From 09b30b8b6e462aafc24cc32a78491cd9513305c6 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Mon, 25 Jul 2011 10:15:14 -0400 Subject: [PATCH 01/10] 3.4.4-rc1 --- Documentation.html | 4 ++-- README | 2 +- libraries/Config.class.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Documentation.html b/Documentation.html index 23efaa954..057c6c905 100644 --- a/Documentation.html +++ b/Documentation.html @@ -9,7 +9,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78 - phpMyAdmin 3.4.4-dev - Documentation + phpMyAdmin 3.4.4-rc1 - Documentation @@ -17,7 +17,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78 diff --git a/README b/README index 06955517f..6e7197d1b 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ phpMyAdmin - Readme =================== -Version 3.4.4-dev +Version 3.4.4-rc1 A set of PHP-scripts to manage MySQL over the web. diff --git a/libraries/Config.class.php b/libraries/Config.class.php index f9e10f039..a55bd025e 100644 --- a/libraries/Config.class.php +++ b/libraries/Config.class.php @@ -96,7 +96,7 @@ class PMA_Config */ function checkSystem() { - $this->set('PMA_VERSION', '3.4.4-dev'); + $this->set('PMA_VERSION', '3.4.4-rc1'); /** * @deprecated */ From ec848d825ffe896b96b6c3e4b8c7d4c12aadd310 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Fri, 5 Aug 2011 10:14:18 +0200 Subject: [PATCH 02/10] XSS fixes --- tbl_tracking.php | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tbl_tracking.php b/tbl_tracking.php index 99a540e75..2f714bfaf 100644 --- a/tbl_tracking.php +++ b/tbl_tracking.php 
@@ -281,17 +281,17 @@ if (isset($_REQUEST['snapshot'])) { ' . $field['Field'] . '' . "\n"; + echo '' . htmlspecialchars($field['Field']) . '' . "\n"; } else { - echo '' . $field['Field'] . '' . "\n"; + echo '' . htmlspecialchars($field['Field']) . '' . "\n"; } ?> - - - - - - + + + + + + - - + + - - - - - + + + + + Date: Fri, 5 Aug 2011 11:45:16 +0200 Subject: [PATCH 03/10] Make better use of PMA_generate_common_url to prevent XSS --- tbl_tracking.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tbl_tracking.php b/tbl_tracking.php index 2f714bfaf..f64750974 100644 --- a/tbl_tracking.php +++ b/tbl_tracking.php @@ -375,7 +375,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
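Review bot: Both added `htmlspecialchars($field['Field'])` calls pass no flags, so single quotes are left as-is (the default before PHP 8.1 is ENT_COMPAT); the surrounding markup is stripped in this rendering, but if either value lands inside a single-quoted attribute the escaping is incomplete. Passing the flags explicitly, `htmlspecialchars($field['Field'], ENT_QUOTES, 'UTF-8')`, covers both attribute quoting styles and pins the charset instead of relying on the default_charset ini setting. The enclosing `if (isset($_REQUEST['snapshot']))` block begins before the hunk.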

-
+ ' . @@ -493,7 +493,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { } ?>
-
+ '; ?>
-
+ @@ -616,7 +616,11 @@ if ($last_version > 0) { - | + + | + Date: Fri, 5 Aug 2011 11:45:35 +0200 Subject: [PATCH 04/10] XSS fixes --- tbl_tracking.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tbl_tracking.php b/tbl_tracking.php index f64750974..d9a904ef0 100644 --- a/tbl_tracking.php +++ b/tbl_tracking.php @@ -372,7 +372,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?>

[]

-
+

@@ -383,9 +383,9 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { '' . '' . ''; - $str2 = ''; - $str3 = ''; - $str4 = ''; + $str2 = ''; + $str3 = ''; + $str4 = ''; $str5 = ''; printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5); From 39edf6e1fbe4a39f6fec0919d60eca5dfc2708ff Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Fri, 5 Aug 2011 12:01:47 +0200 Subject: [PATCH 05/10] XSS fixes --- tbl_tracking.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tbl_tracking.php b/tbl_tracking.php index d9a904ef0..7cf7cd522 100644 --- a/tbl_tracking.php +++ b/tbl_tracking.php @@ -473,8 +473,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> - - + +
- - - - + + + + " . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "
"; ?> From 0f5f2d960184db7333ecf7d52da406cae306412b Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Sat, 6 Aug 2011 15:05:59 -0400 Subject: [PATCH 06/10] XSS with IE <= 8.x (semicolon and attachment headers --- tbl_tracking.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tbl_tracking.php b/tbl_tracking.php index 7cf7cd522..5544ecdcd 100644 --- a/tbl_tracking.php +++ b/tbl_tracking.php @@ -111,7 +111,7 @@ if (isset($_REQUEST['report_export']) && $_REQUEST['export_type'] == 'sqldumpfil foreach($entries as $entry) { $dump .= $entry['statement']; } - $filename = 'log_' . htmlspecialchars($_REQUEST['table']) . '.sql'; + $filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql'; header('Content-Type: text/x-sql'); header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Content-Disposition: attachment; filename="' . $filename . '"'); From b659fbeb128b3235738d6fd787cab096ddc3a591 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Mon, 8 Aug 2011 17:48:42 +0200 Subject: [PATCH 07/10] remove extraneous ? --- tbl_tracking.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tbl_tracking.php b/tbl_tracking.php index 5544ecdcd..36e5f668a 100644 --- a/tbl_tracking.php +++ b/tbl_tracking.php @@ -618,7 +618,7 @@ if ($last_version > 0) { - | 'true', 'version' => $version['version']) );?>"> From c547703b1089bff62b238a908d8559ca3ad845f1 Mon Sep 17 00:00:00 2001 
From: Herman van Rink
Date: Mon, 8 Aug 2011 20:07:09 +0200
Subject: [PATCH 08/10] Sanitize filenames before using in Content-Disposition header
---
 export.php | 1 +
 libraries/sanitizing.lib.php | 18 ++++++++++++++++++
 libraries/schema/Dia_Relation_Schema.class.php | 1 +
 libraries/schema/Eps_Relation_Schema.class.php | 1 +
 libraries/schema/Pdf_Relation_Schema.class.php | 2 ++
 libraries/schema/Svg_Relation_Schema.class.php | 1 +
 .../schema/Visio_Relation_Schema.class.php | 1 +
 tbl_get_field.php | 3 ++-
 tbl_tracking.php | 3 ++-
 9 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/export.php b/export.php
index 7da25fc05..100269f5a 100644
--- a/export.php
+++ b/export.php
@@ -343,6 +343,7 @@ if (!$save_on_server) {
 // (avoid rewriting data containing HTML with anchors and forms;
 // this was reported to happen under Plesk)
 @ini_set('url_rewriter.tags','');
+ $filename = PMA_sanitize_filename($filename);
 header('Content-Type: ' . $mime_type);
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index a362ebdea..a65f8ba7c 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -86,4 +86,22 @@ function PMA_sanitize($message, $escape = false, $safe = false)
 return $message;
 }
+
+
+/**
+ * Sanitize a filename by removing anything besides A-Za-z0-9_.-
+ *
+ * Intended usecase:
+ * When using a filename in a Content-Disposition header the value should not contain ; or "
+ *
+ * @param string The filename
+ *
+ * @return string the sanitized filename
+ *
+ */
+function PMA_sanitize_filename($filename) {
+ $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
+ return $filename;
+}
+
 ?>
diff --git a/libraries/schema/Dia_Relation_Schema.class.php b/libraries/schema/Dia_Relation_Schema.class.php
index e58381e91..2f6373e63 100644
--- a/libraries/schema/Dia_Relation_Schema.class.php
+++ b/libraries/schema/Dia_Relation_Schema.class.php
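Review bot: The docblock on `PMA_sanitize_filename` says the function sanitizes "by removing anything besides A-Za-z0-9_.-", but the body substitutes `_` for every disallowed byte rather than dropping it, and the `@param` line names no variable. Suggested wording: `Replace every byte outside A-Za-z0-9_.- with an underscore so the result can be placed inside the quoted filename of a Content-Disposition header (no ';', '"', CR or LF survives).` together with `@param string $filename The filename to sanitize`. Because the pattern has no `u` modifier it runs byte-wise, so each byte of a multi-byte UTF-8 table name becomes its own `_` — safe for the header but lossy, which the docblock should state. The body can also be a single statement, `return preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);`, and the opening brace would match the file's function style better on its own line.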
@@ -173,6 +173,7 @@ class PMA_DIA extends XMLWriter
 if(ob_get_clean()){
 ob_end_clean();
 }
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: application/x-dia-diagram');
 header('Content-Disposition: attachment; filename="'.$fileName.'.dia"');
 $output = $this->flush();
diff --git a/libraries/schema/Eps_Relation_Schema.class.php b/libraries/schema/Eps_Relation_Schema.class.php
index 5435db447..7f1c34d33 100644
--- a/libraries/schema/Eps_Relation_Schema.class.php
+++ b/libraries/schema/Eps_Relation_Schema.class.php
@@ -336,6 +336,7 @@ class PMA_EPS
 // if(ob_get_clean()){
 //ob_end_clean();
 //}
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: image/x-eps');
 header('Content-Disposition: attachment; filename="'.$fileName.'.eps"');
 $output = $this->stringCommands;
diff --git a/libraries/schema/Pdf_Relation_Schema.class.php b/libraries/schema/Pdf_Relation_Schema.class.php
index 607853709..ad0fe7a11 100644
--- a/libraries/schema/Pdf_Relation_Schema.class.php
+++ b/libraries/schema/Pdf_Relation_Schema.class.php
@@ -1075,6 +1075,8 @@ class PMA_Pdf_Relation_Schema extends PMA_Export_Relation_Schema
 if (empty($filename)) {
 $filename = $pageNumber . '.pdf';
 }
+ $fileName = PMA_sanitize_filename($fileName);
+
 // instead of $pdf->Output():
 $pdfData = $pdf->getPDFData();
 header('Content-Type: application/pdf');
diff --git a/libraries/schema/Svg_Relation_Schema.class.php b/libraries/schema/Svg_Relation_Schema.class.php
index afafda7fb..52eb4394b 100644
--- a/libraries/schema/Svg_Relation_Schema.class.php
+++ b/libraries/schema/Svg_Relation_Schema.class.php
@@ -171,6 +171,7 @@ class PMA_SVG extends XMLWriter
 function showOutput($fileName)
 {
 //ob_get_clean();
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: image/svg+xml');
 header('Content-Disposition: attachment; filename="'.$fileName.'.svg"');
 $output = $this->flush();
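Review bot: The two-line pattern `$fileName = PMA_sanitize_filename($fileName);` followed by a hand-built `Content-Disposition` header is now repeated verbatim in the Dia, Eps, Pdf, Svg and Visio schema classes (and in a third form in tbl_get_field.php and tbl_tracking.php), and nothing ties the sanitizer to the header, so the next exporter can forget it. A small helper that takes the base name and extension, sanitizes, and emits both headers keeps that invariant in one place; this hunk is the first of the five and the other four have the same shape. The enclosing output method starts before each hunk.
```php
// proposed helper (name is a suggestion), next to PMA_sanitize_filename():
function PMA_send_attachment_headers($contentType, $fileName, $extension)
{
    $fileName = PMA_sanitize_filename($fileName);
    header('Content-type: ' . $contentType);
    header('Content-Disposition: attachment; filename="' . $fileName . '.' . $extension . '"');
}
// … unchanged in each exporter: $output = $this->flush(); …
```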
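Review bot: The added line in Pdf_Relation_Schema.class.php sanitizes `$fileName`, but the surrounding context works with `$filename` (`if (empty($filename)) { $filename = $pageNumber . '.pdf'; }`); PHP variable names are case-sensitive, so this reads an undefined or unrelated variable and leaves `$filename` untouched. If the Content-Disposition header further down, which the hunk does not show, is built from `$filename`, the fix is a no-op for the PDF exporter. The line should read `$filename = PMA_sanitize_filename($filename);`. The enclosing method starts before the hunk.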
diff --git a/libraries/schema/Visio_Relation_Schema.class.php b/libraries/schema/Visio_Relation_Schema.class.php
index ab45b13b9..0c3f7eca6 100644
--- a/libraries/schema/Visio_Relation_Schema.class.php
+++ b/libraries/schema/Visio_Relation_Schema.class.php
@@ -158,6 +158,7 @@ class PMA_VISIO extends XMLWriter
 //if(ob_get_clean()){
 //ob_end_clean();
 //}
+ $fileName = PMA_sanitize_filename($fileName);
 header('Content-type: application/visio');
 header('Content-Disposition: attachment; filename="'.$fileName.'.vdx"');
 $output = $this->flush();
diff --git a/tbl_get_field.php b/tbl_get_field.php
index a58eb5117..be0bdded6 100644
--- a/tbl_get_field.php
+++ b/tbl_get_field.php
@@ -39,7 +39,8 @@ if ($result === false) {
 header('Content-Type: ' . PMA_detectMIME($result));
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
-header('Content-Disposition: attachment; filename="' . $table . '-' . $transform_key . '.bin"');
+$filename = PMA_sanitize_filename($table . '-' . $transform_key . '.bin');
+header('Content-Disposition: attachment; filename="' . $filename . '"');
 if (PMA_USR_BROWSER_AGENT == 'IE') {
 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
 header('Pragma: public');
diff --git a/tbl_tracking.php b/tbl_tracking.php
index 36e5f668a..047066384 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -111,7 +111,8 @@ if (isset($_REQUEST['report_export']) && $_REQUEST['export_type'] == 'sqldumpfil
 foreach($entries as $entry) {
 $dump .= $entry['statement'];
 }
- $filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
+ //$filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
+ $filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');
 header('Content-Type: text/x-sql');
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 header('Content-Disposition: attachment; filename="' . $filename . '"');
From 4e5c583dcfdd6307f1093f80a9e1d1ff0480cc7d Mon Sep 17 00:00:00 2001
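Review bot: The tbl_tracking.php hunk keeps the superseded assignment as a comment (`//$filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';`) directly above its replacement; commented-out code should be deleted, since version control holds the history and a stale line invites someone to re-enable the weaker htmlspecialchars-based variant, which was never a header escaper. Only `$filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');` should remain. The enclosing `if` on `report_export` begins before the hunk and does not show an `isset` check for `$_REQUEST['table']`, so a missing parameter would raise a notice here.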
From: Marc Delisle
Date: Mon, 8 Aug 2011 17:28:54 -0400
Subject: [PATCH 09/10] Sanitize filenames before using in Content-Disposition header
---
 transformation_wrapper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/transformation_wrapper.php b/transformation_wrapper.php
index 3699dd091..f04c8acac 100644
--- a/transformation_wrapper.php
+++ b/transformation_wrapper.php
@@ -68,7 +68,7 @@ if (isset($ct) && !empty($ct)) {
 header($content_type);
 if (isset($cn) && !empty($cn)) {
- header('Content-Disposition: attachment; filename=' . $cn);
+ header('Content-Disposition: attachment; filename=' . PMA_sanitize_filename($cn));
 }
 if (!isset($resize)) {
From f00c57bdf3669d7471b30e6750f6762d2e01947b Mon Sep 17 00:00:00 2001
From: Herman van Rink
Date: Fri, 19 Aug 2011 11:01:45 +0200
Subject: [PATCH 10/10] Slightly far fetched XSS prevention
---
 tbl_tracking.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tbl_tracking.php b/tbl_tracking.php
index 047066384..96d502418 100644
--- a/tbl_tracking.php
+++ b/tbl_tracking.php
@@ -423,8 +423,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) { ?> - - + + 0) { - - - + + +
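Review bot: The new header in transformation_wrapper.php leaves the filename value unquoted (`filename=' . PMA_sanitize_filename($cn)`), unlike every other call site in this series, which writes `filename="..."`; the sanitizer makes the bare form safe, but quoting keeps the header well-formed and the code consistent: `header('Content-Disposition: attachment; filename="' . PMA_sanitize_filename($cn) . '"');`. The hunk does not show whether this script loads libraries/sanitizing.lib.php; if it does not, the call is a fatal undefined-function error at runtime rather than a silent gap. `isset($cn) && !empty($cn)` is also redundant, since `!empty($cn)` alone is false for an unset variable. Where `$cn` is assigned is outside the hunk.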