[phpMyAdmin Git] [phpmyadmin/phpmyadmin] 285e56: Strip null bytes from MySQL username
Isaac Bennetch
bennetch at gmail.com
Fri Nov 25 07:14:59 CET 2016
Branch: refs/heads/MAINT_4_0_10
Home: https://github.com/phpmyadmin/phpmyadmin
Commit: 285e5623b638cb414b3c3e5ab7c0f3126d616b54
https://github.com/phpmyadmin/phpmyadmin/commit/285e5623b638cb414b3c3e5ab7c0f3126d616b54
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/core.lib.php
M libraries/plugins/auth/AuthenticationCookie.class.php
M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message:
-----------
Strip null bytes from MySQL username
In old PHP versions this could lead to allow/deny rules bypass.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 58245cb1cc25a1b167941cf30a4cc742a27c0b5b
https://github.com/phpmyadmin/phpmyadmin/commit/58245cb1cc25a1b167941cf30a4cc742a27c0b5b
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/ip_allow_deny.lib.php
Log Message:
-----------
Use hash_equals for comparing username in allow/deny rules
The comparison should happen in constant time to avoid possible leak of
usernames in rules.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 6117ad5cef7bbe3ff080efb557bbafaff757e0ea
https://github.com/phpmyadmin/phpmyadmin/commit/6117ad5cef7bbe3ff080efb557bbafaff757e0ea
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/plugins/auth/AuthenticationCookie.class.php
M libraries/plugins/auth/AuthenticationHttp.class.php
Log Message:
-----------
Use hash_equals for checking username
This makes the comparison happen in constant time and makes it
impossible to use it to guess stored usernames.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: f2add98bd93fa96da130214e78eacb01893aa89a
https://github.com/phpmyadmin/phpmyadmin/commit/f2add98bd93fa96da130214e78eacb01893aa89a
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/Error.class.php
M test/classes/PMA_Error_test.php
Log Message:
-----------
Strip path even if openbasedir restrictions apply
This really should not be the case here as what we get here is code
executed by PHP, so it should have already passed openbasedir
restrictions.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: c2f7a898ddf69422af218718d20c7eb6af62cb88
https://github.com/phpmyadmin/phpmyadmin/commit/c2f7a898ddf69422af218718d20c7eb6af62cb88
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M js/ajax.js
Log Message:
-----------
Store copy of hash instead of working on live object
This avoids possible race conditions when doing the checks.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 096856c70c1b8b1b9a94a54ee780f7be623fd1c5
https://github.com/phpmyadmin/phpmyadmin/commit/096856c70c1b8b1b9a94a54ee780f7be623fd1c5
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/navigation/NavigationHeader.class.php
Log Message:
-----------
Stricter validation of NavigationLogoLink
It now has to be URL including scheme. Otherwise it's not really
possible to validate it for being just http/https.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: b2605ebba6ca729fd0157a0774d173e3ec04eabb
https://github.com/phpmyadmin/phpmyadmin/commit/b2605ebba6ca729fd0157a0774d173e3ec04eabb
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M js/config.js
Log Message:
-----------
Fix hash validation
- use copy of hash to avoid race condition
- stricter regex to match whole string
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 67700620db6b494c9ecab9f4268d30cf4afb01b3
https://github.com/phpmyadmin/phpmyadmin/commit/67700620db6b494c9ecab9f4268d30cf4afb01b3
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-18 (Thu, 18 Aug 2016)
Changed paths:
M libraries/DBQbe.class.php
Log Message:
-----------
Limit maximal number of rows in QBE
User would be lost in them anyway by that count and it prevents DOS.
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: d37abc38daca9c1ebc074e3b4e9b2bdfc1cf523d
https://github.com/phpmyadmin/phpmyadmin/commit/d37abc38daca9c1ebc074e3b4e9b2bdfc1cf523d
Author: Michal Čihař <michal at cihar.com>
Date: 2016-08-24 (Wed, 24 Aug 2016)
Changed paths:
M ChangeLog
M index.php
Log Message:
-----------
Do not show warning about short blowfish_secret if none is set
With empty blowfish_secret user would always get both warnings...
