From 62461e5477f3edd06ca8132abbccb09ae5fc1cfc Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Tue, 15 Jul 2008 19:03:11 +0000 Subject: [PATCH] port 2.11.7.1 fix --- ChangeLog | 17 +++++------------ Documentation.html | 3 ++- db_create.php | 7 ++++--- index.php | 1 + js/common.js | 9 +++++++-- libraries/common.inc.php | 5 ++++- libraries/display_create_database.lib.php | 2 +- libraries/footer.inc.php | 3 ++- 8 files changed, 26 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index a1ebd5ea0..e242164f7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -89,6 +89,11 @@ danbarry - bug [history] Do not save too big queries in history - [security] Do not show version info on login screen +2.11.7.1 (2008-07-15) +- bug [security] XSRF/CSRF by manipulating the db, + convcharset and collation_connection parameters, + thanks to YGN Ethical Hacker Group + 2.11.7.0 (2008-06-23) - bug #1908719 [interface] New field cannot be auto-increment and primary key - [dbi] Incorrect interpretation for some mysqli field flags @@ -279,7 +284,6 @@ danbarry - bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group 2.11.1.0 (2007-09-20) - - bug #1783667 [export] NO_AUTO_VALUE_ON_ZERO and MySQL version - bug #1780098 [GUI] Logout causes CSS loss, thanks to Juergen Wind . incorrect field ids, thanks to Michael Keck @@ -298,7 +302,6 @@ danbarry - bug #1798627 [GUI] Wrong storage engine displayed 2.11.0.0 (2007-08-21) - + [import] support handling of DELIMITER to mimic mysql CLI, thanks to fb1 + improved PHP 6 compatibility - bug #1674914 [structure] changing definition of a TIMESTAMP field @@ -397,7 +400,6 @@ danbarry - bug #1771721 Old SVN URLs 2.10.3.0 (2007-07-20) - - bug #1734285 Copy database with VIEWs - bug #1722502 DROP TABLE in export VIEW - bug #1729027 Sorting results of VIEW browsing @@ -411,7 +413,6 @@ danbarry - Do not try to delete an internal relation if we just deleted an InnoDB one 2.10.2.0 (2007-06-15) - + [data] display all warnings, not only last one - typo in fix for bug #1671813 - bug #1714908 Inserted Row Count is wrong @@ -434,8 +435,6 @@ danbarry - patch #1731280 Avoid negative exponent in gmp_pow(), thanks to anosek 2.10.1.0 (2007-04-23) -===================== - - bug #1541147 [js] '#' in database names not correctly handled by queywindow.js - bug #1671403 [parser] using "client" as table name - bug #1672379 [core] Call to undefined function PMA_removeCookie() @@ -468,19 +467,13 @@ danbarry - bug #1704467 XSS vulnerability in browse_foreigners.php, thanks to sp3x SecurityReason 2.10.0.2 (2007-03-02) -===================== - + bug #1671813 CVE-2006-1549 deep recursion crash 2.10.0.1 (2007-03-01) -===================== - . [config] set $cfg['Servers'][$i]['ssl'] default value to false, we got reports from some users having problems with the default value of true 2.10.0.0 (2007-02-28) -===================== - - bug #1659176 [general] memory error displaying a table with large BLOBs - bug #1668662 [install] can create the new pma_designer_coords table + [gui] navi logo now links to main page by default, with still the possibility diff --git a/Documentation.html b/Documentation.html index 389bd4774..0dd544407 100644 --- a/Documentation.html +++ b/Documentation.html @@ -2764,7 +2764,8 @@ SetInputFilter PHP 1.34 Can I access directly to database or table pages?

Yes. Out of the box, you can use URLs like - http://server/phpMyAdmin/index.php?db=database&table=table&target=script. +http://server/phpMyAdmin/index.php?server=X&db=database&table=table&target=script. For server you use the server number which refers to +the order of the server paragraph in config.inc.php. Table and script parts are optional. If you want http://server/phpMyAdmin/database[/table][/script] URLs, you need to do some configuration. Following lines apply only for addParam($db); + $message->addParam($new_db); + $GLOBALS['db'] = $new_db; require_once './libraries/header.inc.php'; require_once './' . $cfg['DefaultTabDatabase']; diff --git a/index.php b/index.php index 007fb5296..4ea0a4f36 100644 --- a/index.php +++ b/index.php @@ -124,6 +124,7 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']); var server = ''; var table = ''; var db = ''; + var token = ''; var text_dir = ''; var pma_absolute_uri = ''; diff --git a/js/common.js b/js/common.js index 99c43fb92..a8c4115c6 100644 --- a/js/common.js +++ b/js/common.js @@ -147,6 +147,7 @@ function setTable(new_table) { * * @uses goTo() * @uses opendb_url + * @uses token * @uses db * @uses server * @uses table @@ -165,6 +166,7 @@ function refreshMain(url) { } //alert(db); goTo(url + '?server=' + encodeURIComponent(server) + + '&token=' + encodeURIComponent(token) + '&db=' + encodeURIComponent(db) + '&table=' + encodeURIComponent(table) + '&lang=' + encodeURIComponent(lang) + @@ -176,6 +178,7 @@ function refreshMain(url) { * reloads navigation frame * * @uses goTo() + * @uses token * @uses db * @uses server * @uses table @@ -185,6 +188,7 @@ function refreshMain(url) { */ function refreshNavigation() { goTo('navigation.php?server=' + encodeURIComponent(server) + + '&token=' + encodeURIComponent(token) + '&db=' + encodeURIComponent(db) + '&table=' + encodeURIComponent(table) + '&lang=' + encodeURIComponent(lang) + @@ -258,8 +262,8 @@ function markDbTable(db, table) /** * sets current selected server, table and db (called from libraries/footer.inc.php) */ -function setAll( new_lang, new_collation_connection, new_server, new_db, new_table ) { - //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ' )'); +function setAll( new_lang, new_collation_connection, new_server, new_db, new_table, new_token ) { + //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ', ' + new_token + ' )'); if (new_server != server || new_lang != lang || new_collation_connection != collation_connection) { // something important has changed @@ -268,6 +272,7 @@ function setAll( new_lang, new_collation_connection, new_server, new_db, new_tab table = new_table; collation_connection = new_collation_connection; lang = new_lang; + token = new_token; refreshNavigation(); } else if (new_db != db || new_table != table) { // save new db and table diff --git a/libraries/common.inc.php b/libraries/common.inc.php index 0e15240ed..91cbcf131 100644 --- a/libraries/common.inc.php +++ b/libraries/common.inc.php @@ -399,7 +399,10 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST[' * List of parameters which are allowed from unsafe source */ $allow_list = array( - 'db', 'table', 'lang', 'server', 'convcharset', 'collation_connection', 'target', + /* needed for direct access, see FAQ 1.34 + * also, server needed for cookie login screen (multi-server) + */ + 'server', 'db', 'table', 'target', /* Session ID */ 'phpMyAdmin', /* Cookie preferences */ diff --git a/libraries/display_create_database.lib.php b/libraries/display_create_database.lib.php index 2b4e9520e..7bf4e613b 100644 --- a/libraries/display_create_database.lib.php +++ b/libraries/display_create_database.lib.php @@ -21,7 +21,7 @@ if ($is_create_db_priv) { ' . $strCreateNewDatabase . ' ' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?>
- + '); + echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')) . "', '"; + echo PMA_escapeJsString($_SESSION[' PMA_token ']);?>'); }