[Phpmyadmin-git] [SCM] phpMyAdmin branch, TESTING, updated. RELEASE_3_4_4-43-g4788017

Marc Delisle lem9 at users.sourceforge.net
Wed Aug 24 19:06:17 CEST 2011


The branch, TESTING has been updated
       via  478801729d9a939dd06b75a62b029a8cc618a3d4 (commit)
       via  b5686c68ab98b2916f187daff90f8b8f392ce394 (commit)
       via  dd81a0fce80b7766e7305c16c7b2cf32207d80fd (commit)
       via  f00c57bdf3669d7471b30e6750f6762d2e01947b (commit)
       via  4e5c583dcfdd6307f1093f80a9e1d1ff0480cc7d (commit)
       via  c547703b1089bff62b238a908d8559ca3ad845f1 (commit)
       via  b659fbeb128b3235738d6fd787cab096ddc3a591 (commit)
       via  0f5f2d960184db7333ecf7d52da406cae306412b (commit)
       via  39edf6e1fbe4a39f6fec0919d60eca5dfc2708ff (commit)
       via  3d8fddceb0f084d4b77c58c48a98e002db6baa6a (commit)
       via  2b0d12b2deb1b6b5c4073ecaa7971cb0bbb83389 (commit)
       via  ec848d825ffe896b96b6c3e4b8c7d4c12aadd310 (commit)
      from  049fd9fd97ed3da8cb38804be1666125129d4b19 (commit)


- Log -----------------------------------------------------------------
commit 478801729d9a939dd06b75a62b029a8cc618a3d4
Merge: 049fd9f b5686c6
Author: Marc Delisle <marc at infomarc.info>
Date:   Wed Aug 24 12:46:30 2011 -0400

    Merge branch 'MAINT_3_4_4' into TESTING

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                        |    3 +-
 Documentation.html                               |    4 +-
 README                                           |    2 +-
 export.php                                       |    1 +
 libraries/Config.class.php                       |    2 +-
 libraries/sanitizing.lib.php                     |   18 +++++
 libraries/schema/Dia_Relation_Schema.class.php   |    1 +
 libraries/schema/Eps_Relation_Schema.class.php   |    1 +
 libraries/schema/Pdf_Relation_Schema.class.php   |    2 +
 libraries/schema/Svg_Relation_Schema.class.php   |    1 +
 libraries/schema/Visio_Relation_Schema.class.php |    1 +
 tbl_get_field.php                                |    3 +-
 tbl_tracking.php                                 |   75 ++++++++++++----------
 transformation_wrapper.php                       |    2 +-
 14 files changed, 74 insertions(+), 42 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3c30745..3fa39b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,7 @@
 phpMyAdmin - ChangeLog
 ======================
 
-3.4.4.0 (not yet released)
+3.4.4.0 (2011-08-24)
 - bug #3323060 [parser] SQL parser breaks AJAX requests if query has unclosed quotes
 - bug #3323101 [parser] Invalid escape sequence in SQL parser
 - bug #3348995 [config] $cfg['Export']['asfile'] set to false does not select asText option
@@ -19,6 +19,7 @@ phpMyAdmin - ChangeLog
 - bug #3372807 [interface] Fix security warning link in setup
 - bug #3374347 [display] Backquotes in normal text on import page
 - bug #3358750 [core] With Suhosin, urls are too long in edit links
+- [security] Missing sanitization on the table, column and index names leads to XSS vulnerabilities, see PMASA-2011-13
 
 3.4.3.2 (2011-07-23)
 - [security] Fixed XSS vulnerability, see PMASA-2011-9
diff --git a/Documentation.html b/Documentation.html
index 057c6c9..fd0f6b8 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -9,7 +9,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
     <link rel="icon" href="./favicon.ico" type="image/x-icon" />
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-    <title>phpMyAdmin 3.4.4-rc1 - Documentation</title>
+    <title>phpMyAdmin 3.4.4 - Documentation</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 
@@ -17,7 +17,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
 <div id="header">
     <h1>
         <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
-        3.4.4-rc1
+        3.4.4
         Documentation
     </h1>
 </div>
diff --git a/README b/README
index 6e7197d..ab29c94 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 3.4.4-rc1
+Version 3.4.4
 
 A set of PHP-scripts to manage MySQL over the web.
 
diff --git a/export.php b/export.php
index 7da25fc..100269f 100644
--- a/export.php
+++ b/export.php
@@ -343,6 +343,7 @@ if (!$save_on_server) {
         // (avoid rewriting data containing HTML with anchors and forms;
         // this was reported to happen under Plesk)
         @ini_set('url_rewriter.tags','');
+        $filename = PMA_sanitize_filename($filename);
 
         header('Content-Type: ' . $mime_type);
         header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
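Review bot: The sanitization is added inside the `if (!$save_on_server)` branch named in the hunk header, so it covers only the download path where `$filename` reaches a Content-Disposition header. The save-on-server branch lies outside the hunk, so I cannot see whether the same `$filename` is constrained before it is used as a path on the server; if it is not, the same call is worth adding there as well, since PMA_sanitize_filename's character set excludes path separators. The surrounding `if` block starts and ends outside this hunk.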
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index a55bd02..37356e0 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -96,7 +96,7 @@ class PMA_Config
      */
     function checkSystem()
     {
-        $this->set('PMA_VERSION', '3.4.4-rc1');
+        $this->set('PMA_VERSION', '3.4.4');
         /**
          * @deprecated
          */
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index a362ebd..a65f8ba 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -86,4 +86,22 @@ function PMA_sanitize($message, $escape = false, $safe = false)
 
     return $message;
 }
+
+
+/**
+ * Sanitize a filename by removing anything besides A-Za-z0-9_.-
+ *
+ * Intended usecase:
+ *    When using a filename in a Content-Disposition header the value should not contain ; or "
+ *
+ * @param   string  The filename
+ *
+ * @return  string  the sanitized filename
+ *
+ */
+function PMA_sanitize_filename($filename) {
+    $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
+    return $filename;
+}
+
 ?>
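Review bot: The docblock on the new PMA_sanitize_filename says the function removes disallowed characters, but the preg_replace substitutes `_` for each of them, so the summary should read `* Sanitize a filename by replacing anything besides A-Za-z0-9_.- with an underscore` and the parameter tag should name the variable: `* @param string $filename The filename`. Because the pattern carries no `u` modifier, the character class matches byte by byte, so each multibyte UTF-8 character in a table name becomes a run of underscores rather than a single one; that is safe for the header use case but worth stating in the docblock so callers do not expect the name to stay readable. preg_replace returns null on a PCRE error, which would be passed through unchecked; with a fixed pattern over short input this is unlikely, but a `(string)` cast on the return would keep the documented string return honest.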
diff --git a/libraries/schema/Dia_Relation_Schema.class.php b/libraries/schema/Dia_Relation_Schema.class.php
index e58381e..2f6373e 100644
--- a/libraries/schema/Dia_Relation_Schema.class.php
+++ b/libraries/schema/Dia_Relation_Schema.class.php
@@ -173,6 +173,7 @@ class PMA_DIA extends XMLWriter
          if(ob_get_clean()){
             ob_end_clean();
         }
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: application/x-dia-diagram');
         header('Content-Disposition: attachment; filename="'.$fileName.'.dia"');
         $output = $this->flush();
diff --git a/libraries/schema/Eps_Relation_Schema.class.php b/libraries/schema/Eps_Relation_Schema.class.php
index 5435db4..7f1c34d 100644
--- a/libraries/schema/Eps_Relation_Schema.class.php
+++ b/libraries/schema/Eps_Relation_Schema.class.php
@@ -336,6 +336,7 @@ class PMA_EPS
         // if(ob_get_clean()){
             //ob_end_clean();
         //}
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: image/x-eps');
         header('Content-Disposition: attachment; filename="'.$fileName.'.eps"');
         $output = $this->stringCommands;
diff --git a/libraries/schema/Pdf_Relation_Schema.class.php b/libraries/schema/Pdf_Relation_Schema.class.php
index 6078537..ad0fe7a 100644
--- a/libraries/schema/Pdf_Relation_Schema.class.php
+++ b/libraries/schema/Pdf_Relation_Schema.class.php
@@ -1075,6 +1075,8 @@ class PMA_Pdf_Relation_Schema extends PMA_Export_Relation_Schema
         if (empty($filename)) {
             $filename = $pageNumber . '.pdf';
         }
+        $fileName = PMA_sanitize_filename($fileName);
+
         // instead of $pdf->Output():
         $pdfData = $pdf->getPDFData();
         header('Content-Type: application/pdf');
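Review bot: The added line assigns `$fileName`, while the context lines just above it (the `empty($filename)` default) use `$filename`; PHP variable names are case-sensitive, so the new line sanitizes a different, possibly unset, variable and the value carrying the default is left untouched. It should read `$filename = PMA_sanitize_filename($filename);`, matching the case used two lines earlier. The enclosing method and the Content-Disposition header it builds are outside this hunk, so I cannot see which spelling the header uses; whichever it is, the default assignment, the sanitization and the header must all agree on one name.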
diff --git a/libraries/schema/Svg_Relation_Schema.class.php b/libraries/schema/Svg_Relation_Schema.class.php
index afafda7..52eb439 100644
--- a/libraries/schema/Svg_Relation_Schema.class.php
+++ b/libraries/schema/Svg_Relation_Schema.class.php
@@ -171,6 +171,7 @@ class PMA_SVG extends XMLWriter
     function showOutput($fileName)
     {
         //ob_get_clean();
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: image/svg+xml');
         header('Content-Disposition: attachment; filename="'.$fileName.'.svg"');
         $output = $this->flush();
diff --git a/libraries/schema/Visio_Relation_Schema.class.php b/libraries/schema/Visio_Relation_Schema.class.php
index ab45b13..0c3f7ec 100644
--- a/libraries/schema/Visio_Relation_Schema.class.php
+++ b/libraries/schema/Visio_Relation_Schema.class.php
@@ -158,6 +158,7 @@ class PMA_VISIO extends XMLWriter
          //if(ob_get_clean()){
             //ob_end_clean();
         //}
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: application/visio');
         header('Content-Disposition: attachment; filename="'.$fileName.'.vdx"');
         $output = $this->flush();
diff --git a/tbl_get_field.php b/tbl_get_field.php
index a58eb51..be0bdde 100644
--- a/tbl_get_field.php
+++ b/tbl_get_field.php
@@ -39,7 +39,8 @@ if ($result === false) {
 
 header('Content-Type: ' . PMA_detectMIME($result));
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
-header('Content-Disposition: attachment; filename="' . $table . '-' .  $transform_key . '.bin"');
+$filename = PMA_sanitize_filename($table . '-' .  $transform_key . '.bin');
+header('Content-Disposition: attachment; filename="' . $filename . '"');
 if (PMA_USR_BROWSER_AGENT == 'IE') {
     header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
     header('Pragma: public');
diff --git a/tbl_tracking.php b/tbl_tracking.php
index 99a540e..96d5024 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -111,7 +111,8 @@ if (isset($_REQUEST['report_export']) && $_REQUEST['export_type'] == 'sqldumpfil
     foreach($entries as $entry) {
         $dump .= $entry['statement'];
     }
-    $filename = 'log_' . htmlspecialchars($_REQUEST['table']) . '.sql';
+    //$filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
+    $filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');
     header('Content-Type: text/x-sql');
     header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
     header('Content-Disposition: attachment; filename="' . $filename . '"');
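Review bot: The commented-out earlier attempt left above the new `$filename` assignment should be deleted rather than kept: it records a rejected approach (stripping `;` after htmlspecialchars) and will only make the next reader wonder which sanitization is in force. Version control already preserves the history. The single live line `$filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');` is all that is needed.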
@@ -281,17 +282,17 @@ if (isset($_REQUEST['snapshot'])) {
         <tr class="noclick <?php echo $style; ?>">
             <?php
             if ($field['Key'] == 'PRI') {
-                echo '<td><b><u>' . $field['Field'] . '</u></b></td>' . "\n";
+                echo '<td><b><u>' . htmlspecialchars($field['Field']) . '</u></b></td>' . "\n";
             } else {
-                echo '<td><b>' . $field['Field'] . '</b></td>' . "\n";
+                echo '<td><b>' . htmlspecialchars($field['Field']) . '</b></td>' . "\n";
             }
             ?>
-            <td><?php echo $field['Type'];?></td>
-            <td><?php echo $field['Collation'];?></td>
-            <td><?php echo $field['Null'];?></td>
-            <td><?php echo $field['Default'];?></td>
-            <td><?php echo $field['Extra'];?></td>
-            <td><?php echo $field['Comment'];?></td>
+            <td><?php echo htmlspecialchars($field['Type']);?></td>
+            <td><?php echo htmlspecialchars($field['Collation']);?></td>
+            <td><?php echo htmlspecialchars($field['Null']);?></td>
+            <td><?php echo htmlspecialchars($field['Default']);?></td>
+            <td><?php echo htmlspecialchars($field['Extra']);?></td>
+            <td><?php echo htmlspecialchars($field['Comment']);?></td>
         </tr>
 <?php
             if ($style == 'even') {
@@ -337,15 +338,15 @@ if (isset($_REQUEST['snapshot'])) {
             }
 ?>
             <tr class="noclick <?php echo $style; ?>">
-                <td><b><?php echo $index['Key_name'];?></b></td>
-                <td><?php echo $index['Index_type'];?></td>
+                <td><b><?php echo htmlspecialchars($index['Key_name']);?></b></td>
+                <td><?php echo htmlspecialchars($index['Index_type']);?></td>
                 <td><?php echo $str_unique;?></td>
                 <td><?php echo $str_packed;?></td>
-                <td><?php echo $index['Column_name'];?></td>
-                <td><?php echo $index['Cardinality'];?></td>
-                <td><?php echo $index['Collation'];?></td>
-                <td><?php echo $index['Null'];?></td>
-                <td><?php echo $index['Comment'];?></td>
+                <td><?php echo htmlspecialchars($index['Column_name']);?></td>
+                <td><?php echo htmlspecialchars($index['Cardinality']);?></td>
+                <td><?php echo htmlspecialchars($index['Collation']);?></td>
+                <td><?php echo htmlspecialchars($index['Null']);?></td>
+                <td><?php echo htmlspecialchars($index['Comment']);?></td>
             </tr>
 <?php
             if ($style == 'even') {
@@ -372,10 +373,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
     ?>
     <h3><?php echo __('Tracking report');?>  [<a href="tbl_tracking.php?<?php echo $url_query;?>"><?php echo __('Close');?></a>]</h3>
 
-    <small><?php echo __('Tracking statements') . ' ' . $data['tracking']; ?></small><br/>
+    <small><?php echo __('Tracking statements') . ' ' . htmlspecialchars($data['tracking']); ?></small><br/>
     <br/>
 
-    <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
+    <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
     <?php
 
     $str1 = '<select name="logtype">' .
@@ -383,9 +384,9 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
             '<option value="data"' . ($selection_data ? ' selected="selected"' : ''). '>' . __('Data only') . '</option>' .
             '<option value="schema_and_data"' . ($selection_both ? ' selected="selected"' : '') . '>' . __('Structure and data') . '</option>' .
             '</select>';
-    $str2 = '<input type="text" name="date_from" value="' . $_REQUEST['date_from'] . '" size="19" />';
-    $str3 = '<input type="text" name="date_to" value="' . $_REQUEST['date_to'] . '" size="19" />';
-    $str4 = '<input type="text" name="users" value="' . $_REQUEST['users'] . '" />';
+    $str2 = '<input type="text" name="date_from" value="' . htmlspecialchars($_REQUEST['date_from']) . '" size="19" />';
+    $str3 = '<input type="text" name="date_to" value="' . htmlspecialchars($_REQUEST['date_to']) . '" size="19" />';
+    $str4 = '<input type="text" name="users" value="' . htmlspecialchars($_REQUEST['users']) . '" />';
     $str5 = '<input type="submit" name="list_report" value="' . __('Go') . '" />';
 
     printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
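Review bot: The three rewritten input lines read `$_REQUEST['date_from']`, `$_REQUEST['date_to']` and `$_REQUEST['users']` directly, so a request that carries none of them (presumably the first visit to the report before the filter form is submitted) raises an undefined-index notice on each access and passes null to htmlspecialchars; the hidden inputs in the hunk at -506 have the same shape. Unless these keys are guaranteed to be set earlier in the file, which is not visible from the hunk, read each through a default, e.g. `$date_from = isset($_REQUEST['date_from']) ? $_REQUEST['date_from'] : '';` and then `htmlspecialchars($date_from)`. The previous lines had the same gap, but it is cheap to close while these lines are being touched.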
@@ -422,8 +423,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
         ?>
                 <tr class="noclick <?php echo $style; ?>">
                     <td><small><?php echo $i;?></small></td>
-                    <td><small><?php echo $entry['date'];?></small></td>
-                    <td><small><?php echo $entry['username']; ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['date']);?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
                     <td><?php echo $statement; ?></td>
                 </tr>
         <?php
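Review bot: `$statement` is still echoed raw in the cell directly after the newly escaped date and username cells, here and in the matching hunk at -473. Its construction is outside both hunks, so I cannot tell whether it is already HTML-escaped or intentionally contains markup such as syntax highlighting; if it comes from the tracking log unescaped it has the same exposure this commit closes for the neighbouring columns. Either escape it at the echo, `<td><?php echo htmlspecialchars($statement); ?></td>`, or add a comment where it is built stating that it is already safe HTML.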
@@ -473,8 +474,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
         ?>
                 <tr class="noclick <?php echo $style; ?>">
                     <td><small><?php echo $i; ?></small></td>
-                    <td><small><?php echo $entry['date']; ?></small></td>
-                    <td><small><?php echo $entry['username']; ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td>
+                    <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
                     <td><?php echo $statement; ?></td>
                 </tr>
         <?php
@@ -493,7 +494,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
     }
     ?>
     </form>
-    <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
+    <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
     <?php
     printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
 
@@ -506,11 +507,11 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
     $str_export2 = '<input type="submit" name="report_export" value="' . __('Go') .'" />';
     ?>
     </form>
-    <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&report=true&version=<?php echo $_REQUEST['version'];?>">
-    <input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" />
-    <input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" />
-    <input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" />
-    <input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" />
+    <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
+    <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
+    <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
+    <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
+    <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" />
     <?php
     echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>";
     ?>
@@ -612,11 +613,15 @@ if ($last_version > 0) {
         <tr class="noclick <?php echo $style;?>">
             <td><?php echo htmlspecialchars($version['db_name']);?></td>
             <td><?php echo htmlspecialchars($version['table_name']);?></td>
-            <td><?php echo $version['version'];?></td>
-            <td><?php echo $version['date_created'];?></td>
-            <td><?php echo $version['date_updated'];?></td>
+            <td><?php echo htmlspecialchars($version['version']);?></td>
+            <td><?php echo htmlspecialchars($version['date_created']);?></td>
+            <td><?php echo htmlspecialchars($version['date_updated']);?></td>
             <td><?php echo $version_status;?></td>
-            <td> <a href="tbl_tracking.php?<?php echo $url_query;?>&report=true&version=<?php echo $version['version'];?>"><?php echo __('Tracking report');?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&snapshot=true&version=<?php echo $version['version'];?>"><?php echo __('Structure snapshot');?></a></td>
+            <td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])
+);?>"><?php echo __('Tracking report');?></a> 
+                | <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version'])
+);?>"><?php echo __('Structure snapshot');?></a>
+            </td>
         </tr>
     <?php
         if ($style == 'even') {
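Review bot: The two new link lines split each PMA_generate_common_url call so that its closing `)` lands at column 0 on the following line, and the first `</a>` line carries trailing whitespace, which reads as an accident rather than deliberate wrapping. Build the two URLs in a short PHP block before the `<td>`, e.g. `$report_url = PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version']));` with a matching `$snapshot_url`, and reduce the markup to `<a href="tbl_tracking.php<?php echo $report_url; ?>">`. That keeps the lines within the usual width and leaves the HTML readable. The enclosing loop starts and ends outside this hunk.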
diff --git a/transformation_wrapper.php b/transformation_wrapper.php
index 3699dd0..f04c8ac 100644
--- a/transformation_wrapper.php
+++ b/transformation_wrapper.php
@@ -68,7 +68,7 @@ if (isset($ct) && !empty($ct)) {
 header($content_type);
 
 if (isset($cn) && !empty($cn)) {
-    header('Content-Disposition: attachment; filename=' . $cn);
+    header('Content-Disposition: attachment; filename=' . PMA_sanitize_filename($cn));
 }
 
 if (!isset($resize)) {
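Review bot: The rewritten header line still emits the filename unquoted (`filename=' . PMA_sanitize_filename($cn)`), whereas every other call site touched by this commit writes `filename="..."`. The sanitized value can no longer contain `;` or `"`, so this is safe as written, but quoting keeps the Content-Disposition form consistent across the codebase and stays correct if the sanitizer's character set is ever widened: `header('Content-Disposition: attachment; filename="' . PMA_sanitize_filename($cn) . '"');`.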


hooks/post-receive
-- 
phpMyAdmin



