[phpMyAdmin Git] [phpmyadmin/phpmyadmin] 285e56: Strip null bytes from MySQL username

Branch: refs/heads/MAINT_4_0_10 Home: https://github.com/phpmyadmin/phpmyadmin Commit: 285e5623b638cb414b3c3e5ab7c0f3126d616b54 https://github.com/phpmyadmin/phpmyadmin/commit/285e5623b638cb414b3c3e5ab7c… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/core.lib.php M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php Log Message: ----------- Strip null bytes from MySQL username In old PHP versions this could lead to allow/deny rules bypass. Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: 58245cb1cc25a1b167941cf30a4cc742a27c0b5b https://github.com/phpmyadmin/phpmyadmin/commit/58245cb1cc25a1b167941cf30a4… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/ip_allow_deny.lib.php Log Message: ----------- Use hash_equals for comparing username in allow/deny rules The comparison should happen in constant time to avoid possible leak of usernames in rules. Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: 6117ad5cef7bbe3ff080efb557bbafaff757e0ea https://github.com/phpmyadmin/phpmyadmin/commit/6117ad5cef7bbe3ff080efb557b… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php Log Message: ----------- Use hash_equals for checking username This makes the comparison happen in constant time and makes it impossible to use it to guess stored usernames. Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: f2add98bd93fa96da130214e78eacb01893aa89a https://github.com/phpmyadmin/phpmyadmin/commit/f2add98bd93fa96da130214e78e… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/Error.class.php M test/classes/PMA_Error_test.php Log Message: ----------- Strip path even if openbasedir restrictions apply This really should not be the case here as what we get here is code executed by PHP, so it should have already passed openbasedir restrictions. Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: c2f7a898ddf69422af218718d20c7eb6af62cb88 https://github.com/phpmyadmin/phpmyadmin/commit/c2f7a898ddf69422af218718d20… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M js/ajax.js Log Message: ----------- Store copy of hash instead of working on live object This avoids possible race conditions when doing the checks. Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: 096856c70c1b8b1b9a94a54ee780f7be623fd1c5 https://github.com/phpmyadmin/phpmyadmin/commit/096856c70c1b8b1b9a94a54ee78… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/navigation/NavigationHeader.class.php Log Message: ----------- Stricter validation of NavigationLogoLink It now has to be URL including scheme. Otherwise it's not really possible to validate it for being just http/https. Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: b2605ebba6ca729fd0157a0774d173e3ec04eabb https://github.com/phpmyadmin/phpmyadmin/commit/b2605ebba6ca729fd0157a0774d… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M js/config.js Log Message: ----------- Fix hash validation - use copy of hash to avoid race condition - stricter regex to match whole string Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: 67700620db6b494c9ecab9f4268d30cf4afb01b3 https://github.com/phpmyadmin/phpmyadmin/commit/67700620db6b494c9ecab9f4268… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-18 (Thu, 18 Aug 2016) Changed paths: M libraries/DBQbe.class.php Log Message: ----------- Limit maximal number of rows in QBE User would be lost in them anyway by that count and it prevents DOS. Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: d37abc38daca9c1ebc074e3b4e9b2bdfc1cf523d https://github.com/phpmyadmin/phpmyadmin/commit/d37abc38daca9c1ebc074e3b4e9… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-08-24 (Wed, 24 Aug 2016) Changed paths: M ChangeLog M index.php Log Message: ----------- Do not show warning about short blowfish_secret if none is set With empty blowfish_secret user would always get both warnings... Fixes #12485 Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: 0c3dfd186c281710516805f97a9875149abeb3ce https://github.com/phpmyadmin/phpmyadmin/commit/0c3dfd186c281710516805f97a9… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-09-02 (Fri, 02 Sep 2016) Changed paths: M import.php Log Message: ----------- Fix possible DOS on too big skip value - loop only as long as long we have data to skip - convert skip parameter to integer Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: af7c58939155d407233c8c3bf6f2ad3e540f489a https://github.com/phpmyadmin/phpmyadmin/commit/af7c58939155d407233c8c3bf6f… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-09-02 (Fri, 02 Sep 2016) Changed paths: M index.php M libraries/core.lib.php Log Message: ----------- Stricter URL validation - do not use empty() as empty('0') is true - do not lowercase the strings, use them as they are - lowercase all domains in our codebase - do not allow to specify port Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: 63b7f6c0a94af5d7402c4f198846dc0c066f5413 https://github.com/phpmyadmin/phpmyadmin/commit/63b7f6c0a94af5d7402c4f19884… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-09-02 (Fri, 02 Sep 2016) Changed paths: M libraries/ip_allow_deny.lib.php Log Message: ----------- Use hash_equals when comparing IPv6 allow rules Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: 773f126c89aca6588258753218e600c5764857c2 https://github.com/phpmyadmin/phpmyadmin/commit/773f126c89aca6588258753218e… Author: Deven Bansod <devenbansod.bits(a)gmail.com> Date: 2016-10-02 (Sun, 02 Oct 2016) Changed paths: M prefs_manage.php Log Message: ----------- Don't assume the default arg_separator in URL Respect the value for arg_separator.input too. Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com> Commit: 5e108a340f3eac6b6c488439343b6c1a7454787c https://github.com/phpmyadmin/phpmyadmin/commit/5e108a340f3eac6b6c488439343… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-10-04 (Tue, 04 Oct 2016) Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_safeUnserialize_test.php Log Message: ----------- Correctly parse string length when checking serialized data Signed-off-by: Michal Čihař <michal(a)cihar.com> Commit: be5196ba44e6f029de11abe32cea72161c698533 https://github.com/phpmyadmin/phpmyadmin/commit/be5196ba44e6f029de11abe32ce… Author: Michal Čihař <michal(a)cihar.com> Date: 2016-10-04 (Tue, 04 Oct 2016) Changed paths: M prefs_manage.php Log Message: ----------- Merge branch 'MAINT_4_0_10-security' of github.com:phpmyadmin/phpmyadmin-security into MAINT_4_0_10-security Commit: 54875fffc12da0f1c0c2b6042e638b08fc337e2a https://github.com/phpmyadmin/phpmyadmin/commit/54875fffc12da0f1c0c2b6042e6… Author: Deven Bansod <devenbansod.bits(a)gmail.com> Date: 2016-10-11 (Tue, 11 Oct 2016) Changed paths: M tbl_tracking.php Log Message: ----------- Manage new-lines and extra whitespaces properly Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com> Commit: 337b38044ddfe74d334831390c6cb40cd2f001f1 https://github.com/phpmyadmin/phpmyadmin/commit/337b38044ddfe74d334831390c6… Author: Deven Bansod <devenbansod.bits(a)gmail.com> Date: 2016-10-11 (Tue, 11 Oct 2016) Changed paths: M libraries/Tracker.class.php Log Message: ----------- Manage new-lines and extra whitespaces properly Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com> Commit: 670359777263517b92908677fafc7e8dcd377ec5 https://github.com/phpmyadmin/phpmyadmin/commit/670359777263517b92908677faf… Author: Deven Bansod <devenbansod.bits(a)gmail.com> Date: 2016-11-08 (Tue, 08 Nov 2016) Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_sanitizeMySQLHost_test.php Log Message: ----------- Handle multiple `:p` while sanitizing MySQL hosts Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com> Commit: 8783113cec408ad9a81f17e3a97db6c4732e6164 https://github.com/phpmyadmin/phpmyadmin/commit/8783113cec408ad9a81f17e3a97… Author: Isaac Bennetch <bennetch(a)gmail.com> Date: 2016-11-24 (Thu, 24 Nov 2016) Changed paths: M ChangeLog M README M doc/conf.py M libraries/Config.class.php Log Message: ----------- 4.0.10.18 release and ChangeLog Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com> Compare: https://github.com/phpmyadmin/phpmyadmin/compare/5ba96c8804d9...8783113cec40