Branch: refs/heads/MAINT_4_4_15 Home: https://github.com/phpmyadmin/phpmyadmin Commit: 4141d694eb212b676ccc768e61b4d4085566f0ed https://github.com/phpmyadmin/phpmyadmin/commit/4141d694eb212b676ccc768e61b4... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/core.lib.php M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message: ----------- Strip null bytes from MySQL username
In old PHP versions this could lead to allow/deny rules bypass.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 259694af9a3ce80bd17db04f46fb631693d929b8 https://github.com/phpmyadmin/phpmyadmin/commit/259694af9a3ce80bd17db04f46fb... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/ip_allow_deny.lib.php
Log Message: ----------- Use hash_equals for comparing username in allow/deny rules
The comparison should happen in constant time to avoid possible leak of usernames in rules.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: f02555fe948c655877d318f82073cc83e333d99c https://github.com/phpmyadmin/phpmyadmin/commit/f02555fe948c655877d318f82073... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message: ----------- Use hash_equals for checking username
This makes the comparison happen in constant time and makes it impossible to use it to guess stored usernames.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 6735d83e10ae33a20153eb5516fb2f1963a594a7 https://github.com/phpmyadmin/phpmyadmin/commit/6735d83e10ae33a20153eb5516fb... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/VersionInformation.php
Log Message: ----------- Silent errors when getting remote file
- both curl and fopen wrappers can emmit errors in cases where remote site is not accessible - do not pass false value to json_decode
Signed-off-by: Michal Čihař michal@cihar.com
Commit: ebcd746a2fc8b356e36c92fa6960d5f7256ebff0 https://github.com/phpmyadmin/phpmyadmin/commit/ebcd746a2fc8b356e36c92fa6960... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/export.lib.php
Log Message: ----------- Remove debugging code
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 5f40a46d24068484a5afe0bbb4ce4e5c8a6c6094 https://github.com/phpmyadmin/phpmyadmin/commit/5f40a46d24068484a5afe0bbb4ce... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/Error.class.php M test/classes/PMA_Error_test.php
Log Message: ----------- Strip path even if openbasedir restrictions apply
This really should not be the case here as what we get here is code executed by PHP, so it should have already passed openbasedir restrictions.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 55c26d0065e83b9899ba90afb49dd72415c8d7f5 https://github.com/phpmyadmin/phpmyadmin/commit/55c26d0065e83b9899ba90afb49d... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M js/ajax.js
Log Message: ----------- Store copy of hash instead of working on live object
This avoids possible race conditions when doing the checks.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 9b8094bb0d61da59f80a2f927011068c8e0f3069 https://github.com/phpmyadmin/phpmyadmin/commit/9b8094bb0d61da59f80a2f927011... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/navigation/NavigationHeader.class.php
Log Message: ----------- Stricter validation of NavigationLogoLink
It now has to be URL including scheme. Otherwise it's not really possible to validate it for being just http/https.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 94736885a66a5b28665d252d3062824fca99dd01 https://github.com/phpmyadmin/phpmyadmin/commit/94736885a66a5b28665d252d3062... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M js/config.js
Log Message: ----------- Fix hash validation
- use copy of hash to avoid race condition - stricter regex to match whole string
Signed-off-by: Michal Čihař michal@cihar.com
Commit: fa3bcffd4e2e6d0d7f41f2ec0db2fe8d50a0635d https://github.com/phpmyadmin/phpmyadmin/commit/fa3bcffd4e2e6d0d7f41f2ec0db2... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/DBQbe.class.php M libraries/SavedSearches.class.php
Log Message: ----------- Limit maximal number of rows in QBE
User would be lost in them anyway by that count and it prevents DOS.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 18fdcd066467259a4fb866961dde73f7902c5e8c https://github.com/phpmyadmin/phpmyadmin/commit/18fdcd066467259a4fb866961dde... Author: Michal Čihař michal@cihar.com Date: 2016-08-24 (Wed, 24 Aug 2016)
Changed paths: M ChangeLog M index.php
Log Message: ----------- Do not show warning about short blowfish_secret if none is set
With empty blowfish_secret user would always get both warnings...
