The branch, QA_3_4 has been updated via 3b75f549f4a1f5e2ad45b5189f11496b4f70cccb (commit) via f00c57bdf3669d7471b30e6750f6762d2e01947b (commit) via 4e5c583dcfdd6307f1093f80a9e1d1ff0480cc7d (commit) via c547703b1089bff62b238a908d8559ca3ad845f1 (commit) via b659fbeb128b3235738d6fd787cab096ddc3a591 (commit) via 0f5f2d960184db7333ecf7d52da406cae306412b (commit) via 39edf6e1fbe4a39f6fec0919d60eca5dfc2708ff (commit) via 3d8fddceb0f084d4b77c58c48a98e002db6baa6a (commit) via 2b0d12b2deb1b6b5c4073ecaa7971cb0bbb83389 (commit) via ec848d825ffe896b96b6c3e4b8c7d4c12aadd310 (commit) via 09b30b8b6e462aafc24cc32a78491cd9513305c6 (commit) from 29b694c2256c90b3d8413b071e11bf992d6afddb (commit)
- Log ----------------------------------------------------------------- -----------------------------------------------------------------------
Summary of changes: export.php | 1 + libraries/sanitizing.lib.php | 18 +++++ libraries/schema/Dia_Relation_Schema.class.php | 1 + libraries/schema/Eps_Relation_Schema.class.php | 1 + libraries/schema/Pdf_Relation_Schema.class.php | 2 + libraries/schema/Svg_Relation_Schema.class.php | 1 + libraries/schema/Visio_Relation_Schema.class.php | 1 + tbl_get_field.php | 3 +- tbl_tracking.php | 75 ++++++++++++---------- transformation_wrapper.php | 2 +- 10 files changed, 68 insertions(+), 37 deletions(-)
diff --git a/export.php b/export.php
index 7da25fc..100269f 100644
--- a/export.php
+++ b/export.php
@@ -343,6 +343,7 @@ if (!$save_on_server) {
 // (avoid rewriting data containing HTML with anchors and forms;
 // this was reported to happen under Plesk)
 @ini_set('url_rewriter.tags','');
+ $filename = PMA_sanitize_filename($filename);
header('Content-Type: ' . $mime_type);
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index a362ebd..a65f8ba 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -86,4 +86,22 @@ function PMA_sanitize($message, $escape = false, $safe = false)
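Review bot: Nothing in this commit adds a `require_once './libraries/sanitizing.lib.php';` next to the new `PMA_sanitize_filename($filename)` call, and the same applies to every other call site it introduces (the five schema classes, tbl_get_field.php, tbl_tracking.php and transformation_wrapper.php). If the library is not already pulled in on each of those paths (presumably via the common include, but the diff does not show it), the download path dies with an undefined-function fatal instead of serving the file. Worth confirming once per entry point, the schema exporters in particular since they run from a different script than export.php. The enclosing `if (!$save_on_server)` block continues outside the hunk.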
return $message;
 }
+
+
+/**
+ * Sanitize a filename by removing anything besides A-Za-z0-9_.-
+ *
+ * Intended usecase:
+ * When using a filename in a Content-Disposition header the value should not contain ; or "
+ *
+ * @param string The filename
+ *
+ * @return string the sanitized filename
+ *
+ */
+function PMA_sanitize_filename($filename) {
+ $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
+ return $filename;
+}
+
 ?>
diff --git a/libraries/schema/Dia_Relation_Schema.class.php b/libraries/schema/Dia_Relation_Schema.class.php
index e58381e..2f6373e 100644
--- a/libraries/schema/Dia_Relation_Schema.class.php
+++ b/libraries/schema/Dia_Relation_Schema.class.php
@@ -173,6 +173,7 @@ class PMA_DIA extends XMLWriter
 if(ob_get_clean()){
 ob_end_clean();
 }
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: application/x-dia-diagram');
 header('Content-Disposition: attachment; filename="'.$fileName.'.dia"');
 $output = $this->flush();
diff --git a/libraries/schema/Eps_Relation_Schema.class.php b/libraries/schema/Eps_Relation_Schema.class.php
index 5435db4..7f1c34d 100644
--- a/libraries/schema/Eps_Relation_Schema.class.php
+++ b/libraries/schema/Eps_Relation_Schema.class.php
@@ -336,6 +336,7 @@ class PMA_EPS
 // if(ob_get_clean()){
 //ob_end_clean();
 //}
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: image/x-eps');
 header('Content-Disposition: attachment; filename="'.$fileName.'.eps"');
 $output = $this->stringCommands;
diff --git a/libraries/schema/Pdf_Relation_Schema.class.php b/libraries/schema/Pdf_Relation_Schema.class.php
index 6078537..ad0fe7a 100644
--- a/libraries/schema/Pdf_Relation_Schema.class.php
+++ b/libraries/schema/Pdf_Relation_Schema.class.php
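Review bot: `PMA_sanitize_filename` replaces every byte outside `A-Za-z0-9_.-` with `_`, so a database or table whose name is not plain ASCII (each UTF-8 byte is rewritten separately) downloads as a run of underscores plus the extension, and two different such tables get the same file name. The docblock should state that trade-off and that the function is only meant for a header value, not for building filesystem paths, since `.` and `-` are kept and `..` passes through unchanged; something like `Note: non-ASCII names degrade to underscores; header-only, not path-safe.` after the "Intended usecase" paragraph. If readable names matter, the ASCII result can stay as the fallback while the original name is sent in an RFC 6266 `filename*=UTF-8''...` parameter, but that is a follow-up. Also `@param string The filename` is missing the variable name: `@param string $filename The filename`.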
@@ -1075,6 +1075,8 @@ class PMA_Pdf_Relation_Schema extends PMA_Export_Relation_Schema
 if (empty($filename)) {
 $filename = $pageNumber . '.pdf';
 }
+ $fileName = PMA_sanitize_filename($fileName);
+
 // instead of $pdf->Output():
 $pdfData = $pdf->getPDFData();
 header('Content-Type: application/pdf');
diff --git a/libraries/schema/Svg_Relation_Schema.class.php b/libraries/schema/Svg_Relation_Schema.class.php
index afafda7..52eb439 100644
--- a/libraries/schema/Svg_Relation_Schema.class.php
+++ b/libraries/schema/Svg_Relation_Schema.class.php
@@ -171,6 +171,7 @@ class PMA_SVG extends XMLWriter
 function showOutput($fileName)
 {
 //ob_get_clean();
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: image/svg+xml');
 header('Content-Disposition: attachment; filename="'.$fileName.'.svg"');
 $output = $this->flush();
diff --git a/libraries/schema/Visio_Relation_Schema.class.php b/libraries/schema/Visio_Relation_Schema.class.php
index ab45b13..0c3f7ec 100644
--- a/libraries/schema/Visio_Relation_Schema.class.php
+++ b/libraries/schema/Visio_Relation_Schema.class.php
@@ -158,6 +158,7 @@ class PMA_VISIO extends XMLWriter
 //if(ob_get_clean()){
 //ob_end_clean();
 //}
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: application/visio');
 header('Content-Disposition: attachment; filename="'.$fileName.'.vdx"');
 $output = $this->flush();
diff --git a/tbl_get_field.php b/tbl_get_field.php
index a58eb51..be0bdde 100644
--- a/tbl_get_field.php
+++ b/tbl_get_field.php
@@ -39,7 +39,8 @@ if ($result === false) {
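Review bot: In the Pdf_Relation_Schema hunk the added line sanitizes `$fileName`, but the variable this method actually builds is `$filename` — the context line just above assigns `$filename = $pageNumber . '.pdf';` (PHP variable names are case-sensitive). As written the call reads an undefined variable, produces an empty result that is then discarded, and the real `$filename` reaches the Content-Disposition header exactly as before, so this is the one exporter the commit does not fix. The line should read `$filename = PMA_sanitize_filename($filename);`. The header call itself is outside the hunk, so confirm it uses `$filename` as well.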
header('Content-Type: ' . PMA_detectMIME($result));
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
-header('Content-Disposition: attachment; filename="' . $table . '-' . $transform_key . '.bin"');
+$filename = PMA_sanitize_filename($table . '-' . $transform_key . '.bin');
+header('Content-Disposition: attachment; filename="' . $filename . '"');
 if (PMA_USR_BROWSER_AGENT == 'IE') {
 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
 header('Pragma: public');
diff --git a/tbl_tracking.php b/tbl_tracking.php
index 99a540e..96d5024 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -111,7 +111,8 @@ if (isset($_REQUEST['report_export']) && $_REQUEST['export_type'] == 'sqldumpfil
 foreach($entries as $entry) {
 $dump .= $entry['statement'];
 }
- $filename = 'log_' . htmlspecialchars($_REQUEST['table']) . '.sql';
+ //$filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
+ $filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');
 header('Content-Type: text/x-sql');
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 header('Content-Disposition: attachment; filename="' . $filename . '"');
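Review bot: The tbl_tracking.php hunk leaves a commented-out variant of the old assignment, `//$filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';`, directly above its replacement; it should be deleted, since git keeps the history and the line documents a wrong approach (HTML-escaping a header value) that a later reader might reinstate. With it removed the change is just `$filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');`, which is the right shape — the new whitelist covers `"` and `;` that the old `htmlspecialchars` never did. The `if (isset($_REQUEST['report_export']) ...)` block this sits in starts and ends outside the hunk.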
@@ -281,17 +282,17 @@ if (isset($_REQUEST['snapshot'])) { <tr class="noclick <?php echo $style; ?>"> <?php if ($field['Key'] == 'PRI') { - echo '<td><b><u>' . $field['Field'] . '</u></b></td>' . "\n"; + echo '<td><b><u>' . htmlspecialchars($field['Field']) . '</u></b></td>' . "\n"; } else { - echo '<td><b>' . $field['Field'] . '</b></td>' . "\n"; + echo '<td><b>' . htmlspecialchars($field['Field']) . '</b></td>' . "\n"; } ?> - <td><?php echo $field['Type'];?></td> - <td><?php echo $field['Collation'];?></td> - <td><?php echo $field['Null'];?></td> - <td><?php echo $field['Default'];?></td> - <td><?php echo $field['Extra'];?></td> - <td><?php echo $field['Comment'];?></td> + <td><?php echo htmlspecialchars($field['Type']);?></td> + <td><?php echo htmlspecialchars($field['Collation']);?></td> + <td><?php echo htmlspecialchars($field['Null']);?></td> + <td><?php echo htmlspecialchars($field['Default']);?></td> + <td><?php echo htmlspecialchars($field['Extra']);?></td> + <td><?php echo htmlspecialchars($field['Comment']);?></td> </tr> <?php if ($style == 'even') { 
@@ -337,15 +338,15 @@ if (isset($_REQUEST['snapshot'])) { } ?> <tr class="noclick <?php echo $style; ?>"> - <td><b><?php echo $index['Key_name'];?></b></td> - <td><?php echo $index['Index_type'];?></td> + <td><b><?php echo htmlspecialchars($index['Key_name']);?></b></td> + <td><?php echo htmlspecialchars($index['Index_type']);?></td> <td><?php echo $str_unique;?></td> <td><?php echo $str_packed;?></td> - <td><?php echo $index['Column_name'];?></td> - <td><?php echo $index['Cardinality'];?></td> - <td><?php echo $index['Collation'];?></td> - <td><?php echo $index['Null'];?></td> - <td><?php echo $index['Comment'];?></td> + <td><?php echo htmlspecialchars($index['Column_name']);?></td> + <td><?php echo htmlspecialchars($index['Cardinality']);?></td> + <td><?php echo htmlspecialchars($index['Collation']);?></td> + <td><?php echo htmlspecialchars($index['Null']);?></td> + <td><?php echo htmlspecialchars($index['Comment']);?></td> </tr> <?php if ($style == 'even') { @@ -372,10 +373,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> <h3><?php echo __('Tracking report');?> [<a href="tbl_tracking.php?<?php echo $url_query;?>"><?php echo __('Close');?></a>]</h3>
- <small><?php echo __('Tracking statements') . ' ' . $data['tracking']; ?></small><br/> + <small><?php echo __('Tracking statements') . ' ' . htmlspecialchars($data['tracking']); ?></small><br/> <br/>
- <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>"> + <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>"> <?php
$str1 = '<select name="logtype">' . @@ -383,9 +384,9 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { '<option value="data"' . ($selection_data ? ' selected="selected"' : ''). '>' . __('Data only') . '</option>' . '<option value="schema_and_data"' . ($selection_both ? ' selected="selected"' : '') . '>' . __('Structure and data') . '</option>' . '</select>'; - $str2 = '<input type="text" name="date_from" value="' . $_REQUEST['date_from'] . '" size="19" />'; - $str3 = '<input type="text" name="date_to" value="' . $_REQUEST['date_to'] . '" size="19" />'; - $str4 = '<input type="text" name="users" value="' . $_REQUEST['users'] . '" />'; + $str2 = '<input type="text" name="date_from" value="' . htmlspecialchars($_REQUEST['date_from']) . '" size="19" />'; + $str3 = '<input type="text" name="date_to" value="' . htmlspecialchars($_REQUEST['date_to']) . '" size="19" />'; + $str4 = '<input type="text" name="users" value="' . htmlspecialchars($_REQUEST['users']) . '" />'; $str5 = '<input type="submit" name="list_report" value="' . __('Go') . '" />';
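Review bot: The rebuilt form action passes `$_REQUEST['version']` straight into `PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version']))`, and the same expression is repeated in the @@ -493 and @@ -506 hunks. The helper presumably takes care of URL and attribute encoding (its output is not visible here), but the version itself is never validated; the listing at @@ -612 prints `$version['version']` as a plain value, so if versions are integer ids a single `$version_number = (int) $_REQUEST['version'];` at the top of the script, reused in all three forms, would bound what reaches the URLs and the queries built from it. Computing the action once, `$report_action = 'tbl_tracking.php' . PMA_generate_common_url(...);`, would also remove the triplication. The `Close` link in the context line above still builds its href from `$url_query` and could use the same helper for consistency; the surrounding `if (isset($_REQUEST['report']) ...)` block extends beyond the hunk.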
printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5); @@ -422,8 +423,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> <tr class="noclick <?php echo $style; ?>"> <td><small><?php echo $i;?></small></td> - <td><small><?php echo $entry['date'];?></small></td> - <td><small><?php echo $entry['username']; ?></small></td> + <td><small><?php echo htmlspecialchars($entry['date']);?></small></td> + <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td> <td><?php echo $statement; ?></td> </tr> <?php @@ -473,8 +474,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> <tr class="noclick <?php echo $style; ?>"> <td><small><?php echo $i; ?></small></td> - <td><small><?php echo $entry['date']; ?></small></td> - <td><small><?php echo $entry['username']; ?></small></td> + <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td> + <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td> <td><?php echo $statement; ?></td> </tr> <?php @@ -493,7 +494,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { } ?> </form> - <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>"> + <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>"> <?php printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
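Review bot: In the @@ -422 hunk and again in @@ -473 the row now escapes `$entry['date']` and `$entry['username']` but still emits `<td><?php echo $statement; ?></td>` raw, which is the cell carrying the tracked SQL and therefore the one most likely to contain a user-chosen table or column name. If `$statement` is already HTML-formatted by the code above (its assignment is outside the hunk, so this is not visible here), a comment on that context line, e.g. `<?php /* $statement is already HTML-escaped where it is built */ ?>`, would make the asymmetry deliberate; if it is not, it needs the same `htmlspecialchars()` treatment as its neighbours.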
@@ -506,11 +507,11 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { $str_export2 = '<input type="submit" name="report_export" value="' . __('Go') .'" />'; ?> </form> - <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>"> - <input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" /> - <input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" /> - <input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" /> - <input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" /> + <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>"> + <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" /> + <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" /> + <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" /> + <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" /> <?php echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>"; ?> 
@@ -612,11 +613,15 @@ if ($last_version > 0) { <tr class="noclick <?php echo $style;?>"> <td><?php echo htmlspecialchars($version['db_name']);?></td> <td><?php echo htmlspecialchars($version['table_name']);?></td> - <td><?php echo $version['version'];?></td> - <td><?php echo $version['date_created'];?></td> - <td><?php echo $version['date_updated'];?></td> + <td><?php echo htmlspecialchars($version['version']);?></td> + <td><?php echo htmlspecialchars($version['date_created']);?></td> + <td><?php echo htmlspecialchars($version['date_updated']);?></td> <td><?php echo $version_status;?></td> - <td> <a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>"><?php echo __('Tracking report');?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&snapshot=true&version=<?php echo $version['version'];?>"><?php echo __('Structure snapshot');?></a></td> + <td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version']) +);?>"><?php echo __('Tracking report');?></a> + | <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version']) +);?>"><?php echo __('Structure snapshot');?></a> + </td> </tr> <?php if ($style == 'even') {
diff --git a/transformation_wrapper.php b/transformation_wrapper.php
index 3699dd0..f04c8ac 100644
--- a/transformation_wrapper.php
+++ b/transformation_wrapper.php
@@ -68,7 +68,7 @@ if (isset($ct) && !empty($ct)) {
 header($content_type);
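Review bot: In the two rebuilt links of the @@ -612 hunk each `PMA_generate_common_url(...)` call is split so that its closing `);?>">` starts the next added line, leaving an open PHP expression dangling at the end of an HTML line; it parses, but it reads like a typo and breaks the one-PHP-span-per-attribute layout the rest of the row uses. Compute the URLs before the `<tr>` in the PHP block that already sets `$style` — `$report_url = PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version']));` and `$snapshot_url = PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version']));` — and write the anchors as `<a href="tbl_tracking.php<?php echo $report_url;?>">`. `$version_status` is still echoed unescaped; if it is a translated label that is fine, but a short comment saying so would keep it from looking like an oversight next to the newly escaped cells. The `foreach` producing `$version` starts outside the hunk.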
if (isset($cn) && !empty($cn)) {
- header('Content-Disposition: attachment; filename=' . $cn);
+ header('Content-Disposition: attachment; filename=' . PMA_sanitize_filename($cn));
 }
if (!isset($resize)) {
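Review bot: The filename in transformation_wrapper.php is still emitted as a bare token, `filename=' . PMA_sanitize_filename($cn)`, whereas every other call site in this commit wraps it in double quotes; the whitelist contains no spaces or separators so the unquoted form parses today, but it silently depends on that whitelist never widening. Use the same shape as tbl_get_field.php: `header('Content-Disposition: attachment; filename="' . PMA_sanitize_filename($cn) . '"');`. Where `$cn` comes from is outside the hunk; if it is request-supplied, note that `!empty($cn)` also rejects the legitimate name `0`, which `$cn !== ''` would not.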