Branch: refs/heads/MAINT_4_4_15 Home: https://github.com/phpmyadmin/phpmyadmin Commit: b39c02b0a82b13d2198276d228051139e6b838d9 https://github.com/phpmyadmin/phpmyadmin/commit/b39c02b0a82b13d2198276d22805... Author: Madhura Jayaratne <madhura.cj@gmail.com> Date: 2016-01-15 (Fri, 15 Jan 2016) Changed paths: M setup/frames/form.inc.php M setup/index.php M setup/validate.php Log Message: ----------- [Security] Fix path disclosure, items 1.4.x, 1.5 and 1.6 Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com> Commit: 2b3f915f72bfe7eb9ae60a69582f041ddc55f663 https://github.com/phpmyadmin/phpmyadmin/commit/2b3f915f72bfe7eb9ae60a69582f... Author: Madhura Jayaratne <madhura.cj@gmail.com> Date: 2016-01-19 (Tue, 19 Jan 2016) Changed paths: M libraries/DbSearch.class.php Log Message: ----------- Fix XSS in DB_search.php Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com> Commit: 8f86713de6163ccd0f8bd9987251a9d17feaee18 https://github.com/phpmyadmin/phpmyadmin/commit/8f86713de6163ccd0f8bd9987251... Author: Madhura Jayaratne <madhura.cj@gmail.com> Date: 2016-01-19 (Tue, 19 Jan 2016) Changed paths: M js/normalization.js Log Message: ----------- Fix XSS in normalization.php Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com> Commit: 75de41635d387e1c3c8d71a746241502a90c8422 https://github.com/phpmyadmin/phpmyadmin/commit/75de41635d387e1c3c8d71a74624... Author: Madhura Jayaratne <madhura.cj@gmail.com> Date: 2016-01-19 (Tue, 19 Jan 2016) Changed paths: M libraries/TableSearch.class.php Log Message: ----------- Fix XSS in zoom search Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com> Commit: 8b6737735be5787d0b98c6cdfe2c7e3131b1bc95 https://github.com/phpmyadmin/phpmyadmin/commit/8b6737735be5787d0b98c6cdfe2c... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M js/functions.js Log Message: ----------- Use secure RNG if available Recent browsers come with better RNG, so let's use it for generating password instead of Math.random if available. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 5530a72e162fab442218486a90ff3365c96fde98 https://github.com/phpmyadmin/phpmyadmin/commit/5530a72e162fab442218486a90ff... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M js/functions.js Log Message: ----------- Use full alphabet to generate random passwords Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 91638c04d1f2c3977560a5b9db3ac3879a38691b https://github.com/phpmyadmin/phpmyadmin/commit/91638c04d1f2c3977560a5b9db3a... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M libraries/session.inc.php Log Message: ----------- Use phpseclib's Crypt::Random to generate CSRF token Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 13384f7f47dadb02cfe950af0413c7d3e136df8e https://github.com/phpmyadmin/phpmyadmin/commit/13384f7f47dadb02cfe950af0413... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M libraries/phpseclib/Crypt/AES.php M libraries/phpseclib/Crypt/Base.php M libraries/phpseclib/Crypt/Random.php M libraries/phpseclib/Crypt/Rijndael.php Log Message: ----------- Update phpseclib to 2.0.1 New version uses PHP 7.0 random_bytes to generate cryptographically secure pseudo-random bytes. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 3303b3d6c304d71da4a7d242307bf449aaa955c5 https://github.com/phpmyadmin/phpmyadmin/commit/3303b3d6c304d71da4a7d242307b... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M libraries/common.inc.php M libraries/core.lib.php Log Message: ----------- Use hash_equals for comparing token Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 1414d60cbfe01a2d08ab9d5e6a7178a6323fca68 https://github.com/phpmyadmin/phpmyadmin/commit/1414d60cbfe01a2d08ab9d5e6a71... Author: Madhura Jayaratne <madhura.cj@gmail.