Merge branch 'MAINT_3_4_4' into QA_3_4

Marc Delisle
2011-08-24 12:29:30 -04:00
10 changed files with 68 additions and 37 deletions


@@ -343,6 +343,7 @@ if (!$save_on_server) {
// (avoid rewriting data containing HTML with anchors and forms; // (avoid rewriting data containing HTML with anchors and forms;
// this was reported to happen under Plesk) // this was reported to happen under Plesk)
@ini_set('url_rewriter.tags',''); @ini_set('url_rewriter.tags','');
$filename = PMA_sanitize_filename($filename);
header('Content-Type: ' . $mime_type); header('Content-Type: ' . $mime_type);
header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
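Review bot: The sanitization added at line 14 sits inside the `if (!$save_on_server)` branch named in the hunk header, so the branch that saves the export on the server is presumably still working with the raw `$filename`; if that path builds a filesystem path from it, it needs the same or a stricter treatment, because `PMA_sanitize_filename` keeps `.` and `-` and therefore does not remove `..` sequences. Inside this branch the value only matters for the `Content-Disposition` header that follows outside the hunk, and a comment would make the placement self-explanatory: `// strip anything that could terminate or inject into the Content-Disposition header below`. The enclosing `if` block begins before this hunk and ends after it.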


@@ -86,4 +86,22 @@ function PMA_sanitize($message, $escape = false, $safe = false)
return $message; return $message;
} }
/**
* Sanitize a filename by removing anything besides A-Za-z0-9_.-
*
* Intended usecase:
* When using a filename in a Content-Disposition header the value should not contain ; or "
*
* @param string The filename
*
* @return string the sanitized filename
*
*/
function PMA_sanitize_filename($filename) {
$filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
return $filename;
}
?> ?>
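Review bot: The docblock says the function works "by removing anything besides A-Za-z0-9_.-", but the `preg_replace` on line 35 replaces each disallowed character with `_` rather than dropping it, so the description and the nameless `@param` line should be corrected: `* Sanitize a filename by replacing anything besides A-Za-z0-9_.- with an underscore` and `* @param string $filename The filename`. The pattern carries no `u` modifier, so it works on bytes and a multibyte (e.g. UTF-8) table name becomes a run of underscores; that is acceptable for a download name but worth stating in the docblock so callers do not expect the original name to survive. The temporary variable is redundant: `return preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);`.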


@@ -173,6 +173,7 @@ class PMA_DIA extends XMLWriter
if(ob_get_clean()){ if(ob_get_clean()){
ob_end_clean(); ob_end_clean();
} }
$fileName = PMA_sanitize_filename($fileName);
header('Content-type: application/x-dia-diagram'); header('Content-type: application/x-dia-diagram');
header('Content-Disposition: attachment; filename="'.$fileName.'.dia"'); header('Content-Disposition: attachment; filename="'.$fileName.'.dia"');
$output = $this->flush(); $output = $this->flush();
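Review bot: The sanitize-then-`header()` pair added at line 46 is repeated verbatim in the EPS, SVG and VISIO writers (lines 57, 79 and 90), each concatenating the name into `Content-Disposition` and appending its own extension; a single helper on the shared schema-export base taking the name and extension would keep the four call sites from drifting apart. Because the sanitizer leaves only `A-Za-z0-9_.-`, the quoted `filename="…"` form here needs no further escaping, and a comment on line 46 such as `// sanitized: the name can no longer contain '"' or ';' for the header below` records that reasoning for the next reader. The enclosing `showOutput` method begins before this hunk and ends after it.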


@@ -336,6 +336,7 @@ class PMA_EPS
// if(ob_get_clean()){ // if(ob_get_clean()){
//ob_end_clean(); //ob_end_clean();
//} //}
$fileName = PMA_sanitize_filename($fileName);
header('Content-type: image/x-eps'); header('Content-type: image/x-eps');
header('Content-Disposition: attachment; filename="'.$fileName.'.eps"'); header('Content-Disposition: attachment; filename="'.$fileName.'.eps"');
$output = $this->stringCommands; $output = $this->stringCommands;


@@ -1075,6 +1075,8 @@ class PMA_Pdf_Relation_Schema extends PMA_Export_Relation_Schema
if (empty($filename)) { if (empty($filename)) {
$filename = $pageNumber . '.pdf'; $filename = $pageNumber . '.pdf';
} }
$fileName = PMA_sanitize_filename($fileName);
// instead of $pdf->Output(): // instead of $pdf->Output():
$pdfData = $pdf->getPDFData(); $pdfData = $pdf->getPDFData();
header('Content-Type: application/pdf'); header('Content-Type: application/pdf');
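Review bot: Line 68 sanitizes `$fileName`, but the surrounding code on lines 65–66 uses `$filename`; PHP variable names are case-sensitive, so the added line reads an apparently different variable and leaves `$filename` — presumably the value later placed in `Content-Disposition` — unsanitized. Unless the method defines `$fileName` somewhere outside the hunk, the line should read `$filename = PMA_sanitize_filename($filename);`. With `$fileName` undefined the call would only raise a notice and yield an empty string, so nothing fails loudly, which is why this is easy to miss. The enclosing method begins before this hunk and ends after it.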


@@ -171,6 +171,7 @@ class PMA_SVG extends XMLWriter
function showOutput($fileName) function showOutput($fileName)
{ {
//ob_get_clean(); //ob_get_clean();
$fileName = PMA_sanitize_filename($fileName);
header('Content-type: image/svg+xml'); header('Content-type: image/svg+xml');
header('Content-Disposition: attachment; filename="'.$fileName.'.svg"'); header('Content-Disposition: attachment; filename="'.$fileName.'.svg"');
$output = $this->flush(); $output = $this->flush();


@@ -158,6 +158,7 @@ class PMA_VISIO extends XMLWriter
//if(ob_get_clean()){ //if(ob_get_clean()){
//ob_end_clean(); //ob_end_clean();
//} //}
$fileName = PMA_sanitize_filename($fileName);
header('Content-type: application/visio'); header('Content-type: application/visio');
header('Content-Disposition: attachment; filename="'.$fileName.'.vdx"'); header('Content-Disposition: attachment; filename="'.$fileName.'.vdx"');
$output = $this->flush(); $output = $this->flush();


@@ -39,7 +39,8 @@ if ($result === false) {
header('Content-Type: ' . PMA_detectMIME($result)); header('Content-Type: ' . PMA_detectMIME($result));
header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
header('Content-Disposition: attachment; filename="' . $table . '-' . $transform_key . '.bin"'); $filename = PMA_sanitize_filename($table . '-' . $transform_key . '.bin');
header('Content-Disposition: attachment; filename="' . $filename . '"');
if (PMA_USR_BROWSER_AGENT == 'IE') { if (PMA_USR_BROWSER_AGENT == 'IE') {
header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public'); header('Pragma: public');


@@ -111,7 +111,8 @@ if (isset($_REQUEST['report_export']) && $_REQUEST['export_type'] == 'sqldumpfil
foreach($entries as $entry) { foreach($entries as $entry) {
$dump .= $entry['statement']; $dump .= $entry['statement'];
} }
$filename = 'log_' . htmlspecialchars($_REQUEST['table']) . '.sql'; //$filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
$filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');
header('Content-Type: text/x-sql'); header('Content-Type: text/x-sql');
header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
header('Content-Disposition: attachment; filename="' . $filename . '"'); header('Content-Disposition: attachment; filename="' . $filename . '"');
@@ -281,17 +282,17 @@ if (isset($_REQUEST['snapshot'])) {
<tr class="noclick <?php echo $style; ?>"> <tr class="noclick <?php echo $style; ?>">
<?php <?php
if ($field['Key'] == 'PRI') { if ($field['Key'] == 'PRI') {
echo '<td><b><u>' . $field['Field'] . '</u></b></td>' . "\n"; echo '<td><b><u>' . htmlspecialchars($field['Field']) . '</u></b></td>' . "\n";
} else { } else {
echo '<td><b>' . $field['Field'] . '</b></td>' . "\n"; echo '<td><b>' . htmlspecialchars($field['Field']) . '</b></td>' . "\n";
} }
?> ?>
<td><?php echo $field['Type'];?></td> <td><?php echo htmlspecialchars($field['Type']);?></td>
<td><?php echo $field['Collation'];?></td> <td><?php echo htmlspecialchars($field['Collation']);?></td>
<td><?php echo $field['Null'];?></td> <td><?php echo htmlspecialchars($field['Null']);?></td>
<td><?php echo $field['Default'];?></td> <td><?php echo htmlspecialchars($field['Default']);?></td>
<td><?php echo $field['Extra'];?></td> <td><?php echo htmlspecialchars($field['Extra']);?></td>
<td><?php echo $field['Comment'];?></td> <td><?php echo htmlspecialchars($field['Comment']);?></td>
</tr> </tr>
<?php <?php
if ($style == 'even') { if ($style == 'even') {
@@ -337,15 +338,15 @@ if (isset($_REQUEST['snapshot'])) {
} }
?> ?>
<tr class="noclick <?php echo $style; ?>"> <tr class="noclick <?php echo $style; ?>">
<td><b><?php echo $index['Key_name'];?></b></td> <td><b><?php echo htmlspecialchars($index['Key_name']);?></b></td>
<td><?php echo $index['Index_type'];?></td> <td><?php echo htmlspecialchars($index['Index_type']);?></td>
<td><?php echo $str_unique;?></td> <td><?php echo $str_unique;?></td>
<td><?php echo $str_packed;?></td> <td><?php echo $str_packed;?></td>
<td><?php echo $index['Column_name'];?></td> <td><?php echo htmlspecialchars($index['Column_name']);?></td>
<td><?php echo $index['Cardinality'];?></td> <td><?php echo htmlspecialchars($index['Cardinality']);?></td>
<td><?php echo $index['Collation'];?></td> <td><?php echo htmlspecialchars($index['Collation']);?></td>
<td><?php echo $index['Null'];?></td> <td><?php echo htmlspecialchars($index['Null']);?></td>
<td><?php echo $index['Comment'];?></td> <td><?php echo htmlspecialchars($index['Comment']);?></td>
</tr> </tr>
<?php <?php
if ($style == 'even') { if ($style == 'even') {
@@ -372,10 +373,10 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
?> ?>
<h3><?php echo __('Tracking report');?> [<a href="tbl_tracking.php?<?php echo $url_query;?>"><?php echo __('Close');?></a>]</h3> <h3><?php echo __('Tracking report');?> [<a href="tbl_tracking.php?<?php echo $url_query;?>"><?php echo __('Close');?></a>]</h3>
<small><?php echo __('Tracking statements') . ' ' . $data['tracking']; ?></small><br/> <small><?php echo __('Tracking statements') . ' ' . htmlspecialchars($data['tracking']); ?></small><br/>
<br/> <br/>
<form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>"> <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<?php <?php
$str1 = '<select name="logtype">' . $str1 = '<select name="logtype">' .
@@ -383,9 +384,9 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
'<option value="data"' . ($selection_data ? ' selected="selected"' : ''). '>' . __('Data only') . '</option>' . '<option value="data"' . ($selection_data ? ' selected="selected"' : ''). '>' . __('Data only') . '</option>' .
'<option value="schema_and_data"' . ($selection_both ? ' selected="selected"' : '') . '>' . __('Structure and data') . '</option>' . '<option value="schema_and_data"' . ($selection_both ? ' selected="selected"' : '') . '>' . __('Structure and data') . '</option>' .
'</select>'; '</select>';
$str2 = '<input type="text" name="date_from" value="' . $_REQUEST['date_from'] . '" size="19" />'; $str2 = '<input type="text" name="date_from" value="' . htmlspecialchars($_REQUEST['date_from']) . '" size="19" />';
$str3 = '<input type="text" name="date_to" value="' . $_REQUEST['date_to'] . '" size="19" />'; $str3 = '<input type="text" name="date_to" value="' . htmlspecialchars($_REQUEST['date_to']) . '" size="19" />';
$str4 = '<input type="text" name="users" value="' . $_REQUEST['users'] . '" />'; $str4 = '<input type="text" name="users" value="' . htmlspecialchars($_REQUEST['users']) . '" />';
$str5 = '<input type="submit" name="list_report" value="' . __('Go') . '" />'; $str5 = '<input type="submit" name="list_report" value="' . __('Go') . '" />';
printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5); printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
@@ -422,8 +423,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
?> ?>
<tr class="noclick <?php echo $style; ?>"> <tr class="noclick <?php echo $style; ?>">
<td><small><?php echo $i;?></small></td> <td><small><?php echo $i;?></small></td>
<td><small><?php echo $entry['date'];?></small></td> <td><small><?php echo htmlspecialchars($entry['date']);?></small></td>
<td><small><?php echo $entry['username']; ?></small></td> <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
<td><?php echo $statement; ?></td> <td><?php echo $statement; ?></td>
</tr> </tr>
<?php <?php
@@ -473,8 +474,8 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
?> ?>
<tr class="noclick <?php echo $style; ?>"> <tr class="noclick <?php echo $style; ?>">
<td><small><?php echo $i; ?></small></td> <td><small><?php echo $i; ?></small></td>
<td><small><?php echo $entry['date']; ?></small></td> <td><small><?php echo htmlspecialchars($entry['date']); ?></small></td>
<td><small><?php echo $entry['username']; ?></small></td> <td><small><?php echo htmlspecialchars($entry['username']); ?></small></td>
<td><?php echo $statement; ?></td> <td><?php echo $statement; ?></td>
</tr> </tr>
<?php <?php
@@ -493,7 +494,7 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
} }
?> ?>
</form> </form>
<form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>"> <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<?php <?php
printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5); printf(__('Show %s with dates from %s to %s by user %s %s'), $str1, $str2, $str3, $str4, $str5);
@@ -506,11 +507,11 @@ if (isset($_REQUEST['report']) || isset($_REQUEST['report_export'])) {
$str_export2 = '<input type="submit" name="report_export" value="' . __('Go') .'" />'; $str_export2 = '<input type="submit" name="report_export" value="' . __('Go') .'" />';
?> ?>
</form> </form>
<form method="post" action="tbl_tracking.php?<?php echo $url_query; ?>&amp;report=true&amp;version=<?php echo $_REQUEST['version'];?>"> <form method="post" action="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $_REQUEST['version'])); ?>">
<input type="hidden" name="logtype" value="<?php echo $_REQUEST['logtype'];?>" /> <input type="hidden" name="logtype" value="<?php echo htmlspecialchars($_REQUEST['logtype']);?>" />
<input type="hidden" name="date_from" value="<?php echo $_REQUEST['date_from'];?>" /> <input type="hidden" name="date_from" value="<?php echo htmlspecialchars($_REQUEST['date_from']);?>" />
<input type="hidden" name="date_to" value="<?php echo $_REQUEST['date_to'];?>" /> <input type="hidden" name="date_to" value="<?php echo htmlspecialchars($_REQUEST['date_to']);?>" />
<input type="hidden" name="users" value="<?php echo $_REQUEST['users'];?>" /> <input type="hidden" name="users" value="<?php echo htmlspecialchars($_REQUEST['users']);?>" />
<?php <?php
echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>"; echo "<br/>" . sprintf(__('Export as %s'), $str_export1) . $str_export2 . "<br/>";
?> ?>
@@ -612,11 +613,15 @@ if ($last_version > 0) {
<tr class="noclick <?php echo $style;?>"> <tr class="noclick <?php echo $style;?>">
<td><?php echo htmlspecialchars($version['db_name']);?></td> <td><?php echo htmlspecialchars($version['db_name']);?></td>
<td><?php echo htmlspecialchars($version['table_name']);?></td> <td><?php echo htmlspecialchars($version['table_name']);?></td>
<td><?php echo $version['version'];?></td> <td><?php echo htmlspecialchars($version['version']);?></td>
<td><?php echo $version['date_created'];?></td> <td><?php echo htmlspecialchars($version['date_created']);?></td>
<td><?php echo $version['date_updated'];?></td> <td><?php echo htmlspecialchars($version['date_updated']);?></td>
<td><?php echo $version_status;?></td> <td><?php echo $version_status;?></td>
<td> <a href="tbl_tracking.php?<?php echo $url_query;?>&amp;report=true&amp;version=<?php echo $version['version'];?>"><?php echo __('Tracking report');?></a> | <a href="tbl_tracking.php?<?php echo $url_query;?>&amp;snapshot=true&amp;version=<?php echo $version['version'];?>"><?php echo __('Structure snapshot');?></a></td> <td> <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('report' => 'true', 'version' => $version['version'])
);?>"><?php echo __('Tracking report');?></a>
| <a href="tbl_tracking.php<?php echo PMA_generate_common_url($url_params + array('snapshot' => 'true', 'version' => $version['version'])
);?>"><?php echo __('Structure snapshot');?></a>
</td>
</tr> </tr>
<?php <?php
if ($style == 'even') { if ($style == 'even') {
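Review bot: In the two report tables (lines 172–174 and 181–183) `$entry['date']` and `$entry['username']` now pass through `htmlspecialchars()`, but `$statement` on lines 174 and 183 is still echoed raw; if `$statement` is pre-rendered HTML from the SQL formatter that is intentional, and a comment such as `<?php /* $statement is pre-rendered HTML; do not escape */ echo $statement; ?>` would stop the next escaping sweep from breaking it, whereas if it is the plain statement text it needs `htmlspecialchars()` like its neighbours. Where `$statement` is assigned lies outside these hunks, so this needs confirming against the earlier part of the file. Separately, the commented-out old assignment kept on line 112 (`//$filename = 'log_' . str_replace(...)`) should be deleted now that line 113 replaces it.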


@@ -68,7 +68,7 @@ if (isset($ct) && !empty($ct)) {
header($content_type); header($content_type);
if (isset($cn) && !empty($cn)) { if (isset($cn) && !empty($cn)) {
header('Content-Disposition: attachment; filename=' . $cn); header('Content-Disposition: attachment; filename=' . PMA_sanitize_filename($cn));
} }
if (!isset($resize)) { if (!isset($resize)) {
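Review bot: The `Content-Disposition` on line 227 is the only one in this commit that leaves `filename=` unquoted; with `PMA_sanitize_filename` restricting the value to `A-Za-z0-9_.-` it cannot carry `;` or whitespace, but the quoted form is consistent with the other call sites and does not depend on the sanitizer's character set staying that narrow: `header('Content-Disposition: attachment; filename="' . PMA_sanitize_filename($cn) . '"');`. Where `$cn` comes from is outside the hunk; if it is request-derived, sanitizing it at this header is the right boundary. The enclosing `if (isset($ct) && !empty($ct))` block begins before this hunk and ends after it.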