[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_4_3_1-13368-g79df749
Marc Delisle
lem9 at users.sourceforge.net
Mon Aug 8 14:27:48 CEST 2011
The branch, master has been updated
via 79df74937cd20a400837b76f264eef4a4f2fe245 (commit)
via 1fa702b45c1d7cadf00fbcd4762f9368517fac09 (commit)
via bfdf28e24c6b5b92451e3d9f71e9984eadf6c58c (commit)
from 4d15c3d1205895b7eccfbcc79a0760c15c71724a (commit)
- Log -----------------------------------------------------------------
commit 79df74937cd20a400837b76f264eef4a4f2fe245
Merge: 1fa702b45c1d7cadf00fbcd4762f9368517fac09 4d15c3d1205895b7eccfbcc79a0760c15c71724a
Author: Marc Delisle <marc at infomarc.info>
Date: Mon Aug 8 08:27:28 2011 -0400
Merge branch 'master' of ssh://phpmyadmin.git.sourceforge.net/gitroot/phpmyadmin/phpmyadmin
commit 1fa702b45c1d7cadf00fbcd4762f9368517fac09
Author: Marc Delisle <marc at infomarc.info>
Date: Mon Aug 8 08:27:10 2011 -0400
Coding style
commit bfdf28e24c6b5b92451e3d9f71e9984eadf6c58c
Author: Tyron Madlener <tyronx at gmail.com>
Date: Mon Aug 8 08:25:20 2011 -0400
Workaround too small value of suhosin.get.max_value_length
-----------------------------------------------------------------------
Summary of changes:
libraries/common.lib.php | 49 +++++++++++++++++++++++++++++++++------------
1 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 5de802b..c3a9d69 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -1702,8 +1702,23 @@ function PMA_linkOrButton($url, $message, $tag_params = array(),
if (stristr($message, '<img') && (!$strip_img || $GLOBALS['cfg']['PropertiesIconic'] === true) && strip_tags($message)==$message) {
$displayed_message = '<span>' . htmlspecialchars(preg_replace('/^.*\salt="([^"]*)".*$/si', '\1', $message)) . '</span>';
}
-
+
+ // Suhosin: Check that each query parameter is not above maximum
+ $in_suhosin_limits = true;
if ($url_length <= $GLOBALS['cfg']['LinkLengthLimit']) {
+ if ($suhosin_get_MaxValueLength = ini_get('suhosin.get.max_value_length')) {
+ $query_parts = PMA_splitURLQuery($url);
+ foreach($query_parts as $query_pair) {
+ list($eachvar, $eachval) = explode('=', $query_pair);
+ if(strlen($eachval) > $suhosin_get_MaxValueLength) {
+ $in_suhosin_limits = false;
+ break;
+ }
+ }
+ }
+ }
+
+ if ($url_length <= $GLOBALS['cfg']['LinkLengthLimit'] && $in_suhosin_limits) {
// no whitespace within an <a> else Safari will make it part of the link
$ret = "\n" . '<a href="' . $url . '" '
. implode(' ', $tag_params_strings) . '>'
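Review bot: `list($eachvar, $eachval) = explode('=', $query_pair);` raises an undefined-offset notice for a key-only pair such as `foo` with no `=`, and a value containing a literal `=` would be cut to the part before it; use `$pair = explode('=', $query_pair, 2); $eachval = isset($pair[1]) ? $pair[1] : '';` ahead of the `strlen` test. The length compared is that of the still percent-encoded value; if Suhosin enforces the limit on the decoded value this overestimates and only errs toward the form fallback, which looks acceptable. The assignment inside the `if` condition would read more clearly split into `$suhosin_get_MaxValueLength = ini_get('suhosin.get.max_value_length');` followed by `if ($suhosin_get_MaxValueLength) {`. PMA_linkOrButton starts before this hunk and continues after it.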
@@ -1717,20 +1732,12 @@ function PMA_linkOrButton($url, $message, $tag_params = array(),
if (empty($tag_params['class'])) {
$tag_params['class'] = 'link';
}
-
- // decode encoded url separators
- $separator = PMA_get_arg_separator();
- // on most places separator is still hard coded ...
- if ($separator !== '&') {
- // ... so always replace & with $separator
- $url = str_replace(htmlentities('&'), $separator, $url);
- $url = str_replace('&', $separator, $url);
+
+ if (! isset($query_parts)) {
+ $query_parts = PMA_splitURLQuery($url);
}
- $url = str_replace(htmlentities($separator), $separator, $url);
- // end decode
-
$url_parts = parse_url($url);
- $query_parts = explode($separator, $url_parts['query']);
+
if ($new_form) {
$ret = '<form action="' . $url_parts['path'] . '" class="link"'
. ' method="post"' . $target . ' style="display: inline;">';
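Review bot: The separator decoding that used to rewrite `$url` before the `parse_url($url)` call now happens only inside `PMA_splitURLQuery`, so from here on `$url` keeps any `&amp;`-encoded separators it arrived with; if `$url` itself (rather than `$url_parts` or `$query_parts`) is still referenced further down the form branch, which runs past the end of the hunk, that code now sees the undecoded string. A one-line comment at the `parse_url` call, `// $url is no longer separator-normalised here; query pairs come from PMA_splitURLQuery()`, would make the change in contract visible to the next reader. The `! isset($query_parts)` reuse is fine as written, since the earlier computation is only skipped when the Suhosin check did not run.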
@@ -1768,6 +1775,22 @@ function PMA_linkOrButton($url, $message, $tag_params = array(),
} // end of the 'PMA_linkOrButton()' function
+function PMA_splitURLQuery($url) {
+ // decode encoded url separators
+ $separator = PMA_get_arg_separator();
+ // on most places separator is still hard coded ...
+ if ($separator !== '&') {
+ // ... so always replace & with $separator
+ $url = str_replace(htmlentities('&'), $separator, $url);
+ $url = str_replace('&', $separator, $url);
+ }
+ $url = str_replace(htmlentities($separator), $separator, $url);
+ // end decode
+
+ $url_parts = parse_url($url);
+ return explode($separator, $url_parts['query']);
+}
+
/**
* Returns a given timespan value in a readable format.
*
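Review bot: `$url_parts['query']` is read without a guard, so a `$url` with no query string (or one `parse_url` rejects, where it returns false) produces a notice and `explode` is handed null; add `if (empty($url_parts['query'])) { return array(); }` before the `return`. The new function also lacks the docblock its neighbours carry (compare the `/**` block that follows it): a short one stating that it normalises the argument separator in `$url` and returns the query string split into `key=value` strings, with `@param string $url` and `@return array`, would match the file's style. Since the decoded `$url` is local to this helper, callers keep their original string, which is worth saying in that docblock.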