[phpMyAdmin Git] [phpmyadmin/phpmyadmin] 75a558: Fix XSS in DB_search.php

Michal Čihař michal at cihar.com
Thu Jan 28 09:25:09 CET 2016


  Branch: refs/heads/master
  Home:   https://github.com/phpmyadmin/phpmyadmin
  Commit: 75a55824012406a08c4debf5ddb7ae41c32a7dbc
      https://github.com/phpmyadmin/phpmyadmin/commit/75a55824012406a08c4debf5ddb7ae41c32a7dbc
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M libraries/DbSearch.class.php

  Log Message:
  -----------
  Fix XSS in DB_search.php

Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>


  Commit: 5aee5035646c4fc617564cb0d3d58c0435d64d81
      https://github.com/phpmyadmin/phpmyadmin/commit/5aee5035646c4fc617564cb0d3d58c0435d64d81
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M setup/frames/form.inc.php
    M setup/index.php
    M setup/validate.php

  Log Message:
  -----------
  Fix path disclosure, items 1.4.x, 1.5 and 1.6

Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>


  Commit: 019c4f25d500ec5db9ba3b84cc961a7e4e850738
      https://github.com/phpmyadmin/phpmyadmin/commit/019c4f25d500ec5db9ba3b84cc961a7e4e850738
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M js/normalization.js

  Log Message:
  -----------
  Fix XSS in normalization.php

Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>


  Commit: edffb52884b09562490081c3b8666ef46c296418
      https://github.com/phpmyadmin/phpmyadmin/commit/edffb52884b09562490081c3b8666ef46c296418
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M templates/table/search/rows_zoom.phtml

  Log Message:
  -----------
  Fix XSS in zoom search

Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>


  Commit: ec0e88e37ef30a66eada1c072953f4ec385a3e49
      https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e49
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M libraries/common.inc.php
    M libraries/core.lib.php

  Log Message:
  -----------
  Use hash_equals for comparing token

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 0a24f92d081033576bfdd9d4bdec1a54501734c1
      https://github.com/phpmyadmin/phpmyadmin/commit/0a24f92d081033576bfdd9d4bdec1a54501734c1
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M import_status.php
    M libraries/Response.class.php
    M libraries/core.lib.php
    M libraries/display_import_ajax.lib.php
    M lint.php
    M normalization.php
    M setup/validate.php
    M version_check.php

  Log Message:
  -----------
  Set correct content type for JSON responses

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: f20970d32c3dfdf82aef7b6c244da1f769043813
      https://github.com/phpmyadmin/phpmyadmin/commit/f20970d32c3dfdf82aef7b6c244da1f769043813
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M libraries/session.inc.php

  Log Message:
  -----------
  Use phpseclib's Crypt::Random to generate CSRF token

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: cb7748ac9cffcd1cd0f3081499cd4aafa9d1065e
      https://github.com/phpmyadmin/phpmyadmin/commit/cb7748ac9cffcd1cd0f3081499cd4aafa9d1065e
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M libraries/phpseclib/Crypt/AES.php
    M libraries/phpseclib/Crypt/Base.php
    M libraries/phpseclib/Crypt/Random.php
    M libraries/phpseclib/Crypt/Rijndael.php

  Log Message:
  -----------
  Update phpseclib to 2.0.1

New version uses PHP 7.0 random_bytes to generate cryptographically secure
pseudo-random bytes.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 11496890d7e21786cbfd9fd17ab968f498116b3f
      https://github.com/phpmyadmin/phpmyadmin/commit/11496890d7e21786cbfd9fd17ab968f498116b3f
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-19 (Tue, 19 Jan 2016)

  Changed paths:
    M js/codemirror/addon/lint/sql-lint.js

  Log Message:
  -----------
  Tell jQuery we're expecting JSON here

It's better to be explicit rather than relying on autodetection.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: aca42efa01917cc0fe8cfdb2927a6399ca1742f2
      https://github.com/phpmyadmin/phpmyadmin/commit/aca42efa01917cc0fe8cfdb2927a6399ca1742f2
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-25 (Mon, 25 Jan 2016)

