[Phpmyadmin-git] [SCM] phpMyAdmin branch, QA_3_4, updated. RELEASE_3_4_3_1-53-g3534dda

Marc Delisle lem9 at users.sourceforge.net
Sat Jul 23 14:33:42 CEST 2011


The branch, QA_3_4 has been updated
       via  3534dda30a587eafe3bf5016f2fb302dbc224c2e (commit)
       via  bd63726ee3daf32799f499b61d7cde973d8e8660 (commit)
       via  09c0f7ae557e40102fbfd23c4bea4939e19f0f29 (commit)
       via  571cdc6ff4bf375871b594f4e06f8ad3159d1754 (commit)
       via  e7bb42c002885c2aca7aba4d431b8c63ae4de9b7 (commit)
       via  3ae58f0cd6b89ad4767920f9b214c38d3f6d4393 (commit)
       via  3caa6cbb7ed1b1933c3bded493a2fbc8273d746f (commit)
       via  f63e1bb42a37401b2fdfcd2e66cce92b7ea2025c (commit)
       via  951fb4dd79253a3aca8b6e386db77c1affcfc3a9 (commit)
       via  4bd27166c314faa37cada91533b86377f4d4d214 (commit)
       via  a0823be05aa5835f207c0838b9cca67d2d9a050a (commit)
       via  d7cffc5dbde68342d46e891ea2c8bd72de134f43 (commit)
      from  06bfdd7ca6d76335f45d53134770979d7d25d739 (commit)


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                 |   18 ++++++++++++------
 libraries/auth/swekey/swekey.auth.lib.php |   12 +++++++-----
 libraries/schema/User_Schema.class.php    |    7 +++++--
 schema_export.php                         |    4 +++-
 sql.php                                   |    2 +-
 tbl_printview.php                         |    4 ++--
 6 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 021c2cc..02db31c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,12 @@ phpMyAdmin - ChangeLog
 - bug #3372807 [interface] Fix security warning link in setup
 - bug #3374347 [display] Backquotes in normal text on import page
 
+3.4.3.2 (2011-07-23)
+- [security] Fixed XSS vulnerability, see PMASA-2011-9
+- [security] Fixed local file inclusion vulnerability, see PMASA-2011-10
+- [security] Fixed local file inclusion vulnerability and code execution, see PMASA-2011-11
+- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12
+
 3.4.3.1 (2011-07-02)
 - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5
 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6
@@ -113,7 +119,7 @@ phpMyAdmin - ChangeLog
 + patch #2974341 [structure] Clicking on table name in db Structure should 
   Browse the table if possible, thanks to bhdouglass - dougboybhd
 + patch #2975533 [search] New search operators, thanks to
-  Martynas Mickevičius
+  Martynas Mickevičius
 + patch #2967320 [designer] Colored relations based on the primary key,
   thanks to GreenRover - greenrover
 - [core] Provide way for vendors to easily change paths to config files.
@@ -267,7 +273,7 @@ phpMyAdmin - ChangeLog
 
 3.3.7.0 (2010-09-07)
 - patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after
-  a page size increase, thanks to Martin Schönberger - mad05
+  a page size increase, thanks to Martin Schönberger - mad05
 
 3.3.6.0 (2010-08-28)
 - bug #3033063 [core] Navi gets wrong db name
@@ -288,7 +294,7 @@ phpMyAdmin - ChangeLog
 
 3.3.5.0 (2010-07-26)
 - patch #2932113 [information_schema] Slow export when having lots of
-  databases, thanks to Stéphane Pontier - shadow_walker
+  databases, thanks to Stéphane Pontier - shadow_walker
 - bug #3022705 [import] Import button does not work in Catalan when there
   is no progress bar possible
 - bug [replication] Do not offer information_schema in the list of databases
@@ -328,9 +334,9 @@ phpMyAdmin - ChangeLog
 - patch #2984893 [engines] InnoDB storage page emits a warning,
   thanks to Madhura Jayaratne - madhuracj
 - bug #2974687, bug #2974692 [compatibility] PHPExcel : IBM AIX iconv() does not work,
-  thanks to Björn Wiberg - bwiberg
+  thanks to Björn Wiberg - bwiberg
 - bug #2983066 [interface] Flush table on table operations shows the query twice, 
-  thanks to Martynas Mickevičius - BlinK_
+  thanks to Martynas Mickevičius - BlinK_
 - bug #2983060, patch #2987900 [interface] Fix initial state of tables in
   designer, thanks to Sutharshan Balachandren.
 - bug #2983062, patch #2989408 [engines] Fix warnings when changing table
@@ -409,7 +415,7 @@ phpMyAdmin - ChangeLog
 + rfe #2839504 [engines] Support InnoDB plugin's new row formats 
 + [core] Added ability for synchronizing databases among servers.
 + [lang] #2843101 Dutch update, thanks to scavenger2008
-+ [lang] Galician update, thanks to Xosé Calvo - xosecalvo
++ [lang] Galician update, thanks to Xosé Calvo - xosecalvo
 + [export] Added MediaWiki export module,
   thanks to Derek Schaefer - drummingds1
 + [lang] Turkish update, thanks to Burak Yavuz
diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php
index c5f613b..8ec5ab4 100644
--- a/libraries/auth/swekey/swekey.auth.lib.php
+++ b/libraries/auth/swekey/swekey.auth.lib.php
@@ -143,7 +143,9 @@ function Swekey_auth_error()
         return "Internal Error: CA File $caFile not found";
 
     $result = null;
-    parse_str($_SERVER['QUERY_STRING']);
+	$swekey_id = $_GET['swekey_id'];
+	$swekey_otp = $_GET['swekey_otp'];
+
     if (isset($swekey_id)) {
         unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']);
         if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) {
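Review bot: The two added assignments read `$_GET['swekey_id']` and `$_GET['swekey_otp']` without checking that the keys exist or that the values are strings. A request without these parameters raises an undefined-index notice, and an array-valued parameter would pass the `isset($swekey_id)` test and reach code that expects a string. Consider `$swekey_id = (isset($_GET['swekey_id']) && is_string($_GET['swekey_id'])) ? $_GET['swekey_id'] : null;` and the same form for `$swekey_otp`. The added lines are also tab-indented while the surrounding context uses spaces. The body of Swekey_auth_error() continues outside this hunk.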
@@ -166,7 +168,7 @@ function Swekey_auth_error()
                 $result = __('No valid authentication key plugged');
                 if ($_SESSION['SWEKEY']['CONF_DEBUG'])
                 {
-                    $result .= "<br>".$swekey_id;
+                    $result .= "<br>" . htmlspecialchars($swekey_id);
                 }
                 unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file
              }
@@ -186,16 +188,16 @@ function Swekey_auth_error()
         <script>
 	    if (key.length != 32)
 	    {
-	        window.location.search="?swekey_id=" + key;
+	        window.location.search="?swekey_id=" + key + "&token=<?php echo $_SESSION[' PMA_token ']; ?>";
 	    }
 	    else
 	    {
 	        var url = "" + window.location;
 	        if (url.indexOf("?") > 0)
 	            url = url.substr(0, url.indexOf("?"));
-	        Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>");
+	        Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>&token=<?php echo $_SESSION[' PMA_token ']; ?>");
 	     	var otp = Swekey_GetOtp(key, <?php echo '"'.$_SESSION['SWEKEY']['RND_TOKEN'].'"';?>);
-	        window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp;
+	        window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp + "&token=<?php echo $_SESSION[' PMA_token ']; ?>";
 	    }
         </script>
         <?php
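Review bot: The added `<?php echo $_SESSION[' PMA_token ']; ?>` is written three times directly into JavaScript string literals that become URL query values, with no URL- or script-context encoding. The token is presumably server-generated and alphanumeric, so this is a defensive point rather than a demonstrated flaw. Building it once before the script block (which starts outside this hunk), e.g. `$token_param = '&token=' . urlencode($_SESSION[' PMA_token ']);`, and echoing that variable would remove the duplication and make the encoding explicit. The unchanged `session_to_unset=<?php echo session_id();?>` also puts the session identifier in a URL, where it can end up in logs or Referer headers; it is worth confirming the unplug callback needs it in that form.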
diff --git a/libraries/schema/User_Schema.class.php b/libraries/schema/User_Schema.class.php
index fbec138..cb42dde 100644
--- a/libraries/schema/User_Schema.class.php
+++ b/libraries/schema/User_Schema.class.php
@@ -567,10 +567,13 @@ class PMA_User_Schema
         require_once './libraries/transformations.lib.php';
         require_once './libraries/Index.class.php';
         /**
-         * default is PDF
+         * default is PDF, otherwise validate it's only letters a-z
          */
         global  $db,$export_type;
-        $export_type            = isset($export_type) ? $export_type : 'pdf';
+        if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) {
+            $export_type = 'pdf';
+        }
+
         PMA_DBI_select_db($db);
 
         include("./libraries/schema/".ucfirst($export_type)."_Relation_Schema.class.php");
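Review bot: In `preg_match('/^[a-zA-Z]+$/', $export_type)` the `$` anchor also matches just before a trailing newline, so a value ending in a line feed passes the check; `'/^[a-zA-Z]+\z/'` (or the `D` modifier) closes that. A letters-only pattern still accepts any name for which no `*_Relation_Schema.class.php` file exists, and the result of the `include(...)` on the last line is not checked, so comparing `$export_type` against a fixed list of the supported export types would be stricter. The same check is added in the schema_export.php hunk and the same points apply there. The updated comment says "a-z" while the pattern also accepts upper case. The enclosing method starts and ends outside this hunk.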
diff --git a/schema_export.php b/schema_export.php
index 0a21d32..3e1067d 100644
--- a/schema_export.php
+++ b/schema_export.php
@@ -37,7 +37,9 @@ include_once("./libraries/schema/Export_Relation_Schema.class.php");
  * default is PDF
  */
 global  $db,$export_type;
-$export_type = isset($export_type) ? $export_type : 'pdf';
+if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) {
+    $export_type = 'pdf';
+}
 PMA_DBI_select_db($db);
 
 $path = PMA_securePath(ucfirst($export_type));
diff --git a/sql.php b/sql.php
index 10e472a..83900ab 100644
--- a/sql.php
+++ b/sql.php
@@ -719,7 +719,7 @@ if (0 == $num_rows || $is_affected) {
             parse_str($_REQUEST['transform_fields_list'], $edited_values);
 
             foreach($mime_map as $transformation) {
-                $include_file = $transformation['transformation'];
+                $include_file = PMA_securePath($transformation['transformation']);
                 $column_name = $transformation['column_name'];
                 $column_data = $edited_values[$column_name];
 
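Review bot: The file name passed to `PMA_securePath()` still comes from the stored `$transformation['transformation']` value, and the definition of `PMA_securePath()` is not visible on this page. If it only strips path-traversal sequences, the stored value still decides which file is loaded further down, so checking the result against the set of shipped transformation files before including it would be a tighter control. Separately, `$edited_values[$column_name]` is read from a `parse_str()` of request data without an `isset()` guard, which raises a notice when the column is absent. The `foreach` body continues outside this hunk.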
diff --git a/tbl_printview.php b/tbl_printview.php
index 74b6818..ce007d1 100644
--- a/tbl_printview.php
+++ b/tbl_printview.php
@@ -69,7 +69,7 @@ if ($multi_tables) {
         $tbl_list .= (empty($tbl_list) ? '' : ', ')
                   . PMA_backquote($table);
     }
-    echo '<strong>'.  __('Show tables') . ': ' . $tbl_list . '</strong>' . "\n";
+    echo '<strong>'.  __('Show tables') . ': ' . htmlspecialchars($tbl_list) . '</strong>' . "\n";
     echo '<hr />' . "\n";
 } // end if
 
@@ -84,7 +84,7 @@ foreach ($the_tables as $key => $table) {
     }
     $counter++;
     echo '<div' . $breakstyle . '>' . "\n";
-    echo '<h1>' . $table . '</h1>' . "\n";
+    echo '<h1>' . htmlspecialchars($table) . '</h1>' . "\n";
 
     /**
      * Gets table informations


hooks/post-receive
-- 
phpMyAdmin