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M libraries/core.lib.php Log Message: ----------- Escape javascript variable content Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com> Commit: 470cd68344e86915679356dcc2cdb88c63a1d91d https://github.com/phpmyadmin/phpmyadmin/commit/470cd68344e86915679356dcc2cd... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M libraries/common.inc.php Log Message: ----------- Include common libraries in setup We use PMA_fatalError which in turn needs Response and related objects. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: b95360334d69b032b58cafb7d29db6670e9c7224 https://github.com/phpmyadmin/phpmyadmin/commit/b95360334d69b032b58cafb7d29d... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M setup/lib/common.inc.php Log Message: ----------- Can not use PMA_fatalError when including fails Signed-off-by: Michal Čihař <michal@cihar.com> Commit: d63a8ab7e028925707902266fc989760118a4c72 https://github.com/phpmyadmin/phpmyadmin/commit/d63a8ab7e028925707902266fc98... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M libraries/common.inc.php Log Message: ----------- Do not process subforms with PMA_MINIMUM_COMMON In such case needed infrastructure is not loaded, so related code won't work anyway. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 879a14ad165b475ec58ceab33687d7cc5913a63b https://github.com/phpmyadmin/phpmyadmin/commit/879a14ad165b475ec58ceab33687... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M libraries/DatabaseInterface.class.php Log Message: ----------- Fallback to default collation connection If user supplied wrong string we should gracefully fallback. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: ccf3c36f474f8b202c7d3b167b2477d23fd5b8e6 https://github.com/phpmyadmin/phpmyadmin/commit/ccf3c36f474f8b202c7d3b167b24... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-26 (Tue, 26 Jan 2016) Changed paths: M .travis.yml M libraries/VersionInformation.php Log Message: ----------- Merge branch 'MAINT_4_4_15' into MAINT_4_4_15-security Commit: d0a9baef3728a37120d53dc0a96abf04ace139da https://github.com/phpmyadmin/phpmyadmin/commit/d0a9baef3728a37120d53dc0a96a... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-27 (Wed, 27 Jan 2016) Changed paths: M libraries/common.inc.php Log Message: ----------- Enable localization before redirect This is needed in case of IIS which needs full HTML response. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 3b96f3600651163b8c1d9b6ff7ebd0b142412993 https://github.com/phpmyadmin/phpmyadmin/commit/3b96f3600651163b8c1d9b6ff7eb... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-27 (Wed, 27 Jan 2016) Changed paths: M libraries/phpseclib/Crypt/AES.php M libraries/phpseclib/Crypt/Rijndael.php Log Message: ----------- Avoid execution outside phpMyAdmin This is hacky, but avoids path disclossure on direct access to the scripts. Signed-off-by: Michal Čihař <michal@cihar.com> Commit: 11eeed0c0577acc256ad1a331cda7e65d51d3a41 https://github.com/phpmyadmin/phpmyadmin/commit/11eeed0c0577acc256ad1a331cda... Author: Michal Čihař <michal@cihar.com> Date: 2016-01-27 (Wed, 27 Jan 2016) Changed paths: M libraries/phpseclib/Crypt/AES.php M libraries/phpseclib/Crypt/Rijndael.php Log Message: ----------- Move security check behind namespace Signed-off-by: Michal Čihař <michal@cihar.com> Commit: c21937440af0b0b2ed752f229c3d2523ac178d85 https://github.com/phpmyadmin/phpmyadmin/commit/c21937440af0b0b2ed752f229c3d... Author: Isaac Bennetch <bennetch@gmail.com> Date: 2016-01-27 (Wed, 27 Jan 2016) Changed paths: M README M doc/conf.py M libraries/Config.class.php Log Message: ----------- Release 4.4.15.3 Signed-off-by: Isaac Bennetch <bennetch@gmail.com> Compare: https://github.com/phpmyadmin/phpmyadmin/compare/01d0e0975f68...c21937440af0