Fixes #12485
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 0c3dfd186c281710516805f97a9875149abeb3ce
https://github.com/phpmyadmin/phpmyadmin/commit/0c3dfd186c281710516805f97a9875149abeb3ce
Author: Michal Čihař <michal at cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M import.php
Log Message:
-----------
Fix possible DOS on too big skip value
- loop only as long as long we have data to skip
- convert skip parameter to integer
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: af7c58939155d407233c8c3bf6f2ad3e540f489a
https://github.com/phpmyadmin/phpmyadmin/commit/af7c58939155d407233c8c3bf6f2ad3e540f489a
Author: Michal Čihař <michal at cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M index.php
M libraries/core.lib.php
Log Message:
-----------
Stricter URL validation
- do not use empty() as empty('0') is true
- do not lowercase the strings, use them as they are
- lowercase all domains in our codebase
- do not allow to specify port
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 63b7f6c0a94af5d7402c4f198846dc0c066f5413
https://github.com/phpmyadmin/phpmyadmin/commit/63b7f6c0a94af5d7402c4f198846dc0c066f5413
Author: Michal Čihař <michal at cihar.com>
Date: 2016-09-02 (Fri, 02 Sep 2016)
Changed paths:
M libraries/ip_allow_deny.lib.php
Log Message:
-----------
Use hash_equals when comparing IPv6 allow rules
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: 773f126c89aca6588258753218e600c5764857c2
https://github.com/phpmyadmin/phpmyadmin/commit/773f126c89aca6588258753218e600c5764857c2
Author: Deven Bansod <devenbansod.bits at gmail.com>
Date: 2016-10-02 (Sun, 02 Oct 2016)
Changed paths:
M prefs_manage.php
Log Message:
-----------
Don't assume the default arg_separator in URL
Respect the value for arg_separator.input too.
Signed-off-by: Deven Bansod <devenbansod.bits at gmail.com>
Commit: 5e108a340f3eac6b6c488439343b6c1a7454787c
https://github.com/phpmyadmin/phpmyadmin/commit/5e108a340f3eac6b6c488439343b6c1a7454787c
Author: Michal Čihař <michal at cihar.com>
Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths:
M libraries/core.lib.php
M test/libraries/core/PMA_safeUnserialize_test.php
Log Message:
-----------
Correctly parse string length when checking serialized data
Signed-off-by: Michal Čihař <michal at cihar.com>
Commit: be5196ba44e6f029de11abe32cea72161c698533
https://github.com/phpmyadmin/phpmyadmin/commit/be5196ba44e6f029de11abe32cea72161c698533
Author: Michal Čihař <michal at cihar.com>
Date: 2016-10-04 (Tue, 04 Oct 2016)
Changed paths:
M prefs_manage.php
Log Message:
-----------
Merge branch 'MAINT_4_0_10-security' of github.com:phpmyadmin/phpmyadmin-security into MAINT_4_0_10-security
Commit: 54875fffc12da0f1c0c2b6042e638b08fc337e2a
https://github.com/phpmyadmin/phpmyadmin/commit/54875fffc12da0f1c0c2b6042e638b08fc337e2a
Author: Deven Bansod <devenbansod.bits at gmail.com>
Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths:
M tbl_tracking.php
Log Message:
-----------
Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod <devenbansod.bits at gmail.com>
Commit: 337b38044ddfe74d334831390c6cb40cd2f001f1
https://github.com/phpmyadmin/phpmyadmin/commit/337b38044ddfe74d334831390c6cb40cd2f001f1
Author: Deven Bansod <devenbansod.bits at gmail.com>
Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths:
M libraries/Tracker.class.php
Log Message:
-----------
Manage new-lines and extra whitespaces properly
Signed-off-by: Deven Bansod <devenbansod.bits at gmail.com>
Commit: 670359777263517b92908677fafc7e8dcd377ec5
https://github.com/phpmyadmin/phpmyadmin/commit/670359777263517b92908677fafc7e8dcd377ec5
Author: Deven Bansod <devenbansod.bits at gmail.com>
Date: 2016-11-08 (Tue, 08 Nov 2016)
Changed paths:
M libraries/core.lib.php
M test/libraries/core/PMA_sanitizeMySQLHost_test.php
Log Message:
-----------
Handle multiple `:p` while sanitizing MySQL hosts
Signed-off-by: Deven Bansod <devenbansod.bits at gmail.com>
Commit: 8783113cec408ad9a81f17e3a97db6c4732e6164
https://github.com/phpmyadmin/phpmyadmin/commit/8783113cec408ad9a81f17e3a97db6c4732e6164
Author: Isaac Bennetch <bennetch at gmail.com>
Date: 2016-11-24 (Thu, 24 Nov 2016)
Changed paths:
M ChangeLog
M README
M doc/conf.py
M libraries/Config.class.php
Log Message:
-----------
4.0.10.18 release and ChangeLog
Signed-off-by: Isaac Bennetch <bennetch at gmail.com>
Compare: https://github.com/phpmyadmin/phpmyadmin/compare/5ba96c8804d9...8783113cec40
More information about the Git
mailing list