428d7809e613c731…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-15 (Wed, 15 Jun 2016)
Changed paths:
M js/get_scripts.js.php
Log Message:
-----------
Limit number of included scripts in get_scripts.js.php
This avoids a potential DoS; the limit is the same as we use for generating
the URLs.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6b52ae4d190716bedf76c530ca6b561c9f9c4a44
https://github.com/phpmyadmin/phpmyadmin/commit/6b52ae4d190716bedf76c530ca6…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-16 (Thu, 16 Jun 2016)
Changed paths:
M test/classes/PMA_Scripts_test.php
Log Message:
-----------
Adjust test expectations to match new code
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c9faf855a0b9d494015d1e2a2c121b75be90d176
https://github.com/phpmyadmin/phpmyadmin/commit/c9faf855a0b9d494015d1e2a2c1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/FormDisplay.class.php
Log Message:
-----------
Properly convert POST parameters
We can get an array instead of a single parameter, so handle this gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 8451a7a5d26f30692c5be7e7cc1175996a31c007
https://github.com/phpmyadmin/phpmyadmin/commit/8451a7a5d26f30692c5be7e7cc1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/Util.class.php
M libraries/config/FormDisplay.class.php
Log Message:
-----------
Move request conversion to generic code
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: e1eb5e8e8939c80309382738f6c5c300969cccec
https://github.com/phpmyadmin/phpmyadmin/commit/e1eb5e8e8939c80309382738f6c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/validate.php
Log Message:
-----------
Fix error reporting on invalid request data
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 96c6a7c0a2d7a473f414dde22efed4c024083f64
https://github.com/phpmyadmin/phpmyadmin/commit/96c6a7c0a2d7a473f414dde22ef…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/validate.lib.php
Log Message:
-----------
Validate input of validator
We cannot trust the input here, so we can expect anything and deal with
missing parameters or invalid values.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: fa7a9b787b394c086a5e7c5e7eaa2eacacddbd01
https://github.com/phpmyadmin/phpmyadmin/commit/fa7a9b787b394c086a5e7c5e7ea…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M setup/config.php
M setup/frames/index.inc.php
Log Message:
-----------
Improve error handling in setup in case config dir is not present
We do not show these options in UI, but the scripts should handle it
gracefully.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c93c82ee9c21f9e4e539749188f99d0b6fc148dc
https://github.com/phpmyadmin/phpmyadmin/commit/c93c82ee9c21f9e4e539749188f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/config/validate.lib.php
Log Message:
-----------
Fix typo in validator
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c795a395ba74d29a584abfe48d8a5139df92f0fd
https://github.com/phpmyadmin/phpmyadmin/commit/c795a395ba74d29a584abfe48d8…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Improve error handling in OpenID example
- properly check parameter types
- catch all exceptions (e.g. network error)
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 5fefa5113948044983d8341f272950ace7bbf1e8
https://github.com/phpmyadmin/phpmyadmin/commit/5fefa5113948044983d8341f272…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Escape error messages from OpenID
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 78f6c54f1b404c639277d98123429b90d43fb088
https://github.com/phpmyadmin/phpmyadmin/commit/78f6c54f1b404c639277d981234…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M examples/openid.php
Log Message:
-----------
Add error handling to constructing openid message
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 975089b8c346a2c2aa75889f42f5a1729ae79497
https://github.com/phpmyadmin/phpmyadmin/commit/975089b8c346a2c2aa75889f42f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/build_html_for_db.lib.php
Log Message:
-----------
Properly escape translated string
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: f662d591c506346ac7b1804d5b8ec2754885feb9
https://github.com/phpmyadmin/phpmyadmin/commit/f662d591c506346ac7b1804d5b8…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M server_binlog.php
Log Message:
-----------
Escape binary log name
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 288efea5b42b1514ada0f22c84049067281b3eca
https://github.com/phpmyadmin/phpmyadmin/commit/288efea5b42b1514ada0f22c840…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-17 (Fri, 17 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abstract/AppendTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/DateFormatTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/DownloadTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/ImageLinkTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/InlineTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/LongToIPv4TransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/SubstringTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
M libraries/transformations.lib.php
Log Message:
-----------
Simplify and cleanup transformation plugins
Remove PMA_transformation_global_html_replace, which only makes the code
more confusing.
Also add escaping to browse transformations.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 32875196f971dc41f98a265808f1f8b4bd3ee5da
https://github.com/phpmyadmin/phpmyadmin/commit/32875196f971dc41f98a265808f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.class.php
Log Message:
-----------
Add referrer CSP and <meta> tag
This avoids leaking the Referer header in modern browsers.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: e13f9862ef4406d0f10580a0305d4a99a5716dac
https://github.com/phpmyadmin/phpmyadmin/commit/e13f9862ef4406d0f10580a0305…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.class.php
Log Message:
-----------
Backport Content-Security-Policy from latest release
This way it will work well on current browsers.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: abfd97983a01556dccf92bbeb932a543ef8c6b80
https://github.com/phpmyadmin/phpmyadmin/commit/abfd97983a01556dccf92bbeb93…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/get_image.js.php
Log Message:
-----------
Escape attributes when showing images in javascript
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 02971f754fc4623ce3a4edaf25b9dcb0ce2af271
https://github.com/phpmyadmin/phpmyadmin/commit/02971f754fc4623ce3a4edaf25b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M js/ajax.js
Log Message:
-----------
Escape HTML when rendering AJAX error
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 8c336ba285f3789c9afc15195f1f3e7b65fe2689
https://github.com/phpmyadmin/phpmyadmin/commit/8c336ba285f3789c9afc15195f1…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/Header.class.php
Log Message:
-----------
Update referrer <meta> to match current standards
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 351019c07429d2d6498e9abaa693ce8d88eadb5f
https://github.com/phpmyadmin/phpmyadmin/commit/351019c07429d2d6498e9abaa69…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-20 (Mon, 20 Jun 2016)
Changed paths:
M libraries/tbl_columns_definition_form.inc.php
Log Message:
-----------
Quote delimiter before using preg_replace
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 9b6f64b8b972f97711463a3c60c6a0f0c247a1b9
https://github.com/phpmyadmin/phpmyadmin/commit/9b6f64b8b972f97711463a3c60c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/TableSearch.class.php
Log Message:
-----------
Properly escape zoom search column type
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: b974b567811db3461b7a0c8eb1bae1024904277d
https://github.com/phpmyadmin/phpmyadmin/commit/b974b567811db3461b7a0c8eb1b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M js/tbl_chart.js
Log Message:
-----------
Fixed rendering of chart of columns with HTML inside
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: b04150e30ee5614ded9e072e4823fa6e3d1b15e6
https://github.com/phpmyadmin/phpmyadmin/commit/b04150e30ee5614ded9e072e482…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php
M libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
Log Message:
-----------
Do not allow javascript: links in transformation
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c3d22bee082e8fb8e86492647255a0406ef68a68
https://github.com/phpmyadmin/phpmyadmin/commit/c3d22bee082e8fb8e8649264725…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-22 (Wed, 22 Jun 2016)
Changed paths:
M ChangeLog
Log Message:
-----------
Changelog entries for security release
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Commit: 83416df64f2277d8853fcdd048df7bb154514d03
https://github.com/phpmyadmin/phpmyadmin/commit/83416df64f2277d8853fcdd048d…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-06-23 (Thu, 23 Jun 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.class.php
Log Message:
-----------
Release 4.0.10.16
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/ee10ed130626...83416df64f22