Branch: refs/heads/MAINT_4_0_10 Home: https://github.com/phpmyadmin/phpmyadmin Commit: 285e5623b638cb414b3c3e5ab7c0f3126d616b54 https://github.com/phpmyadmin/phpmyadmin/commit/285e5623b638cb414b3c3e5ab7c0... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/core.lib.php M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message: ----------- Strip null bytes from MySQL username
In old PHP versions this could lead to allow/deny rules bypass.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 58245cb1cc25a1b167941cf30a4cc742a27c0b5b https://github.com/phpmyadmin/phpmyadmin/commit/58245cb1cc25a1b167941cf30a4c... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/ip_allow_deny.lib.php
Log Message: ----------- Use hash_equals for comparing username in allow/deny rules
The comparison should happen in constant time to avoid possible leak of usernames in rules.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 6117ad5cef7bbe3ff080efb557bbafaff757e0ea https://github.com/phpmyadmin/phpmyadmin/commit/6117ad5cef7bbe3ff080efb557bb... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/plugins/auth/AuthenticationCookie.class.php M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message: ----------- Use hash_equals for checking username
This makes the comparison happen in constant time and makes it impossible to use it to guess stored usernames.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: f2add98bd93fa96da130214e78eacb01893aa89a https://github.com/phpmyadmin/phpmyadmin/commit/f2add98bd93fa96da130214e78ea... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/Error.class.php M test/classes/PMA_Error_test.php
Log Message: ----------- Strip path even if openbasedir restrictions apply
This really should not be the case here as what we get here is code executed by PHP, so it should have already passed openbasedir restrictions.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: c2f7a898ddf69422af218718d20c7eb6af62cb88 https://github.com/phpmyadmin/phpmyadmin/commit/c2f7a898ddf69422af218718d20c... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M js/ajax.js
Log Message: ----------- Store copy of hash instead of working on live object
This avoids possible race conditions when doing the checks.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 096856c70c1b8b1b9a94a54ee780f7be623fd1c5 https://github.com/phpmyadmin/phpmyadmin/commit/096856c70c1b8b1b9a94a54ee780... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/navigation/NavigationHeader.class.php
Log Message: ----------- Stricter validation of NavigationLogoLink
It now has to be URL including scheme. Otherwise it's not really possible to validate it for being just http/https.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: b2605ebba6ca729fd0157a0774d173e3ec04eabb https://github.com/phpmyadmin/phpmyadmin/commit/b2605ebba6ca729fd0157a0774d1... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M js/config.js
Log Message: ----------- Fix hash validation
- use copy of hash to avoid race condition - stricter regex to match whole string
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 67700620db6b494c9ecab9f4268d30cf4afb01b3 https://github.com/phpmyadmin/phpmyadmin/commit/67700620db6b494c9ecab9f4268d... Author: Michal Čihař michal@cihar.com Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths: M libraries/DBQbe.class.php
Log Message: ----------- Limit maximal number of rows in QBE
User would be lost in them anyway by that count and it prevents DOS.
Signed-off-by: Michal Čihař michal@cihar.com
Commit: d37abc38daca9c1ebc074e3b4e9b2bdfc1cf523d https://github.com/phpmyadmin/phpmyadmin/commit/d37abc38daca9c1ebc074e3b4e9b... Author: Michal Čihař michal@cihar.com Date: 2016-08-24 (Wed, 24 Aug 2016)
Changed paths: M ChangeLog M index.php
Log Message: ----------- Do not show warning about short blowfish_secret if none is set
With empty blowfish_secret user would always get both warnings...
