[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_3_7-10226-g35cf83b

Michal Čihař nijel at users.sourceforge.net
Tue Sep 21 10:30:52 CEST 2010


The branch, master has been updated
       via  35cf83bc12805c230f71c31653fd50c8751e32d7 (commit)
       via  4b313daa7a9c70c64a50a1786a5350876cb48c49 (commit)
      from  8f2546271cff3a91434cefbc77f9cf56d5e42168 (commit)


- Log -----------------------------------------------------------------
commit 35cf83bc12805c230f71c31653fd50c8751e32d7
Merge: 8f2546271cff3a91434cefbc77f9cf56d5e42168 4b313daa7a9c70c64a50a1786a5350876cb48c49
Author: Michal Čihař <mcihar at novell.com>
Date:   Tue Sep 21 10:30:19 2010 +0200

    Merge remote branch 'knittl/inline-edit-xss'

commit 4b313daa7a9c70c64a50a1786a5350876cb48c49
Author: Daniel Knittl-Frank <knittl89+git at googlemail.com>
Date:   Mon Sep 20 18:12:05 2010 +0200

    Fix persistent XSS in table browsing mode
    
    $where_clause was used instead of escaped $where_clause_html. This would
    only come into play when a string field was contained in the index (and
    thus used in the where clause).
    
    Signed-off-by: Daniel Knittl-Frank <knittl89+git at googlemail.com>

-----------------------------------------------------------------------
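To make the bug class behind this fix concrete, the following is an added PHP example (not phpMyAdmin's own code): it builds a row's WHERE clause from a string index column the way a table browser would, emits it into the hidden input both unescaped and HTML-escaped, and checks whether the attribute boundary survives. The function names, the sample row and the payload are assumptions for illustration.

```php
<?php
// Added example, not phpMyAdmin code. It reproduces the class of bug the
// commit describes: a WHERE clause built from index columns is placed in an
// HTML attribute, so a string primary key holding a double quote breaks out
// of the attribute. All names, the sample row and the payload are assumed
// for illustration.

// Build the row's WHERE clause the way a table browser does. The values come
// from the database, so a string column in the index can carry attacker text.
function build_where_clause(array $index_values): string
{
    $parts = [];
    foreach ($index_values as $column => $value) {
        // SQL-side escaping (stand-in for the real driver's escaping). This
        // makes the clause safe for MySQL, not for HTML.
        $parts[] = '`' . $column . "` = '" . addslashes($value) . "'";
    }
    return implode(' AND ', $parts);
}

// The "before" form: the raw clause lands inside value="...".
function hidden_input_unescaped(string $where_clause): string
{
    return '<input type="hidden" class="where_clause" value="' . $where_clause . '" />';
}

// The "after" form: escape for the attribute context first. ENT_QUOTES also
// covers single quotes, so the markup stays intact whichever quote style a
// template uses around the attribute.
function hidden_input_escaped(string $where_clause): string
{
    $where_clause_html = htmlspecialchars($where_clause, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" class="where_clause" value="' . $where_clause_html . '" />';
}

// Self-check: the template has exactly six double quotes of its own
// (type, class, value). Any extra quote came from the clause and means the
// attribute boundary was broken.
function attribute_intact(string $html): bool
{
    return substr_count($html, '"') === 6;
}

// Constructed sample: a string primary key whose stored value was chosen by
// whoever could insert into the table (e.g. a web application sharing it).
$row = ['name' => 'x"><img src=x onerror=alert(1)>'];
$where_clause = build_where_clause($row);

$vulnerable = hidden_input_unescaped($where_clause);
$fixed      = hidden_input_escaped($where_clause);

echo $vulnerable, "\n";   // the stored quote closes value="..." and <img ...> becomes live markup
echo $fixed, "\n";        // the whole clause stays inside value="..." as entities

var_dump(attribute_intact($vulnerable));
var_dump(attribute_intact($fixed));
```

Run it with `php example.php`: the unescaped output fails the quote-count check because the stored `"` terminates `value="..."` and the trailing `<img>` tag is parsed as markup, while the escaped output keeps the entire clause inside the attribute as entities. Because the browser decodes those entities when a script reads the element's `.value`, the inline-editing JavaScript still receives the raw clause it needs; the escaping changes only the HTML serialisation, not the data handed to the script.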

Summary of changes:
 libraries/display_tbl.lib.php       |    2 +-
 libraries/display_tbl_links.lib.php |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libraries/display_tbl.lib.php b/libraries/display_tbl.lib.php
index a57c909..3520257 100644
--- a/libraries/display_tbl.lib.php
+++ b/libraries/display_tbl.lib.php
@@ -1457,7 +1457,7 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
         }
 
         if( !empty($where_clause) ) {
-            $vertical_display['where_clause'][$row_no] = '<input type="hidden" class="where_clause" value ="' . $where_clause . '" />';
+            $vertical_display['where_clause'][$row_no] = '<input type="hidden" class="where_clause" value ="' . $where_clause_html . '" />';
         }
         else {
             unset($vertical_display['where_clause'][$row_no]);
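Review bot: the hunk swaps in $where_clause_html at the sink but does not show where that variable is built; before merging, confirm it is htmlspecialchars() applied to exactly the same $where_clause value tested by the `if( !empty($where_clause) )` guard, with double quotes escaped, since the `value ="..."` attribute is double-quoted and a clause containing `"` would otherwise still terminate it. Note also that the guard tests $where_clause while the emitted value is $where_clause_html; keep the two assigned together so the emptiness check and the output cannot drift apart. Minor style point: `value ="` carries a stray space before the `=`.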
diff --git a/libraries/display_tbl_links.lib.php b/libraries/display_tbl_links.lib.php
index a8511fe..d261fd0 100644
--- a/libraries/display_tbl_links.lib.php
+++ b/libraries/display_tbl_links.lib.php
@@ -61,6 +61,6 @@ if ($doWriteModifyAt == 'left') {
  * Used by jQuery scripts for handling inline editing
  */
 if( !empty($where_clause)) {
-    echo '<input type="hidden" class="where_clause" value ="' . $where_clause . '" />';
+    echo '<input type="hidden" class="where_clause" value ="' . $where_clause_html . '" />';
 }
 ?>
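Review bot: this is the same `<input type="hidden" class="where_clause" ...>` markup as in display_tbl.lib.php, and the same one-character bug had to be fixed in both places; factor the hidden-input construction into a single helper that takes the raw clause and escapes it internally, so a future call site cannot pass the unescaped variable again. The comment above says jQuery reads this value: the browser decodes the entity-escaped attribute when a script reads `.value`, so the inline-editing code still receives the raw SQL clause and must keep treating it as untrusted input when it is posted back. Since the pattern appeared in at least these two files, it is worth grepping the remaining templates for `. $where_clause .` concatenated into HTML before closing the issue.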


hooks/post-receive
-- 
phpMyAdmin



