Branch: refs/heads/MAINT_4_4_15
Home:
https://github.com/phpmyadmin/phpmyadmin
Commit: 4141d694eb212b676ccc768e61b4d4085566f0ed
https://github.com/phpmyadmin/phpmyadmin/commit/4141d694eb212b676ccc768e61b…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/core.lib.php
M libraries/plugins/auth/AuthenticationCookie.class.php
M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message:
-----------
Strip null bytes from MySQL username
In old PHP versions this could lead to allow/deny rules bypass.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 259694af9a3ce80bd17db04f46fb631693d929b8
https://github.com/phpmyadmin/phpmyadmin/commit/259694af9a3ce80bd17db04f46f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/ip_allow_deny.lib.php
Log Message:
-----------
Use hash_equals for comparing username in allow/deny rules
The comparison should happen in constant time to avoid possible leak of
usernames in rules.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: f02555fe948c655877d318f82073cc83e333d99c
https://github.com/phpmyadmin/phpmyadmin/commit/f02555fe948c655877d318f8207…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/plugins/auth/AuthenticationCookie.class.php
M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message:
-----------
Use hash_equals for checking username
This makes the comparison happen in constant time and makes it
impossible to use it to guess stored usernames.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6735d83e10ae33a20153eb5516fb2f1963a594a7
https://github.com/phpmyadmin/phpmyadmin/commit/6735d83e10ae33a20153eb5516f…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/VersionInformation.php
Log Message:
-----------
Silent errors when getting remote file
- both curl and fopen wrappers can emmit errors in cases where remote
site is not accessible
- do not pass false value to json_decode
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: ebcd746a2fc8b356e36c92fa6960d5f7256ebff0
https://github.com/phpmyadmin/phpmyadmin/commit/ebcd746a2fc8b356e36c92fa696…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/export.lib.php
Log Message:
-----------
Remove debugging code
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 5f40a46d24068484a5afe0bbb4ce4e5c8a6c6094
https://github.com/phpmyadmin/phpmyadmin/commit/5f40a46d24068484a5afe0bbb4c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/Error.class.php
M test/classes/PMA_Error_test.php
Log Message:
-----------
Strip path even if openbasedir restrictions apply
This really should not be the case here as what we get here is code
executed by PHP, so it should have already passed openbasedir
restrictions.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 55c26d0065e83b9899ba90afb49dd72415c8d7f5
https://github.com/phpmyadmin/phpmyadmin/commit/55c26d0065e83b9899ba90afb49…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M js/ajax.js
Log Message:
-----------
Store copy of hash instead of working on live object
This avoids possible race conditions when doing the checks.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 9b8094bb0d61da59f80a2f927011068c8e0f3069
https://github.com/phpmyadmin/phpmyadmin/commit/9b8094bb0d61da59f80a2f92701…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/navigation/NavigationHeader.class.php
Log Message:
-----------
Stricter validation of NavigationLogoLink
It now has to be URL including scheme. Otherwise it's not really
possible to validate it for being just http/https.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 94736885a66a5b28665d252d3062824fca99dd01
https://github.com/phpmyadmin/phpmyadmin/commit/94736885a66a5b28665d252d306…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M js/config.js
Log Message:
-----------
Fix hash validation
- use copy of hash to avoid race condition
- stricter regex to match whole string
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: fa3bcffd4e2e6d0d7f41f2ec0db2fe8d50a0635d
https://github.com/phpmyadmin/phpmyadmin/commit/fa3bcffd4e2e6d0d7f41f2ec0db…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/DBQbe.class.php
M libraries/SavedSearches.class.php
Log Message:
-----------
Limit maximal number of rows in QBE
User would be lost in them anyway by that count and it prevents DOS.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 18fdcd066467259a4fb866961dde73f7902c5e8c
https://github.com/phpmyadmin/phpmyadmin/commit/18fdcd066467259a4fb866961dd…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-08-24 (Wed, 24 Aug 2016)
Changed paths:
M ChangeLog
M index.php
Log Message:
-----------
Do not show warning about short blowfish_secret if none is set
With empty blowfish_secret user would always get both warnings...
