The branch, MAINT_3_4_1 has been updated via 89c8f3cbfe5356995ad71e5a41438e81fa994a55 (commit) via 7e10c132a3887c8ebfd7a8eee356b28375f1e287 (commit) via d3ccf798fdbd4f8a89d4088130637d8dee918492 (commit) from b7a8179eb6bf0f1643970ac57a70b5b513a1cd4f (commit)
Summary of changes: ChangeLog | 4 ++++ libraries/tbl_links.inc.php | 2 +- tbl_tracking.php | 12 ++++++------ 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 99d7444..f6b479f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,7 @@
 - bug #3285929 [privileges] Revert temporary fix
 - bug #3302872 [synchronize] Synchronize and user name
 - bug #3302733 [core] Some browsers report an insecure https connection
+- [security] Make redirector require valid token
3.4.0.0 (2011-05-11)
 + rfe #2890226 [view] Enable VIEW rename
@@ -167,6 +168,9 @@
3.3.11.0 (not yet released)
+3.3.10.1 (2011-05-20)
+- [security] XSS on Tracking page
+
 3.3.10.0 (2011-03-19)
 - patch #3147400 [structure] Aria table size printed as unknown, thanks to erickoh75 - erickoh75
diff --git a/libraries/tbl_links.inc.php b/libraries/tbl_links.inc.php
index bc72d21..e31dd53 100644
--- a/libraries/tbl_links.inc.php
+++ b/libraries/tbl_links.inc.php
@@ -112,7 +112,7 @@ unset($tabs);
if(PMA_Tracker::isActive() and PMA_Tracker::isTracked($GLOBALS["db"], $GLOBALS["table"])) {
- $msg = PMA_Message::notice('<a href="tbl_tracking.php?'.$url_query.'">'.sprintf(__('Tracking of %s.%s is activated.'), $GLOBALS["db"], $GLOBALS["table"]).'</a>');
+ $msg = PMA_Message::notice('<a href="tbl_tracking.php?'.$url_query.'">'.sprintf(__('Tracking of %s.%s is activated.'), htmlspecialchars($GLOBALS["db"]), htmlspecialchars($GLOBALS["table"])).'</a>');
 $msg->display();
 }
diff --git a/tbl_tracking.php b/tbl_tracking.php
index 757456b..99a540e 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -179,7 +179,7 @@ if (isset($_REQUEST['submit_create_version'])) {
 $tracking_set = rtrim($tracking_set, ',');
if (PMA_Tracker::createVersion($GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version'], $tracking_set )) {
- $msg = PMA_Message::success(sprintf(__('Version %s is created, tracking for %s.%s is activated.'), $_REQUEST['version'], $GLOBALS['db'], $GLOBALS['table']));
+ $msg = PMA_Message::success(sprintf(__('Version %s is created, tracking for %s.%s is activated.'), $_REQUEST['version'], htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])));
 $msg->display();
 }
 }
@@ -187,7 +187,7 @@ if (isset($_REQUEST['submit_create_version'])) {
 // Deactivate tracking
 if (isset($_REQUEST['submit_deactivate_now'])) {
 if (PMA_Tracker::deactivateTracking($GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version'])) {
- $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is deactivated.'), $GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version']));
+ $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is deactivated.'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table']), $_REQUEST['version']));
 $msg->display();
 }
 }
@@ -195,7 +195,7 @@ if (isset($_REQUEST['submit_deactivate_now'])) {
 // Activate tracking
 if (isset($_REQUEST['submit_activate_now'])) {
 if (PMA_Tracker::activateTracking($GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version'])) {
- $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is activated.'), $GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version']));
+ $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is activated.'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table']), $_REQUEST['version']));
 $msg->display();
 }
 }
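Review bot: `$_REQUEST['version']` is still passed unescaped into the same sprintf() that now escapes the db and table names, in all three success messages (the hunks at 179, 187 and 195), so the fix is incomplete for that argument unless version was validated as an integer earlier in the file, which is outside these hunks. The value comes straight from the request, and the commit itself treats the string given to PMA_Message::success() as raw HTML, so it needs the same treatment: `htmlspecialchars($_REQUEST['version'])`, or an explicit `(int) $_REQUEST['version']` if only numeric versions are meaningful to PMA_Tracker. The enclosing `if (isset($_REQUEST['submit_create_version']))` block starts outside the hunk.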
@@ -632,7 +632,7 @@ if ($last_version > 0) {
 <div id="div_deactivate_tracking">
 <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>">
 <fieldset>
- <legend><?php printf(__('Deactivate tracking for %s.%s'), $GLOBALS['db'], $GLOBALS['table']); ?></legend>
+ <legend><?php printf(__('Deactivate tracking for %s.%s'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])); ?></legend>
 <input type="hidden" name="version" value="<?php echo $last_version; ?>" />
 <input type="submit" name="submit_deactivate_now" value="<?php echo __('Deactivate now'); ?>" />
 </fieldset>
@@ -645,7 +645,7 @@ if ($last_version > 0) {
 <div id="div_activate_tracking">
 <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>">
 <fieldset>
- <legend><?php printf(__('Activate tracking for %s.%s'), $GLOBALS['db'], $GLOBALS['table']); ?></legend>
+ <legend><?php printf(__('Activate tracking for %s.%s'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])); ?></legend>
 <input type="hidden" name="version" value="<?php echo $last_version; ?>" />
 <input type="submit" name="submit_activate_now" value="<?php echo __('Activate now'); ?>" />
 </fieldset>
@@ -660,7 +660,7 @@ if ($last_version > 0) {
 <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>">
 <?php echo PMA_generate_common_hidden_inputs($GLOBALS['db'], $GLOBALS['table']); ?>
 <fieldset>
- <legend><?php printf(__('Create version %s of %s.%s'), ($last_version + 1), $GLOBALS['db'], $GLOBALS['table']); ?></legend>
+ <legend><?php printf(__('Create version %s of %s.%s'), ($last_version + 1), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])); ?></legend>
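Review bot: `$last_version` is echoed unescaped into the hidden input's value attribute on the line right after each fixed legend (hunks at 632 and 645); the `if ($last_version > 0)` guard in the hunk header and the `+ 1` at 660 suggest it is numeric, but nothing in these hunks enforces that. Making it explicit with `value="<?php echo (int) $last_version; ?>"` costs nothing, and if the value can be non-numeric it needs `htmlspecialchars($last_version, ENT_QUOTES)` instead, since this is an attribute context where a single quote alone is not enough to worry about but a double quote is. The enclosing `if ($last_version > 0)` block starts outside the hunk, and the hunk at 660 is cut off at the end of the page.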
<input type="hidden" name="version" value="<?php echo ($last_version + 1); ?>" />