The branch, QA_3_3 has been updated via a60420aa5003426174dde15a0cecfc05579a37bb (commit) via be8cb6c27ffd7c63842cfc30fc61d29f176c8d66 (commit) via 6aefed1fbc9271afb43ebc72675420a93472f313 (commit) via 555e0db0ac9c7ad2ef8d6cecdffa79716f469c60 (commit) via a5716cb3892f1714a97d8808cde9229ccc8752c8 (commit) via ae20845e36e0e019715842c71eed9e4a9ff99223 (commit) via e11e55cb0689b4a6de5f0d996166668a47f96da9 (commit) via 9d54e57fc8946db9b04666a93541871c80867fe7 (commit) via c78da1582799f35c8f12ca930062ea987a350282 (commit) via a6c8a8fe8ac03f4f36e5aaa7f7fb3bf0e11654f8 (commit) via 3e95b08ceddaad36a3633920d7b0bcf85ce2f565 (commit) from 8a5c5c8ef525e59f3368f993d3cc0ab2bb57ea7e (commit)
- Log ----------------------------------------------------------------- commit a60420aa5003426174dde15a0cecfc05579a37bb Author: Marc Delisle marc@infomarc.info Date: Wed Aug 24 12:13:37 2011 -0400
ChangeLog for 3.3.10.4
commit be8cb6c27ffd7c63842cfc30fc61d29f176c8d66 Merge: 555e0db 6aefed1 Author: Marc Delisle marc@infomarc.info Date: Wed Aug 24 12:12:47 2011 -0400
Merge branch 'MAINT_3_3_10' into QA_3_3
commit 555e0db0ac9c7ad2ef8d6cecdffa79716f469c60 Merge: 8a5c5c8 a5716cb Author: Marc Delisle marc@infomarc.info Date: Wed Aug 24 12:10:12 2011 -0400
Merge branch 'MAINT_3_3_10' into QA_3_3
-----------------------------------------------------------------------
Summary of changes: ChangeLog | 3 ++ tbl_tracking.php | 72 +++++++++++++++++++++++-------------------- transformation_wrapper.php | 2 +- 3 files changed, 42 insertions(+), 35 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f0200a5..ec15343 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
3.3.11.0 (not yet released)
+3.3.10.4 (2011-08-24) +- [security] Missing sanitization on the table, column and index names leads to XSS vulnerabilities, see PMASA-2011-13 + 3.3.10.3 (2011-07-23) - [security] Fixed XSS vulnerability, see PMASA-2011-9 - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 diff --git a/tbl_tracking.php b/tbl_tracking.php index b3ac4f3..ab5bd31 100644 --- a/tbl_tracking.php +++ b/tbl_tracking.php @@ -288,17 +288,17 @@ if (isset($_REQUEST['snapshot'])) { <tr class="<?php echo $style; ?>"> <?php if ($field['Key'] == 'PRI') { - echo '<td><b><u>' . $field['Field'] . '</u></b></td>' . "\n"; + echo '<td><b><u>' . htmlspecialchars($field['Field']) . '</u></b></td>' . "\n"; } else { - echo '<td><b>' . $field['Field'] . '</b></td>' . "\n"; + echo '<td><b>' . htmlspecialchars($field['Field']) . '</b></td>' . "\n"; } ?> - <td><?php echo $field['Type'];?></td> - <td><?php echo $field['Collation'];?></td> - <td><?php echo $field['Null'];?></td> - <td><?php echo $field['Default'];?></td> - <td><?php echo $field['Extra'];?></td> - <td><?php echo $field['Comment'];?></td> + <td><?php echo htmlspecialchars($field['Type']);?></td> + <td><?php echo htmlspecialchars($field['Collation']);?></td> + <td><?php echo htmlspecialchars($field['Null']);?></td> + <td><?php echo htmlspecialchars($field['Default']);?></td> + <td><?php echo htmlspecialchars($field['Extra']);?></td> + <td><?php echo htmlspecialchars($field['Comment']);?></td> </tr> <?php if ($style == 'even') { 
@@ -344,15 +344,15 @@ if (isset($_REQUEST['snapshot'])) { } ?> <tr class="<?php echo $style; ?>"> - <td><b><?php echo $index['Key_name'];?></b></td> - <td><?php echo $index['Index_type'];?></td> + <td><b><?php echo htmlspecialchars($index['Key_name']);?></b></td> + <td><?php echo htmlspecialchars($index['Index_type']);?></td> <td><?php echo $str_unique;?></td> <td><?php echo $str_packed;?></td> - <td><?php echo $index['Column_name'];?></td> - <td><?php echo $index['Cardinality'];?></td> - <td><?php echo $index['Collation'];?></td> - <td><?php echo $index['Null'];?></td> - <td><?php echo $index['Comment'];?></td> + <td><?php echo htmlspecialchars($index['Column_name']);?></td> + <td><?php echo htmlspecialchars($index['Cardinality']);?></td> + <td><?php echo htmlspecialchars($index['Collation']);?></td> + <td><?php echo htmlspecialchars($index['Null']);?></td> + <td><?php echo htmlspecialchars($index['Comment']);?></td> </tr> <?php if ($style == 'even') { @@ -379,10 +379,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> <h3><?php echo $strTrackingReport;?> [<a href="tbl_tracking.php?<?php echo $url_query;?>"><?php echo $strTrackingReportClose;?></a>]</h3>
- <small><?php echo $strTrackingStatements . ' ' . $data['tracking']; ?></small><br/> + <small><?php echo $strTrackingStatements . ' ' . htmlspecialchars($data['tracking']); ?></small><br/> <br/>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>"> + <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>"> <?php
$str1 = '<select name="logtype">' . @@ -390,9 +390,9 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { '<option value="data"' . ($selection_data ? ' selected="selected"' : ''). '>' . $strDataOnly . '</option>' . '<option value="schema_and_data"' . ($selection_both ? ' selected="selected"' : '') . '>' . $strStrucData . '</option>' . '</select>'; - $str2 = '<input type="text" name="date_from" value="' . $_REQUEST['date_from'] . '" size="19" />'; - $str3 = '<input type="text" name="date_to" value="' . $_REQUEST['date_to'] . '" size="19" />'; - $str4 = '<input type="text" name="users" value="' . $_REQUEST['users'] . '" />'; + $str2 = '<input type="text" name="date_from" value="' . htmlspecialchars($_REQUEST['date_from']) . '" size="19" />'; + $str3 = '<input type="text" name="date_to" value="' . htmlspecialchars($_REQUEST['date_to']) . '" size="19" />'; + $str4 = '<input type="text" name="users" value="' . htmlspecialchars($_REQUEST['users']) . '" />'; $str5 = '<input type="submit" name="list_report" value="' . $strGo . '" />';
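Review bot: `$_REQUEST['version']` is placed into the new form action (the `+ <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url(...` line) with no type check, so the only thing standing between a crafted value and the URL is whatever PMA_generate_common_url does to it; a tracking version is an integer, so read it once into a local, `$version = (int) $_REQUEST['version'];`, and pass `'version' => $version` in each of the three forms this commit rewrites. The rewrite also switches from `$url_query` to `$url_params`, which is not defined anywhere in the hunk — it has to be populated in the outer scope with the db/table parameters for these forms to keep working, so that is worth confirming rather than assuming. The enclosing `if (isset($_REQUEST['report']) || isset($_REQUEST['report_export']))` block starts before this hunk and continues after it.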
printf($strTrackingShowLogDateUsers, $str1, $str2, $str3, $str4, $str5); @@ -429,8 +429,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> <tr class="<?php echo $style; ?>"> <td><small><?php echo $i;?></small></td> - <td><small><?php echo $entry['date'];?></small></td> - <td><small><?php echo $entry['username']; ?></small></td> + <td><small><?php echo htmlspecialchars($entry['date']);?></small></td> + <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td> <td><?php echo $statement; ?></td> </tr> <?php @@ -480,8 +480,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> <tr class="<?php echo $style; ?>"> <td><small><?php echo $i; ?></small></td> - <td><small><?php echo $entry['date']; ?></small></td> - <td><small><?php echo $entry['username']; ?></small></td> + <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td> + <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td> <td><?php echo $statement; ?></td> </tr> <?php @@ -500,7 +500,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { } ?> </form> - <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>"> + <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>"> <?php printf($strTrackingShowLogDateUsers, $str1, $str2, $str3, $str4, $str5);
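Review bot: The newly escaped inputs in `$str2`, `$str3` and `$str4` read `$_REQUEST['date_from']`, `$_REQUEST['date_to']` and `$_REQUEST['users']` with no `isset` guard, and the report page is reached from the version list with only `report=true&version=N`, so on that first visit each `htmlspecialchars($_REQUEST[...])` raises an undefined-index notice; the commit fixes the escaping but not the lookup. Defaulting once near the top of the block, e.g. `$date_from = isset($_REQUEST['date_from']) ? $_REQUEST['date_from'] : '';`, and escaping the local in `$str2` would also let the same value feed the hidden inputs of the export form further down instead of re-reading `$_REQUEST` there. The enclosing report block begins before this hunk.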
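Review bot: `$statement` in the last `<td>` of the row is still echoed raw while `$entry['date']` and `$entry['username']` on the two lines above now go through htmlspecialchars; `$statement` is assembled before the hunk from the tracked entry, and since tracked DDL is exactly where the table, column and index names this advisory is about appear, it needs escaping where it is built (or `<td><?php echo htmlspecialchars($statement); ?></td>` here) unless that already happens outside the hunk, which cannot be seen from here. The same unescaped `$statement` cell recurs in the data-log table below. The loop these rows belong to starts above the hunk.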
@@ -513,11 +513,11 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { $str_export2 = '<input type="submit" name="report_export" value="' . $strGo .'" />'; ?> </form> - <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>"> - <input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" /> - <input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" /> - <input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" /> - <input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" /> + <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>"> + <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" /> + <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" /> + <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" /> + <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" /> <?php echo "<br/>" . sprintf($strTrackingExportAs, $str_export1) . $str_export2 . "<br/>"; ?> 
@@ -618,11 +618,15 @@ if ($last_version > 0) { <tr class="<?php echo $style;?>"> <td><?php echo htmlspecialchars($version['db_name']);?></td> <td><?php echo htmlspecialchars($version['table_name']);?></td> - <td><?php echo $version['version'];?></td> - <td><?php echo $version['date_created'];?></td> - <td><?php echo $version['date_updated'];?></td> + <td><?php echo htmlspecialchars($version['version']);?></td> + <td><?php echo htmlspecialchars($version['date_created']);?></td> + <td><?php echo htmlspecialchars($version['date_updated']);?></td> <td><?php echo $version_status;?></td> - <td> <a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>"><?php echo $strTrackingReport;?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&snapshot=true&version=<?php echo $version['version'];?>"><?php echo $strTrackingStructureSnapshot;?></a></td> + <td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version']) +);?>"><?php echo $strTrackingReport;?></a> + | <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version']) +);?>"><?php echo $strTrackingStructureSnapshot;?></a> + </td> </tr> <?php if ($style == 'even') { diff --git a/transformation_wrapper.php b/transformation_wrapper.php index 011effe..6f06450 100644 --- a/transformation_wrapper.php +++ b/transformation_wrapper.php @@ -70,7 +70,7 @@ if (isset($ct) && !empty($ct)) { header($content_type);
if (isset($cn) && !empty($cn)) { - header('Content-Disposition: attachment; filename=' . $cn); + header('Content-Disposition: attachment; filename=' . PMA_sanitize_filename($cn)); }
if (!isset($resize)) {
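Review bot: The filename parameter is still emitted unquoted, `'Content-Disposition: attachment; filename=' . PMA_sanitize_filename($cn)`, so the header's safety rests entirely on which characters PMA_sanitize_filename strips; if a space or `;` survives, the attachment name is truncated or an extra header parameter is injected. Quote the value, `header('Content-Disposition: attachment; filename="' . PMA_sanitize_filename($cn) . '"');`, which is also the form user agents expect for names containing spaces, and make sure the sanitizer drops `"` as well so the quoting cannot be closed early. PMA_sanitize_filename is defined outside this file, so its allowed character set should be checked before relying on it for a header value; `$cn` itself is only tested with `isset`/`empty` here and its origin is not visible in the hunk.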
hooks/post-receive