The branch, QA_3_4 has been updated
via c5a641961861f3e82b282582c1b86222d73409bf (commit)
via bda213c58aec44925be661acb0e76c19483ea170 (commit)
via 2f28ce9c800274190418da0945ce3647d36e1db6 (commit)
via 4039683ab3ca63c979948e02345b6d38452f8dee (commit)
from c02bd600eeee9a9f17a51c602bc32917de5e28eb (commit)
- Log -----------------------------------------------------------------
commit c5a641961861f3e82b282582c1b86222d73409bf
Merge: c02bd60 bda213c
Author: Marc Delisle <marc(a)infomarc.info>
Date: Thu Sep 8 15:41:40 2011 -0400
Merge branch 'MAINT_3_4_5' into QA_3_4
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 2 ++
js/functions.js | 15 +++++++++++++--
js/sql.js | 2 +-
js/tbl_structure.js | 4 ++--
4 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 614d066..94d28fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,8 @@ phpMyAdmin - ChangeLog
- [export] Remove native Excel export modules (xls and xlsx formats)
- [import] Remove native Excel import modules (xls and xlsx formats)
- bug #3392920 [edit] BLOB emptied after editing another column
+- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14
+- [security] Fixed XSS with db/table/column names, see PMASA-2011-14
3.4.4.0 (2011-08-24)
- bug #3323060 [parser] SQL parser breaks AJAX requests if query has unclosed quotes
diff --git a/js/functions.js b/js/functions.js
index 75fd677..b076661 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -172,7 +172,7 @@ function selectContent( element, lock, only_once ) {
}
/**
- * Displays a confirmation box before to submit a "DROP/DELETE/ALTER" query.
+ * Displays a confirmation box before submitting a "DROP/DELETE/ALTER" query.
* This function is called while clicking links
*
* @param object the link
@@ -1657,7 +1657,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDropDatabaseStrongWarning'] +
'\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP
DATABASE ' + window.parent.db;
+ var question = PMA_messages['strDropDatabaseStrongWarning'] +
'\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP
DATABASE ' + escapeHtml(window.parent.db);
$(this).PMA_confirm(question, $(this).attr('href') ,function(url) {
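Review bot: Whether `escapeHtml(window.parent.db)` is the right transform depends on how `PMA_confirm` renders `question`, and that is not visible in this hunk: entity-escaping is correct only if the dialog injects the string as HTML, whereas a text-rendering dialog would now show a database named `a&b` as `a&amp;b`. A one-line comment on the `var question` line would pin that assumption for the next maintainer, e.g. `// PMA_confirm renders question as HTML, so the db name must be entity-escaped (PMASA-2011-14)`. Note that the escaping only affects the preview text; the request actually submitted still comes from `$(this).attr('href')`, which this hunk does not change. The enclosing `$(document).ready` handler starts and ends outside the hunk.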
@@ -2287,3 +2287,14 @@ $(document).ready(function() {
}) // end of $(document).ready()
+/**
+ * HTML escaping
+ */
+function escapeHtml(unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(/</g, "<")
+ .replace(/>/g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+}
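Review bot: As printed, every `.replace()` in `escapeHtml` maps a character to itself (`/&/g` → `"&"`, `/</g` → `"<"`, and so on), which would make the function a no-op and leave the XSS unfixed; this is most likely the mail rendering having decoded the entity references, but the committed file should be checked to contain `&amp;`, `&lt;`, `&gt;`, `&quot;` and an apostrophe entity such as `&#039;` as the replacement strings. Independently, the function calls `.replace` directly on its argument, so an `undefined` or non-string value (nothing visible guarantees `window.parent.db` is set) throws a TypeError instead of yielding an empty or stringified result; a guard such as `if (unsafe === undefined || unsafe === null) { return ''; }` followed by `return String(unsafe)` at the head of the chain would make the three callers in this commit safe. The header comment should also state the contract, e.g. `@param string unsafe   text to embed in HTML` and `@return string   entity-escaped copy safe to pass to .html()`.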
diff --git a/js/sql.js b/js/sql.js
index dbba441..842b6c6 100644
--- a/js/sql.js
+++ b/js/sql.js
@@ -1111,7 +1111,7 @@ function PMA_unInlineEditRow($del_hide, $chg_submit, $this_td,
$input_siblings,
}
}
}
- $this_sibling.html(new_html);
+ $this_sibling.text(new_html);
}
})
}
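Review bot: Switching to `.text()` neutralises the injection, but the value is still named `new_html`, and any markup the earlier part of `PMA_unInlineEditRow` builds on purpose (the function starts before this hunk, so that cannot be checked here) would now be displayed literally as tags. If the value is plain cell content, rename it to `new_text` and record why it must stay text, e.g. `// user-supplied cell value: insert as text, never via .html() (PMASA-2011-14)`, so a later edit does not quietly reintroduce `.html()`. If the function writes edited values into other siblings with the same `.html()` pattern, those writes need the same treatment.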
diff --git a/js/tbl_structure.js b/js/tbl_structure.js
index 352848c..493f0eb 100644
--- a/js/tbl_structure.js
+++ b/js/tbl_structure.js
@@ -44,7 +44,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE
`' + curr_table_name + '` DROP `' + curr_column_name + '`';
+ var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE
`' + escapeHtml(curr_table_name) + '` DROP `' + escapeHtml(curr_column_name) +
'`';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
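Review bot: `escapeHtml` is not defined in this file — it is the global added to js/functions.js in the same commit — so this handler now requires functions.js to be loaded before tbl_structure.js, and nothing here records that dependency; if functions.js is ever omitted on the structure page, the click handler fails with a ReferenceError before any confirmation appears. A short comment on the `var question` line would help: `// escapeHtml() is defined in js/functions.js; question is rendered as HTML by PMA_confirm (PMASA-2011-14)`. Note that the escaping changes only the preview string; the statement actually executed is driven by `$(this).attr('href')`, which is untouched here. The surrounding click handler starts and ends outside the hunk.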
@@ -83,7 +83,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE
`' + curr_table_name + '` ADD PRIMARY KEY(`' + curr_column_name +
'`)';
+ var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE
`' + escapeHtml(curr_table_name) + '` ADD PRIMARY KEY(`' +
escapeHtml(curr_column_name) + '`)';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {