fixed possible XSS in database name - thanks to Omer Singer, The DigiTrust Group

2007-11-09 19:27:37 +00:00
parent fc6f7a909a
commit 116fe9e050
2 changed files with 17 additions and 12 deletions
--- a/1
+++ b/1
@@ -36,6 +36,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA

 2.11.2.1 (not yet released)
 - fixed possible SQL injection using database name
+- fixed possible XSS in database name - thanks to Omer Singer, The DigiTrust Group

 2.11.2.0 (2007-10-27)
 - patch #1791576 HTTP auth: support REDIRECT_REMOTE_USER, thanks to Allard
--- a/libraries/List_Database.class.php
+++ b/libraries/List_Database.class.php
@@ -340,25 +340,29 @@ require_once './libraries/List.class.php';
            $selected = $this->getDefault();
        }

-    $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
+        $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
        foreach ($this->getGroupedDetails($offset, $count) as $group => $dbs) {
            if (count($dbs) > 1) {
-                $return .= '<li>' . $group . '<ul>' . "\n";
+                $return .= '<li>' . htmlspecialchars($group) . '<ul>' . "\n";
                // wether display db_name cuted by the group part
-                $cut = true;
+                $cut = htmlspecialchars($db['disp_name_cut']);
            } else {
                // .. or full
-                $cut = false;
+                $cut = htmlspecialchars($db['disp_name']);
            }
            foreach ($dbs as $db) {
-            $return .= '<li';
-            if ($db['name'] == $selected) {
-                $return .= ' class="selected"';
-            }
-        $return .= '><a' . (! empty($db['comment']) ? ' title="' . $db['comment'] . '"' : '') . ' href="index.php?' . PMA_generate_common_url($db['name']) . '" target="_parent">';
-                $return .= ($cut ? $db['disp_name_cut'] : $db['disp_name'])
-            .' (' . $db['num_tables'] . ')';
-        $return .= '</a></li>' . "\n";
+                $return .= '<li';
+                if ($db['name'] == $selected) {
+                    $return .= ' class="selected"';
+                }
+                $return .= '><a';
+                if (! empty($db['comment'])) {
+                    $return .= ' title="' . htmlspecialchars($db['comment']) . '"';
+                }
+                $return .= ' href="index.php?' . PMA_generate_common_url($db['name'])
+                    . '" target="_parent">';
+                $return .= $cut .' (' . $db['num_tables'] . ')';
+                $return .= '</a></li>' . "\n";
            }
            if (count($dbs) > 1) {
                $return .= '</ul></li>' . "\n";