From 7ebd958b2bf59f96fecd5b3322bdbd0b244a7967 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Thu, 30 Jun 2011 12:30:58 +0200 Subject: [PATCH 1/5] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 --- ChangeLog | 3 +++ libraries/auth/swekey/swekey.auth.lib.php | 5 ++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index cb3ba9aa9..3ce317d40 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +3.4.3.1 (not yet released) +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 + 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize - patch #3304473 [setup] Redefine a lable that was wrong diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index d2ec1b155..c5f613bbd 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -263,11 +263,10 @@ function Swekey_login($input_name, $input_go) } } -if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) +if (!empty($_GET['session_to_unset'])) { - parse_str($_SERVER['QUERY_STRING']); session_write_close(); - session_id($session_to_unset); + session_id($_GET['session_to_unset']); session_start(); $_SESSION = array(); session_write_close(); From 0fbedaf5fd7a771d0885c6b7385d934fc90d0d7f Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Thu, 30 Jun 2011 13:21:31 +0200 Subject: [PATCH 2/5] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 --- ChangeLog | 1 + setup/lib/ConfigGenerator.class.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3ce317d40..da43382e0 100644 --- a/ChangeLog +++ b/ChangeLog 
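Review bot: `$_GET['session_to_unset']` still reaches `session_id()` unchecked in the swekey.auth.lib.php hunk: an array value (`session_to_unset[]=`) passes `!empty()` and is handed to a function that expects a string, and any string is accepted as an id. I would guard the block with `if (isset($_GET['session_to_unset']) && is_string($_GET['session_to_unset']) && preg_match('/\A[A-Za-z0-9,-]+\z/', $_GET['session_to_unset']))`. Even with that guard the request empties whichever session it names, so the block deserves a comment stating why that is acceptable, or a check that ties the id to the caller. The block is top-level code and continues past the end of the hunk.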
@@ -3,6 +3,7 @@ phpMyAdmin - ChangeLog 3.4.3.1 (not yet released) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 +- [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize diff --git a/setup/lib/ConfigGenerator.class.php b/setup/lib/ConfigGenerator.class.php index 95c33251d..e33775ed3 100644 --- a/setup/lib/ConfigGenerator.class.php +++ b/setup/lib/ConfigGenerator.class.php @@ -39,7 +39,7 @@ class ConfigGenerator if ($cf->getServerCount() > 0) { $ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf; foreach ($c['Servers'] as $id => $server) { - $ret .= '/* Server: ' . strtr($cf->getServerName($id), '*/', '-') . " [$id] */" . $crlf + $ret .= '/* Server: ' . strtr($cf->getServerName($id) . " [$id] ", '*/', '-') . "*/" . $crlf . '$i++;' . $crlf; foreach ($server as $k => $v) { $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k); From 69fb0f8e7dc38075427aceaf09bcac697d0590ff Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Thu, 30 Jun 2011 09:59:43 +0200 Subject: [PATCH 3/5] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 --- ChangeLog | 1 + libraries/server_synchronize.lib.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index da43382e0..e3db9229c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ phpMyAdmin - ChangeLog 3.4.3.1 (not yet released) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 +- [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize diff --git a/libraries/server_synchronize.lib.php b/libraries/server_synchronize.lib.php index ba6f81338..c9f1242d1 100644 
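Review bot: The three-argument `strtr(..., '*/', '-')` in the ConfigGenerator.class.php hunk translates single characters, not substrings, and with a two-character from-list and a one-character to-list PHP ignores the extra `/`, so only `*` is mapped to `-`. That is enough to stop the server name or id from closing the generated `/* Server: … */` comment early, but the call reads as if it replaced the sequence `*/`. I would write the lists as `'*', '-'` and add a comment such as `// every '*' becomes '-', so the name and id cannot end the comment`. The enclosing method starts and ends outside the hunk.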
--- a/libraries/server_synchronize.lib.php +++ b/libraries/server_synchronize.lib.php @@ -624,7 +624,7 @@ function PMA_createTargetTables($src_db, $trg_db, $src_link, $trg_link, &$uncomm $Create_Query = PMA_DBI_fetch_value("SHOW CREATE TABLE " . PMA_backquote($src_db) . '.' . PMA_backquote($uncommon_tables[$table_index]), 0, 1, $src_link); // Replace the src table name with a `dbname`.`tablename` - $Create_Table_Query = preg_replace('/' . PMA_backquote($uncommon_tables[$table_index]) . '/', + $Create_Table_Query = preg_replace('/' . preg_quote(PMA_backquote($uncommon_tables[$table_index]), '/') . '/', PMA_backquote($trg_db) . '.' .PMA_backquote($uncommon_tables[$table_index]), $Create_Query, $limit = 1 From b434320eff8ca9c2fc1b043c1804f868341af9a7 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Thu, 30 Jun 2011 20:26:08 +0200 Subject: [PATCH 4/5] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 --- ChangeLog | 13 +++++++------ libraries/display_tbl.lib.php | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index e3db9229c..ae6147c27 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ phpMyAdmin - ChangeLog - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 - [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 +- [security] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize 
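Review bot: The replacement argument of `preg_replace()` in the server_synchronize.lib.php hunk is still built from `PMA_backquote($trg_db)` and the table name without escaping, so a `$` or `\` followed by a digit in either name is read as a backreference and the rewritten CREATE TABLE statement comes out wrong. The added `preg_quote()` covers only the pattern. Since the pattern is now a literal string, either escape the replacement with `addcslashes(..., '\\$')` or drop the regex and replace the first occurrence located by `strpos()` using `substr_replace()`. The call continues past the end of the hunk.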
@@ -94,7 +95,7 @@ phpMyAdmin - ChangeLog + patch #2974341 [structure] Clicking on table name in db Structure should Browse the table if possible, thanks to bhdouglass - dougboybhd + patch #2975533 [search] New search operators, thanks to - Martynas Mickevičius + Martynas Mickevičius + patch #2967320 [designer] Colored relations based on the primary key, thanks to GreenRover - greenrover - [core] Provide way for vendors to easily change paths to config files. @@ -248,7 +249,7 @@ phpMyAdmin - ChangeLog 3.3.7.0 (2010-09-07) - patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after - a page size increase, thanks to Martin Schönberger - mad05 + a page size increase, thanks to Martin Schönberger - mad05 3.3.6.0 (2010-08-28) - bug #3033063 [core] Navi gets wrong db name @@ -269,7 +270,7 @@ phpMyAdmin - ChangeLog 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of - databases, thanks to Stéphane Pontier - shadow_walker + databases, thanks to Stéphane Pontier - shadow_walker - bug #3022705 [import] Import button does not work in Catalan when there is no progress bar possible - bug [replication] Do not offer information_schema in the list of databases @@ -309,9 +310,9 @@ phpMyAdmin - ChangeLog - patch #2984893 [engines] InnoDB storage page emits a warning, thanks to Madhura Jayaratne - madhuracj - bug #2974687, bug #2974692 [compatibility] PHPExcel : IBM AIX iconv() does not work, - thanks to Björn Wiberg - bwiberg + thanks to Björn Wiberg - bwiberg - bug #2983066 [interface] Flush table on table operations shows the query twice, - thanks to Martynas Mickevičius - BlinK_ + thanks to Martynas Mickevičius - BlinK_ - bug #2983060, patch #2987900 [interface] Fix initial state of tables in designer, thanks to Sutharshan Balachandren. - bug #2983062, patch #2989408 [engines] Fix warnings when changing table 
@@ -390,7 +391,7 @@ phpMyAdmin - ChangeLog + rfe #2839504 [engines] Support InnoDB plugin's new row formats + [core] Added ability for synchronizing databases among servers. + [lang] #2843101 Dutch update, thanks to scavenger2008 -+ [lang] Galician update, thanks to Xosé Calvo - xosecalvo ++ [lang] Galician update, thanks to Xosé Calvo - xosecalvo + [export] Added MediaWiki export module, thanks to Derek Schaefer - drummingds1 + [lang] Turkish update, thanks to Burak Yavuz diff --git a/libraries/display_tbl.lib.php b/libraries/display_tbl.lib.php index 64a0383cd..c7d74ef44 100644 --- a/libraries/display_tbl.lib.php +++ b/libraries/display_tbl.lib.php @@ -1308,7 +1308,7 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) { if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) { if (isset($GLOBALS['mime_map'][$meta->name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation']) && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) { - $include_file = $GLOBALS['mime_map'][$meta->name]['transformation']; + $include_file = PMA_securePath($GLOBALS['mime_map'][$meta->name]['transformation']); if (file_exists('./libraries/transformations/' . $include_file)) { $transformfunction_name = str_replace('.inc.php', '', $GLOBALS['mime_map'][$meta->name]['transformation']); From e214683f9fe4955dcbf0ffce045983728c7fa9d3 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Sat, 2 Jul 2011 20:49:01 -0400 Subject: [PATCH 5/5] 3.4.3.1 release --- ChangeLog | 2 +- Documentation.html | 4 ++-- README | 2 +- libraries/Config.class.php | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae6147c27..fe7103128 100644 --- a/ChangeLog +++ b/ChangeLog 
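Review bot: `$transformfunction_name` is still derived from the raw `$GLOBALS['mime_map'][$meta->name]['transformation']` in the display_tbl.lib.php hunk, while the path tested by `file_exists()` now uses the filtered `$include_file`, so the file that is checked and the function name that is built can disagree. I would derive the name from the filtered value, `$transformfunction_name = str_replace('.inc.php', '', $include_file);`. PMA_securePath() is not visible here; if it only strips traversal sequences, comparing `$include_file` against the files actually present in `./libraries/transformations/` would be a stricter check. The surrounding `if` blocks continue outside the hunk.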
@@ -1,7 +1,7 @@ phpMyAdmin - ChangeLog ====================== -3.4.3.1 (not yet released) +3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 - [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 diff --git a/Documentation.html b/Documentation.html index 576c1f088..25b973143 100644 --- a/Documentation.html +++ b/Documentation.html @@ -9,7 +9,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78 - phpMyAdmin 3.4.3 - Documentation + phpMyAdmin 3.4.3.1 - Documentation @@ -17,7 +17,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78 diff --git a/README b/README index 02ad01675..e57152a29 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ phpMyAdmin - Readme =================== -Version 3.4.3 +Version 3.4.3.1 A set of PHP-scripts to manage MySQL over the web. diff --git a/libraries/Config.class.php b/libraries/Config.class.php index cd1a0bf14..28625f289 100644 --- a/libraries/Config.class.php +++ b/libraries/Config.class.php @@ -96,7 +96,7 @@ class PMA_Config */ function checkSystem() { - $this->set('PMA_VERSION', '3.4.3'); + $this->set('PMA_VERSION', '3.4.3.1'); /** * @deprecated */