security fix (XSRF) -- will do other branches later
This commit is contained in:
Marc Delisle
@@ -5,6 +5,11 @@ phpMyAdmin - ChangeLog
|
|||||||
$Id$
|
$Id$
|
||||||
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
|
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
|
||||||
|
|
||||||
|
2.11.7.1 ()
|
||||||
|
- bug #1908719 [security] XSRF/CSRF by manipulating the db,
|
||||||
|
convcharset and collation_connection parameters,
|
||||||
|
thanks to YGN Ethical Hacker Group
|
||||||
|
|
||||||
2.11.7.0 (2008-06-23)
|
2.11.7.0 (2008-06-23)
|
||||||
- bug #1908719 [interface] New field cannot be auto-increment and primary key
|
- bug #1908719 [interface] New field cannot be auto-increment and primary key
|
||||||
- [dbi] Incorrect interpretation for some mysqli field flags
|
- [dbi] Incorrect interpretation for some mysqli field flags
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ require_once './libraries/common.inc.php';
|
|||||||
$js_to_run = 'functions.js';
|
$js_to_run = 'functions.js';
|
||||||
require_once './libraries/mysql_charsets.lib.php';
|
require_once './libraries/mysql_charsets.lib.php';
|
||||||
|
|
||||||
PMA_checkParameters(array('db'));
|
PMA_checkParameters(array('new_db'));
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Defines the url to return to in case of error in a sql statement
|
* Defines the url to return to in case of error in a sql statement
|
||||||
@@ -22,7 +22,7 @@ $err_url = 'main.php?' . PMA_generate_common_url();
|
|||||||
/**
|
/**
|
||||||
* Builds and executes the db creation sql query
|
* Builds and executes the db creation sql query
|
||||||
*/
|
*/
|
||||||
$sql_query = 'CREATE DATABASE ' . PMA_backquote($db);
|
$sql_query = 'CREATE DATABASE ' . PMA_backquote($new_db);
|
||||||
if (!empty($db_collation) && PMA_MYSQL_INT_VERSION >= 40101) {
|
if (!empty($db_collation) && PMA_MYSQL_INT_VERSION >= 40101) {
|
||||||
list($db_charset) = explode('_', $db_collation);
|
list($db_charset) = explode('_', $db_collation);
|
||||||
if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) {
|
if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) {
|
||||||
@@ -42,7 +42,8 @@ if (! $result) {
|
|||||||
require_once './libraries/header.inc.php';
|
require_once './libraries/header.inc.php';
|
||||||
require_once './main.php';
|
require_once './main.php';
|
||||||
} else {
|
} else {
|
||||||
$message = $strDatabase . ' ' . htmlspecialchars($db) . ' ' . $strHasBeenCreated;
|
$message = $strDatabase . ' ' . htmlspecialchars($new_db) . ' ' . $strHasBeenCreated;
|
||||||
|
$GLOBALS['db'] = $new_db;
|
||||||
require_once './libraries/header.inc.php';
|
require_once './libraries/header.inc.php';
|
||||||
require_once './' . $cfg['DefaultTabDatabase'];
|
require_once './' . $cfg['DefaultTabDatabase'];
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -124,6 +124,7 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
|
|||||||
var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
|
var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
|
||||||
var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
|
var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
|
||||||
var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
|
var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
|
||||||
|
var token = '<?php echo PMA_escapeJsString($_SESSION[' PMA_token ']); ?>';
|
||||||
var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
|
var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
|
||||||
var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
|
var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
|
||||||
|
|
||||||
|
|||||||
@@ -75,6 +75,7 @@ function setTable(new_table) {
|
|||||||
*
|
*
|
||||||
* @uses goTo()
|
* @uses goTo()
|
||||||
* @uses opendb_url
|
* @uses opendb_url
|
||||||
|
* @uses token
|
||||||
* @uses db
|
* @uses db
|
||||||
* @uses server
|
* @uses server
|
||||||
* @uses table
|
* @uses table
|
||||||
@@ -92,6 +93,7 @@ function refreshMain(url) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
goTo(url + '?server=' + encodeURIComponent(server) +
|
goTo(url + '?server=' + encodeURIComponent(server) +
|
||||||
|
'&token=' + encodeURIComponent(token) +
|
||||||
'&db=' + encodeURIComponent(db) +
|
'&db=' + encodeURIComponent(db) +
|
||||||
'&table=' + encodeURIComponent(table) +
|
'&table=' + encodeURIComponent(table) +
|
||||||
'&lang=' + encodeURIComponent(lang) +
|
'&lang=' + encodeURIComponent(lang) +
|
||||||
@@ -103,6 +105,7 @@ function refreshMain(url) {
|
|||||||
* reloads navigation frame
|
* reloads navigation frame
|
||||||
*
|
*
|
||||||
* @uses goTo()
|
* @uses goTo()
|
||||||
