The branch, STABLE has been updated via a8cea1918a48ddde91e52d59c26700d41499fcc8 (commit) via ec040a1b6e9d19bf3439e3f8931a4d63720ce867 (commit) via 1b8f5a5c098905997a3072170d773a073331f7f6 (commit) via 05f96b921a7e7dacd02be5ca61b2e7bdd014ee55 (commit) via 4dd5c0d0dc413d2cb2cfcb31f8d4aec0c753033c (commit) via 063e6f92929c3aed3641cf79add4128c7e972d2f (commit) via 987f943de33a0d0aa6ac3e3c352d48ac4a527a6d (commit) via 34d99de000de9d15cfdf5e9cc8b7682d51110bbd (commit) via a5e206fbd2ca814042cfc1bb7dd3b40c28ce3fb5 (commit) from 9b77e4d68754a39617136a44d9b5cbb21c70cf7a (commit)
- Log ----------------------------------------------------------------- commit a8cea1918a48ddde91e52d59c26700d41499fcc8 Merge: 9b77e4d ec040a1 Author: Marc Delisle marc@infomarc.info Date: Thu Nov 10 09:15:22 2011 -0500
Merge branch 'MAINT_3_4_7' into STABLE
-----------------------------------------------------------------------
Summary of changes: ChangeLog | 5 +++- Documentation.html | 7 ++++- README | 2 +- libraries/Config.class.php | 2 +- libraries/import/ods.php | 12 ++++++++++ libraries/import/xml.php | 50 +++++++++++++++++++++++++++---------------- 6 files changed, 54 insertions(+), 24 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 04455a7..6ada51e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,10 @@
 phpMyAdmin - ChangeLog
 ======================
-3.4.7.0 (not yet released)
+3.4.7.1 (2011-11-10)
+- [security] Fixed possible local file inclusion in XML import (CVE-2011-4107).
+
+3.4.7.0 (2011-10-23)
 - bug #3418610 [interface] Links in navigation when $cfg['MainPageIconic'] = false
 - bug #3418849 [interface] Inline edit shows dropdowns even after closing
 - bug [view] View renaming did not work
diff --git a/Documentation.html b/Documentation.html
index 834215c..083da6e 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -9,7 +9,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
 <link rel="icon" href="./favicon.ico" type="image/x-icon" />
 <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.4.7 - Documentation</title>
+ <title>phpMyAdmin 3.4.7.1 - Documentation</title>
 <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
@@ -17,7 +17,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
 <div id="header">
 <h1>
 <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.4.7
+ 3.4.7.1
 Documentation
 </h1>
 </div>
@@ -82,6 +82,9 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
 <li>To support BLOB streaming, see PHP and MySQL requirements in <a href="#faq6_25"> <abbr title="Frequently Asked Questions">FAQ</abbr> 6.25</a>.</li>
+ <li>To support XML and Open Document Spreadsheet importing,
+ you need PHP 5.2.17 or newer and the
+ <a href="http://www.php.net/libxml"><tt>libxml</tt></a> extension.</li>
 </ul>
 </li>
 <li><b>MySQL</b> 5.0 or newer (<a href="#faq1_17">details</a>);</li>
diff --git a/README b/README
index ae117eb..488cb04 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
-Version 3.4.7
+Version 3.4.7.1
A set of PHP-scripts to manage MySQL over the web.
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index 824d04c..f42ad6e 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -96,7 +96,7 @@ class PMA_Config
 */
 function checkSystem()
 {
- $this->set('PMA_VERSION', '3.4.7');
+ $this->set('PMA_VERSION', '3.4.7.1');
 /**
 * @deprecated
 */
diff --git a/libraries/import/ods.php b/libraries/import/ods.php
index 4bf5200..9016016 100644
--- a/libraries/import/ods.php
+++ b/libraries/import/ods.php
@@ -14,6 +14,13 @@ if (! defined('PHPMYADMIN')) {
 }
 /**
+ * We need way to disable external XML entities processing.
+ */
+if (!function_exists('libxml_disable_entity_loader')) {
+ return;
+}
+
+/**
 * The possible scopes for $plugin_param are: 'table', 'database', and 'server'
 */
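Review bot: The bare `return;` in the new `function_exists` guard makes the whole import plugin a silent no-op when the function is absent: the uploaded file is discarded and the caller sees neither an error nor a message. The plugin's `$error` flag is visible in scope (the loop condition further down tests `! $error`), so the guard should set `$error = true;` and populate whatever message variable the import framework displays (presumably `$message`) before returning, rather than just returning. The same guard appears in the first hunk of libraries/import/xml.php and needs the same treatment. The comment above it could also say why, e.g. `* Refuse to run without libxml_disable_entity_loader(): without it a crafted import could pull in local files via external entities (CVE-2011-4107).`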
@@ -64,6 +71,11 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) {
 unset($data);
 /**
+ * Disable loading of external XML entities.
+ */
+libxml_disable_entity_loader();
+
+/**
 * Load the XML string
 *
 * The option LIBXML_COMPACT is specified because it can
diff --git a/libraries/import/xml.php b/libraries/import/xml.php
index 640aac8..ce20fe7 100644
--- a/libraries/import/xml.php
+++ b/libraries/import/xml.php
@@ -13,6 +13,13 @@ if (! defined('PHPMYADMIN')) {
 }
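Review bot: `libxml_disable_entity_loader();` flips libxml's entity-loader state for the rest of the request and throws away the previous setting the function returns, so any later XML parsing in the same request (other plugins, or whatever code runs after the import) inherits the change without knowing it. Capture and restore it around the load: `$prev = libxml_disable_entity_loader(true);` before the parse and `libxml_disable_entity_loader($prev);` immediately after the `simplexml_load_string` call the following comment describes (that call itself lies outside the hunk). It is also worth a one-line why-comment, e.g. `// XXE hardening: external entities must not be resolved for user-supplied XML (CVE-2011-4107)`, and a note that the load flags must stay free of LIBXML_NOENT. The corresponding hunk in libraries/import/xml.php (its second hunk) has the identical pattern.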
 /**
+ * We need way to disable external XML entities processing.
+ */
+if (!function_exists('libxml_disable_entity_loader')) {
+ return;
+}
+
+/**
 * The possible scopes for $plugin_param are: 'table', 'database', and 'server'
 */
@@ -57,6 +64,11 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) {
 unset($data);
 /**
+ * Disable loading of external XML entities.
+ */
+libxml_disable_entity_loader();
+
+/**
 * Load the XML string
 *
 * The option LIBXML_COMPACT is specified because it can
@@ -141,19 +153,19 @@ if (isset($namespaces['pma'])) {
 * Get structures for all tables
 */
 $struct = $xml->children($namespaces['pma']);
-
+
 $create = array();
-
+
 foreach ($struct as $tier1 => $val1) {
 foreach($val1 as $tier2 => $val2) {
 /* Need to select the correct database for the creation of tables, views, triggers, etc. */
 /**
- * @todo Generating a USE here blocks importing of a table
- * into another database.
+ * @todo Generating a USE here blocks importing of a table
+ * into another database.
 */
 $attrs = $val2->attributes();
 $create[] = "USE " . PMA_backquote($attrs["name"]);
-
+
 foreach ($val2 as $val3) {
 /**
 * Remove the extra cosmetic spacing
@@ -163,7 +175,7 @@ if (isset($namespaces['pma'])) {
 }
 }
 }
-
+
 $struct_present = true;
 }
@@ -179,13 +191,13 @@ $data_present = false;
 */
 if (@count($xml->children())) {
 $data_present = true;
-
+
 /**
 * Process all database content
 */
 foreach ($xml as $k1 => $v1) {
 $tbl_attr = $v1->attributes();
-
+
 $isInTables = false;
 for ($i = 0; $i < count($tables); ++$i) {
 if (! strcmp($tables[$i][TBL_NAME], (string)$tbl_attr['name'])) {
@@ -193,11 +205,11 @@ if (@count($xml->children())) {
 break;
 }
 }
-
+
 if ($isInTables == false) {
 $tables[] = array((string)$tbl_attr['name']);
 }
-
+
 foreach ($v1 as $k2 => $v2) {
 $row_attr = $v2->attributes();
 if (! array_search((string)$row_attr['name'], $tempRow))
@@ -206,17 +218,17 @@ if (@count($xml->children())) {
 }
 $tempCells[] = (string)$v2;
 }
-
+
 $rows[] = array((string)$tbl_attr['name'], $tempRow, $tempCells);
-
+
 $tempRow = array();
 $tempCells = array();
 }
-
+
 unset($tempRow);
 unset($tempCells);
 unset($xml);
-
+
 /**
 * Bring accumulated rows into the corresponding table
 */
@@ -227,17 +239,17 @@ if (@count($xml->children())) {
 if (! isset($tables[$i][COL_NAMES])) {
 $tables[$i][] = $rows[$j][COL_NAMES];
 }
-
+
 $tables[$i][ROWS][] = $rows[$j][ROWS];
 }
 }
 }
-
+
 unset($rows);
-
+
 if (! $struct_present) {
 $analyses = array();
-
+
 $len = count($tables);
 for ($i = 0; $i < $len; ++$i) {
 $analyses[] = PMA_analyzeTable($tables[$i]);
@@ -289,7 +301,7 @@ if (strlen($db)) {
 if ($db_name === NULL) {
 $db_name = 'XML_DB';
 }
-
+
 /* Set database collation/charset */
 $options = array(
 'db_collation' => $collation,