The branch, QA_3_3 has been updated via 8b53799f0da2992b41c1895a8e9f7db10fd2a82f (commit) via 5a0fec9b3c6327bf8d4be31190f0a780a0071e2c (commit) via 41145feb12e1fe2f7af54c1ccb89a714c39bfb12 (commit) via d128f806057e752db082272fd5e5c2f7244821b9 (commit) via 59b3b4916b31fa44f31b1e2d243ca7dda012ba37 (commit) via 782b8b46be4f06c695ab713eeefbd75970358e2f (commit) via bf60ec82e948450ae18b9e66c48d27da55ebe860 (commit) via f273e6cbf6e2eea7367f7ef9c63c97ea55b92ca0 (commit) via d2e0e09e0d402555a6223f0b683fdbfa97821a63 (commit) via b337f45a0a1ba8ff28e3d13f194f137e9aa85e8e (commit) via 05ca00e0a20d0eb4848d69bf7a1365df5bba872d (commit) via 48e909660032ddcbc13172830761e363e7a64d72 (commit) via be0f47a93141e2950ad400b8d22a2a98512825c2 (commit) via cd205cc55a46e3dc0f8883966f5c854f842e1000 (commit) via 7dc6cea06522b2d4af50934c983f3967540a4918 (commit) via 6028221d97efa2a7d56a61ab4c5750d1b2343619 (commit) via 2a1233b69ccc6c64819c2840ca5277c2dde0b9e0 (commit) via 25ac7de38c125d8067f42bab24212891389ac1e3 (commit) via fa30188dde357426d339d0d7e29a3969f88d188a (commit) via 00add5c43f594f80dab6304a5bb35d2e50540d2d (commit) via c75e41d5d8cdd9bbc745c8cbe2c16998fda1de0c (commit) via 533e10213590e7ccd83b98a5cd19ba1c3be119dd (commit) via ea3b718fc379c15e773cc2f18ea4c8ccfa9af57b (commit) via 7f266483b827fb05a4be11663003418c2ef1c878 (commit) via 5bcd95a42c8ba924d389eafee4d7be80bd4039a3 (commit) via 6d548f7d449b7d4b796949d10a503484f63eaf82 (commit) from 893abac3e516b3f6143925a5f24c8bc463639167 (commit)
- Log ----------------------------------------------------------------- -----------------------------------------------------------------------
Summary of changes: ChangeLog | 3 +++ db_search.php | 2 +- db_sql.php | 2 +- error.php | 10 +++++++--- libraries/common.lib.php | 2 +- libraries/core.lib.php | 7 ++++--- libraries/database_interface.lib.php | 4 ++++ libraries/db_info.inc.php | 3 ++- libraries/dbi/mysql.dbi.lib.php | 2 ++ libraries/dbi/mysqli.dbi.lib.php | 2 ++ libraries/sanitizing.lib.php | 17 +++++++++++++++-- libraries/sqlparser.lib.php | 2 +- server_databases.php | 22 ++++++++++++++++++---- server_privileges.php | 30 +++++++++++++++--------------- sql.php | 14 +++++++------- tbl_sql.php | 2 +- 16 files changed, 84 insertions(+), 40 deletions(-)
diff --git a/ChangeLog b/ChangeLog index f53c063..81670e9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #3044189 [doc] Cleared documentation for hide_db. - bug #3042495 [core] Move PMA_sendHeaderLocation to core.lib.php.