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 38e4f77a8b0010a774d18cac4d41b104bff4bc53 https://github.com/phpmyadmin/phpmyadmin/commit/38e4f77a8b0010a774d18cac4d41... Author: Michal Čihař michal@cihar.com Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths: M import.php
Log Message: ----------- Fix possible DOS on too big skip value
- loop only as long as long we have data to skip - convert skip parameter to integer
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 499a61c7d831f424c1e68f734b587e6baa395634 https://github.com/phpmyadmin/phpmyadmin/commit/499a61c7d831f424c1e68f734b58... Author: Michal Čihař michal@cihar.com Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths: M index.php M libraries/core.lib.php
Log Message: ----------- Stricter URL validation
- do not use empty() as empty('0') is true - do not lowercase the strings, use them as they are - lowercase all domains in our codebase - do not allow to specify port
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 2cb51d22dba43f4a5d57d76ad8c734422db7c916 https://github.com/phpmyadmin/phpmyadmin/commit/2cb51d22dba43f4a5d57d76ad8c7... Author: Michal Čihař michal@cihar.com Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths: M libraries/ip_allow_deny.lib.php
Log Message: ----------- Use hash_equals when comparing IPv6 allow rules
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 8ee12d39e568d46b358601be1217e5087f4acf75 https://github.com/phpmyadmin/phpmyadmin/commit/8ee12d39e568d46b358601be1217... Author: Michal Čihař michal@cihar.com Date: 2016-09-19 (Mon, 19 Sep 2016)
Changed paths: M libraries/plugins/AuthenticationPlugin.class.php M libraries/plugins/auth/AuthenticationConfig.class.php M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message: ----------- Verify value of access_time to avoid unwanted session extension
We need to ansure the access_time parameter is in valid range to avoid possibility of remotely extending session validity.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: e3f2c744916ebdd355f365eb350eed078e2542d7 https://github.com/phpmyadmin/phpmyadmin/commit/e3f2c744916ebdd355f365eb350e... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-10-02 (Sun, 02 Oct 2016)
Changed paths: M prefs_manage.php
Log Message: ----------- Don't assume the default arg_separator in URL
Respect the value for arg_separator.input too.
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: 1fc004d1730b3ca1b857d005de8a3d00d50cfdb4 https://github.com/phpmyadmin/phpmyadmin/commit/1fc004d1730b3ca1b857d005de8a... Author: Michal Čihař michal@cihar.com Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_safeUnserialize_test.php
Log Message: ----------- Correctly parse string length when checking serialized data
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 6d7113776ce6384838b00112f821366a1b92de48 https://github.com/phpmyadmin/phpmyadmin/commit/6d7113776ce6384838b00112f821... Author: Michal Čihař michal@cihar.com Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths: M prefs_manage.php
Log Message: ----------- Merge branch 'MAINT_4_4_15-security' of github.com:phpmyadmin/phpmyadmin-security into MAINT_4_4_15-security
Commit: 9d0b1915d61e7289d234d26e6bdba021027fda87 https://github.com/phpmyadmin/phpmyadmin/commit/9d0b1915d61e7289d234d26e6bdb... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths: M libraries/tracking.lib.php
Log Message: ----------- Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: d69375ff75bf58cbc35130081973a9ecfaec7d52 https://github.com/phpmyadmin/phpmyadmin/commit/d69375ff75bf58cbc35130081973... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths: M libraries/Tracker.class.php
Log Message: ----------- Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: a9e3827b190c386fc6cc0389668545ff0e2b4fdb https://github.com/phpmyadmin/phpmyadmin/commit/a9e3827b190c386fc6cc03896685... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-11-08 (Tue, 08 Nov 2016)
Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_sanitizeMySQLHost_test.php
Log Message: ----------- Handle multiple `p:` while sanitizing MySQL hosts
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: 0748384685693e3ecf97b021ccab075e295d4d65 https://github.com/phpmyadmin/phpmyadmin/commit/0748384685693e3ecf97b021ccab... Author: Isaac Bennetch bennetch@gmail.com Date: 2016-11-24 (Thu, 24 Nov 2016)
Changed paths: M ChangeLog M README M doc/conf.py M libraries/Config.class.php
Log Message: ----------- 4.4.15.9 release and ChangeLog
Signed-off-by: Isaac Bennetch bennetch@gmail.com
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/39864227e7c3...074838468569
-
Isaac Bennetch