The branch, master has been updated via c555fc1b347dd25b02ce2e586d2d76c7c6b3d216 (commit) via ba255de1b263ca9b86014414b131ec79e621b28c (commit) via 0e707906e69ce90c4852a0fce2a0fac7db86a3cd (commit) via bd3735ba584e7a49aee78813845245354b061f61 (commit) from 9bf4527ab422d1594bb77a2eed5773dafbbfb3bd (commit) - Log ----------------------------------------------------------------- commit c555fc1b347dd25b02ce2e586d2d76c7c6b3d216 Merge: 9bf4527 ba255de Author: Marc Delisle <marc@infomarc.info> Date: Wed Dec 14 08:00:51 2011 -0500 Fix merge conflicts ----------------------------------------------------------------------- Summary of changes: ChangeLog | 2 ++ libraries/config/ConfigFile.class.php | 2 +- libraries/display_export.lib.php | 6 +++--- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f9d873..d3b47a3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -76,6 +76,8 @@ phpMyAdmin - ChangeLog - bug #3449659 [navi] Fast filter broken with table tree - bug #3448485 [GUI] Firefox favicon frameset regression - [core] Better compatibility with mysql extension +- [security] Self-XSS on export options (export server/database/table), see PMASA-2011-20 +- [security] Self-XSS in setup (host parameter), see PMASA-2011-19 3.4.8.0 (2011-12-01) - bug #3425230 [interface] enum data split at space char (more space to edit) diff --git a/libraries/config/ConfigFile.class.php b/libraries/config/ConfigFile.class.php index dfe2235..dffa62d 100644 --- a/libraries/config/ConfigFile.class.php +++ b/libraries/config/ConfigFile.class.php @@ -417,7 +417,7 @@ class ConfigFile return htmlspecialchars($verbose); } $host = $this->get("Servers/$id/host"); - return empty($host) ? 'localhost' : $host; + return empty($host) ? 'localhost' : htmlspecialchars($host); } /** diff --git a/libraries/display_export.lib.php b/libraries/display_export.lib.php index 7a5824e..db87a99 100644 --- a/libraries/display_export.lib.php +++ b/libraries/display_export.lib.php @@ -152,10 +152,10 @@ if (isset($_GET['sql_query'])) { echo '<label for ="radio_allrows_0">' . __('Dump some row(s)') . '</label>'; ?> <ul> <li><label for="limit_to"><?php echo __('Number of rows:') . '</label> <input type="text" id="limit_to" name="limit_to" size="5" value="' - . ((isset($_GET['limit_to'])) ? $_GET['limit_to'] : ((isset($unlim_num_rows) ? $unlim_num_rows : PMA_Table::countRecords($db, $table)))) + . ((isset($_GET['limit_to'])) ? htmlspecialchars($_GET['limit_to']) : ((isset($unlim_num_rows) ? $unlim_num_rows : PMA_Table::countRecords($db, $table)))) . '" onfocus="this.select()" />' ?></li> <li><label for="limit_from"><?php echo __('Row to begin at:') . '</label> <input type="text" id="limit_from" name="limit_from" value="' - . ((isset($_GET['limit_from'])) ? $_GET['limit_from'] : '0') + . ((isset($_GET['limit_from'])) ? htmlspecialchars($_GET['limit_from']) : '0') . '" size="5" onfocus="this.select()" />'; ?></li> </ul> </li> @@ -244,7 +244,7 @@ if (isset($_GET['sql_query'])) { <?php echo ' value="'; if (isset($_GET['filename_template'])) { - echo $_GET['filename_template']; + echo htmlspecialchars($_GET['filename_template']); } else { if ($export_type == 'database') { echo htmlspecialchars($GLOBALS['PMA_Config']->getUserValue( hooks/post-receive -- phpMyAdmin