+3.3.5.1 (2010-10-20) +- [core] Fixed various XSS issues, see PMASA-2010-5 for more details. + 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of databases, thanks to Stéphane Pontier - shadow_walker diff --git a/db_search.php b/db_search.php index 751675d..455aa61 100644 --- a/db_search.php +++ b/db_search.php @@ -355,7 +355,7 @@ $alter_select = <tr><td align="right"> <?php echo $GLOBALS['strSearchInField']; ?></td> <td><input type="text" name="field_str" size="60" - value="<?php echo ! empty($field_str) ? $field_str : ''; ?>" /></td> + value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td> </tr> </table> </fieldset> diff --git a/db_sql.php b/db_sql.php index 2ac198b..420561e 100644 --- a/db_sql.php +++ b/db_sql.php @@ -37,7 +37,7 @@ if ($num_tables == 0 && empty($db_query_force)) { /** * Query box, bookmark, insert data from textfile */ -PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';'); +PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/** * Displays the footer diff --git a/error.php b/error.php index 674d08e..7e86ffb 100644 --- a/error.php +++ b/error.php @@ -76,10 +76,14 @@ header('Content-Type: text/html; charset=' . $charset); <body> <h1>phpMyAdmin - <?php echo $type; ?></h1> <p><?php -if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { - echo PMA_sanitize(stripslashes($_REQUEST['error'])); +if (!empty($_REQUEST['error'])) { + if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { + echo PMA_sanitize(stripslashes($_REQUEST['error'])); + } else { + echo PMA_sanitize($_REQUEST['error']); + } } else { - echo PMA_sanitize($_REQUEST['error']); + echo 'No error message!'; } ?></p> </body> diff --git a/libraries/common.lib.php b/libraries/common.lib.php index 1a62769..d5b38cc 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php @@ -575,7 +575,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '', $formatted_sql = ''; } else { if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) { - $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]'; + $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]'; } else { $formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query); } diff --git a/libraries/core.lib.php b/libraries/core.lib.php index 3e6cc00..f7f9da4 100644 --- a/libraries/core.lib.php +++ b/libraries/core.lib.php @@ -614,22 +614,23 @@ function PMA_setCookie($cookie, $value, $default = null, $validity = null, $http function PMA_sendHeaderLocation($uri) { if (PMA_IS_IIS && strlen($uri) > 600) { + require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' . "\n"; echo '<meta http-equiv="expires" content="0">' . "\n"; echo '<meta http-equiv="Pragma" content="no-cache">' . "\n"; echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n"; - echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n"; + echo '<meta http-equiv="Refresh" content="0;url=' . htmlspecialchars($uri) . '">' . "\n"; echo '<script type="text/javascript">' . "\n"; echo '//<![CDATA[' . "\n"; - echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n"; + echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n"; echo '//]]>' . "\n"; echo '</script>' . "\n"; echo '</head>' . "\n"; echo '<body>' . "\n"; echo '<script type="text/javascript">' . "\n"; echo '//<![CDATA[' . "\n"; - echo 'document.write(\'<p><a href="' . $uri . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n"; + echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n"; echo '//]]>' . "\n"; echo '</script></body></html>' . "\n";
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php index 501c34d..300a925 100644 --- a/libraries/database_interface.lib.php +++ b/libraries/database_interface.lib.php @@ -205,6 +205,10 @@ function PMA_usort_comparison_callback($a, $b) } else { $sorter = 'strcasecmp'; } + /* No sorting when key is not present */ + if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) { + return 0; + } // produces f.e.: // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"]) return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]); diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php index 4f59baa..1e5b401 100644 --- a/libraries/db_info.inc.php +++ b/libraries/db_info.inc.php @@ -213,7 +213,8 @@ if (! isset($sot_ready)) { );
// Make sure the sort type is implemented - if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) { + if (isset($sortable_name_mappings[$_REQUEST['sort']])) { + $sort = $sortable_name_mappings[$_REQUEST['sort']]; if ($_REQUEST['sort_order'] == 'DESC') { $sort_order = 'DESC'; } diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php index 2754588..4750ee2 100644 --- a/libraries/dbi/mysql.dbi.lib.php +++ b/libraries/dbi/mysql.dbi.lib.php @@ -348,6 +348,8 @@ function PMA_DBI_getError($link = null) $error_message = PMA_DBI_convert_message($error_message); }
