The branch, master has been updated via 4d2521ac91d09697c3b2c209c962ebcbc093446d (commit) via 3b75f549f4a1f5e2ad45b5189f11496b4f70cccb (commit) via f00c57bdf3669d7471b30e6750f6762d2e01947b (commit) via 4e5c583dcfdd6307f1093f80a9e1d1ff0480cc7d (commit) via c547703b1089bff62b238a908d8559ca3ad845f1 (commit) via b659fbeb128b3235738d6fd787cab096ddc3a591 (commit) via 0f5f2d960184db7333ecf7d52da406cae306412b (commit) via 39edf6e1fbe4a39f6fec0919d60eca5dfc2708ff (commit) via 3d8fddceb0f084d4b77c58c48a98e002db6baa6a (commit) via 2b0d12b2deb1b6b5c4073ecaa7971cb0bbb83389 (commit) via ec848d825ffe896b96b6c3e4b8c7d4c12aadd310 (commit) via 09b30b8b6e462aafc24cc32a78491cd9513305c6 (commit) from df4f5b7c96a0846a9a98241a5e7d567917d8db0b (commit)
- Log ----------------------------------------------------------------- commit 4d2521ac91d09697c3b2c209c962ebcbc093446d Merge: df4f5b7 3b75f54 Author: Marc Delisle marc@infomarc.info Date: Wed Aug 24 12:30:15 2011 -0400
Merge branch 'QA_3_4'
-----------------------------------------------------------------------
Summary of changes: export.php | 1 + libraries/sanitizing.lib.php | 18 ++++++++++ tbl_tracking.php | 72 ++++++++++++++++++++++-------------------- 3 files changed, 57 insertions(+), 34 deletions(-)
diff --git a/export.php b/export.php
index 3678924..5f91713 100644
--- a/export.php
+++ b/export.php
@@ -346,6 +346,7 @@ if (!$save_on_server) {
 // (avoid rewriting data containing HTML with anchors and forms;
 // this was reported to happen under Plesk)
 @ini_set('url_rewriter.tags','');
+ $filename = PMA_sanitize_filename($filename);
 PMA_download_header($filename, $mime_type);
 } else {
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index e920150..cbac64d 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -129,4 +129,22 @@ function PMA_sanitize($message, $escape = false, $safe = false)
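Review bot: The new sanitizer call runs only in the `!$save_on_server` branch, immediately before `PMA_download_header`, so the `else` branch that saves the export on the server (outside this hunk) does not get it; if that branch builds a filesystem path from the same `$filename`, it needs its own handling, and `PMA_sanitize_filename` as written would not be enough there because a name such as `..` passes the character filter unchanged. The filter also rewrites every non-ASCII byte to `_`, so exports of databases or tables with non-Latin names will download as runs of underscores; if that matters, the header path could add an RFC 5987 `filename*=UTF-8''...` parameter next to the sanitized ASCII fallback. The enclosing `if (!$save_on_server) { ... } else { ... }` continues past the end of the hunk.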
 return $message;
 }
+
+
+/**
+ * Sanitize a filename by removing anything besides A-Za-z0-9_.-
+ *
+ * Intended usecase:
+ * When using a filename in a Content-Disposition header the value should not contain ; or "
+ *
+ * @param string The filename
+ *
+ * @return string the sanitized filename
+ *
+ */
+function PMA_sanitize_filename($filename) {
+ $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
+ return $filename;
+}
+
 ?>
diff --git a/tbl_tracking.php b/tbl_tracking.php
index b601348..4430cf0 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -271,17 +271,17 @@ if (isset($_REQUEST['snapshot'])) {
 <tr class="noclick <?php echo $style; ?>">
 <?php
 if ($field['Key'] == 'PRI') {
- echo '<td><b><u>' . $field['Field'] . '</u></b></td>' . "\n";
+ echo '<td><b><u>' . htmlspecialchars($field['Field']) . '</u></b></td>' . "\n";
 } else {
- echo '<td><b>' . $field['Field'] . '</b></td>' . "\n";
+ echo '<td><b>' . htmlspecialchars($field['Field']) . '</b></td>' . "\n";
 }
 ?>
- <td><?php echo $field['Type'];?></td>
- <td><?php echo $field['Collation'];?></td>
- <td><?php echo $field['Null'];?></td>
- <td><?php echo $field['Default'];?></td>
- <td><?php echo $field['Extra'];?></td>
- <td><?php echo $field['Comment'];?></td>
+ <td><?php echo htmlspecialchars($field['Type']);?></td>
+ <td><?php echo htmlspecialchars($field['Collation']);?></td>
+ <td><?php echo htmlspecialchars($field['Null']);?></td>
+ <td><?php echo htmlspecialchars($field['Default']);?></td>
+ <td><?php echo htmlspecialchars($field['Extra']);?></td>
+ <td><?php echo htmlspecialchars($field['Comment']);?></td>
 </tr>
 <?php
 if ($style == 'even') {
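Review bot: `PMA_sanitize_filename` keeps `.` in its allowed set, so `..` passes through untouched and an all-special-character input comes back as underscores only; that is fine for the documented Content-Disposition use but makes the helper unsafe to reuse as a path sanitizer, and the docblock should say so, e.g. `* NOTE: this is not a path sanitizer -- '..' survives; use only for header values.` The pattern has no `u` modifier, so non-ASCII input is replaced byte by byte and one multibyte character becomes several `_`; worth a sentence in the docblock as well. Minor: the `@param` tag is missing the variable name (`@param string $filename The filename`), and the body can simply be `return preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);`.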
@@ -327,15 +327,15 @@ if (isset($_REQUEST['snapshot'])) {
 }
 ?>
 <tr class="noclick <?php echo $style; ?>">
- <td><b><?php echo $index['Key_name'];?></b></td>
- <td><?php echo $index['Index_type'];?></td>
+ <td><b><?php echo htmlspecialchars($index['Key_name']);?></b></td>
+ <td><?php echo htmlspecialchars($index['Index_type']);?></td>
 <td><?php echo $str_unique;?></td>
 <td><?php echo $str_packed;?></td>
- <td><?php echo $index['Column_name'];?></td>
- <td><?php echo $index['Cardinality'];?></td>
- <td><?php echo $index['Collation'];?></td>
- <td><?php echo $index['Null'];?></td>
- <td><?php echo $index['Comment'];?></td>
+ <td><?php echo htmlspecialchars($index['Column_name']);?></td>
+ <td><?php echo htmlspecialchars($index['Cardinality']);?></td>
+ <td><?php echo htmlspecialchars($index['Collation']);?></td>
+ <td><?php echo htmlspecialchars($index['Null']);?></td>
+ <td><?php echo htmlspecialchars($index['Comment']);?></td>
 </tr>
 <?php
 if ($style == 'even') {
@@ -399,10 +399,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
 ?>
 <h3><?php echo __('Tracking report');?> [<a href="tbl_tracking.php?<?php echo $url_query;?>"><?php echo __('Close');?></a>]</h3>
- <small><?php echo __('Tracking statements') . ' ' . $data['tracking']; ?></small><br/>
+ <small><?php echo __('Tracking statements') . ' ' . htmlspecialchars($data['tracking']); ?></small><br/>
 <br/>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
+ <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
 <?php
 $str1 = '<select name="logtype">' .
@@ -410,9 +410,9 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
 '<option value="data"' . ($selection_data ? ' selected="selected"' : ''). '>' . __('Data only') . '</option>' .
 '<option value="schema_and_data"' . ($selection_both ? ' selected="selected"' : '') . '>' . __('Structure and data') . '</option>' .
 '</select>';
- $str2 = '<input type="text" name="date_from" value="' . $_REQUEST['date_from'] . '" size="19" />';
- $str3 = '<input type="text" name="date_to" value="' . $_REQUEST['date_to'] . '" size="19" />';
- $str4 = '<input type="text" name="users" value="' . $_REQUEST['users'] . '" />';
+ $str2 = '<input type="text" name="date_from" value="' . htmlspecialchars($_REQUEST['date_from']) . '" size="19" />';
+ $str3 = '<input type="text" name="date_to" value="' . htmlspecialchars($_REQUEST['date_to']) . '" size="19" />';
+ $str4 = '<input type="text" name="users" value="' . htmlspecialchars($_REQUEST['users']) . '" />';
 $str5 = '<input type="submit" name="list_report" value="' . __('Go') . '" />';
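Review bot: In the rewritten `<form ... action=...>` line, `$_REQUEST['version']` goes straight into the `array('report' => 'true', 'version' => ...)` passed to `PMA_generate_common_url`; this is safe inside the attribute only if that helper both URL-encodes its values and HTML-escapes its output (`&amp;`), which is presumably why it replaces the hand-built query string here, but that cannot be verified from the hunk. Whether `version` is validated before it is used on this page is also outside the hunk; since the tracking table rows render it through `$version['version']` as a plain number, normalising it once where it is first read, e.g. `$_REQUEST['version'] = (int) $_REQUEST['version'];`, would settle the question for every place it is echoed or queried. The `if (isset($_REQUEST['report']) ...)` block this hunk belongs to starts and ends outside the hunk.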
 printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
@@ -464,8 +464,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
 ?>
 <tr class="noclick <?php echo $style; ?>">
 <td><small><?php echo $i;?></small></td>
- <td><small><?php echo $entry['date'];?></small></td>
- <td><small><?php echo $entry['username']; ?></small></td>
+ <td><small><?php echo htmlspecialchars($entry['date']);?></small></td>
+ <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
 <td><?php echo $statement; ?></td>
 <td nowrap="nowrap"><a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>&delete_ddlog=<?php echo $i-1; ?>"><?php echo $drop_image_or_text; ?></a></td>
 </tr>
@@ -520,8 +520,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
 ?>
 <tr class="noclick <?php echo $style; ?>">
 <td><small><?php echo $i; ?></small></td>
- <td><small><?php echo $entry['date']; ?></small></td>
- <td><small><?php echo $entry['username']; ?></small></td>
+ <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td>
+ <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
 <td><?php echo $statement; ?></td>
 <td nowrap="nowrap"><a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>&delete_dmlog=<?php echo $i-$ddlog_count; ?>"><?php echo $drop_image_or_text; ?></a></td>
 </tr>
@@ -541,7 +541,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
 }
 ?>
 </form>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
+ <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
 <?php
 printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
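Review bot: The delete link on the `<td nowrap="nowrap">` context line is still assembled by hand (`tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>&delete_ddlog=...`) with `$version['version']` echoed unescaped and bare `&` separators, while the same commit moves the other links and form actions in this file to `PMA_generate_common_url($url_params + array(...))`; for consistency it should go through the same helper, e.g. `<a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'], 'delete_ddlog' => $i - 1)); ?>">`. The `delete_dmlog` link in the next hunk has the identical shape and would take the same change. Because these links perform a deletion via GET, it is also worth confirming that `$url_params`/`$url_query` carry the anti-CSRF token the rest of the page relies on; that is not visible here.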
@@ -554,11 +554,11 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
 $str_export2 = '<input type="submit" name="report_export" value="' . __('Go') .'" />';
 ?>
 </form>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
- <input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" />
- <input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" />
- <input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" />
- <input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" />
+ <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
+ <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
+ <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
+ <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
+ <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" />
 <?php
 echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>";
 ?>
@@ -660,11 +660,15 @@ if ($last_version > 0) {
 <tr class="noclick <?php echo $style;?>">
 <td><?php echo htmlspecialchars($version['db_name']);?></td>
 <td><?php echo htmlspecialchars($version['table_name']);?></td>
- <td><?php echo $version['version'];?></td>
- <td><?php echo $version['date_created'];?></td>
- <td><?php echo $version['date_updated'];?></td>
+ <td><?php echo htmlspecialchars($version['version']);?></td>
+ <td><?php echo htmlspecialchars($version['date_created']);?></td>
+ <td><?php echo htmlspecialchars($version['date_updated']);?></td>
 <td><?php echo $version_status;?></td>
- <td> <a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>"><?php echo __('Tracking report');?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&snapshot=true&version=<?php echo $version['version'];?>"><?php echo __('Structure snapshot');?></a></td>
+ <td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])
+);?>"><?php echo __('Tracking report');?></a>
+ | <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version'])
+);?>"><?php echo __('Structure snapshot');?></a>
+ </td>
 </tr>
 <?php
 if ($style == 'even') {
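Review bot: In the two added `<a href=...>` lines the multi-line `PMA_generate_common_url($url_params + array(...)` call is closed by a `);?>` sitting at column 0 on its own line inside the HTML, which reads as a stray statement and breaks the template's indentation; keep each call on one line or indent the continuation under the opening tag, e.g. `<a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])); ?>">`. The `$url_params + array('<action>' => 'true', 'version' => ...)` shape now appears five times in this file, so a small local helper returning the URL for a given action and version would remove the repetition and keep the escaping in one place. `$version_status` on the context line above is still echoed raw; it is presumably a server-built string, but since every other cell in the row is now escaped it deserves a glance.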