From DelislMa at CollegeSherbrooke.qc.ca Mon Feb 14 09:44:19 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Mon Feb 14 09:44:19 2005
Subject: [Phpmyadmin-devel] Re: Patch
In-Reply-To: <011201c51252$27655de0$0201a8c0@uranium>
References: <41F54312.5010101@CollegeSherbrooke.qc.ca> <011201c51252$27655de0$0201a8c0@uranium>
Message-ID: <4210E352.7020808@CollegeSherbrooke.qc.ca>

Armel FAUVEAU wrote:
> Hi all,
>
> I try to clean HTML code (warning and errors), especially in
> queryframe.php.
> Btw, there is a good HTML validator extension (under Moz) based on Tidy.
> It's very useful to control HTML code.
>
> So, here is a link : http://users.skynet.be/mgueury/mozilla/
>
> Dunno what is the project planning roadmap, but it will be a good idea
> to fix all HTML errors and warnings in PMA. That could increase the
> quality of this famous project :)
>
> HTH,
>
> Armel.

Hi Armel,

good to have news from you again.

About those patches, I made a little research and found
http://www.pageresource.com/jscript/jprompt.htm
which explains why you want us to escape the forward slashes with backslashes.

However, looking at the generated HTML source from phpMyAdmin, I don't see the problem that it's supposed to fix.

For example, about your patch

67c67 < document.write(''); --- > document.write('<\/style>');

the js code generated by header.inc.php, as seen in Firefox 1.0, is IMO correct:

document.write('');

Or am I missing something? Would this problem occur on older browsers?
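
Review bot: the changed line 67, document.write('<\/style>'), should carry a one-line comment saying why the slash is escaped, because the page renders the same in the browser tested in this message and a later cleanup could strip the backslash again. The reason comes from the HTML 4 rules for script content (the scripts section of the recommendation linked later in this thread): inside a script element, "</" followed by a letter may be taken as the end of the element, which is what an HTML validator flags. The patch description should also say whether the other document.write() calls that emit closing tags were checked for the same thing.
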
Marc

From DelislMa at CollegeSherbrooke.qc.ca Mon Feb 14 10:30:30 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Mon Feb 14 10:30:30 2005
Subject: [Phpmyadmin-devel] Re: Patch
In-Reply-To: <025101c512c0$9e340fc0$1201a8c0@globalis>
References: <41F54312.5010101@CollegeSherbrooke.qc.ca> <011201c51252$27655de0$0201a8c0@uranium> <4210E352.7020808@CollegeSherbrooke.qc.ca> <025101c512c0$9e340fc0$1201a8c0@globalis>
Message-ID: <4210EDEF.7080102@CollegeSherbrooke.qc.ca>

Armel FAUVEAU wrote:
> Hi Marc,
>
>>good to have news from you again.
>
> Thank you :)
>
>>About those patches, I made a little research and found
>>http://www.pageresource.com/jscript/jprompt.htm
>>which explains why you want us to escape the forward slashes
>>with backslashes.
>
> Yeah, it's very simple :) For example,
>
> BAD : document.write('');
> GOOD : document.write('<\/h1>');
>
>>However, looking at the generated HTML source from
>>phpMyAdmin, I don't see the problem that it's supposed to fix.
>>[snip]
>>Or am I missing something? Would this problem occur on older browsers?
>
> It's just more W3C compliant.
>
> Regards,
>
> Armel.
>

Armel,
to which W3C standard are you referring to? DOM?
I did not know that W3C is in the business of setting JavaScript standards.

Marc

From DelislMa at CollegeSherbrooke.qc.ca Mon Feb 14 10:47:25 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Mon Feb 14 10:47:25 2005
Subject: [Phpmyadmin-devel] Re: Patch
In-Reply-To: <4210EDEF.7080102@CollegeSherbrooke.qc.ca>
References: <41F54312.5010101@CollegeSherbrooke.qc.ca> <011201c51252$27655de0$0201a8c0@uranium> <4210E352.7020808@CollegeSherbrooke.qc.ca> <025101c512c0$9e340fc0$1201a8c0@globalis> <4210EDEF.7080102@CollegeSherbrooke.qc.ca>
Message-ID: <4210F15D.90509@CollegeSherbrooke.qc.ca>

Marc Delisle wrote:
> Armel FAUVEAU wrote:
>
>> Hi Marc,
>>
>>> good to have news from you again.
>>
>> Thank you :)
>>
>>> About those patches, I made a little research and found
>>> http://www.pageresource.com/jscript/jprompt.htm
>>> which explains why you want us to escape the forward slashes
>>> with backslashes.
>>
>> Yeah, it's very simple :) For example,
>> BAD : document.write('');
>> GOOD : document.write('<\/h1>');
>>
>>> However, looking at the generated HTML source from
>>> phpMyAdmin, I don't see the problem that it's supposed to fix.
>>> [snip]
>>> Or am I missing something? Would this problem occur on older browsers?
>>
>> It's just more W3C compliant.
>>
>> Regards,
>>
>> Armel.
>>
>
> Armel,
> to which W3C standard are you referring to? DOM?
> I did not know that W3C is in the business of setting JavaScript standards.
>
> Marc

Ok I found this:
http://www.w3.org/TR/REC-html40/interact/scripts.html

Marc

From me at derrabus.de Tue Feb 15 16:03:02 2005
From: me at derrabus.de (Alexander M. Turek)
Date: Tue Feb 15 16:03:02 2005
Subject: [Phpmyadmin-devel] Force second connection for pmadb queries?
Message-ID: <42128D98.2000406@derrabus.de>

Hi list,

Currently, we only open a second connection to the MySQL server, if we have a controluser.

In order to fight the last collation conflicts on pmadb queries, I'd like to always open a second connection for those queries. This should be cleaner anyway, as we often have to switch between the currently selected db and the pmadb for retrieving the necessary metadata.

Regards,

AMT

From DelislMa at CollegeSherbrooke.qc.ca Tue Feb 15 20:21:16 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Tue Feb 15 20:21:16 2005
Subject: [Phpmyadmin-devel] Force second connection for pmadb queries?
In-Reply-To: <42128D98.2000406@derrabus.de>
References: <42128D98.2000406@derrabus.de>
Message-ID: <4212C9EB.1020806@CollegeSherbrooke.qc.ca>

Alexander M. Turek wrote:
> Hi list,
>
> Currently, we only open a second connection to the MySQL server, if we
> have a controluser.
>
> In order to fight the last collation conflicts on pmadb queries, I'd
> like to always open a second connection for those queries. This should
> be cleaner anyway, as we often have to switch between the currently
> selected db and the pmadb for retrieving the necessary metadata.
>
> Regards,
>
> AMT

Sounds like a good idea. I also had a note to remind me to rename the variable $dbh to $control_link or something like that.

Marc

From DelislMa at CollegeSherbrooke.qc.ca Thu Feb 17 09:47:16 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Thu Feb 17 09:47:16 2005
Subject: [Phpmyadmin-devel] Re: Patch
In-Reply-To: <026b01c512c7$cc1b9a00$1201a8c0@globalis>
References: <41F54312.5010101@CollegeSherbrooke.qc.ca> <011201c51252$27655de0$0201a8c0@uranium> <4210E352.7020808@CollegeSherbrooke.qc.ca> <025101c512c0$9e340fc0$1201a8c0@globalis> <4210EDEF.7080102@CollegeSherbrooke.qc.ca> <4210F15D.90509@CollegeSherbrooke.qc.ca> <026b01c512c7$cc1b9a00$1201a8c0@globalis>
Message-ID: <4214D861.8080906@CollegeSherbrooke.qc.ca>

Armel FAUVEAU wrote:
>>Ok I found this:
>>http://www.w3.org/TR/REC-html40/interact/scripts.html
>
> Yes mate :)
>
> Of course, phpMyAdmin works very well without all of that. But it will be a
> good idea to check (and validate) HTML (and CSS) code more systematically.
> Look at the HTML validator extension (under Moz) based on Tidy. It's really
> efficient and can help us to clean the code.
>
> And it will be possible, after, to say that PMA is valid HTML / XHTML / CSS
> and so on. It is not currently the case, AFAIK :)
>
> Armel.
>

Thanks, I merged the two patches.
Let's hope someone finds time to continue the cleaning.

Marc

From me at derrabus.de Wed Feb 23 09:06:53 2005
From: me at derrabus.de (Alexander M. Turek)
Date: Wed Feb 23 09:06:53 2005
Subject: [Phpmyadmin-devel] Roll 2.6.1-pl1?
Message-ID: <421CB804.2090406@derrabus.de>

Hi devels,

I suggest to roll 2.6.1-pl1 because of bugs #1149381, #1149383, #1117907 and #1111855. 2.6.2 is not stable enough, imho, so a -pl1 release looks like the best idea to me.

The first two bugs are security related and should be considered to be serious (as discussed on the private mailing list). I'm still awaiting an answer from the original reporter of bug #1149383, but as far as I can tell, my hotfix should do the job for now.

Bug #1117907 affects our php 4.1.x compatibility and bug #1111855 makes phpMyAdmin unusable to our Japanese friends. A quick fix for those two bugs shouldn't be a bad idea, either. :-)

Fixes against all four bugs are already merged from HEAD into QA_2_6_1.

Marc, your fix against #1149373 looks rather trivial. Should we merge it into QA_2_6_1?

Regards,

AMT

From DelislMa at CollegeSherbrooke.qc.ca Wed Feb 23 09:57:59 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Wed Feb 23 09:57:59 2005
Subject: [Phpmyadmin-devel] Roll 2.6.1-pl1?
In-Reply-To: <421CB804.2090406@derrabus.de>
References: <421CB804.2090406@derrabus.de>
Message-ID: <421CC3A1.6070908@CollegeSherbrooke.qc.ca>

Alexander M. Turek wrote:
> Hi devels,
>
> I suggest to roll 2.6.1-pl1 because of bugs #1149381, #1149383, #1117907
> and #1111855. 2.6.2 is not stable enough, imho, so a -pl1 release looks
> like the best idea to me.

Yes for 2.6.1-pl1.
But 2.6.2 looks stable to me, it's just that we should do the proper -rc cycle with it.

>
> The first two bugs are security related and should be considered to be
> serious (as discussed on the private mailing list). I'm still awaiting
> an answer from the original reporter of bug #1149383, but as far as I
> can tell, my hotfix should do the job for now.

Let's wait one day for feedback.

>
> Bug #1117907 affects our php 4.1.x compatibility and bug #1111855 makes
> phpMyAdmin unusable to our Japanese friends. A quick fix for those two
> bugs shouldn't be a bad idea, either. :-)
>
> Fixes against all four bugs are already merged from HEAD into QA_2_6_1.
>
> Marc, your fix against #1149373 looks rather trivial. Should we merge it
> into QA_2_6_1?

I will merge it. I think I will also merge this one:
https://sourceforge.net/tracker/index.php?func=detail&aid=1107078&group_id=23067&atid=377408

Marc

From me at derrabus.de Wed Feb 23 10:11:55 2005
From: me at derrabus.de (Alexander M. Turek)
Date: Wed Feb 23 10:11:55 2005
Subject: [Phpmyadmin-devel] Roll 2.6.1-pl1?
In-Reply-To: <421CC3A1.6070908@CollegeSherbrooke.qc.ca>
References: <421CB804.2090406@derrabus.de> <421CC3A1.6070908@CollegeSherbrooke.qc.ca>
Message-ID: <421CC6EF.2090000@derrabus.de>

Hi Marc & list,

Marc Delisle wrote:
> Alexander M. Turek wrote:
>>
>> I suggest to roll 2.6.1-pl1 because of bugs #1149381, #1149383, #1117907
>> and #1111855. 2.6.2 is not stable enough, imho, so a -pl1 release looks
>> like the best idea to me.
>
> Yes for 2.6.1-pl1. But 2.6.2 looks stable to me, it's just that we
> should do the proper -rc cycle with it.

My work on the views / storage engines stuff is only half-finished yet. I wouldn't want to roll out a release from the HEAD branch in this state.

>> The first two bugs are security related and should be considered to be
>> serious (as discussed on the private mailing list).
>> I'm still awaiting
>> an answer from the original reporter of bug #1149383, but as far as I
>> can tell, my hotfix should do the job for now.
>
> Let's wait one day for feedback.

OK.

>> Marc, your fix against #1149373 looks rather trivial. Should we merge it
>> into QA_2_6_1?
>
> I will merge it. I think I will also merge this one:
> https://sourceforge.net/tracker/index.php?func=detail&aid=1107078&group_id=23067&atid=377408

Good idea.

Regards,

AMT

From me at derrabus.de Wed Feb 23 11:30:33 2005
From: me at derrabus.de (Alexander M. Turek)
Date: Wed Feb 23 11:30:33 2005
Subject: [Phpmyadmin-devel] Roll 2.6.1-pl1?
In-Reply-To: <421CC6EF.2090000@derrabus.de>
References: <421CB804.2090406@derrabus.de> <421CC3A1.6070908@CollegeSherbrooke.qc.ca> <421CC6EF.2090000@derrabus.de>
Message-ID: <421CD9C4.4030302@derrabus.de>

Hi Marc,

Alexander M. Turek wrote:
> Marc Delisle wrote:
[...]
>> Let's wait one day for feedback.
>
> OK.

Feedback provided, bug marked as fixed.

I think we can roll 2.6.1-pl1 now, together with some explanations concerning register_globals and display_errors.

Regards,

AMT

From DelislMa at CollegeSherbrooke.qc.ca Wed Feb 23 11:39:32 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Wed Feb 23 11:39:32 2005
Subject: [Phpmyadmin-devel] Roll 2.6.1-pl1?
In-Reply-To: <421CD9C4.4030302@derrabus.de>
References: <421CB804.2090406@derrabus.de> <421CC3A1.6070908@CollegeSherbrooke.qc.ca> <421CC6EF.2090000@derrabus.de> <421CD9C4.4030302@derrabus.de>
Message-ID: <421CDBAF.6050201@CollegeSherbrooke.qc.ca>

Alexander M.
Turek wrote:
> Hi Marc,
>
> Alexander M. Turek wrote:
>
>>Marc Delisle wrote:
>
> [...]
>
>>>Let's wait one day for feedback.
>>
>>OK.
>
> Feedback provided, bug marked as fixed.
>
> I think we can roll 2.6.1-pl1 now, together with some explanations
> concerning register_globals and display_errors.
>
> Regards,

I'll try to find time for the release tonight (my tonight :)

Marc

From DelislMa at CollegeSherbrooke.qc.ca Wed Feb 23 18:20:30 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Wed Feb 23 18:20:30 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl1 is released
Message-ID: <421D3872.2090301@CollegeSherbrooke.qc.ca>

Hi,

Patch level 1 of phpMyAdmin 2.6.1 fixes some security problems, along with a few other bugs.

A more formal security alert will be posted when ready. Meanwhile, the phpMyAdmin development team strongly advises an upgrade to phpMyAdmin 2.6.1-pl1, and to also apply the following security measures on your PHP installation (if feasible) by modifying your php.ini configuration file (or virtual host settings):

- set register_globals to Off
- set display_errors to Off
- set log_errors to On
- define the path to your error log with the error_log directive

Both settings are recommended in the PHP documentation on a server running in production. For example:
http://www.php.net/manual/en/security.errors.php

However, we suggest you review the impact of those changes before applying them.

Meanwhile, work continues on the development version 2.6.2.

Marc Delisle, for the team.

From DelislMa at CollegeSherbrooke.qc.ca Thu Feb 24 07:33:22 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Thu Feb 24 07:33:22 2005
Subject: [Phpmyadmin-devel] new grab_globals and 2.6.1-pl1
Message-ID: <421DF2AF.4000203@CollegeSherbrooke.qc.ca>

Hi,

there is a problem with the new grab_globals.lib.php as released in 2.6.1-pl1. For example, the Search page no longer works.
I'm looking at this right now.

Marc

From me at derrabus.de Thu Feb 24 07:43:24 2005
From: me at derrabus.de (Alexander M. Turek)
Date: Thu Feb 24 07:43:24 2005
Subject: [Phpmyadmin-devel] new grab_globals and 2.6.1-pl1
In-Reply-To: <421DF2AF.4000203@CollegeSherbrooke.qc.ca>
References: <421DF2AF.4000203@CollegeSherbrooke.qc.ca>
Message-ID: <421DF566.7090003@derrabus.de>

Hi Marc & list,

Marc Delisle wrote:
>
> there is a problem with the new grab_globals.lib.php
> as released in 2.6.1-pl1. For example, the Search
> page no longer works.
>
> I'm looking at this right now.

Strange... as long as the search page does rely on GET / POST parameters that are named 'cfg', 'GLOBALS', '_something' or 'strSomething', this should not happen.

Regards,

AMT

From DelislMa at CollegeSherbrooke.qc.ca Thu Feb 24 08:05:53 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Thu Feb 24 08:05:53 2005
Subject: [Phpmyadmin-devel] new grab_globals and 2.6.1-pl1
In-Reply-To: <421DF566.7090003@derrabus.de>
References: <421DF2AF.4000203@CollegeSherbrooke.qc.ca> <421DF566.7090003@derrabus.de>
Message-ID: <421DFAD3.4070809@CollegeSherbrooke.qc.ca>

Alexander M. Turek wrote:
> Hi Marc & list,
>
> Marc Delisle wrote:
>
>>there is a problem with the new grab_globals.lib.php
>>as released in 2.6.1-pl1. For example, the Search
>>page no longer works.
>>
>>I'm looking at this right now.
>
> Strange... as long as the search page does rely on GET / POST parameters
> that are named 'cfg', 'GLOBALS', '_something' or 'strSomething', this
> should not happen.
>

The bug does not happen with this code:

if ( //$key == 'cfg'
     //$key == 'GLOBALS'
     substr($key, 0, 3) == 'str'
     || $key{0} == '_') {
     continue;
}

but happens if I activate the first or the second comparison!

Marc (scratching his head)

From DelislMa at CollegeSherbrooke.qc.ca Thu Feb 24 08:06:25 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Thu Feb 24 08:06:25 2005
Subject: [Phpmyadmin-devel] new grab_globals and 2.6.1-pl1
In-Reply-To: <421DF566.7090003@derrabus.de>
References: <421DF2AF.4000203@CollegeSherbrooke.qc.ca> <421DF566.7090003@derrabus.de>
Message-ID: <421DF922.7050400@CollegeSherbrooke.qc.ca>

Alexander M. Turek wrote:
> Hi Marc & list,
>
> Marc Delisle wrote:
>
>>there is a problem with the new grab_globals.lib.php
>>as released in 2.6.1-pl1. For example, the Search
>>page no longer works.
>>
>>I'm looking at this right now.
>
> Strange... as long as the search page does rely on GET / POST parameters
> that are named 'cfg', 'GLOBALS', '_something' or 'strSomething', this
> should not happen.
>
> Regards,

Can you reproduce the problem? In my test, tbl_select.php loses $param[0] after grab_globals. $param[1] stays set.

I think that bugs 1150996 and 1150902 have the same cause, but I haven't tested it yet.

Marc

From DelislMa at CollegeSherbrooke.qc.ca Thu Feb 24 08:18:00 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Thu Feb 24 08:18:00 2005
Subject: [Phpmyadmin-devel] new grab_globals and 2.6.1-pl1
In-Reply-To: <421DFAD3.4070809@CollegeSherbrooke.qc.ca>
References: <421DF2AF.4000203@CollegeSherbrooke.qc.ca> <421DF566.7090003@derrabus.de> <421DFAD3.4070809@CollegeSherbrooke.qc.ca>
Message-ID: <421DFD74.6020507@CollegeSherbrooke.qc.ca>

Marc Delisle wrote:
> Alexander M.
Turek wrote:
>
>> Hi Marc & list,
>>
>> Marc Delisle wrote:
>>
>>> there is a problem with the new grab_globals.lib.php
>>> as released in 2.6.1-pl1. For example, the Search
>>> page no longer works.
>>>
>>> I'm looking at this right now.
>>
>> Strange... as long as the search page does rely on GET / POST parameters
>> that are named 'cfg', 'GLOBALS', '_something' or 'strSomething', this
>> should not happen.
>>
>
> The bug does not happen with this code:
>
> if ( //$key == 'cfg'
>      //$key == 'GLOBALS'
>      substr($key, 0, 3) == 'str'
>      || $key{0} == '_') {
>      continue;
> }
>
> but happens if I activate the first or the second comparison!
>
> Marc (scratching his head)

Confirmed other problem with same cause: can no longer edit a row!

Let's work quickly on this one. I am considering deactivating 2.6.1-pl1 unless we can come up with a -pl2 today.

Marc

From DelislMa at collegesherbrooke.qc.ca Thu Feb 24 08:45:55 2005
From: DelislMa at collegesherbrooke.qc.ca (Marc Delisle)
Date: Thu Feb 24 08:45:55 2005
Subject: [Phpmyadmin-devel] new grab_globals and 2.6.1-pl1
In-Reply-To: <421DFAD3.4070809@CollegeSherbrooke.qc.ca>
References: <421DF2AF.4000203@CollegeSherbrooke.qc.ca> <421DF566.7090003@derrabus.de> <421DFAD3.4070809@CollegeSherbrooke.qc.ca>
Message-ID: <421E0276.9050003@CollegeSherbrooke.qc.ca>

Marc Delisle wrote:
> Alexander M. Turek wrote:
>
>> Hi Marc & list,
>>
>> Marc Delisle wrote:
>>
>>> there is a problem with the new grab_globals.lib.php
>>> as released in 2.6.1-pl1. For example, the Search
>>> page no longer works.
>>>
>>> I'm looking at this right now.
>>
>> Strange... as long as the search page does rely on GET / POST parameters
>> that are named 'cfg', 'GLOBALS', '_something' or 'strSomething', this
>> should not happen.
>>
>
> The bug does not happen with this code:
>
> if ( //$key == 'cfg'
>      //$key == 'GLOBALS'
>      substr($key, 0, 3) == 'str'
>      || $key{0} == '_') {
>      continue;
> }
>
> but happens if I activate the first or the second comparison!
>
> Marc (scratching his head)

This solves the bug for me, please comment:

if ( is_string($key)
     && ($key == 'cfg'
     || $key == 'GLOBALS'
     || substr($key, 0, 3) == 'str'
     || $key{0} == '_')) {
     continue;
}

Without the first test, each [0] is lost.

Marc

From me at derrabus.de Thu Feb 24 09:26:34 2005
From: me at derrabus.de (Alexander M. Turek)
Date: Thu Feb 24 09:26:34 2005
Subject: [Phpmyadmin-devel] new grab_globals and 2.6.1-pl1
In-Reply-To: <421E0276.9050003@CollegeSherbrooke.qc.ca>
References: <421DF2AF.4000203@CollegeSherbrooke.qc.ca> <421DF566.7090003@derrabus.de> <421DFAD3.4070809@CollegeSherbrooke.qc.ca> <421E0276.9050003@CollegeSherbrooke.qc.ca>
Message-ID: <421E0DAA.9090200@derrabus.de>

Hi Marc,

Marc Delisle wrote:
>
> This solves the bug for me, please comment:
>
> if ( is_string($key)
>      && ($key == 'cfg'
>      || $key == 'GLOBALS'
>      || substr($key, 0, 3) == 'str'
>      || $key{0} == '_')) {
>      continue;
> }
>
> Without the first test, each [0] is lost.

I am as confused as you are, but I can confirm that the code fixes the newly introduced bug.

Regards,

AMT

From DelislMa at CollegeSherbrooke.qc.ca Thu Feb 24 11:32:55 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Thu Feb 24 11:32:55 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl2 is released
Message-ID: <421E2AC2.5070406@CollegeSherbrooke.qc.ca>

Hi,

We are sorry to report that the release of 2.6.1-pl1 introduced an instability, producing various problems. This has been fixed, and here is 2.6.1-pl2.

See http://www.phpmyadmin.net.
Marc Delisle, for the team

From michal at cihar.com Fri Feb 25 07:02:26 2005
From: michal at cihar.com (Michal Čihař)
Date: Fri Feb 25 07:02:26 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl2 is released
In-Reply-To: <421E2AC2.5070406@CollegeSherbrooke.qc.ca>
References: <421E2AC2.5070406@CollegeSherbrooke.qc.ca>
Message-ID: <200502251553.33185.michal@cihar.com>

Hi

On Thu 24. 2. 2005 20:28, Marc Delisle wrote:
> We are sorry to report that the release of 2.6.1-pl1 introduced an
> instability, producing various problems. This has been fixed, and
> here is 2.6.1-pl2.
>
> See http://www.phpmyadmin.net.

Will you write also security announcement?

Side note: I'm anyway fixing phpMyAdmin for older SUSE distributions, so I can provide patches for some older version if wanted.

I have only slight problem with 2.4.0 and older where we used code:

if (!empty($_GET)) {
    extract($_GET, EXTR_OVERWRITE);
} else if (!empty($HTTP_GET_VARS)) {
    extract($HTTP_GET_VARS, EXTR_OVERWRITE);
} // end if

Will it work if I change EXTR_OVERWRITE to EXTR_SKIP or do I have to backport all logic from newer version?

--
Michal Čihař | http://www.cihar.com

From DelislMa at CollegeSherbrooke.qc.ca Fri Feb 25 07:25:10 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Fri Feb 25 07:25:10 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl2 is released
In-Reply-To: <200502251553.33185.michal@cihar.com>
References: <421E2AC2.5070406@CollegeSherbrooke.qc.ca> <200502251553.33185.michal@cihar.com>
Message-ID: <421F4165.1050102@CollegeSherbrooke.qc.ca>

Michal Čihař wrote:
> Hi
>
> On Thu 24. 2. 2005 20:28, Marc Delisle wrote:
>
>>We are sorry to report that the release of 2.6.1-pl1 introduced an
>>instability, producing various problems. This has been fixed, and
>>here is 2.6.1-pl2.
>>
>>See http://www.phpmyadmin.net.
>
> Will you write also security announcement?

Yes, PMASA-2005-1 is already on-line, PMASA-2005-2 is being written (about path disclosure). When PMASA-2005-2 is on-line, I will send an email on the lists about both announcements.

>
> Side note: I'm anyway fixing phpMyAdmin for older SUSE distributions, so
> I can provide patches for some older version if wanted.

Good! Can you work on patching 2.2.7-pl1 for a -pl2? Do you have a PHP3 system on-line to test it?

>
> I have only slight problem with 2.4.0 and older where we used code:
>
> if (!empty($_GET)) {
>     extract($_GET, EXTR_OVERWRITE);
> } else if (!empty($HTTP_GET_VARS)) {
>     extract($HTTP_GET_VARS, EXTR_OVERWRITE);
> } // end if
>
> Will it work if I change EXTR_OVERWRITE to EXTR_SKIP or do I have to
> backport all logic from newer version?
>

I don't remember this old code but I would say it's safer to backport the whole logic.

Marc

From michal at cihar.com Fri Feb 25 07:51:51 2005
From: michal at cihar.com (Michal Čihař)
Date: Fri Feb 25 07:51:51 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl2 is released
In-Reply-To: <421F4165.1050102@CollegeSherbrooke.qc.ca>
References: <421E2AC2.5070406@CollegeSherbrooke.qc.ca> <200502251553.33185.michal@cihar.com> <421F4165.1050102@CollegeSherbrooke.qc.ca>
Message-ID: <200502251643.17439.michal@cihar.com>

On Fri 25. 2. 2005 16:16, Marc Delisle wrote:
> Michal Čihař wrote:
> > Side note: I'm anyway fixing phpMyAdmin for older SUSE
> > distributions, so I can provide patches for some older version if
> > wanted.
>
> Good!

Available here:
http://www.cihar.com/phpMyAdmin/security-backports/

--
Michal Čihař | http://www.cihar.com

From michal at cihar.com Fri Feb 25 07:58:36 2005
From: michal at cihar.com (Michal Čihař)
Date: Fri Feb 25 07:58:36 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl2 is released
In-Reply-To: <421F4165.1050102@CollegeSherbrooke.qc.ca>
References: <421E2AC2.5070406@CollegeSherbrooke.qc.ca> <200502251553.33185.michal@cihar.com> <421F4165.1050102@CollegeSherbrooke.qc.ca>
Message-ID: <200502251652.19158.michal@cihar.com>

On Fri 25. 2. 2005 16:16, Marc Delisle wrote:
> Michal Čihař wrote:
> > Side note: I'm anyway fixing phpMyAdmin for older SUSE
> > distributions, so I can provide patches for some older version if
> > wanted.
>
> Good! Can you work on patching 2.2.7-pl1 for a -pl2? Do you have a
> PHP3 system on-line to test it?

No, I fixed only 2.4.0 and several newer versions.

> > I have only slight problem with 2.4.0 and older where we used code:
> >
> > if (!empty($_GET)) {
> >     extract($_GET, EXTR_OVERWRITE);
> > } else if (!empty($HTTP_GET_VARS)) {
> >     extract($HTTP_GET_VARS, EXTR_OVERWRITE);
> > } // end if
> >
> > Will it work if I change EXTR_OVERWRITE to EXTR_SKIP or do I have
> > to backport all logic from newer version?
>
> I don't remember this old code but I would say it's safer to backport
> the whole logic.

I did exactly this, it looks safer.

--
Michal Čihař | http://www.cihar.com

From DelislMa at CollegeSherbrooke.qc.ca Fri Feb 25 08:13:19 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Fri Feb 25 08:13:19 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl2 is released
In-Reply-To: <200502251643.17439.michal@cihar.com>
References: <421E2AC2.5070406@CollegeSherbrooke.qc.ca> <200502251553.33185.michal@cihar.com> <421F4165.1050102@CollegeSherbrooke.qc.ca> <200502251643.17439.michal@cihar.com>
Message-ID: <421F4C30.1000306@CollegeSherbrooke.qc.ca>

Michal Čihař wrote:
> On Fri 25. 2. 2005 16:16, Marc Delisle wrote:
>
>>Michal Čihař wrote:
>>
>>>Side note: I'm anyway fixing phpMyAdmin for older SUSE
>>>distributions, so I can provide patches for some older version if
>>>wanted.
>>
>>Good!
>
> Available here:
> http://www.cihar.com/phpMyAdmin/security-backports/
>

Interesting! Do you plan to include 2.2.7 as well?

Marc

From michal at cihar.com Fri Feb 25 08:28:43 2005
From: michal at cihar.com (Michal Čihař)
Date: Fri Feb 25 08:28:43 2005
Subject: [Phpmyadmin-devel] phpMyAdmin 2.6.1-pl2 is released
In-Reply-To: <421F4C30.1000306@CollegeSherbrooke.qc.ca>
References: <421E2AC2.5070406@CollegeSherbrooke.qc.ca> <200502251643.17439.michal@cihar.com> <421F4C30.1000306@CollegeSherbrooke.qc.ca>
Message-ID: <200502251724.36566.michal@cihar.com>

On Fri 25. 2. 2005 17:02, Marc Delisle wrote:
> Michal Čihař wrote:
> > On Fri 25. 2. 2005 16:16, Marc Delisle wrote:
> >>Michal Čihař wrote:
> >>>Side note: I'm anyway fixing phpMyAdmin for older SUSE
> >>>distributions, so I can provide patches for some older version if
> >>>wanted.
> >>
> >>Good!
> >
> > Available here:
> > http://www.cihar.com/phpMyAdmin/security-backports/
>
> Interesting! Do you plan to include 2.2.7 as well?

No I have no need to do this ;-). And no access to php3 server to test it.
All these were needed to provide security updates for SUSE, where I work.

--
Michal Čihař | http://www.cihar.com

From DelislMa at CollegeSherbrooke.qc.ca Sat Feb 26 04:21:15 2005
From: DelislMa at CollegeSherbrooke.qc.ca (Marc Delisle)
Date: Sat Feb 26 04:21:15 2005
Subject: [Phpmyadmin-devel] phpMyAdmin: 2 new security alerts
Message-ID: <422068D9.1050501@CollegeSherbrooke.qc.ca>

Hi,

Please refer to our security page
http://www.phpmyadmin.net/home_page/security.php
for the alerts PMASA-2005-1 and PMASA-2005-2.

Marc Delisle, for the team.
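
The is_string($key) fix from the "new grab_globals and 2.6.1-pl1" thread above, as an added example that is not phpMyAdmin's code and not part of the original messages: up to PHP 7, a loose == between an integer and a non-numeric string compared them as numbers, so the integer array key 0 equalled 'cfg' and 'GLOBALS' and was skipped by the blocklist. The function names, the sample request and the legacy_loose_eq() helper (which emulates the old comparison so the block behaves the same on PHP 8) are assumptions.

```php
<?php
// Added illustration, not phpMyAdmin code; every name below is hypothetical.

/**
 * Emulates the pre-PHP 8 result of ($key == $name) for an array key against
 * a non-numeric string. Up to PHP 7 an int on one side forced a numeric
 * comparison, so the string became 0 and 0 == 'cfg' was true. PHP 8
 * compares the int as a string instead, which hides the original bug.
 */
function legacy_loose_eq($key, string $name): bool
{
    return is_int($key) ? $key === (int) $name : $key === $name;
}

/** The four blocklist comparisons from the thread, without a type check. */
function is_blocked_unchecked($key): bool
{
    $s = (string) $key;
    return legacy_loose_eq($key, 'cfg')
        || legacy_loose_eq($key, 'GLOBALS')
        || substr($s, 0, 3) === 'str'
        || substr($s, 0, 1) === '_';
}

/**
 * The same test behind is_string(), as in the fix posted in the thread.
 * The blocked names are never integer-like, so PHP always stores them as
 * string keys and exempting integer keys does not weaken the blocklist.
 */
function is_blocked_guarded($key): bool
{
    return is_string($key) && is_blocked_unchecked($key);
}

/**
 * Hypothetical register_globals-style import: copies request values into
 * $target, recursing into arrays and skipping blocked keys at every level.
 */
function import_vars(array $source, array &$target, callable $isBlocked): void
{
    foreach ($source as $key => $value) {
        if ($isBlocked($key)) {
            continue;
        }
        if (is_array($value)) {
            $target[$key] = [];
            import_vars($value, $target[$key], $isBlocked);
        } else {
            $target[$key] = $value;
        }
    }
}

// Constructed request, shaped as PHP builds it for
// ?param[0]=id&param[1]=name&cfg[Servers]=x&_secret=1&strHome=y&db=test
// (the integer-like names "0" and "1" become int keys).
$request = [
    'param'   => [0 => 'id', 1 => 'name'],
    'cfg'     => ['Servers' => 'x'],
    '_secret' => '1',
    'strHome' => 'y',
    'db'      => 'test',
];

$unchecked = [];
import_vars($request, $unchecked, 'is_blocked_unchecked');

$guarded = [];
import_vars($request, $guarded, 'is_blocked_guarded');

echo "without is_string():\n";
var_export($unchecked);
echo "\nwith is_string():\n";
var_export($guarded);
echo "\n";
```

Run with the PHP CLI (7.1 or later): the unchecked pass drops param[0] and keeps param[1], the symptom reported for tbl_select.php, while the guarded pass keeps both and still skips cfg, _secret and strHome.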