The branch, MAINT_3_3_10 has been updated via 6f982a164575ab0d4f35aba9425576189e4013d5 (commit) via 75606e5f82280eb1a3817badf1b24d512a010b80 (commit) via 1a89c8ecfd09ceace81fb11e488f12599c0e49b6 (commit) via 2fbf631384fd8cded55f4500cb87b129442f9ed2 (commit) via 5fa86b8e81565c15ddbc359e8f59ecd829a2b717 (commit) via e3d3ef7af2915cf30bf6f3e69e75f9eb58d94be9 (commit) via c79375598d46552fc1717f798a6560f9a1cdc102 (commit) from bd92c092cd422667097e98a3cd8ebc0140338244 (commit)
- Log ----------------------------------------------------------------- commit 6f982a164575ab0d4f35aba9425576189e4013d5 Author: Marc Delisle marc@infomarc.info Date: Thu Nov 10 08:42:22 2011 -0500
3.3.10.5 release
-----------------------------------------------------------------------
Summary of changes: ChangeLog | 4 +++ Documentation.html | 10 +++++++- README | 2 +- db_datadict.php | 2 +- libraries/Config.class.php | 2 +- libraries/import/ods.php | 12 ++++++++++ libraries/import/xml.php | 50 +++++++++++++++++++++++++++---------------- translators.html | 4 +- 8 files changed, 60 insertions(+), 26 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ddc085d..7a69d01 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@ phpMyAdmin - ChangeLog $Id$ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/C... $
+3.3.10.5 (2011-11-10) +- [security] Fixed possible local file inclusion in XML import +(CVE-2011-4107). + 3.3.10.4 (2011-08-24) - [security] Missing sanitization on the table, column and index names leads to XSS vulnerabilities, see PMASA-2011-13
diff --git a/Documentation.html b/Documentation.html
index 7ee8e50..3a115a7 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -10,7 +10,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78 <link rel="icon" href="./favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.3.10.4 - Documentation</title>
+ <title>phpMyAdmin 3.3.10.5 - Documentation</title>
<link rel="stylesheet" type="text/css" href="docs.css" /> </head>
@@ -18,7 +18,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78 <div id="header"> <h1> <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.10.4
+ 3.3.10.5
Documentation </h1> </div>
@@ -81,6 +81,12 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78 </li> <li>To support upload progress bars, see <a href="#faq2_9"> <abbr title="Frequently Asked Questions">FAQ</abbr> 2.9</a>.</li>
+ <li>To support BLOB streaming, see PHP and MySQL requirements
+ in <a href="#faq6_25">
+ <abbr title="Frequently Asked Questions">FAQ</abbr> 6.25</a>.</li>
+ <li>To support XML and Open Document Spreadsheet importing,
+ you need PHP 5.2.17 or newer and the
+ <a href="http://www.php.net/libxml"><tt>libxml</tt></a> extension.</li>
</ul> </li> <li><b>MySQL</b> 5.0 or newer (<a href="#faq1_17">details</a>);</li>
diff --git a/README b/README
index 4d2bcbd..3ad7217 100644
--- a/README
+++ b/README
@@ -5,7 +5,7 @@ phpMyAdmin - Readme
A set of PHP-scripts to manage MySQL over the web.
- Version 3.3.10.4
+ Version 3.3.10.5
---------------- http://www.phpmyadmin.net/
diff --git a/db_datadict.php b/db_datadict.php
index 0c16cb7..086d7be 100644
--- a/db_datadict.php
+++ b/db_datadict.php
@@ -70,7 +70,7 @@ while ($row = PMA_DBI_fetch_assoc($rowset)) { echo '<div>' . "\n"; }
- echo '<h2>' . $table . '</h2>' . "\n";
+ echo '<h2>' . htmlspecialchars($table) . '</h2>' . "\n";
/** * Gets table informations
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index 0ace890..9dd464b 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -92,7 +92,7 @@ class PMA_Config */ function checkSystem() {
- $this->set('PMA_VERSION', '3.3.10.4');
+ $this->set('PMA_VERSION', '3.3.10.5');
/** * @deprecated */
diff --git a/libraries/import/ods.php b/libraries/import/ods.php
index 81aed5e..dcc6a51 100644
--- a/libraries/import/ods.php
+++ b/libraries/import/ods.php
@@ -14,6 +14,13 @@ if (! defined('PHPMYADMIN')) { }
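Review bot: The `htmlspecialchars($table)` added to the `<h2>` in db_datadict.php is a security-relevant change (a table name previously reached the page unescaped), yet the ChangeLog hunk for 3.3.10.5 records only the XML local file inclusion, so anyone reading the release notes will miss it. I would add a line beside the CVE entry, e.g. `- [security] Escape the table name in the data dictionary heading (db_datadict.php)`, or reference the advisory this completes if it is a follow-up to the PMASA-2011-13 work already listed. The default flags are adequate for text between `<h2>` tags, but passing `ENT_QUOTES, 'UTF-8'` explicitly would make the same expression safe if it is ever copied into an attribute context. The enclosing while loop begins outside the hunk, so I cannot see whether other echoes of `$table` in that loop body are escaped; worth a grep before release.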
/**
+ * We need way to disable external XML entities processing.
+ */
+if (!function_exists('libxml_disable_entity_loader')) {
+ return;
+}
+
+/**
* The possible scopes for $plugin_param are: 'table', 'database', and 'server' */
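Review bot: The new guard in ods.php bails out with a bare `return;` when `libxml_disable_entity_loader()` is unavailable, so on an older PHP the ODS import format simply vanishes with nothing in the UI or the error log saying why, and an operator may not realise the XML-entity protection is the reason. I would surface it before returning, at minimum `trigger_error('ODS import disabled: libxml_disable_entity_loader() is required to block external XML entities (CVE-2011-4107)', E_USER_WARNING);`, and point the docblock at the PHP requirement now stated in Documentation.html rather than the vague "We need way to disable". The identical check is pasted into xml.php in this same commit; a single shared helper under libraries/ would keep the two plugins in step when the requirement changes.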
@@ -62,6 +69,11 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) { unset($data);
/**
+ * Disable loading of external XML entities.
+ */
+libxml_disable_entity_loader();
+
+/**
* Load the XML string * * The option LIBXML_COMPACT is specified because it can
diff --git a/libraries/import/xml.php b/libraries/import/xml.php
index f62328e..9298225 100644
--- a/libraries/import/xml.php
+++ b/libraries/import/xml.php
@@ -13,6 +13,13 @@ if (! defined('PHPMYADMIN')) { }
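Review bot: `libxml_disable_entity_loader()` in ods.php flips a libxml setting that is global to the PHP process (or thread), and the previous state it returns is thrown away, so every later XML consumer in this request — and, depending on the SAPI, possibly later requests served by the same worker — inherits a disabled loader with no way to know. I would capture and restore it around the parse: `$prev_entity_loader = libxml_disable_entity_loader(true);` here, and `libxml_disable_entity_loader($prev_entity_loader);` once `simplexml_load_string` has returned, which happens below this hunk. Passing `true` explicitly also states the intent instead of leaning on the default argument. This call only blocks fetching external entities; the parse options on the load call below (outside the hunk) still decide what the parser does with the document, so they deserve a separate look.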
/**
+ * We need way to disable external XML entities processing.
+ */
+if (!function_exists('libxml_disable_entity_loader')) {
+ return;
+}
+
+/**
* The possible scopes for $plugin_param are: 'table', 'database', and 'server' */
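Review bot: This file-scope `return;` in xml.php runs at include time, so presumably the plugin's descriptor that follows (the `$plugin_param` scope block is the next thing visible) is never registered and the XML format silently disappears from the import list on a PHP without `libxml_disable_entity_loader()`. A silent downgrade of a security-gated feature should at least log; a one-line `trigger_error(..., E_USER_WARNING)` naming the missing function and the CVE from the ChangeLog would save the next operator a long debugging session. Since this block is byte-identical to the one added to ods.php in the same commit, I would also move it into a shared helper rather than maintain two copies. The docblock wording `We need way to disable external XML entities processing.` would read better as `Refuse to load without a way to block external XML entity loading (CVE-2011-4107).`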
@@ -57,6 +64,11 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) { unset($data);
/** + * Disable loading of external XML entities. + */ +libxml_disable_entity_loader(); + +/** * Load the XML string * * The option LIBXML_COMPACT is specified because it can @@ -141,19 +153,19 @@ if (isset($namespaces['pma'])) { * Get structures for all tables */ $struct = $xml->children($namespaces['pma']); - + $create = array(); - + foreach ($struct as $tier1 => $val1) { foreach($val1 as $tier2 => $val2) { /* Need to select the correct database for the creation of tables, views, triggers, etc. */ /** - * @todo Generating a USE here blocks importing of a table - * into another database. + * @todo Generating a USE here blocks importing of a table + * into another database. */ $attrs = $val2->attributes(); $create[] = "USE " . PMA_backquote($attrs["name"]); - + foreach ($val2 as $val3) { /** * Remove the extra cosmetic spacing @@ -163,7 +175,7 @@ if (isset($namespaces['pma'])) { } } } - + $struct_present = true; }
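Review bot: The docblock above `libxml_disable_entity_loader();` in xml.php says only "Disable loading of external XML entities", which undersells what the line is for and what it does not cover: it is the CVE-2011-4107 fix, it does not restore the previous loader state, and it does nothing about internal entity expansion (entity-blowup documents are bounded only by libxml's own limits, which `LIBXML_PARSEHUGE` on the load call would lift). I would expand the comment to say so and to name the CVE, and have the code keep the return value, `$prev_entity_loader = libxml_disable_entity_loader(true);`, so the load below can restore it. The `simplexml_load_string` call this protects is outside the hunk; its options should be confirmed not to include `LIBXML_NOENT` or `LIBXML_DTDLOAD`, since the hunk's comment gives a reader no reason to check. The remaining hunks in this file are trailing-whitespace cleanups and need no review.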
@@ -179,13 +191,13 @@ $data_present = false; */ if (@count($xml->children())) { $data_present = true; - + /** * Process all database content */ foreach ($xml as $k1 => $v1) { $tbl_attr = $v1->attributes(); - + $isInTables = false; for ($i = 0; $i < count($tables); ++$i) { if (! strcmp($tables[$i][TBL_NAME], (string)$tbl_attr['name'])) { @@ -193,11 +205,11 @@ if (@count($xml->children())) { break; } } - + if ($isInTables == false) { $tables[] = array((string)$tbl_attr['name']); } - + foreach ($v1 as $k2 => $v2) { $row_attr = $v2->attributes(); if (! array_search((string)$row_attr['name'], $tempRow)) @@ -206,17 +218,17 @@ if (@count($xml->children())) { } $tempCells[] = (string)$v2; } - + $rows[] = array((string)$tbl_attr['name'], $tempRow, $tempCells); - + $tempRow = array(); $tempCells = array(); } - + unset($tempRow); unset($tempCells); unset($xml); - + /** * Bring accumulated rows into the corresponding table */ @@ -227,17 +239,17 @@ if (@count($xml->children())) { if (! isset($tables[$i][COL_NAMES])) { $tables[$i][] = $rows[$j][COL_NAMES]; } - + $tables[$i][ROWS][] = $rows[$j][ROWS]; } } } - + unset($rows); - + if (! $struct_present) { $analyses = array(); - + $len = count($tables); for ($i = 0; $i < $len; ++$i) { $analyses[] = PMA_analyzeTable($tables[$i]); @@ -289,7 +301,7 @@ if (strlen($db)) { if ($db_name === NULL) { $db_name = 'XML_DB'; } - + /* Set database collation/charset */ $options = array( 'db_collation' => $collation, diff --git a/translators.html b/translators.html index 24096d7..af5719b 100644 --- a/translators.html +++ b/translators.html @@ -11,7 +11,7 @@ <link rel="icon" href="./favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - <title>phpMyAdmin 3.3.10.4 - Official translators</title> + <title>phpMyAdmin 3.3.10.5 - Official translators</title> <link rel="stylesheet" type="text/css" href="docs.css" /> </head>
@@ -19,7 +19,7 @@ <div id="header"> <h1> <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.3.10.4
+ 3.3.10.5
official translators list </h1> </div>
hooks/post-receive