+ $error_message = htmlspecialchars($error_message); + // Some errors messages cannot be obtained by mysql_error() if ($error_number == 2002) { $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem']; diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php index f3bcf26..9672385 100644 --- a/libraries/dbi/mysqli.dbi.lib.php +++ b/libraries/dbi/mysqli.dbi.lib.php @@ -405,6 +405,8 @@ function PMA_DBI_getError($link = null) $error_message = PMA_DBI_convert_message($error_message); }
+ $error_message = htmlspecialchars($error_message); + if ($error_number == 2002) { $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem']; } else { diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php index 2b54bf1..d17fc50 100644 --- a/libraries/sanitizing.lib.php +++ b/libraries/sanitizing.lib.php @@ -9,17 +9,26 @@
/** * Sanitizes $message, taking into account our special codes - * for formatting + * for formatting. + * + * If you want to include result in element attribute, you should escape it. + * + * Examples: + * + * <p><?php echo PMA_sanitize($foo); ?></p> + * + * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a> * * @uses preg_replace() * @uses strtr() * @param string the message + * @param boolean whether to escape html in result * * @return string the sanitized message * * @access public */ -function PMA_sanitize($message) +function PMA_sanitize($message, $escape = false) { $replace_pairs = array( '<' => '<', @@ -67,6 +76,10 @@ function PMA_sanitize($message) $message = preg_replace($pattern, '<a href="\1" target="\2">', $message); }
+ if ($escape) { + $message = htmlspecialchars($message); + } + return $message; } ?> diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php index 53f239a..f844e23 100644 --- a/libraries/sqlparser.lib.php +++ b/libraries/sqlparser.lib.php @@ -2456,7 +2456,7 @@ if (! defined('PMA_MINIMUM_COMMON')) { } $after .= "\n"; */ - $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after; + $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after; } // end for if ($mode=='color') { $str .= '</span>'; diff --git a/server_databases.php b/server_databases.php index 47037cc..5e6d0ec 100644 --- a/server_databases.php +++ b/server_databases.php @@ -22,7 +22,21 @@ require './libraries/replication.inc.php'; if (empty($_REQUEST['sort_by'])) { $sort_by = 'SCHEMA_NAME'; } else { - $sort_by = PMA_sanitize($_REQUEST['sort_by']); + $sort_by_whitelist = array( + 'SCHEMA_NAME', + 'DEFAULT_COLLATION_NAME', + 'SCHEMA_TABLES', + 'SCHEMA_TABLE_ROWS', + 'SCHEMA_DATA_LENGTH', + 'SCHEMA_INDEX_LENGTH', + 'SCHEMA_LENGTH', + 'SCHEMA_DATA_FREE' + ); + if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) { + $sort_by = $_REQUEST['sort_by']; + } else { + $sort_by = 'SCHEMA_NAME'; + } }
if (isset($_REQUEST['sort_order']) @@ -342,11 +356,11 @@ if ($databases_count > 0) { unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) { - $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats; + $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats)); echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . $strWithChecked . '" />' . "\n" - . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n" + . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n" . ' ' . $strCheckAll . '</a> / ' . "\n" - . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n" + . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n" . ' ' . $strUncheckAll . '</a>' . "\n" . '<i>' . $strWithChecked . '</i>' . "\n"; PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', $strDrop, 'b_deltbl.png'); diff --git a/server_privileges.php b/server_privileges.php index 3f14c3f..44e9be7 100644 --- a/server_privileges.php +++ b/server_privileges.php @@ -1153,7 +1153,7 @@ if (!empty($update_privs)) { } $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2; $message = PMA_Message::success('strUpdatePrivMessage'); - $message->addParam(''' . $username . ''@'' . $hostname . '''); + $message->addParam(''' . htmlspecialchars($username) . ''@'' . htmlspecialchars($hostname) . '''); }
@@ -1177,7 +1177,7 @@ if (isset($_REQUEST['revokeall'])) { } $sql_query = $sql_query0 . ' ' . $sql_query1; $message = PMA_Message::success('strRevokeMessage'); - $message->addParam(''' . $username . ''@'' . $hostname . '''); + $message->addParam(''' . htmlspecialchars($username) . ''@'' . htmlspecialchars($hostname) . '''); if (! isset($tablename)) { unset($dbname); } else { @@ -1213,7 +1213,7 @@ if (isset($_REQUEST['change_pw'])) { PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); $message = PMA_Message::success('strPasswordChanged'); - $message->addParam(''' . $username . ''@'' . $hostname . '''); + $message->addParam(''' . htmlspecialchars($username) . ''@'' . htmlspecialchars($hostname) . '''); } }