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 38e4f77a8b0010a774d18cac4d41b104bff4bc53
https://github.com/phpmyadmin/phpmyadmin/commit/38e4f77a8b0010a774d18cac4d4…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M import.php
Log Message:
-----------
Fix possible DOS on too big skip value
- loop only as long as long we have data to skip
- convert skip parameter to integer
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 499a61c7d831f424c1e68f734b587e6baa395634
https://github.com/phpmyadmin/phpmyadmin/commit/499a61c7d831f424c1e68f734b5…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M index.php
M libraries/core.lib.php
Log Message:
-----------
Stricter URL validation
- do not use empty() as empty('0') is true
- do not lowercase the strings, use them as they are
- lowercase all domains in our codebase
- do not allow to specify port
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 2cb51d22dba43f4a5d57d76ad8c734422db7c916
https://github.com/phpmyadmin/phpmyadmin/commit/2cb51d22dba43f4a5d57d76ad8c…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M libraries/ip_allow_deny.lib.php
Log Message:
-----------
Use hash_equals when comparing IPv6 allow rules
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 8ee12d39e568d46b358601be1217e5087f4acf75
https://github.com/phpmyadmin/phpmyadmin/commit/8ee12d39e568d46b358601be121…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-09-19 (Mon, 19 Sep 2016)
Changed paths:
M libraries/plugins/AuthenticationPlugin.class.php
M libraries/plugins/auth/AuthenticationConfig.class.php
M libraries/plugins/auth/AuthenticationCookie.class.php
M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message:
-----------
Verify value of access_time to avoid unwanted session extension
We need to ansure the access_time parameter is in valid range to avoid
possibility of remotely extending session validity.
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: e3f2c744916ebdd355f365eb350eed078e2542d7
https://github.com/phpmyadmin/phpmyadmin/commit/e3f2c744916ebdd355f365eb350…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-10-02 (Sun, 02 Oct 2016)
Changed paths:
M prefs_manage.php
Log Message:
-----------
Don't assume the default arg_separator in URL
Respect the value for arg_separator.input too.
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: 1fc004d1730b3ca1b857d005de8a3d00d50cfdb4
https://github.com/phpmyadmin/phpmyadmin/commit/1fc004d1730b3ca1b857d005de8…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths:
M libraries/core.lib.php
M test/libraries/core/PMA_safeUnserialize_test.php
Log Message:
-----------
Correctly parse string length when checking serialized data
Signed-off-by: Michal Čihař <michal(a)cihar.com>
Commit: 6d7113776ce6384838b00112f821366a1b92de48
https://github.com/phpmyadmin/phpmyadmin/commit/6d7113776ce6384838b00112f82…
Author: Michal Čihař <michal(a)cihar.com>
Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths:
M prefs_manage.php
Log Message:
-----------
Merge branch 'MAINT_4_4_15-security' of
github.com:phpmyadmin/phpmyadmin-security into MAINT_4_4_15-security
Commit: 9d0b1915d61e7289d234d26e6bdba021027fda87
https://github.com/phpmyadmin/phpmyadmin/commit/9d0b1915d61e7289d234d26e6bd…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths:
M libraries/tracking.lib.php
Log Message:
-----------
Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: d69375ff75bf58cbc35130081973a9ecfaec7d52
https://github.com/phpmyadmin/phpmyadmin/commit/d69375ff75bf58cbc3513008197…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths:
M libraries/Tracker.class.php
Log Message:
-----------
Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: a9e3827b190c386fc6cc0389668545ff0e2b4fdb
https://github.com/phpmyadmin/phpmyadmin/commit/a9e3827b190c386fc6cc0389668…
Author: Deven Bansod <devenbansod.bits(a)gmail.com>
Date: 2016-11-08 (Tue, 08 Nov 2016)
Changed paths:
M libraries/core.lib.php
M test/libraries/core/PMA_sanitizeMySQLHost_test.php
Log Message:
-----------
Handle multiple `p:` while sanitizing MySQL hosts
Signed-off-by: Deven Bansod <devenbansod.bits(a)gmail.com>
Commit: 0748384685693e3ecf97b021ccab075e295d4d65
https://github.com/phpmyadmin/phpmyadmin/commit/0748384685693e3ecf97b021cca…
Author: Isaac Bennetch <bennetch(a)gmail.com>
Date: 2016-11-24 (Thu, 24 Nov 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.class.php
Log Message:
-----------
4.4.15.9 release and ChangeLog
Signed-off-by: Isaac Bennetch <bennetch(a)gmail.com>
Compare:
https://github.com/phpmyadmin/phpmyadmin/compare/39864227e7c3...074838468569