[phpMyAdmin Git] [phpmyadmin/phpmyadmin] b39c02: [Security] Fix path disclosure, items 1.4.x, 1.5 a...
Isaac Bennetch
bennetch at gmail.com
Thu Jan 28 07:05:11 CET 2016
Branch: refs/heads/MAINT_4_4_15
Home: https://github.com/phpmyadmin/phpmyadmin
Commit: b39c02b0a82b13d2198276d228051139e6b838d9
https://github.com/phpmyadmin/phpmyadmin/commit/b39c02b0a82b13d2198276d228051139e6b838d9
Author: Madhura Jayaratne <madhura.cj at gmail.com>
Date: 2016-01-15 (Fri, 15 Jan 2016)
Changed paths:
M setup/frames/form.inc.php
M setup/index.php
M setup/validate.php
Log Message:
-----------
[Security] Fix path disclosure, items 1.4.x, 1.5 and 1.6
Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
Commit: 2b3f915f72bfe7eb9ae60a69582f041ddc55f663
https://github.com/phpmyadmin/phpmyadmin/commit/2b3f915f72bfe7eb9ae60a69582f041ddc55f663
Author: Madhura Jayaratne <madhura.cj at gmail.com>
Date: 2016-01-19 (Tue, 19 Jan 2016)
Changed paths:
M libraries/DbSearch.class.php
Log Message:
-----------
Fix XSS in DB_search.php
Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
Commit: 8f86713de6163ccd0f8bd9987251a9d17feaee18
https://github.com/phpmyadmin/phpmyadmin/commit/8f86713de6163ccd0f8bd9987251a9d17feaee18
Author: Madhura Jayaratne <madhura.cj at gmail.com>
Date: 2016-01-19 (Tue, 19 Jan 2016)
Changed paths:
M js/normalization.js
Log Message:
-----------
Fix XSS in normalization.php
Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
Commit: 75de41635d387e1c3c8d71a746241502a90c8422
https://github.com/phpmyadmin/phpmyadmin/commit/75de41635d387e1c3c8d71a746241502a90c8422
Author: Madhura Jayaratne <madhura.cj at gmail.com>
Date: 2016-01-19 (Tue, 19 Jan 2016)
Changed paths:
M libraries/TableSearch.class.php
Log Message:
-----------
Fix XSS in zoom search
Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
Commit: 8b6737735be5787d0b98c6cdfe2c7e3131b1bc95
https://github.com/phpmyadmin/phpmyadmin/commit/8b6737735be5787d0b98c6cdfe2c7e3131b1bc95
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M js/functions.js
Log Message:
-----------
Use secure RNG if available
Recent browsers come with a better RNG, so let's use it for generating
passwords instead of Math.random if available.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 5530a72e162fab442218486a90ff3365c96fde98
https://github.com/phpmyadmin/phpmyadmin/commit/5530a72e162fab442218486a90ff3365c96fde98
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M js/functions.js
Log Message:
-----------
Use full alphabet to generate random passwords
Signed-off-by: Michal Čihař <michal at cihar.com>
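The two commits above change how the password generator in js/functions.js draws its characters: a browser CSPRNG (window.crypto.getRandomValues) when present, Math.random otherwise, and the full letter-and-digit alphabet. The following is an added example written for this page, not the project's js/functions.js code. It assumes it runs either in a browser or in Node (where the same API is reachable via globalThis.crypto or require('crypto').webcrypto), and it goes one step beyond the commits by drawing indices with rejection sampling so that a byte modulo 62 does not favour the first eight symbols:

```javascript
// Added example (not phpMyAdmin code): random password generation that
// prefers the Web Crypto CSPRNG and falls back to Math.random only when
// no secure source exists.

// Full alphabet: lower case, upper case and digits (62 symbols).
const PASSWORD_ALPHABET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Locate a function that fills a Uint8Array with CSPRNG bytes, or null.
// Browsers expose window.crypto.getRandomValues; Node exposes the same
// API on globalThis.crypto (19+) or require('crypto').webcrypto (15+).
function findSecureFill() {
  const g = globalThis.crypto;
  if (g && typeof g.getRandomValues === 'function') {
    return (buf) => g.getRandomValues(buf);
  }
  try {
    // Assumption: running under Node in CommonJS mode.
    const nodeCrypto = typeof require === 'function' ? require('crypto') : null;
    if (nodeCrypto && nodeCrypto.webcrypto) {
      return (buf) => nodeCrypto.webcrypto.getRandomValues(buf);
    }
  } catch (e) {
    // fall through to the insecure fallback
  }
  return null;
}

// Insecure fallback with the same interface, used only when no CSPRNG exists.
function mathRandomFill(buf) {
  for (let i = 0; i < buf.length; i++) {
    buf[i] = Math.floor(Math.random() * 256);
  }
  return buf;
}

// Draw one alphabet index by rejection sampling so every symbol is equally
// likely: a raw byte mod 62 would favour indices 0..7 (256 = 4*62 + 8).
function secureIndex(fill, alphabetLength) {
  const limit = 256 - (256 % alphabetLength); // 248 for a 62-symbol alphabet
  const byte = new Uint8Array(1);
  for (;;) {
    fill(byte);
    if (byte[0] < limit) return byte[0] % alphabetLength;
  }
}

// Returns the password and whether a CSPRNG (rather than Math.random) fed it.
// options.fill lets a caller (or a test) inject the byte source.
function generatePassword(length, options = {}) {
  const alphabet = options.alphabet || PASSWORD_ALPHABET;
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must have between 2 and 256 symbols');
  }
  const fill = options.fill || findSecureFill() || mathRandomFill;
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[secureIndex(fill, alphabet.length)];
  }
  return { password: out, secure: fill !== mathRandomFill };
}

if (typeof require === 'function' && require.main === module) {
  const r = generatePassword(16);
  console.log(r.password, r.secure ? '(CSPRNG)' : '(Math.random fallback)');
}
```

The `secure` flag is worth surfacing in a UI: a generator that silently degraded to Math.random is exactly what the commit set out to avoid, and a user cannot tell the two outputs apart by looking at them.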
Commit: 91638c04d1f2c3977560a5b9db3ac3879a38691b
https://github.com/phpmyadmin/phpmyadmin/commit/91638c04d1f2c3977560a5b9db3ac3879a38691b
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M libraries/session.inc.php
Log Message:
-----------
Use phpseclib's Crypt::Random to generate CSRF token
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 13384f7f47dadb02cfe950af0413c7d3e136df8e
https://github.com/phpmyadmin/phpmyadmin/commit/13384f7f47dadb02cfe950af0413c7d3e136df8e
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M libraries/phpseclib/Crypt/AES.php
M libraries/phpseclib/Crypt/Base.php
M libraries/phpseclib/Crypt/Random.php
M libraries/phpseclib/Crypt/Rijndael.php
Log Message:
-----------
Update phpseclib to 2.0.1
The new version uses PHP 7.0's random_bytes to generate cryptographically secure
pseudo-random bytes.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 3303b3d6c304d71da4a7d242307bf449aaa955c5
https://github.com/phpmyadmin/phpmyadmin/commit/3303b3d6c304d71da4a7d242307bf449aaa955c5
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M libraries/common.inc.php
M libraries/core.lib.php
Log Message:
-----------
Use hash_equals for comparing token
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 1414d60cbfe01a2d08ab9d5e6a7178a6323fca68
https://github.com/phpmyadmin/phpmyadmin/commit/1414d60cbfe01a2d08ab9d5e6a7178a6323fca68
Author: Madhura Jayaratne <madhura.cj at gmail.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M libraries/core.lib.php
Log Message:
-----------
Escape javascript variable content
Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
Commit: 470cd68344e86915679356dcc2cdb88c63a1d91d
https://github.com/phpmyadmin/phpmyadmin/commit/470cd68344e86915679356dcc2cdb88c63a1d91d
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M libraries/common.inc.php
Log Message:
-----------
Include common libraries in setup
We use PMA_fatalError, which in turn needs Response and related objects.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: b95360334d69b032b58cafb7d29db6670e9c7224
https://github.com/phpmyadmin/phpmyadmin/commit/b95360334d69b032b58cafb7d29db6670e9c7224
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M setup/lib/common.inc.php
Log Message:
-----------
Cannot use PMA_fatalError when including fails
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: d63a8ab7e028925707902266fc989760118a4c72
https://github.com/phpmyadmin/phpmyadmin/commit/d63a8ab7e028925707902266fc989760118a4c72
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M libraries/common.inc.php
Log Message:
-----------
Do not process subforms with PMA_MINIMUM_COMMON
In such a case the needed infrastructure is not loaded, so the related code
won't work anyway.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 879a14ad165b475ec58ceab33687d7cc5913a63b
https://github.com/phpmyadmin/phpmyadmin/commit/879a14ad165b475ec58ceab33687d7cc5913a63b
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M libraries/DatabaseInterface.class.php
Log Message:
-----------
Fallback to default collation connection
If the user supplied a wrong string we should gracefully fall back.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: ccf3c36f474f8b202c7d3b167b2477d23fd5b8e6
https://github.com/phpmyadmin/phpmyadmin/commit/ccf3c36f474f8b202c7d3b167b2477d23fd5b8e6
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-26 (Tue, 26 Jan 2016)
Changed paths:
M .travis.yml
M libraries/VersionInformation.php
Log Message:
-----------
Merge branch 'MAINT_4_4_15' into MAINT_4_4_15-security
Commit: d0a9baef3728a37120d53dc0a96abf04ace139da
https://github.com/phpmyadmin/phpmyadmin/commit/d0a9baef3728a37120d53dc0a96abf04ace139da
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-27 (Wed, 27 Jan 2016)
Changed paths:
M libraries/common.inc.php
Log Message:
-----------
Enable localization before redirect
This is needed in the case of IIS, which needs a full HTML response.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 3b96f3600651163b8c1d9b6ff7ebd0b142412993
https://github.com/phpmyadmin/phpmyadmin/commit/3b96f3600651163b8c1d9b6ff7ebd0b142412993
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-27 (Wed, 27 Jan 2016)
Changed paths:
M libraries/phpseclib/Crypt/AES.php
M libraries/phpseclib/Crypt/Rijndael.php
Log Message:
-----------
Avoid execution outside phpMyAdmin
This is hacky, but avoids path disclosure on direct access to the
scripts.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 11eeed0c0577acc256ad1a331cda7e65d51d3a41
https://github.com/phpmyadmin/phpmyadmin/commit/11eeed0c0577acc256ad1a331cda7e65d51d3a41
Author: Michal Čihař <michal at cihar.com>
Date: 2016-01-27 (Wed, 27 Jan 2016)
Changed paths:
M libraries/phpseclib/Crypt/AES.php
M libraries/phpseclib/Crypt/Rijndael.php
Log Message:
-----------
Move security check behind namespace
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: c21937440af0b0b2ed752f229c3d2523ac178d85
https://github.com/phpmyadmin/phpmyadmin/commit/c21937440af0b0b2ed752f229c3d2523ac178d85
Author: Isaac Bennetch <bennetch at gmail.com>
Date: 2016-01-27 (Wed, 27 Jan 2016)
Changed paths:
M README
M doc/conf.py
M libraries/Config.class.php
Log Message:
-----------
Release 4.4.15.3
Signed-off-by: Isaac Bennetch <bennetch at gmail.com>
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/01d0e0975f68...c21937440af0