|
* @uses token
|
||||||
* @uses db
|
* @uses db
|
||||||
* @uses server
|
* @uses server
|
||||||
* @uses table
|
* @uses table
|
||||||
@@ -112,6 +115,7 @@ function refreshMain(url) {
|
|||||||
*/
|
*/
|
||||||
function refreshNavigation() {
|
function refreshNavigation() {
|
||||||
goTo('navigation.php?server=' + encodeURIComponent(server) +
|
goTo('navigation.php?server=' + encodeURIComponent(server) +
|
||||||
|
'&token=' + encodeURIComponent(token) +
|
||||||
'&db=' + encodeURIComponent(db) +
|
'&db=' + encodeURIComponent(db) +
|
||||||
'&table=' + encodeURIComponent(table) +
|
'&table=' + encodeURIComponent(table) +
|
||||||
'&lang=' + encodeURIComponent(lang) +
|
'&lang=' + encodeURIComponent(lang) +
|
||||||
@@ -185,8 +189,8 @@ function markDbTable(db, table)
|
|||||||
/**
|
/**
|
||||||
* sets current selected server, table and db (called from libraries/footer.inc.php)
|
* sets current selected server, table and db (called from libraries/footer.inc.php)
|
||||||
*/
|
*/
|
||||||
function setAll( new_lang, new_collation_connection, new_server, new_db, new_table ) {
|
function setAll( new_lang, new_collation_connection, new_server, new_db, new_table, new_token ) {
|
||||||
//alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ' )');
|
//alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ', ' + new_token + ' )');
|
||||||
if (new_server != server || new_lang != lang
|
if (new_server != server || new_lang != lang
|
||||||
|| new_collation_connection != collation_connection) {
|
|| new_collation_connection != collation_connection) {
|
||||||
// something important has changed
|
// something important has changed
|
||||||
@@ -195,6 +199,7 @@ function setAll( new_lang, new_collation_connection, new_server, new_db, new_tab
|
|||||||
table = new_table;
|
table = new_table;
|
||||||
collation_connection = new_collation_connection;
|
collation_connection = new_collation_connection;
|
||||||
lang = new_lang;
|
lang = new_lang;
|
||||||
|
token = new_token;
|
||||||
refreshNavigation();
|
refreshNavigation();
|
||||||
} else if (new_db != db || new_table != table) {
|
} else if (new_db != db || new_table != table) {
|
||||||
// save new db and table
|
// save new db and table
|
||||||
|
|||||||
@@ -398,7 +398,8 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['
|
|||||||
* List of parameters which are allowed from unsafe source
|
* List of parameters which are allowed from unsafe source
|
||||||
*/
|
*/
|
||||||
$allow_list = array(
|
$allow_list = array(
|
||||||
'db', 'table', 'lang', 'server', 'convcharset', 'collation_connection', 'target',
|
/* needed for direct access, see FAQ 1.34 */
|
||||||
|
'db', 'table', 'target',
|
||||||
/* Session ID */
|
/* Session ID */
|
||||||
'phpMyAdmin',
|
'phpMyAdmin',
|
||||||
/* Cookie preferences */
|
/* Cookie preferences */
|
||||||
|
|||||||
@@ -21,7 +21,7 @@ if ($is_create_db_priv) {
|
|||||||
<?php echo '<label for="text_create_db">' . $strCreateNewDatabase . '</label> ' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?></b><br />
|
<?php echo '<label for="text_create_db">' . $strCreateNewDatabase . '</label> ' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?></b><br />
|
||||||
<?php echo PMA_generate_common_hidden_inputs('', '', 5); ?>
|
<?php echo PMA_generate_common_hidden_inputs('', '', 5); ?>
|
||||||
<input type="hidden" name="reload" value="1" />
|
<input type="hidden" name="reload" value="1" />
|
||||||
<input type="text" name="db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/>
|
<input type="text" name="new_db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/>
|
||||||
<?php
|
<?php
|
||||||
if (PMA_MYSQL_INT_VERSION >= 40101) {
|
if (PMA_MYSQL_INT_VERSION >= 40101) {
|
||||||
require_once './libraries/mysql_charsets.lib.php';
|
require_once './libraries/mysql_charsets.lib.php';
|
||||||
|
|||||||
@@ -74,7 +74,8 @@ if (window.parent.setAll) {
|
|||||||
echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '";
|
echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '";
|
||||||
echo PMA_escapeJsString($GLOBALS['server']) . "', '";
|
echo PMA_escapeJsString($GLOBALS['server']) . "', '";
|
||||||
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '";
|
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '";
|
||||||
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')); ?>');
|
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')) . "', '";
|
||||||
|
echo PMA_escapeJsString($_SESSION[' PMA_token ']);?>');
|
||||||
}
|
}
|
||||||
<?php
|
<?php
|
||||||
if (! empty($GLOBALS['reload'])) {
|
if (! empty($GLOBALS['reload'])) {
|
||||||
|
|||||||
Reference in New Issue
Block a user