Fixes #12485
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 0c3dfd186c281710516805f97a9875149abeb3ce https://github.com/phpmyadmin/phpmyadmin/commit/0c3dfd186c281710516805f97a98... Author: Michal Čihař michal@cihar.com Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths: M import.php
Log Message: ----------- Fix possible DOS on too big skip value
- loop only as long as long we have data to skip - convert skip parameter to integer
Signed-off-by: Michal Čihař michal@cihar.com
Commit: af7c58939155d407233c8c3bf6f2ad3e540f489a https://github.com/phpmyadmin/phpmyadmin/commit/af7c58939155d407233c8c3bf6f2... Author: Michal Čihař michal@cihar.com Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths: M index.php M libraries/core.lib.php
Log Message: ----------- Stricter URL validation
- do not use empty() as empty('0') is true - do not lowercase the strings, use them as they are - lowercase all domains in our codebase - do not allow to specify port
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 63b7f6c0a94af5d7402c4f198846dc0c066f5413 https://github.com/phpmyadmin/phpmyadmin/commit/63b7f6c0a94af5d7402c4f198846... Author: Michal Čihař michal@cihar.com Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths: M libraries/ip_allow_deny.lib.php
Log Message: ----------- Use hash_equals when comparing IPv6 allow rules
Signed-off-by: Michal Čihař michal@cihar.com
Commit: 773f126c89aca6588258753218e600c5764857c2 https://github.com/phpmyadmin/phpmyadmin/commit/773f126c89aca6588258753218e6... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-10-02 (Sun, 02 Oct 2016)
Changed paths: M prefs_manage.php
Log Message: ----------- Don't assume the default arg_separator in URL
Respect the value for arg_separator.input too.
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: 5e108a340f3eac6b6c488439343b6c1a7454787c https://github.com/phpmyadmin/phpmyadmin/commit/5e108a340f3eac6b6c488439343b... Author: Michal Čihař michal@cihar.com Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_safeUnserialize_test.php
Log Message: ----------- Correctly parse string length when checking serialized data
Signed-off-by: Michal Čihař michal@cihar.com
Commit: be5196ba44e6f029de11abe32cea72161c698533 https://github.com/phpmyadmin/phpmyadmin/commit/be5196ba44e6f029de11abe32cea... Author: Michal Čihař michal@cihar.com Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths: M prefs_manage.php
Log Message: ----------- Merge branch 'MAINT_4_0_10-security' of github.com:phpmyadmin/phpmyadmin-security into MAINT_4_0_10-security
Commit: 54875fffc12da0f1c0c2b6042e638b08fc337e2a https://github.com/phpmyadmin/phpmyadmin/commit/54875fffc12da0f1c0c2b6042e63... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths: M tbl_tracking.php
Log Message: ----------- Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: 337b38044ddfe74d334831390c6cb40cd2f001f1 https://github.com/phpmyadmin/phpmyadmin/commit/337b38044ddfe74d334831390c6c... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths: M libraries/Tracker.class.php
Log Message: ----------- Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: 670359777263517b92908677fafc7e8dcd377ec5 https://github.com/phpmyadmin/phpmyadmin/commit/670359777263517b92908677fafc... Author: Deven Bansod devenbansod.bits@gmail.com Date: 2016-11-08 (Tue, 08 Nov 2016)
Changed paths: M libraries/core.lib.php M test/libraries/core/PMA_sanitizeMySQLHost_test.php
Log Message: ----------- Handle multiple `:p` while sanitizing MySQL hosts
Signed-off-by: Deven Bansod devenbansod.bits@gmail.com
Commit: 8783113cec408ad9a81f17e3a97db6c4732e6164 https://github.com/phpmyadmin/phpmyadmin/commit/8783113cec408ad9a81f17e3a97d... Author: Isaac Bennetch bennetch@gmail.com Date: 2016-11-24 (Thu, 24 Nov 2016)
Changed paths: M ChangeLog M README M doc/conf.py M libraries/Config.class.php
Log Message: ----------- 4.0.10.18 release and ChangeLog
Signed-off-by: Isaac Bennetch bennetch@gmail.com
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/5ba96c8804d9...8783113cec40
-
Isaac Bennetch