@@ -1595,8 +1595,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($dbname)) { echo ' <i><a href="server_privileges.php?' - . $GLOBALS['url_query'] . '&username=' . urlencode($username) - . '&hostname=' . urlencode($hostname) . '&dbname=&tablename=">'' + . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username)) + . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">'' . htmlspecialchars($username) . ''@'' . htmlspecialchars($hostname) . ''</a></i>' . "\n"; $url_dbname = urlencode(str_replace(array('_', '%'), array('_', '%'), $dbname)); @@ -1604,8 +1604,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] ); if (isset($tablename)) { echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] - . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname) - . '&dbname=' . $url_dbname . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>'; + . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname)) + . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>'; echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>'; } else { echo ' <i>' . htmlspecialchars($dbname) . '</i>'; @@ -1839,16 +1839,16 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs } echo '</td>' . "\n" . ' <td>'; - printf($link_edit, urlencode($username), - urlencode($hostname), - urlencode((! isset($dbname)) ? $row['Db'] : $dbname), + printf($link_edit, htmlspecialchars(urlencode($username)), + urlencode(htmlspecialchars($hostname)), + urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); echo '</td>' . "\n" . ' <td>'; if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) { - printf($link_revoke, urlencode($username), - urlencode($hostname), - urlencode((! isset($dbname)) ? $row['Db'] : $dbname), + printf($link_revoke, htmlspecialchars(urlencode($username)), + urlencode(htmlspecialchars($hostname)), + urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? '' : $row['Table_name'])); } echo '</td>' . "\n" @@ -1928,7 +1928,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs if (isset($tablename)) { echo ' [ ' . $GLOBALS['strTable'] . ' <a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] - . '&db=' . $url_dbname . '&table=' . urlencode($tablename) + . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename)) . '&reload=1">' . htmlspecialchars($tablename) . ': ' . PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable']) . "</a> ]\n"; @@ -2155,7 +2155,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
// Offer to create a new user for the current database echo '<fieldset id="fieldset_add_user">' . "\n" - . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . $checkprivs .'">' . "\n" + . ' <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . htmlspecialchars($checkprivs) .'">' . "\n" . PMA_getIcon('b_usradd.png') . ' ' . $GLOBALS['strAddUser'] . '</a>' . "\n" . '</fieldset>' . "\n"; diff --git a/sql.php b/sql.php index 4dbfee2..b728184 100644 --- a/sql.php +++ b/sql.php @@ -175,14 +175,14 @@ if ($do_confirm) { .PMA_generate_common_hidden_inputs($db, $table); ?> <input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" /> - <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" /> + <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" /> <input type="hidden" name="goto" value="<?php echo $goto; ?>" /> - <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" /> - <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" /> - <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" /> - <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" /> - <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" /> - <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" /> + <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" /> + <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" /> + <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" /> + <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" /> + <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" /> + <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" /> <?php echo '<fieldset class="confirmation">' . "\n" .' <legend>' . $strDoYouReally . '</legend>' diff --git a/tbl_sql.php b/tbl_sql.php index 5565d92..f3c3aac 100644 --- a/tbl_sql.php +++ b/tbl_sql.php @@ -38,7 +38,7 @@ require_once './libraries/tbl_links.inc.php'; /** * Query box, bookmark, insert data from textfile */ -PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';'); +PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
/** * Displays the footer
hooks/post-receive