Branch: refs/heads/MAINT_4_0_10
Home:
https://github.com/phpmyadmin/phpmyadmin
Commit: 285e5623b638cb414b3c3e5ab7c0f3126d616b54
https://github.com/phpmyadmin/phpmyadmin/commit/285e5623b638cb414b3c3e5ab7c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/core.lib.php
M libraries/plugins/auth/AuthenticationCookie.class.php
M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message:
-----------
Strip null bytes from MySQL username
In old PHP versions this could lead to allow/deny rules bypass.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 58245cb1cc25a1b167941cf30a4cc742a27c0b5b
https://github.com/phpmyadmin/phpmyadmin/commit/58245cb1cc25a1b167941cf30a4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/ip_allow_deny.lib.php
Log Message:
-----------
Use hash_equals for comparing username in allow/deny rules
The comparison should happen in constant time to avoid possible leak of
usernames in rules.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6117ad5cef7bbe3ff080efb557bbafaff757e0ea
https://github.com/phpmyadmin/phpmyadmin/commit/6117ad5cef7bbe3ff080efb557b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/plugins/auth/AuthenticationCookie.class.php
M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message:
-----------
Use hash_equals for checking username
This makes the comparison happen in constant time and makes it
impossible to use it to guess stored usernames.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: f2add98bd93fa96da130214e78eacb01893aa89a
https://github.com/phpmyadmin/phpmyadmin/commit/f2add98bd93fa96da130214e78e…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/Error.class.php
M test/classes/PMA_Error_test.php
Log Message:
-----------
Strip path even if openbasedir restrictions apply
This really should not be the case here as what we get here is code
executed by PHP, so it should have already passed openbasedir
restrictions.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: c2f7a898ddf69422af218718d20c7eb6af62cb88
https://github.com/phpmyadmin/phpmyadmin/commit/c2f7a898ddf69422af218718d20…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M js/ajax.js
Log Message:
-----------
Store copy of hash instead of working on live object
This avoids possible race conditions when doing the checks.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 096856c70c1b8b1b9a94a54ee780f7be623fd1c5
https://github.com/phpmyadmin/phpmyadmin/commit/096856c70c1b8b1b9a94a54ee78…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/navigation/NavigationHeader.class.php
Log Message:
-----------
Stricter validation of NavigationLogoLink
It now has to be URL including scheme. Otherwise it's not really
possible to validate it for being just http/https.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: b2605ebba6ca729fd0157a0774d173e3ec04eabb
https://github.com/phpmyadmin/phpmyadmin/commit/b2605ebba6ca729fd0157a0774d…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M js/config.js
Log Message:
-----------
Fix hash validation
- use copy of hash to avoid race condition
- stricter regex to match whole string
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 67700620db6b494c9ecab9f4268d30cf4afb01b3
https://github.com/phpmyadmin/phpmyadmin/commit/67700620db6b494c9ecab9f4268…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/DBQbe.class.php
Log Message:
-----------
Limit maximal number of rows in QBE
User would be lost in them anyway by that count and it prevents DOS.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: d37abc38daca9c1ebc074e3b4e9b2bdfc1cf523d
https://github.com/phpmyadmin/phpmyadmin/commit/d37abc38daca9c1ebc074e3b4e9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-24 (Wed, 24 Aug 2016)
Changed paths:
M ChangeLog
M index.php
Log Message:
-----------
Do not show warning about short blowfish_secret if none is set
With empty blowfish_secret user would always get both warnings...
Fixes #12485
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 0c3dfd186c281710516805f97a9875149abeb3ce
https://github.com/phpmyadmin/phpmyadmin/commit/0c3dfd186c281710516805f97a9…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M import.php
Log Message:
-----------
Fix possible DOS on too big skip value
- loop only as long as long we have data to skip
- convert skip parameter to integer
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: af7c58939155d407233c8c3bf6f2ad3e540f489a
https://github.com/phpmyadmin/phpmyadmin/commit/af7c58939155d407233c8c3bf6f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M index.php
M libraries/core.lib.php
Log Message:
-----------
Stricter URL validation
- do not use empty() as empty('0') is true
- do not lowercase the strings, use them as they are
- lowercase all domains in our codebase
- do not allow to specify port
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 63b7f6c0a94af5d7402c4f198846dc0c066f5413
https://github.com/phpmyadmin/phpmyadmin/commit/63b7f6c0a94af5d7402c4f19884…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M libraries/ip_allow_deny.lib.php
Log Message:
-----------
Use hash_equals when comparing IPv6 allow rules
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 773f126c89aca6588258753218e600c5764857c2
https://github.com/phpmyadmin/phpmyadmin/commit/773f126c89aca6588258753218e…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-10-02 (Sun, 02 Oct 2016)
Changed paths:
M prefs_manage.php
Log Message:
-----------
Don't assume the default arg_separator in URL
Respect the value for arg_separator.input too.
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: 5e108a340f3eac6b6c488439343b6c1a7454787c
https://github.com/phpmyadmin/phpmyadmin/commit/5e108a340f3eac6b6c488439343…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths:
M libraries/core.lib.php
M test/libraries/core/PMA_safeUnserialize_test.php
Log Message:
-----------
Correctly parse string length when checking serialized data
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: be5196ba44e6f029de11abe32cea72161c698533
https://github.com/phpmyadmin/phpmyadmin/commit/be5196ba44e6f029de11abe32ce…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths:
M prefs_manage.php
Log Message:
-----------
Merge branch 'MAINT_4_0_10-security' of
github.com:phpmyadmin/phpmyadmin-security into MAINT_4_0_10-security
Commit: 54875fffc12da0f1c0c2b6042e638b08fc337e2a
https://github.com/phpmyadmin/phpmyadmin/commit/54875fffc12da0f1c0c2b6042e6…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths:
M tbl_tracking.php
Log Message:
-----------
Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: 337b38044ddfe74d334831390c6cb40cd2f001f1
https://github.com/phpmyadmin/phpmyadmin/commit/337b38044ddfe74d334831390c6…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths:
M libraries/Tracker.class.php
Log Message:
-----------
Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: 670359777263517b92908677fafc7e8dcd377ec5
https://github.com/phpmyadmin/phpmyadmin/commit/670359777263517b92908677faf…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-11-08 (Tue, 08 Nov 2016)
Changed paths:
M libraries/core.lib.php
M test/libraries/core/PMA_sanitizeMySQLHost_test.php
Log Message:
-----------
Handle multiple `:p` while sanitizing MySQL hosts
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: 8783113cec408ad9a81f17e3a97db6c4732e6164
https://github.com/phpmyadmin/phpmyadmin/commit/8783113cec408ad9a81f17e3a97…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-11-24 (Thu, 24 Nov 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.class.php
Log Message:
-----------
4.0.10.18 release and ChangeLog
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Compare:
https://github.com/phpmyadmin/phpmyadmin/compare/5ba96c8804d9...8783113cec40