[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_4_4RC1-16974-g4d2521a

Marc Delisle lem9 at users.sourceforge.net
Wed Aug 24 18:33:51 CEST 2011


The branch, master has been updated
       via  4d2521ac91d09697c3b2c209c962ebcbc093446d (commit)
       via  3b75f549f4a1f5e2ad45b5189f11496b4f70cccb (commit)
       via  f00c57bdf3669d7471b30e6750f6762d2e01947b (commit)
       via  4e5c583dcfdd6307f1093f80a9e1d1ff0480cc7d (commit)
       via  c547703b1089bff62b238a908d8559ca3ad845f1 (commit)
       via  b659fbeb128b3235738d6fd787cab096ddc3a591 (commit)
       via  0f5f2d960184db7333ecf7d52da406cae306412b (commit)
       via  39edf6e1fbe4a39f6fec0919d60eca5dfc2708ff (commit)
       via  3d8fddceb0f084d4b77c58c48a98e002db6baa6a (commit)
       via  2b0d12b2deb1b6b5c4073ecaa7971cb0bbb83389 (commit)
       via  ec848d825ffe896b96b6c3e4b8c7d4c12aadd310 (commit)
       via  09b30b8b6e462aafc24cc32a78491cd9513305c6 (commit)
      from  df4f5b7c96a0846a9a98241a5e7d567917d8db0b (commit)


- Log -----------------------------------------------------------------
commit 4d2521ac91d09697c3b2c209c962ebcbc093446d
Merge: df4f5b7 3b75f54
Author: Marc Delisle <marc at infomarc.info>
Date:   Wed Aug 24 12:30:15 2011 -0400

    Merge branch 'QA_3_4'

-----------------------------------------------------------------------

Summary of changes:
 export.php                   |    1 +
 libraries/sanitizing.lib.php |   18 ++++++++++
 tbl_tracking.php             |   72 ++++++++++++++++++++++--------------------
 3 files changed, 57 insertions(+), 34 deletions(-)

diff --git a/export.php b/export.php
index 3678924..5f91713 100644
--- a/export.php
+++ b/export.php
@@ -346,6 +346,7 @@ if (!$save_on_server) {
         // (avoid rewriting data containing HTML with anchors and forms;
         // this was reported to happen under Plesk)
         @ini_set('url_rewriter.tags','');
+        $filename = PMA_sanitize_filename($filename);
 
         PMA_download_header($filename, $mime_type);
     } else {
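Review bot: The sanitization on the added line is byte-wise, so a database or table name in UTF-8 becomes a run of underscores in the download name and non-Latin identifiers lose the name entirely. The header-injection risk it addresses comes from `;`, `"` and line breaks in the Content-Disposition value; a less lossy option is to send the sanitized value as the ASCII `filename=` fallback and the original as `filename*=UTF-8''` via `rawurlencode($filename)`, which belongs in PMA_download_header rather than here. The enclosing `if (!$save_on_server)` starts before the hunk; if the `else` branch writes `$filename` to disk, note that PMA_sanitize_filename is not a path sanitizer (`.` and `-` pass, so `..` survives) and that branch needs its own check.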
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index e920150..cbac64d 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -129,4 +129,22 @@ function PMA_sanitize($message, $escape = false, $safe = false)
 
     return $message;
 }
+
+
+/**
+ * Sanitize a filename by removing anything besides A-Za-z0-9_.-
+ *
+ * Intended usecase:
+ *    When using a filename in a Content-Disposition header the value should not contain ; or "
+ *
+ * @param   string  The filename
+ *
+ * @return  string  the sanitized filename
+ *
+ */
+function PMA_sanitize_filename($filename) {
+    $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
+    return $filename;
+}
+
 ?>
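Review bot: The docblock describes only the Content-Disposition use, but nothing in the function limits it to that, and `.` and `-` are retained, so `..` and a leading `-` survive; a caller reusing it for a filesystem path or a shell argument would be misled. Add a docblock line such as `Not a path sanitizer: '.' and '-' are kept, so '..' passes; use only for header or display values.` and name the parameter, `@param string $filename The filename`. Since the pattern has no `u` modifier the replacement is per byte, so each multibyte UTF-8 character becomes several underscores, which is worth stating as well. The body can be the single line `return preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);`.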
diff --git a/tbl_tracking.php b/tbl_tracking.php
index b601348..4430cf0 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -271,17 +271,17 @@ if (isset($_REQUEST['snapshot'])) {
         <tr class="noclick <?php echo $style; ?>">
             <?php
             if ($field['Key'] == 'PRI') {
-                echo '<td><b><u>' . $field['Field'] . '</u></b></td>' . "\n";
+                echo '<td><b><u>' . htmlspecialchars($field['Field']) . '</u></b></td>' . "\n";
             } else {
-                echo '<td><b>' . $field['Field'] . '</b></td>' . "\n";
+                echo '<td><b>' . htmlspecialchars($field['Field']) . '</b></td>' . "\n";
             }
             ?>
-            <td><?php echo $field['Type'];?></td>
-            <td><?php echo $field['Collation'];?></td>
-            <td><?php echo $field['Null'];?></td>
-            <td><?php echo $field['Default'];?></td>
-            <td><?php echo $field['Extra'];?></td>
-            <td><?php echo $field['Comment'];?></td>
+            <td><?php echo htmlspecialchars($field['Type']);?></td>
+            <td><?php echo htmlspecialchars($field['Collation']);?></td>
+            <td><?php echo htmlspecialchars($field['Null']);?></td>
+            <td><?php echo htmlspecialchars($field['Default']);?></td>
+            <td><?php echo htmlspecialchars($field['Extra']);?></td>
+            <td><?php echo htmlspecialchars($field['Comment']);?></td>
         </tr>
 <?php
             if ($style == 'even') {
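Review bot: Every new escaping call in this hunk and in the ones that follow relies on htmlspecialchars' defaults: `'` is left unescaped and the charset is whatever the PHP version defaults to. All of the sites here are element content or double-quoted attributes, so the output is safe as written, but that safety depends on the quoting style at each call site; a project helper passing `ENT_QUOTES` and an explicit `'UTF-8'` would make the calls uniform and still hold if someone later writes a single-quoted attribute. The loose `$field['Key'] == 'PRI'` on the context line could be `===` if Key is always a string.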
@@ -327,15 +327,15 @@ if (isset($_REQUEST['snapshot'])) {
             }
 ?>
             <tr class="noclick <?php echo $style; ?>">
-                <td><b><?php echo $index['Key_name'];?></b></td>
-                <td><?php echo $index['Index_type'];?></td>
+                <td><b><?php echo htmlspecialchars($index['Key_name']);?></b></td>
+                <td><?php echo htmlspecialchars($index['Index_type']);?></td>
                 <td><?php echo $str_unique;?></td>
                 <td><?php echo $str_packed;?></td>
-                <td><?php echo $index['Column_name'];?></td>
-                <td><?php echo $index['Cardinality'];?></td>
-                <td><?php echo $index['Collation'];?></td>
-                <td><?php echo $index['Null'];?></td>
-                <td><?php echo $index['Comment'];?></td>
+                <td><?php echo htmlspecialchars($index['Column_name']);?></td>
+                <td><?php echo htmlspecialchars($index['Cardinality']);?></td>
+                <td><?php echo htmlspecialchars($index['Collation']);?></td>
+                <td><?php echo htmlspecialchars($index['Null']);?></td>
+                <td><?php echo htmlspecialchars($index['Comment']);?></td>
             </tr>
 <?php
             if ($style == 'even') {
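Review bot: `$str_unique` and `$str_packed` on the two context lines between the escaped cells are still echoed raw, and this hunk does not show where they are built. If they are fixed translated strings chosen from `$index['Non_unique']` and `$index['Packed']`, that is fine; if either can ever be the column value itself, it needs the same `htmlspecialchars()` as its neighbours. A short comment at their definition saying which would settle it for the next reader.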
@@ -399,10 +399,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
     ?>
     <h3><?php echo __('Tracking report');?>  [<a href="tbl_tracking.php?<?php echo $url_query;?>"><?php echo __('Close');?></a>]</h3>
 
-    <small><?php echo __('Tracking statements') . ' ' . $data['tracking']; ?></small><br/>
+    <small><?php echo __('Tracking statements') . ' ' . htmlspecialchars($data['tracking']); ?></small><br/>
     <br/>
 
-    <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
+    <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
     <?php
 
     $str1 = '<select name="logtype">' .
@@ -410,9 +410,9 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
             '<option value="data"' . ($selection_data ? ' selected="selected"' : ''). '>' . __('Data only') . '</option>' .
             '<option value="schema_and_data"' . ($selection_both ? ' selected="selected"' : '') . '>' . __('Structure and data') . '</option>' .
             '</select>';
-    $str2 = '<input type="text" name="date_from" value="' . $_REQUEST['date_from'] . '" size="19" />';
-    $str3 = '<input type="text" name="date_to" value="' . $_REQUEST['date_to'] . '" size="19" />';
-    $str4 = '<input type="text" name="users" value="' . $_REQUEST['users'] . '" />';
+    $str2 = '<input type="text" name="date_from" value="' . htmlspecialchars($_REQUEST['date_from']) . '" size="19" />';
+    $str3 = '<input type="text" name="date_to" value="' . htmlspecialchars($_REQUEST['date_to']) . '" size="19" />';
+    $str4 = '<input type="text" name="users" value="' . htmlspecialchars($_REQUEST['users']) . '" />';
     $str5 = '<input type="submit" name="list_report" value="' . __('Go') . '" />';
 
     printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
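Review bot: The three rewritten inputs read `$_REQUEST['date_from']`, `$_REQUEST['date_to']` and `$_REQUEST['users']` without checking they exist, so a request without those keys emits a notice per key and, with display_errors on, prints it into the page; the hidden inputs in the later hunk (including `logtype`) do the same. Resolving each once before building the markup avoids both: `$date_from = isset($_REQUEST['date_from']) ? $_REQUEST['date_from'] : '';` and then `htmlspecialchars($date_from)` in both places. This predates the commit, but the commit already touches the lines.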
@@ -464,8 +464,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
         ?>
                 <tr class="noclick <?php echo $style; ?>">
                     <td><small><?php echo $i;?></small></td>
-                    <td><small><?php echo $entry['date'];?></small></td>
-                    <td><small><?php echo $entry['username']; ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['date']);?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
                     <td><?php echo $statement; ?></td>
                     <td nowrap="nowrap"><a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>&delete_ddlog=<?php echo $i-1; ?>"><?php echo $drop_image_or_text; ?></a></td>
                 </tr>
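Review bot: The delete link on the last context line still builds its URL by concatenating `$url_query`, `$version['version']` and `$i-1` with bare `&`, while the forms in this commit moved to PMA_generate_common_url; the same link appears at the end of the next hunk with `delete_dmlog`. Rewriting both as `PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'], 'delete_ddlog' => $i-1))` gives them the same encoding as the forms and fixes the unescaped `&` inside the attribute. `$version['version']` comes from the tracking table and is escaped when displayed in the last hunk, so it should get the same treatment in URLs.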
@@ -520,8 +520,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
         ?>
                 <tr class="noclick <?php echo $style; ?>">
                     <td><small><?php echo $i; ?></small></td>
-                    <td><small><?php echo $entry['date']; ?></small></td>
-                    <td><small><?php echo $entry['username']; ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
                     <td><?php echo $statement; ?></td>
                     <td nowrap="nowrap"><a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>&delete_dmlog=<?php echo $i-$ddlog_count; ?>"><?php echo $drop_image_or_text; ?></a></td>
                 </tr>
@@ -541,7 +541,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
     }
     ?>
     </form>
-    <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
+    <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
     <?php
     printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
 
@@ -554,11 +554,11 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
     $str_export2 = '<input type="submit" name="report_export" value="' . __('Go') .'" />';
     ?>
     </form>
-    <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
-    <input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" />
-    <input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" />
-    <input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" />
-    <input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" />
+    <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
+    <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
+    <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
+    <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
+    <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" />
     <?php
     echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>";
     ?>
@@ -660,11 +660,15 @@ if ($last_version > 0) {
         <tr class="noclick <?php echo $style;?>">
             <td><?php echo htmlspecialchars($version['db_name']);?></td>
             <td><?php echo htmlspecialchars($version['table_name']);?></td>
-            <td><?php echo $version['version'];?></td>
-            <td><?php echo $version['date_created'];?></td>
-            <td><?php echo $version['date_updated'];?></td>
+            <td><?php echo htmlspecialchars($version['version']);?></td>
+            <td><?php echo htmlspecialchars($version['date_created']);?></td>
+            <td><?php echo htmlspecialchars($version['date_updated']);?></td>
             <td><?php echo $version_status;?></td>
-            <td> <a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>"><?php echo __('Tracking report');?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&snapshot=true&version=<?php echo $version['version'];?>"><?php echo __('Structure snapshot');?></a></td>
+            <td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])
+);?>"><?php echo __('Tracking report');?></a> 
+                | <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version'])
+);?>"><?php echo __('Structure snapshot');?></a>
+            </td>
         </tr>
     <?php
         if ($style == 'even') {
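Review bot: The two new links close the PMA_generate_common_url call with `)` on a line of its own at column 0, inside the `href` attribute, which reads as a stray parenthesis and leaves trailing whitespace after the first `</a>`. Keeping each call on one line, `<a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])); ?>">`, matches the forms rewritten earlier in this commit. `$version_status` on the context line is still echoed raw; if it is a fixed translated string that is fine, but confirm it never carries a table value.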