  Changed paths:
    M templates/header_location.phtml

  Log Message:
  -----------
  Escape javascript variable content

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 671d61830417101352fd8153f276f8854bb17fd0
      https://github.com/phpmyadmin/phpmyadmin/commit/671d61830417101352fd8153f276f8854bb17fd0
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-25 (Mon, 25 Jan 2016)

  Changed paths:
    M ChangeLog
    M db_create.php
    M db_designer.php
    M export.php
    M gis_data_editor.php
    M js/server_status_monitor.js
    M js/server_status_variables.js
    M js/server_variables.js
    M libraries/sql.lib.php
    M schema_export.php
    M test/libraries/PMA_operations_test.php

  Log Message:
  -----------
  Merge branch 'MAINT_4_5_4' into MAINT_4_5_4-security


  Commit: 8dedcc1a175eb07debd4fe116407c43694c60b22
      https://github.com/phpmyadmin/phpmyadmin/commit/8dedcc1a175eb07debd4fe116407c43694c60b22
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-25 (Mon, 25 Jan 2016)

  Changed paths:
    M js/functions.js

  Log Message:
  -----------
  Use secure RNG if available

Recent browsers come with a better RNG, so let's use it for generating
passwords instead of Math.random if available.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 912856b432d794201884c36e5f390d446339b6e4
      https://github.com/phpmyadmin/phpmyadmin/commit/912856b432d794201884c36e5f390d446339b6e4
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-25 (Mon, 25 Jan 2016)

  Changed paths:
    M js/functions.js

  Log Message:
  -----------
  Use full alphabet to generate random passwords

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 3bb784045b7d75e530bdb34522e59d7ad233ba15
      https://github.com/phpmyadmin/phpmyadmin/commit/3bb784045b7d75e530bdb34522e59d7ad233ba15
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M libraries/phpseclib/Crypt/AES.php
    M libraries/phpseclib/Crypt/Base.php
    M libraries/phpseclib/Crypt/Random.php
    M libraries/phpseclib/Crypt/Rijndael.php
    M libraries/session.inc.php

  Log Message:
  -----------
  Merge pull request #4 from phpmyadmin/random

Improve token generation


  Commit: 8aa28962f14b5fc6aba8cf018b7e347d4854f427
      https://github.com/phpmyadmin/phpmyadmin/commit/8aa28962f14b5fc6aba8cf018b7e347d4854f427
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M import_status.php
    M js/codemirror/addon/lint/sql-lint.js
    M libraries/Response.class.php
    M libraries/core.lib.php
    M libraries/display_import_ajax.lib.php
    M lint.php
    M normalization.php
    M setup/validate.php
    M version_check.php

  Log Message:
  -----------
  Merge pull request #6 from phpmyadmin/json-header

Set correct content type for JSON responses


  Commit: c8615de52a8ad0ec235c6c6efcab1e7a6f8914df
      https://github.com/phpmyadmin/phpmyadmin/commit/c8615de52a8ad0ec235c6c6efcab1e7a6f8914df
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M templates/header_location.phtml

  Log Message:
  -----------
  Merge pull request #7 from phpmyadmin/iis-escape

Escape javascript variable content


  Commit: 1d885f90bc35cae54e348260e8a960754c6c3155
      https://github.com/phpmyadmin/phpmyadmin/commit/1d885f90bc35cae54e348260e8a960754c6c3155
  Author: Madhura Jayaratne <madhura.cj at gmail.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M js/functions.js

  Log Message:
  -----------
  Merge pull request #8 from phpmyadmin/js-password

Improve JS password generating


  Commit: 7ffd8d69a17fab5eee144a7e68990da35e45f089
      https://github.com/phpmyadmin/phpmyadmin/commit/7ffd8d69a17fab5eee144a7e68990da35e45f089
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M libraries/common.inc.php
    M libraries/core.lib.php

