[Phpmyadmin-git] [SCM] phpMyAdmin branch, master, updated. RELEASE_3_4_1RC1-1800-g15e0b38

Marc Delisle lem9 at users.sourceforge.net
Fri May 20 18:57:58 CEST 2011


The branch, master has been updated
       via  15e0b38073a02c38a67459ceb3bbab4f3b935b03 (commit)
       via  20cf17923e321718aa6d19fb9dc846625c1879fb (commit)
       via  89c8f3cbfe5356995ad71e5a41438e81fa994a55 (commit)
       via  a4c168a3a35bbdbf058a2e6fd1d2673c52821279 (commit)
       via  8fd8e3efd86b119ca5be7aaa9e047c92bfd06c23 (commit)
       via  7e10c132a3887c8ebfd7a8eee356b28375f1e287 (commit)
       via  d3ccf798fdbd4f8a89d4088130637d8dee918492 (commit)
      from  fc59c64fbd94a408f0500576d97ba7d29a254d00 (commit)


- Log -----------------------------------------------------------------
commit 15e0b38073a02c38a67459ceb3bbab4f3b935b03
Merge: a4c168a3a35bbdbf058a2e6fd1d2673c52821279 20cf17923e321718aa6d19fb9dc846625c1879fb
Author: Marc Delisle <marc at infomarc.info>
Date:   Fri May 20 12:55:55 2011 -0400

    Merge branch 'QA_3_4'

commit a4c168a3a35bbdbf058a2e6fd1d2673c52821279
Merge: fc59c64fbd94a408f0500576d97ba7d29a254d00 8fd8e3efd86b119ca5be7aaa9e047c92bfd06c23
Author: Marc Delisle <marc at infomarc.info>
Date:   Fri May 20 12:51:47 2011 -0400

    Merge branch 'QA_3_4'

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                   |    4 ++++
 libraries/tbl_links.inc.php |    2 +-
 tbl_tracking.php            |   12 ++++++------
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7f90d9a..09d7c13 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,7 @@
 - bug #3285929 [privileges] Revert temporary fix
 - bug #3302872 [synchronize] Synchronize and user name
 - bug #3302733 [core] Some browsers report an insecure https connection
+- [security] Make redirector require valid token
 
 3.4.0.0 (2011-05-11)
 + rfe #2890226 [view] Enable VIEW rename 
@@ -179,6 +180,9 @@
 
 3.3.11.0 (not yet released)
 
+3.3.10.1 (2011-05-20)
+- [security] XSS on Tracking page
+
 3.3.10.0 (2011-03-19)
 - patch #3147400 [structure] Aria table size printed as unknown,
   thanks to erickoh75 - erickoh75
diff --git a/libraries/tbl_links.inc.php b/libraries/tbl_links.inc.php
index bc72d21..e31dd53 100644
--- a/libraries/tbl_links.inc.php
+++ b/libraries/tbl_links.inc.php
@@ -112,7 +112,7 @@ unset($tabs);
 
 if(PMA_Tracker::isActive() and PMA_Tracker::isTracked($GLOBALS["db"], $GLOBALS["table"]))
 {
-    $msg = PMA_Message::notice('<a href="tbl_tracking.php?'.$url_query.'">'.sprintf(__('Tracking of %s.%s is activated.'), $GLOBALS["db"], $GLOBALS["table"]).'</a>');
+    $msg = PMA_Message::notice('<a href="tbl_tracking.php?'.$url_query.'">'.sprintf(__('Tracking of %s.%s is activated.'), htmlspecialchars($GLOBALS["db"]), htmlspecialchars($GLOBALS["table"])).'</a>');
     $msg->display();
 }
 
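Review bot: The string handed to `PMA_Message::notice()` on the changed line carries its own `<a href=…>` markup, so it appears to be emitted as HTML, and nothing in the hunk records that every interpolated value must be encoded at this call site. A one-line comment above the assignment would help the next edit keep that invariant, e.g. `// message is output as HTML: encode every interpolated value`. `$url_query` is still concatenated into the `href` attribute as-is; it is built outside this hunk, so confirm that it is already HTML-encoded where it is generated. The same `$url_query` pattern sits in the form `action` attributes of the tbl_tracking.php hunks further down.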
diff --git a/tbl_tracking.php b/tbl_tracking.php
index 0534851..a708f0a 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -179,7 +179,7 @@ if (isset($_REQUEST['submit_create_version'])) {
     $tracking_set = rtrim($tracking_set, ',');
 
     if (PMA_Tracker::createVersion($GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version'], $tracking_set )) {
-        $msg = PMA_Message::success(sprintf(__('Version %s is created, tracking for %s.%s is activated.'), $_REQUEST['version'], $GLOBALS['db'], $GLOBALS['table']));
+        $msg = PMA_Message::success(sprintf(__('Version %s is created, tracking for %s.%s is activated.'), $_REQUEST['version'], htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])));
         $msg->display();
     }
 }
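Review bot: `$_REQUEST['version']` is still passed to `sprintf()` unencoded in the success message, right beside the newly escaped db and table names. The value comes from the request, and since this commit treats the message as HTML output it should get the same encoding: `htmlspecialchars($_REQUEST['version'])`. The two hunks that follow (`submit_deactivate_now` and `submit_activate_now`) have the same gap. Whether `PMA_Tracker` restricts the version to an integer is not visible here, and the enclosing `if` block starts above the hunk.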
@@ -187,7 +187,7 @@ if (isset($_REQUEST['submit_create_version'])) {
 // Deactivate tracking
 if (isset($_REQUEST['submit_deactivate_now'])) {
     if (PMA_Tracker::deactivateTracking($GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version'])) {
-        $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is deactivated.'), $GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version']));
+        $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is deactivated.'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table']), $_REQUEST['version']));
         $msg->display();
     }
 }
@@ -195,7 +195,7 @@ if (isset($_REQUEST['submit_deactivate_now'])) {
 // Activate tracking
 if (isset($_REQUEST['submit_activate_now'])) {
     if (PMA_Tracker::activateTracking($GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version'])) {
-        $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is activated.'), $GLOBALS['db'], $GLOBALS['table'], $_REQUEST['version']));
+        $msg = PMA_Message::success(sprintf(__('Tracking for %s.%s , version %s is activated.'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table']), $_REQUEST['version']));
         $msg->display();
     }
 }
@@ -689,7 +689,7 @@ if ($last_version > 0) {
         <div id="div_deactivate_tracking">
         <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>">
         <fieldset>
-            <legend><?php printf(__('Deactivate tracking for %s.%s'), $GLOBALS['db'], $GLOBALS['table']); ?></legend>
+            <legend><?php printf(__('Deactivate tracking for %s.%s'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])); ?></legend>
             <input type="hidden" name="version" value="<?php echo $last_version; ?>" />
             <input type="submit" name="submit_deactivate_now" value="<?php echo __('Deactivate now'); ?>" />
         </fieldset>
@@ -702,7 +702,7 @@ if ($last_version > 0) {
         <div id="div_activate_tracking">
         <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>">
         <fieldset>
-            <legend><?php printf(__('Activate tracking for %s.%s'), $GLOBALS['db'], $GLOBALS['table']); ?></legend>
+            <legend><?php printf(__('Activate tracking for %s.%s'), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])); ?></legend>
             <input type="hidden" name="version" value="<?php echo $last_version; ?>" />
             <input type="submit" name="submit_activate_now" value="<?php echo __('Activate now'); ?>" />
         </fieldset>
@@ -717,7 +717,7 @@ if ($last_version > 0) {
 <form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>">
 <?php echo PMA_generate_common_hidden_inputs($GLOBALS['db'], $GLOBALS['table']); ?>
 <fieldset>
-    <legend><?php printf(__('Create version %s of %s.%s'), ($last_version + 1), $GLOBALS['db'], $GLOBALS['table']); ?></legend>
+    <legend><?php printf(__('Create version %s of %s.%s'), ($last_version + 1), htmlspecialchars($GLOBALS['db']), htmlspecialchars($GLOBALS['table'])); ?></legend>
 
     <input type="hidden" name="version" value="<?php echo ($last_version + 1); ?>" />
 


hooks/post-receive
-- 
phpMyAdmin



