Branch: refs/heads/MAINT_4_4_15 Home: https://github.com/phpmyadmin/phpmyadmin Commit: 4141d694eb212b676ccc768e61b4d4085566f0ed https://github.com/phpmyadmin/phpmyadmin/commit/4141d694eb212b676ccc768e61b4... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/core.lib.php M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php Log Message: ----------- Strip null bytes from MySQL username In old PHP versions this could lead to allow/deny rules bypass. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 259694af9a3ce80bd17db04f46fb631693d929b8 https://github.com/phpmyadmin/phpmyadmin/commit/259694af9a3ce80bd17db04f46fb... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/ip_allow_deny.lib.php Log Message: ----------- Use hash_equals for comparing username in allow/deny rules The comparison should happen in constant time to avoid possible leak of usernames in rules. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: f02555fe948c655877d318f82073cc83e333d99c https://github.com/phpmyadmin/phpmyadmin/commit/f02555fe948c655877d318f82073... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php Log Message: ----------- Use hash_equals for checking username This makes the comparison happen in constant time and makes it impossible to use it to guess stored usernames. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 6735d83e10ae33a20153eb5516fb2f1963a594a7 https://github.com/phpmyadmin/phpmyadmin/commit/6735d83e10ae33a20153eb5516fb... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/VersionInformation.php Log Message: ----------- Silent errors when getting remote file - both curl and fopen wrappers can emmit errors in cases where remote site is not accessible - do not pass false value to json_decode Signed-off-by: Michal Čihař <michal@cihar.com> Commit: ebcd746a2fc8b356e36c92fa6960d5f7256ebff0 https://github.com/phpmyadmin/phpmyadmin/commit/ebcd746a2fc8b356e36c92fa6960... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/export.lib.php Log Message: ----------- Remove debugging code Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 5f40a46d24068484a5afe0bbb4ce4e5c8a6c6094 https://github.com/phpmyadmin/phpmyadmin/commit/5f40a46d24068484a5afe0bbb4ce... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/Error.class.php M test/classes/PMA_Error_test.php Log Message: ----------- Strip path even if openbasedir restrictions apply This really should not be the case here as what we get here is code executed by PHP, so it should have already passed openbasedir restrictions. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 55c26d0065e83b9899ba90afb49dd72415c8d7f5 https://github.com/phpmyadmin/phpmyadmin/commit/55c26d0065e83b9899ba90afb49d... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M js/ajax.js Log Message: ----------- Store copy of hash instead of working on live object This avoids possible race conditions when doing the checks. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 9b8094bb0d61da59f80a2f927011068c8e0f3069 https://github.com/phpmyadmin/phpmyadmin/commit/9b8094bb0d61da59f80a2f927011... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/navigation/NavigationHeader.class.php Log Message: ----------- Stricter validation of NavigationLogoLink It now has to be URL including scheme. Otherwise it's not really possible to validate it for being just http/https. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 94736885a66a5b28665d252d3062824fca99dd01 https://github.com/phpmyadmin/phpmyadmin/commit/94736885a66a5b28665d252d3062... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M js/config.js Log Message: ----------- Fix hash validation - use copy of hash to avoid race condition - stricter regex to match whole string Signed-off-by: Michal Čihař <michal@cihar.com> Commit: fa3bcffd4e2e6d0d7f41f2ec0db2fe8d50a0635d https://github.com/phpmyadmin/phpmyadmin/commit/fa3bcffd4e2e6d0d7f41f2ec0db2... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/DBQbe.class.php M libraries/SavedSearches.class.php Log Message: ----------- Limit maximal number of rows in QBE User would be lost in them anyway by that count and it prevents DOS. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 18fdcd066467259a4fb866961dde73f7902c5e8c https://github.com/phpmyadmin/phpmyadmin/commit/18fdcd066467259a4fb866961dde... Author: Michal Čihař <michal@cihar.com> Date: 2016-08-24 (Wed, 24 Aug 2016) Changed paths: M ChangeLog M index.php Log Message: ----------- Do not show warning about short blowfish_secret if none is set With empty blowfish_secret user would always get both warnings... Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 38e4f77a8b0010a774d18cac4d41b104bff4bc53 https://github.com/phpmyadmin/phpmyadmin/commit/38e4f77a8b0010a774d18cac4d41... Author: Michal Čihař <michal@cihar.com> Date: 2016-09-02 (Fri, 02 Sep 2016) Changed paths: M import.php Log Message: ----------- Fix possible DOS on too big skip value - loop only as long as long we have data to skip - convert skip parameter to integer Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 499a61c7d831f424c1e68f734b587e6baa395634 https://github.com/phpmyadmin/phpmyadmin/commit/499a61c7d831f424c1e68f734b58... Author: Michal Čihař <michal@cihar.com> Date: 2016-09-02 (Fri, 02 Sep 2016) Changed paths: M index.php M libraries/core.lib.php Log Message: ----------- Stricter URL validation - do not use empty() as empty('0') is true - do not lowercase the strings, use them as they are - lowercase all domains in our codebase - do not allow to specify port Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 2cb51d22dba43f4a5d57d76ad8c734422db7c916 https://github.com/phpmyadmin/phpmyadmin/commit/2cb51d22dba43f4a5d57d76ad8c7... Author: Michal Čihař <michal@cihar.com> Date: 2016-09-02 (Fri, 02 Sep 2016) Changed paths: M libraries/ip_allow_deny.lib.php Log Message: ----------- Use hash_equals when comparing IPv6 allow rules Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 8ee12d39e568d46b358601be1217e5087f4acf75 https://github.com/phpmyadmin/phpmyadmin/commit/8ee12d39e568d46b358601be1217... Author: Michal Čihař <michal@cihar.com> Date: 2016-09-19 (Mon, 19 Sep 2016) Changed paths: M libraries/plugins/AuthenticationPlugin.class.php M libraries/plugins/auth/AuthenticationConfig.class.php M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php Log Message: ----------- Verify value of access_time to avoid unwanted session extension We need to ansure the access_time parameter is in valid range to avoid possibility of remotely extending session validity. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: e3f2c744916ebdd355f365eb350eed078e2542d7 https://github.com/phpmyadmin/phpmyadmin/commit/e3f2c744916ebdd355f365eb350e... Author: Deven Bansod <devenbansod.bits@gmail.com> Date: 2016-10-02 (Sun, 02 Oct 2016) Changed paths: M prefs_manage.php Log Message: ----------- Don't assume the default arg_separator in URL Respect the value for arg_separator.input too. Signed-off-by: Deven Bansod <devenbansod.bits@gmail.com> Commit: 1fc004d1730b3ca1b857d005de8a3d00d50cfdb4 https://github.com/phpmyadmin/phpmyadmin/commit/1fc004d1730b3ca1b857d005de8a... Author: Michal Čihař <michal@cihar.com> Date: 2016-10-04 (Tue, 04 Oct 2016) Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_safeUnserialize_test.php Log Message: ----------- Correctly parse string length when checking serialized data Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 6d7113776ce6384838b00112f821366a1b92de48 https://github.com/phpmyadmin/phpmyadmin/commit/6d7113776ce6384838b00112f821... Author: Michal Čihař <michal@cihar.com> Date: 2016-10-04 (Tue, 04 Oct 2016) Changed paths: M prefs_manage.php Log Message: ----------- Merge branch 'MAINT_4_4_15-security' of github.com:phpmyadmin/phpmyadmin-security into MAINT_4_4_15-security Commit: 9d0b1915d61e7289d234d26e6bdba021027fda87 https://github.com/phpmyadmin/phpmyadmin/commit/9d0b1915d61e7289d234d26e6bdb... Author: Deven Bansod <devenbansod.bits@gmail.com> Date: 2016-10-11 (Tue, 11 Oct 2016) Changed paths: M libraries/tracking.lib.php Log Message: ----------- Manage new-lines and extra whitespaces properly Signed-off-by: Deven Bansod <devenbansod.bits@gmail.com> Commit: d69375ff75bf58cbc35130081973a9ecfaec7d52 https://github.com/phpmyadmin/phpmyadmin/commit/d69375ff75bf58cbc35130081973... Author: Deven Bansod <devenbansod.bits@gmail.com> Date: 2016-10-11 (Tue, 11 Oct 2016) Changed paths: M libraries/Tracker.class.php Log Message: ----------- Manage new-lines and extra whitespaces properly Signed-off-by: Deven Bansod <devenbansod.bits@gmail.com> Commit: a9e3827b190c386fc6cc0389668545ff0e2b4fdb https://github.com/phpmyadmin/phpmyadmin/commit/a9e3827b190c386fc6cc03896685... Author: Deven Bansod <devenbansod.bits@gmail.com> Date: 2016-11-08 (Tue, 08 Nov 2016) Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_sanitizeMySQLHost_test.php Log Message: ----------- Handle multiple `p:` while sanitizing MySQL hosts Signed-off-by: Deven Bansod <devenbansod.bits@gmail.com> Commit: 0748384685693e3ecf97b021ccab075e295d4d65 https://github.com/phpmyadmin/phpmyadmin/commit/0748384685693e3ecf97b021ccab... Author: Isaac Bennetch <bennetch@gmail.com> Date: 2016-11-24 (Thu, 24 Nov 2016) Changed paths: M ChangeLog M README M doc/conf.py M libraries/Config.class.php Log Message: ----------- 4.4.15.9 release and ChangeLog Signed-off-by: Isaac Bennetch <bennetch@gmail.com> Compare: https://github.com/phpmyadmin/phpmyadmin/compare/39864227e7c3...074838468569