  Log Message:
  -----------
  Merge pull request #5 from phpmyadmin/hash_equals

Use hash_equals for comparing token


  Commit: 85ccdbb5b9c6c7a9830e5cb468662837a59a7aa3
      https://github.com/phpmyadmin/phpmyadmin/commit/85ccdbb5b9c6c7a9830e5cb468662837a59a7aa3
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M libraries/common.inc.php

  Log Message:
  -----------
  Include common libraries in setup

We use PMA_fatalError which in turn needs Response and related objects.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 447c88f4884fe30a25d38c331c31d820a19f8c93
      https://github.com/phpmyadmin/phpmyadmin/commit/447c88f4884fe30a25d38c331c31d820a19f8c93
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M setup/lib/common.inc.php

  Log Message:
  -----------
  Can not use PMA_fatalError when including fails

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: f83b52737e321005959497d8e8f59f8aaedc9048
      https://github.com/phpmyadmin/phpmyadmin/commit/f83b52737e321005959497d8e8f59f8aaedc9048
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M libraries/common.inc.php

  Log Message:
  -----------
  Do not process subforms with PMA_MINIMUM_COMMON

In such a case the needed infrastructure is not loaded, so related code won't
work anyway.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 76b10187c38634a29d6780f99f6dcd796191073b
      https://github.com/phpmyadmin/phpmyadmin/commit/76b10187c38634a29d6780f99f6dcd796191073b
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M libraries/DatabaseInterface.class.php

  Log Message:
  -----------
  Fallback to default collation connection

If the user supplied a wrong string we should gracefully fall back.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: c57d3cc7b97b5f32801032f7bb222297aa97dfea
      https://github.com/phpmyadmin/phpmyadmin/commit/c57d3cc7b97b5f32801032f7bb222297aa97dfea
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M libraries/sql-parser/autoload.php

  Log Message:
  -----------
  Avoid invalid invocation of SQL parser

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 0cade5712a719f15c44a436895fff3802f1169a5
      https://github.com/phpmyadmin/phpmyadmin/commit/0cade5712a719f15c44a436895fff3802f1169a5
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M test/libraries/core/PMA_headerLocation_test.php

  Log Message:
  -----------
  Fix test expectations

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 60530a1df9f71870d045eef6ae3a845aa58f7973
      https://github.com/phpmyadmin/phpmyadmin/commit/60530a1df9f71870d045eef6ae3a845aa58f7973
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-26 (Tue, 26 Jan 2016)

  Changed paths:
    M .travis.yml

  Log Message:
  -----------
  Merge branch 'MAINT_4_5_4' into MAINT_4_5_4-security


  Commit: d4b9c22c1f8465bda5b6a83dc7e2cf59c3fe44e1
      https://github.com/phpmyadmin/phpmyadmin/commit/d4b9c22c1f8465bda5b6a83dc7e2cf59c3fe44e1
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-27 (Wed, 27 Jan 2016)

  Changed paths:
    M libraries/common.inc.php

  Log Message:
  -----------
  Enable localization before redirect

This is needed in the case of IIS, which needs a full HTML response.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 5a3de108f26e4b0dddadddbe8ccdb1dd5526771f
      https://github.com/phpmyadmin/phpmyadmin/commit/5a3de108f26e4b0dddadddbe8ccdb1dd5526771f
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-27 (Wed, 27 Jan 2016)

  Changed paths:
    M libraries/phpseclib/Crypt/AES.php
    M libraries/phpseclib/Crypt/Rijndael.php

  Log Message:
  -----------
  Avoid execution outside phpMyAdmin

This is hacky, but avoids path disclosure on direct access to the
scripts.

