The branch, QA_3_4 has been updated via c5a641961861f3e82b282582c1b86222d73409bf (commit) via bda213c58aec44925be661acb0e76c19483ea170 (commit) via 2f28ce9c800274190418da0945ce3647d36e1db6 (commit) via 4039683ab3ca63c979948e02345b6d38452f8dee (commit) from c02bd600eeee9a9f17a51c602bc32917de5e28eb (commit)
- Log ----------------------------------------------------------------- commit c5a641961861f3e82b282582c1b86222d73409bf Merge: c02bd60 bda213c Author: Marc Delisle marc@infomarc.info Date: Thu Sep 8 15:41:40 2011 -0400
Merge branch 'MAINT_3_4_5' into QA_3_4
-----------------------------------------------------------------------
Summary of changes: ChangeLog | 2 ++ js/functions.js | 15 +++++++++++++-- js/sql.js | 2 +- js/tbl_structure.js | 4 ++-- 4 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog index 614d066..94d28fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,8 @@ phpMyAdmin - ChangeLog - [export] Remove native Excel export modules (xls and xlsx formats) - [import] Remove native Excel import modules (xls and xlsx formats) - bug #3392920 [edit] BLOB emptied after editing another column +- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14 +- [security] Fixed XSS with db/table/column names, see PMASA-2011-14
3.4.4.0 (2011-08-24) - bug #3323060 [parser] SQL parser breaks AJAX requests if query has unclosed quotes diff --git a/js/functions.js b/js/functions.js index 75fd677..b076661 100644 --- a/js/functions.js +++ b/js/functions.js @@ -172,7 +172,7 @@ function selectContent( element, lock, only_once ) { }
/** - * Displays a confirmation box before to submit a "DROP/DELETE/ALTER" query. + * Displays a confirmation box before submitting a "DROP/DELETE/ALTER" query. * This function is called while clicking links * * @param object the link @@ -1657,7 +1657,7 @@ $(document).ready(function() { /** * @var question String containing the question to be asked for confirmation */ - var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + window.parent.db; + var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + escapeHtml(window.parent.db);
$(this).PMA_confirm(question, $(this).attr('href') ,function(url) {
@@ -2287,3 +2287,14 @@ $(document).ready(function() {
}) // end of $(document).ready()
+/** + * HTML escaping + */ +function escapeHtml(unsafe) { + return unsafe + .replace(/&/g, "&") + .replace(/</g, "<") + .replace(/>/g, ">") + .replace(/"/g, """) + .replace(/'/g, "'"); +} diff --git a/js/sql.js b/js/sql.js index dbba441..842b6c6 100644 --- a/js/sql.js +++ b/js/sql.js @@ -1111,7 +1111,7 @@ function PMA_unInlineEditRow($del_hide, $chg_submit, $this_td, $input_siblings, } } } - $this_sibling.html(new_html); + $this_sibling.text(new_html); } }) } diff --git a/js/tbl_structure.js b/js/tbl_structure.js index 352848c..493f0eb 100644 --- a/js/tbl_structure.js +++ b/js/tbl_structure.js @@ -44,7 +44,7 @@ $(document).ready(function() { /** * @var question String containing the question to be asked for confirmation */ - var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` DROP `' + curr_column_name + '`'; + var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` DROP `' + escapeHtml(curr_column_name) + '`';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
@@ -83,7 +83,7 @@ $(document).ready(function() { /** * @var question String containing the question to be asked for confirmation */ - var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` ADD PRIMARY KEY(`' + curr_column_name + '`)'; + var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` ADD PRIMARY KEY(`' + escapeHtml(curr_column_name) + '`)';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
hooks/post-receive
-
Marc Delisle