[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_3_5_1-7131-g272c57c

Michal Čihař nijel at users.sourceforge.net
Fri Aug 20 14:10:40 CEST 2010


The branch, master has been updated
       via  272c57cdba6ae6c162ab90634bad9740c2af8b38 (commit)
       via  86baee8d4e81b9ee80dc3ed3692c91f138740a99 (commit)
       via  2af8ff42e91bfb03ce05a11a0dce7a85ac32cecd (commit)
       via  8b53799f0da2992b41c1895a8e9f7db10fd2a82f (commit)
       via  5a0fec9b3c6327bf8d4be31190f0a780a0071e2c (commit)
       via  862e3ca2a7c7fe56c76bb515367db0dce2a79d53 (commit)
       via  41145feb12e1fe2f7af54c1ccb89a714c39bfb12 (commit)
       via  d128f806057e752db082272fd5e5c2f7244821b9 (commit)
       via  59b3b4916b31fa44f31b1e2d243ca7dda012ba37 (commit)
       via  782b8b46be4f06c695ab713eeefbd75970358e2f (commit)
       via  bf60ec82e948450ae18b9e66c48d27da55ebe860 (commit)
       via  f273e6cbf6e2eea7367f7ef9c63c97ea55b92ca0 (commit)
       via  d2e0e09e0d402555a6223f0b683fdbfa97821a63 (commit)
       via  b337f45a0a1ba8ff28e3d13f194f137e9aa85e8e (commit)
       via  05ca00e0a20d0eb4848d69bf7a1365df5bba872d (commit)
       via  48e909660032ddcbc13172830761e363e7a64d72 (commit)
       via  be0f47a93141e2950ad400b8d22a2a98512825c2 (commit)
       via  cd205cc55a46e3dc0f8883966f5c854f842e1000 (commit)
       via  7dc6cea06522b2d4af50934c983f3967540a4918 (commit)
       via  6028221d97efa2a7d56a61ab4c5750d1b2343619 (commit)
       via  2a1233b69ccc6c64819c2840ca5277c2dde0b9e0 (commit)
       via  25ac7de38c125d8067f42bab24212891389ac1e3 (commit)
       via  fa30188dde357426d339d0d7e29a3969f88d188a (commit)
       via  00add5c43f594f80dab6304a5bb35d2e50540d2d (commit)
       via  c75e41d5d8cdd9bbc745c8cbe2c16998fda1de0c (commit)
       via  533e10213590e7ccd83b98a5cd19ba1c3be119dd (commit)
       via  ea3b718fc379c15e773cc2f18ea4c8ccfa9af57b (commit)
       via  7f266483b827fb05a4be11663003418c2ef1c878 (commit)
       via  5bcd95a42c8ba924d389eafee4d7be80bd4039a3 (commit)
       via  6d548f7d449b7d4b796949d10a503484f63eaf82 (commit)
      from  7b1c0187cfae8bd02d1fe1233aea57cef46b348f (commit)


- Log -----------------------------------------------------------------
commit 272c57cdba6ae6c162ab90634bad9740c2af8b38
Author: Michal Čihař <mcihar at novell.com>
Date:   Fri Aug 20 13:56:28 2010 +0200

    Change back to master after merging to STABLE/TESTING.

commit 86baee8d4e81b9ee80dc3ed3692c91f138740a99
Author: Michal Čihař <mcihar at novell.com>
Date:   Fri Aug 20 13:53:01 2010 +0200

    Do not apply TESTING/STABLE update to 2.11 branch.

commit 2af8ff42e91bfb03ce05a11a0dce7a85ac32cecd
Merge: 862e3ca2a7c7fe56c76bb515367db0dce2a79d53 8b53799f0da2992b41c1895a8e9f7db10fd2a82f
Author: Michal Čihař <mcihar at novell.com>
Date:   Fri Aug 20 13:42:38 2010 +0200

    Merge branch 'QA_3_3'

commit 862e3ca2a7c7fe56c76bb515367db0dce2a79d53
Merge: 7b1c0187cfae8bd02d1fe1233aea57cef46b348f 41145feb12e1fe2f7af54c1ccb89a714c39bfb12
Author: Michal Čihař <mcihar at novell.com>
Date:   Fri Aug 20 13:40:37 2010 +0200

    Merge branch 'QA_3_3'
    
    Conflicts:
    	libraries/core.lib.php
    	server_databases.php
    	server_privileges.php

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                            |    3 +++
 db_search.php                        |    2 +-
 db_sql.php                           |    2 +-
 error.php                            |   10 +++++++---
 libraries/common.lib.php             |    2 +-
 libraries/core.lib.php               |    7 ++++---
 libraries/database_interface.lib.php |    4 ++++
 libraries/db_info.inc.php            |    3 ++-
 libraries/dbi/mysql.dbi.lib.php      |    2 ++
 libraries/dbi/mysqli.dbi.lib.php     |    2 ++
 libraries/sanitizing.lib.php         |   17 +++++++++++++++--
 libraries/sqlparser.lib.php          |    2 +-
 scripts/create-release.sh            |   17 +++++++++++------
 server_databases.php                 |   22 ++++++++++++++++++----
 server_privileges.php                |   30 +++++++++++++++---------------
 sql.php                              |   14 +++++++-------
 tbl_sql.php                          |    2 +-
 17 files changed, 95 insertions(+), 46 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3a1d00b..0188759 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -119,6 +119,9 @@ $Id$
 - bug #3044189 [doc] Cleared documentation for hide_db.
 - bug #3042495 [core] Move PMA_sendHeaderLocation to core.lib.php.
 
+3.3.5.1 (2010-10-20)
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
 3.3.5.0 (2010-07-26)
 - patch #2932113 [information_schema] Slow export when having lots of
   databases, thanks to Stéphane Pontier - shadow_walker
diff --git a/db_search.php b/db_search.php
index 0b68ba3..854cba8 100644
--- a/db_search.php
+++ b/db_search.php
@@ -336,7 +336,7 @@ $alter_select =
     <tr><td align="right">
             <?php echo __('Inside column:'); ?></td>
         <td><input type="text" name="field_str" size="60"
-                value="<?php echo ! empty($field_str) ? $field_str : ''; ?>" /></td>
+                value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td>
     </tr>
     </table>
 </fieldset>
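Review bot: The `! empty($field_str)` test on the new `value="…"` line still discards a search string of `0`, because `empty('0')` is true in PHP, so a user searching for the literal value 0 gets an empty box back while every other value is now preserved. `isset($field_str) ? htmlspecialchars($field_str) : ''` (or a `strlen()` check) keeps the escaping fix and the value. Where `$field_str` is assigned is outside the hunk; the escape is needed whatever its origin, so this is a usability point only.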
diff --git a/db_sql.php b/db_sql.php
index 986fb34..50db7bd 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -36,7 +36,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
 /**
  * Query box, bookmark, insert data from textfile
  */
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
 
 /**
  * Displays the footer
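Review bot: Escaping `$_REQUEST['delimiter']` at the call site ties the encoding to one caller and to an assumed HTML sink; the body of `PMA_sqlQueryForm()` is not in this diff, so whether it only echoes the delimiter into an attribute or also reuses it as the actual statement separator is unverified here, and an entity-encoded `&` or `<` delimiter would be wrong on any non-HTML path. tbl_sql.php carries the identical one-line patch in this commit, which is the usual sign that the escape belongs inside `PMA_sqlQueryForm()` at the point of output, where a third caller is covered as well. Passing the raw request value and escaping in the function is the more defensible layering.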
diff --git a/error.php b/error.php
index 117d070..b1d47e2 100644
--- a/error.php
+++ b/error.php
@@ -75,10 +75,14 @@ header('Content-Type: text/html; charset=' . $charset);
 <body>
 <h1>phpMyAdmin - <?php echo $type; ?></h1>
 <p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
-    echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+        echo PMA_sanitize(stripslashes($_REQUEST['error']));
+    } else {
+        echo PMA_sanitize($_REQUEST['error']);
+    }
 } else {
-    echo PMA_sanitize($_REQUEST['error']);
+    echo 'No error message!';
 }
 ?></p>
 </body>
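Review bot: `<h1>phpMyAdmin - <?php echo $type; ?></h1>` in the same template still emits `$type` raw; the code that assigns it is outside the hunk, so unless it is chosen from a fixed set it is the same reflected-XSS pattern this commit fixes and should get `htmlspecialchars($type)` regardless. The new `!empty()` test also maps a literal error text of `0` to 'No error message!'; `isset($_REQUEST['error']) && strlen($_REQUEST['error']) > 0` avoids that corner. `PMA_sanitize()` still expands `[a@url@target]` markers, so attacker-chosen `error` text can produce a link with an attacker-chosen `href`; whether the pattern restricts the URL scheme is not visible in this diff.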
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index a1c3c7b..4b1d8d9 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -566,7 +566,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
         $formatted_sql = '';
     } else {
         if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
-            $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+            $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
         } else {
             $formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
         }
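Review bot: `substr()` on the new line is byte-oriented, so the cut at `MaxCharactersInDisplayedSQL` can land inside a multibyte UTF-8 sequence, and `htmlspecialchars()` with a UTF-8 charset (the default from PHP 5.4) returns an empty string for invalid input, turning a long query into a blank error display. `htmlspecialchars(mb_substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']))`, or the project's own multibyte substring helper if one exists, avoids both the split character and the empty-string case. The `else` branch relies on `PMA_formatSql()` escaping on its own, which is outside this diff; `PMA_mysqlDie()` itself starts before the hunk.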
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index 2355651..8bfc035 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -525,22 +525,23 @@ function PMA_getenv($var_name) {
 function PMA_sendHeaderLocation($uri)
 {
     if (PMA_IS_IIS && strlen($uri) > 600) {
+        require_once './libraries/js_escape.lib.php';
 
         echo '<html><head><title>- - -</title>' . "\n";
         echo '<meta http-equiv="expires" content="0">' . "\n";
         echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
         echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
-        echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+        echo '<meta http-equiv="Refresh" content="0;url=' .  htmlspecialchars($uri) . '">' . "\n";
         echo '<script type="text/javascript">' . "\n";
         echo '//<![CDATA[' . "\n";
-        echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+        echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
         echo '//]]>' . "\n";
         echo '</script>' . "\n";
         echo '</head>' . "\n";
         echo '<body>' . "\n";
         echo '<script type="text/javascript">' . "\n";
         echo '//<![CDATA[' . "\n";
-        echo 'document.write(\'<p><a href="' . $uri . '">' . __('Go') . '</a></p>\');' . "\n";
+        echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . __('Go') . '</a></p>\');' . "\n";
         echo '//]]>' . "\n";
         echo '</script></body></html>' . "\n";
 
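Review bot: The `document.write('<p><a href="' . htmlspecialchars($uri) . '">…')` line places the URI in an HTML attribute inside a single-quoted JavaScript string but escapes only the HTML layer: `htmlspecialchars()` without `ENT_QUOTES` leaves `'` alone and never touches `\`, so either character in `$uri` terminates or escapes the JS literal. The inner context must be escaped last, i.e. `PMA_escapeJsString(htmlspecialchars($uri))`, which is the nesting the `setTimeout` line just above already applies. Separately, the PHP quoting on that `setTimeout` line appears to yield `setTimeout("window.location = unescape('"…"')", 2000)` with the URI outside both string literals; that predates this commit, but it is worth confirming in a browser that the statement parses at all. The rest of `PMA_sendHeaderLocation()` continues past the hunk.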
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index 8eba111..c1a97b4 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -195,6 +195,10 @@ function PMA_usort_comparison_callback($a, $b)
     } else {
         $sorter = 'strcasecmp';
     }
+    /* No sorting when key is not present */
+    if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+        return 0;
+    }
     // produces f.e.:
     // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
     return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
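Review bot: Returning 0 when the sort key is missing from only one of `$a`, `$b` makes the comparator inconsistent — an absent row compares equal to everything while present rows still order among themselves — and `usort()` gives no meaningful result for a non-transitive comparator. Ordering absent keys deterministically is cheap: with `$k = $GLOBALS['callback_sort_by']`, `$ha = isset($a[$k]); $hb = isset($b[$k]); if ($ha !== $hb) { return $ha ? 1 : -1; }` before the existing comparison, returning 0 only when both are absent. `$GLOBALS['callback_sort_by']` comes from request input in server_databases.php, which this commit now whitelists, so the guard is defensive rather than a vulnerability fix. The function starts before the hunk.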
diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php
index 969af04..c51b247 100644
--- a/libraries/db_info.inc.php
+++ b/libraries/db_info.inc.php
@@ -211,7 +211,8 @@ if (! isset($sot_ready)) {
         );
 
         // Make sure the sort type is implemented
-        if ($sort = $sortable_name_mappings[$_REQUEST['sort']]) {
+        if (isset($sortable_name_mappings[$_REQUEST['sort']])) {
+            $sort = $sortable_name_mappings[$_REQUEST['sort']];
             if ($_REQUEST['sort_order'] == 'DESC') {
                 $sort_order = 'DESC';
             }
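Review bot: `$_REQUEST['sort_order'] == 'DESC'` on the line after the new `isset()` is still an unguarded read, so a request that sets `sort` but not `sort_order` raises an undefined-index notice; the same guard belongs there: `if (isset($_REQUEST['sort_order']) && $_REQUEST['sort_order'] == 'DESC')`. The `isset($sortable_name_mappings[$_REQUEST['sort']])` lookup also assumes `$_REQUEST['sort']` is a scalar; `?sort[]=x` makes it an array and an illegal offset type in the lookup, so an `is_string($_REQUEST['sort'])` check first is cheap. Whether `$sort` has a default when the key is not in the mapping depends on code outside the hunk.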
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index fdd83f8..5af59bd 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -344,6 +344,8 @@ function PMA_DBI_getError($link = null)
         $error_message = PMA_DBI_convert_message($error_message);
     }
 
+    $error_message = htmlspecialchars($error_message);
+
     // Some errors messages cannot be obtained by mysql_error()
     if ($error_number == 2002) {
         $error = '#' . ((string) $error_number) . ' - ' . __('The server is not responding') . ' ' . __('(or the local MySQL server\'s socket is not correctly configured)');
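Review bot: Moving `htmlspecialchars()` into `PMA_DBI_getError()` changes its contract from "raw server message" to "HTML fragment", and nothing in the hunk records that; any caller that already escapes the value, or sends it to a non-HTML sink (a log line, an AJAX/JSON body, the `PMA_mysqlDie(PMA_DBI_getError(), …)` call in server_privileges.php, whose own escaping is not visible here), will now double-encode or emit entities. Escaping at the output sites is the usual layering; if this function is to stay the choke point, its docblock (outside the hunk) should state `@return string HTML-escaped error text` so the next caller does not escape twice. The `#2002` branch below builds `$error` from translated strings and is unaffected.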
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index b5915df..9e836eb 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -400,6 +400,8 @@ function PMA_DBI_getError($link = null)
         $error_message = PMA_DBI_convert_message($error_message);
     }
 
+    $error_message = htmlspecialchars($error_message);
+
     if ($error_number == 2002) {
         $error = '#' . ((string) $error_number) . ' - ' . __('The server is not responding') . ' ' . __('(or the local MySQL server\'s socket is not correctly configured)');
     } else {
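Review bot: The same `htmlspecialchars($error_message)` line now lives in two driver files, so the escaping contract of `PMA_DBI_getError()` depends on each backend remembering it; a single wrapper in libraries/database_interface.lib.php that escapes once on the way out would let the drivers keep returning raw text and remove the chance of drift. If the per-driver placement stays, the mysqli docblock (outside the hunk) should carry the same "returns HTML-escaped text" statement as the mysql driver so callers do not escape twice.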
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index c9b79a7..eb8696d 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -8,17 +8,26 @@
 
 /**
  * Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
  *
  * @uses    preg_replace()
  * @uses    strtr()
  * @param   string   the message
+ * @param   boolean  whether to escape html in result
  *
  * @return  string   the sanitized message
  *
  * @access  public
  */
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
 {
     $replace_pairs = array(
         '<'         => '<',
@@ -66,6 +75,10 @@ function PMA_sanitize($message)
         $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
     }
 
+    if ($escape) {
+        $message = htmlspecialchars($message);
+    }
+
     return $message;
 }
 ?>
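Review bot: The new `$escape` path calls `htmlspecialchars($message)` with default flags, which leaves `'` unescaped, while the docblock advertises the result for element attributes in general; a single-quoted attribute would still be breakable. `$message = htmlspecialchars($message, ENT_QUOTES);` covers both quote styles at no cost, or the docblock should say double-quoted attributes only. Escaping also happens after the `[a@url@target]` → `<a href=…>` rewrite, so with `$escape` the formatting codes come out as literal `&lt;a href=…&gt;` text rather than being dropped; callers that only need a safe round-trip of a raw value (the hidden inputs in sql.php) are better served by plain `htmlspecialchars()` on the unsanitized value. The `\1` captured into `href` on the line above is attacker-influenced whenever the message is; the pattern that feeds it is outside the hunk, so whether `javascript:` is rejected cannot be confirmed here.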
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 5509db1..3e74ca7 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2574,7 +2574,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
             }
             $after                 .= "\n";
 */
-            $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+            $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
         } // end for
         /* End possibly unclosed documentation link */
         if ($close_docu_link) {
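Review bot: The escape is added only to the plain branch of the ternary; the `color` branch hands the same token to `PMA_SQP_formatHTML_colorize()`, which is outside this diff, so whether `$arr[$i]['data']` is escaped there too needs confirming — a string token containing `<script>` that is unsafe in one mode is unsafe in both. Escaping `data` once before the ternary and passing the escaped copy into the colorizer (if it does not escape itself) would make the two branches agree. The enclosing loop and function continue outside the hunk.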
diff --git a/scripts/create-release.sh b/scripts/create-release.sh
index fd73f2e..35ac3dd 100755
--- a/scripts/create-release.sh
+++ b/scripts/create-release.sh
@@ -221,13 +221,18 @@ if [ $# -gt 0 ] ; then
                 tagname=RELEASE_`echo $version | tr . _ | tr '[:lower:]' '[:upper:]' | tr -d -`
                 echo "* Tagging release as $tagname"
                 git tag -a -m "Released $version" $tagname $branch
-                if echo $version | grep '[a-z_-]' ; then
-                    mark_as_release $branch TESTING
+                if echo $version | grep -q '^2\.11\.' ; then
+                    echo '* 2.11 branch, no STABLE/TESTING update'
                 else
-                    # We update both branches here
-                    # As it does not make sense to have older testing than stable
-                    mark_as_release $branch TESTING
-                    mark_as_release $branch STABLE
+                    if echo $version | grep '[a-z_-]' ; then
+                        mark_as_release $branch TESTING
+                    else
+                        # We update both branches here
+                        # As it does not make sense to have older testing than stable
+                        mark_as_release $branch TESTING
+                        mark_as_release $branch STABLE
+                    fi
+                    git checkout master
                 fi
                 echo "   Dont forget to push tags using: git push --tags"
                 ;;
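Review bot: The release tag on the context line `git tag -a -m "Released $version" $tagname $branch` is annotated but unsigned; for a security release (this push carries the PMASA-2010-5 fix) a signed tag, `git tag -s -m "Released $version" "$tagname" "$branch"`, lets packagers verify the tag rather than trust the mirror. Within the new lines, the inner `grep '[a-z_-]'` is inconsistent with the new `grep -q '^2\.11\.'` and prints the version to stdout as a side effect; `grep -q` there too. `git checkout master` runs unconditionally after `mark_as_release`, so a failed mark still switches branches unless the script runs under `set -e`, which is not visible here; `echo $version` is also unquoted throughout.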
diff --git a/server_databases.php b/server_databases.php
index 7aeee67..d054aca 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -19,7 +19,21 @@ require './libraries/replication.inc.php';
 if (empty($_REQUEST['sort_by'])) {
     $sort_by = 'SCHEMA_NAME';
 } else {
-    $sort_by = PMA_sanitize($_REQUEST['sort_by']);
+    $sort_by_whitelist = array(
+        'SCHEMA_NAME',
+        'DEFAULT_COLLATION_NAME',
+        'SCHEMA_TABLES',
+        'SCHEMA_TABLE_ROWS',
+        'SCHEMA_DATA_LENGTH',
+        'SCHEMA_INDEX_LENGTH',
+        'SCHEMA_LENGTH',
+        'SCHEMA_DATA_FREE'
+    );
+    if (in_array($_REQUEST['sort_by'], $sort_by_whitelist)) {
+        $sort_by = $_REQUEST['sort_by'];
+    } else {
+        $sort_by = 'SCHEMA_NAME';
+    }
 }
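Review bot: `in_array($_REQUEST['sort_by'], $sort_by_whitelist)` is a loose comparison; with an all-string whitelist it happens to be safe for any string the request can supply, but `in_array($_REQUEST['sort_by'], $sort_by_whitelist, true)` makes the allow-list independent of PHP's comparison rules at no cost. The value also flows into `$GLOBALS['callback_sort_by']` for `usort()` (see the guard added in database_interface.lib.php), so replacing the old `PMA_sanitize()` call — an HTML sanitizer, not an input validator — with a whitelist is the right tool. `sort_order` is validated just below, outside the hunk.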
 
 if (isset($_REQUEST['sort_order'])
@@ -339,11 +353,11 @@ if ($databases_count > 0) {
     unset($column_order, $stat_name, $stat, $databases, $table_columns);
 
     if ($is_superuser || $cfg['AllowUserDropDatabase']) {
-        $common_url_query = PMA_generate_common_url() . '&sort_by=' . $sort_by . '&sort_order=' . $sort_order . '&dbstats=' . $dbstats;
+        $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
         echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . __('With selected:') . '" />' . "\n"
-           . '<a href="./server_databases.php?' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+           . '<a href="./server_databases.php' . $common_url_query . '&checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
            . '    ' . __('Check All') . '</a> / ' . "\n"
-           . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+           . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
            . '    ' . __('Uncheck All') . '</a>' . "\n"
            . '<i>' . __('With selected:') . '</i>' . "\n";
         PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', __('Drop'), 'b_deltbl.png');
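Review bot: The `?` was dropped from both `href` values, which only works if `PMA_generate_common_url()` with an array argument returns a string that begins with `?`; that function is outside the diff, so the assumption should be confirmed, since a missing `?` yields `server_databases.php&checkall=1`, a silently broken link rather than an error. The hand-appended `&checkall=1` is a raw `&` inside an attribute — tolerated by browsers but not well-formed XHTML and inconsistent with whatever encoding the helper applies to its own separators; `&amp;checkall=1` matches the attribute context. `$dbstats` is assigned outside the hunk; routing it through the URL helper is the right move if it is request-derived.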
diff --git a/server_privileges.php b/server_privileges.php
index cd5afe7..33483d2 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1182,7 +1182,7 @@ if (!empty($update_privs)) {
     }
     $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
     $message = PMA_Message::success(__('You have updated the privileges for %s.'));
-    $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+    $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
 }
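Review bot: Pre-escaping `$username`/`$hostname` before `addParam()` assumes `PMA_Message` does not escape parameters itself; the class is outside the diff, and if `addParam()` has a raw/escaped mode the escaping belongs there, so that the same message cannot be produced escaped by one call site and double-escaped by another. The identical pre-escaping is repeated in the `revokeall` and `change_pw` hunks below, which is the usual sign the encoding should be centralised. If `addParam()` is confirmed to pass values through raw, a one-line comment `// addParam() does not escape; values are HTML-encoded here` on each site will stop a future cleanup from removing it.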
 
 
@@ -1206,7 +1206,7 @@ if (isset($_REQUEST['revokeall'])) {
     }
     $sql_query = $sql_query0 . ' ' . $sql_query1;
     $message = PMA_Message::success(__('You have revoked the privileges for %s'));
-    $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+    $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
     if (! isset($tablename)) {
         unset($dbname);
     } else {
@@ -1242,7 +1242,7 @@ if (isset($_REQUEST['change_pw'])) {
         PMA_DBI_try_query($local_query)
             or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
         $message = PMA_Message::success(__('The password for %s was changed successfully.'));
-        $message->addParam('\'' . $username . '\'@\'' . $hostname . '\'');
+        $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
     }
 }
 
@@ -1647,8 +1647,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
 
         if (isset($dbname)) {
             echo ' <i><a href="server_privileges.php?'
-                . $GLOBALS['url_query'] . '&username=' . urlencode($username)
-                . '&hostname=' . urlencode($hostname) . '&dbname=&tablename=">\''
+                . $GLOBALS['url_query'] . '&username=' . htmlspecialchars(urlencode($username))
+                . '&hostname=' . htmlspecialchars(urlencode($hostname)) . '&dbname=&tablename=">\''
                 . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
                 . '\'</a></i>' . "\n";
             $url_dbname = urlencode(str_replace(array('\_', '\%'), array('_', '%'), $dbname));
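Review bot: `htmlspecialchars(urlencode($username))` on the new lines is a no-op wrapper — `urlencode()` emits only `[A-Za-z0-9_.-]`, `+` and `%XX`, none of which `htmlspecialchars()` alters — so the change is cosmetic here, while the `&username=` / `&hostname=` separators stay as raw `&` inside the attribute. If the intent is to make the attribute context explicit, `&amp;username=` on the separators is the part that changes output; otherwise a comment `// urlencode() output is already attribute-safe` documents why the bare call suffices and keeps the double-wrapping from spreading. `$GLOBALS['url_query']` is assumed already attribute-encoded; its construction is outside the diff.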
@@ -1656,8 +1656,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
             echo ' - ' . ($dbname_is_wildcard ? __('Databases') : __('Database') );
             if (isset($tablename)) {
                 echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
-                    . '&username=' . urlencode($username) . '&hostname=' . urlencode($hostname)
-                    . '&dbname=' . $url_dbname . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
+                    . '&username=' . htmlspecialchars(urlencode($username)) . '&hostname=' . htmlspecialchars(urlencode($hostname))
+                    . '&dbname=' . htmlspecialchars($url_dbname) . '&tablename=">' . htmlspecialchars($dbname) . '</a></i>';
                 echo ' - ' . __('Table') . ' <i>' . htmlspecialchars($tablename) . '</i>';
             } else {
                 echo ' <i>' . htmlspecialchars($dbname) . '</i>';
@@ -1891,16 +1891,16 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
                     }
                     echo '</td>' . "\n"
                        . '    <td>';
-                    printf($link_edit, urlencode($username),
-                        urlencode($hostname),
-                        urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+                    printf($link_edit, htmlspecialchars(urlencode($username)),
+                        urlencode(htmlspecialchars($hostname)),
+                        urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
                         urlencode((! isset($dbname)) ? '' : $row['Table_name']));
                     echo '</td>' . "\n"
                        . '    <td>';
                     if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
-                        printf($link_revoke, urlencode($username),
-                            urlencode($hostname),
-                            urlencode((! isset($dbname)) ? $row['Db'] : $dbname),
+                        printf($link_revoke, htmlspecialchars(urlencode($username)),
+                            urlencode(htmlspecialchars($hostname)),
+                            urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
                             urlencode((! isset($dbname)) ? '' : $row['Table_name']));
                     }
                     echo '</td>' . "\n"
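Review bot: The encoder order differs between arguments on the new `printf($link_edit, …)` and `printf($link_revoke, …)` lines: `$username` gets `htmlspecialchars(urlencode(…))`, but `$hostname` and `$dbname` get `urlencode(htmlspecialchars(…))`, which URL-encodes the entity form, so a host or database name containing `&`, `<`, `>` or `"` reaches the linked page as `&amp;`, `&lt;`, … — a wrong value, and the edit/revoke link then acts on a non-existent privilege row. `urlencode()` output contains nothing `htmlspecialchars()` would change, so the safe and correct form for all arguments is plain `urlencode($hostname)` and `urlencode((! isset($dbname)) ? $row['Db'] : $dbname)`, exactly as the unchanged `$row['Table_name']` argument is handled. `$link_edit` / `$link_revoke` are defined outside the hunk; this assumes they are `href` templates in attribute context.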
@@ -1980,7 +1980,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
             if (isset($tablename)) {
                 echo ' [ ' . __('Table') . ' <a href="'
                     . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query']
-                    . '&db=' . $url_dbname . '&table=' . urlencode($tablename)
+                    . '&db=' . $url_dbname . '&table=' . htmlspecialchars(urlencode($tablename))
                     . '&reload=1">' . htmlspecialchars($tablename) . ': '
                     . PMA_getTitleForTarget($GLOBALS['cfg']['DefaultTabTable'])
                     . "</a> ]\n";
@@ -2207,7 +2207,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
 
     // Offer to create a new user for the current database
     echo '<fieldset id="fieldset_add_user">' . "\n"
-       . '    <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . $checkprivs .'">' . "\n"
+       . '    <a href="server_privileges.php?' . $GLOBALS['url_query'] . '&adduser=1&dbname=' . htmlspecialchars($checkprivs) .'">' . "\n"
        . PMA_getIcon('b_usradd.png')
        . '        ' . __('Add a new User') . '</a>' . "\n"
        . '</fieldset>' . "\n";
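Review bot: `htmlspecialchars($checkprivs)` on the new line applies HTML encoding to a value that sits in a URL query string (`&dbname=…`), so a database name containing `&`, `#`, `+`, `%` or a space still yields a wrong or truncated `dbname` parameter, because the browser decodes `&amp;` back to `&` before the query is parsed. The context needs URL encoding first: `. '&adduser=1&dbname=' . htmlspecialchars(urlencode($checkprivs)) .'">'` (or just `urlencode()`, whose output is attribute-safe), consistent with how `$url_dbname` is built elsewhere in this file. `$checkprivs` appears request-derived given the `strlen($checkprivs)` guard in the hunk header, which is why the old line was an XSS vector and why the fix must also be a correct URL encoding.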
diff --git a/sql.php b/sql.php
index a98b9d4..a3ae0cf 100644
--- a/sql.php
+++ b/sql.php
@@ -173,14 +173,14 @@ if ($do_confirm) {
         .PMA_generate_common_hidden_inputs($db, $table);
     ?>
     <input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
-    <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+    <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
     <input type="hidden" name="goto" value="<?php echo $goto; ?>" />
-    <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
-    <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
-    <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
-    <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
-    <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
-    <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+    <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+    <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+    <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+    <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+    <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+    <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
     <?php
     echo '<fieldset class="confirmation">' . "\n"
         .'    <legend>' . __('Do you really want to ') . '</legend>'
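Review bot: `<input type="hidden" name="goto" value="<?php echo $goto; ?>" />` in the same form is left unescaped while every neighbouring hidden field now is; where `$goto` is set is outside the hunk, and unless it has been validated against a fixed list of target scripts it is the same reflected-attribute XSS pattern as the other fields. `htmlspecialchars($goto)` is the consistent fix, and a `goto` that fails any existing check should fall back to a default rather than be echoed. For the other fields, `PMA_sanitize($x, true)` expands `[a@…@…]` markers into tags and then entity-encodes them, so the re-submitted values come back carrying literal `<a href=…>` text instead of the original marker; for a hidden-input round-trip plain `htmlspecialchars($x)` preserves the raw value and is equally safe.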
diff --git a/tbl_sql.php b/tbl_sql.php
index e72dce3..aa0af4d 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -37,7 +37,7 @@ require_once './libraries/tbl_links.inc.php';
 /**
  * Query box, bookmark, insert data from textfile
  */
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
 
 /**
  * Displays the footer
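Review bot: This is the same one-line escape applied to `$_REQUEST['delimiter']` in db_sql.php in this commit, so two callers now encode a value whose consumer, `PMA_sqlQueryForm()`, is outside the diff; escaping once at the point of output inside that function would cover both callers and any future one, and would not pre-encode the delimiter if the function also uses it as a literal separator. If the caller-side escape is kept, a short comment such as `// delimiter is echoed into the form; escape for attribute context` makes the intent survive the next refactor.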