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: c9536a88e9d49a67bcfed4873e476aff4b0782b1
      https://github.com/phpmyadmin/phpmyadmin/commit/c9536a88e9d49a67bcfed4873e476aff4b0782b1
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-27 (Wed, 27 Jan 2016)

  Changed paths:
    M libraries/phpseclib/Crypt/AES.php
    M libraries/phpseclib/Crypt/Rijndael.php

  Log Message:
  -----------
  Move security check behind namespace

Signed-off-by: Michal Čihař <michal at cihar.com>


  Commit: 2870a797f366589d89bc23c6cf29681f17ce3a89
      https://github.com/phpmyadmin/phpmyadmin/commit/2870a797f366589d89bc23c6cf29681f17ce3a89
  Author: Isaac Bennetch <bennetch at gmail.com>
  Date:   2016-01-27 (Wed, 27 Jan 2016)

  Changed paths:
    M README
    M doc/conf.py
    M libraries/Config.class.php

  Log Message:
  -----------
  Release 4.5.4

Signed-off-by: Isaac Bennetch <bennetch at gmail.com>


  Commit: 1d6efadaeac366a11b430bd70935d1a75d9bfbb8
      https://github.com/phpmyadmin/phpmyadmin/commit/1d6efadaeac366a11b430bd70935d1a75d9bfbb8
  Author: Isaac Bennetch <bennetch at gmail.com>
  Date:   2016-01-28 (Thu, 28 Jan 2016)

  Changed paths:
    M import_status.php
    M js/codemirror/addon/lint/sql-lint.js
    M js/functions.js
    M js/normalization.js
    M libraries/DatabaseInterface.class.php
    M libraries/DbSearch.class.php
    M libraries/Response.class.php
    M libraries/common.inc.php
    M libraries/core.lib.php
    M libraries/display_import_ajax.lib.php
    M libraries/phpseclib/Crypt/AES.php
    M libraries/phpseclib/Crypt/Base.php
    M libraries/phpseclib/Crypt/Random.php
    M libraries/phpseclib/Crypt/Rijndael.php
    M libraries/session.inc.php
    M libraries/sql-parser/autoload.php
    M lint.php
    M normalization.php
    M setup/frames/form.inc.php
    M setup/index.php
    M setup/lib/common.inc.php
    M setup/validate.php
    M templates/header_location.phtml
    M templates/table/search/rows_zoom.phtml
    M test/libraries/core/PMA_headerLocation_test.php
    M version_check.php

  Log Message:
  -----------
  Fix merge conflicts

Signed-off-by: Isaac Bennetch <bennetch at gmail.com>


  Commit: ed96969ff991005899916f95590761addb38a31c
      https://github.com/phpmyadmin/phpmyadmin/commit/ed96969ff991005899916f95590761addb38a31c
  Author: Michal Čihař <michal at cihar.com>
  Date:   2016-01-28 (Thu, 28 Jan 2016)

  Changed paths:
    M import_status.php
    M js/codemirror/addon/lint/sql-lint.js
    M js/functions.js
    M js/normalization.js
    M libraries/DatabaseInterface.php
    M libraries/DbSearch.php
    M libraries/Response.php
    M libraries/common.inc.php
    M libraries/core.lib.php
    M libraries/display_import_ajax.lib.php
    M libraries/phpseclib/Crypt/AES.php
    M libraries/phpseclib/Crypt/Base.php
    M libraries/phpseclib/Crypt/Random.php
    M libraries/phpseclib/Crypt/Rijndael.php
    M libraries/session.inc.php
    M libraries/session.lib.php
    M libraries/sql-parser/autoload.php
    M lint.php
    M normalization.php
    M setup/frames/form.inc.php
    M setup/index.php
    M setup/lib/common.inc.php
    M setup/validate.php
    M templates/header_location.phtml
    M templates/table/search/rows_zoom.phtml
    M test/libraries/core/PMA_headerLocation_test.php
    M version_check.php

  Log Message:
  -----------
  Merge branch 'QA_4_5'


Compare: https://github.com/phpmyadmin/phpmyadmin/compare/439feae865fd...ed96969ff991