port 2.11.7.1 fix

Marc Delisle
2008-07-15 19:03:11 +00:00
parent 6a707344eb
commit 62461e5477
8 changed files with 26 additions and 21 deletions


@@ -89,6 +89,11 @@ danbarry
- bug [history] Do not save too big queries in history - bug [history] Do not save too big queries in history
- [security] Do not show version info on login screen - [security] Do not show version info on login screen
2.11.7.1 (2008-07-15)
- bug [security] XSRF/CSRF by manipulating the db,
convcharset and collation_connection parameters,
thanks to YGN Ethical Hacker Group
2.11.7.0 (2008-06-23) 2.11.7.0 (2008-06-23)
- bug #1908719 [interface] New field cannot be auto-increment and primary key - bug #1908719 [interface] New field cannot be auto-increment and primary key
- [dbi] Incorrect interpretation for some mysqli field flags - [dbi] Incorrect interpretation for some mysqli field flags
@@ -279,7 +284,6 @@ danbarry
- bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group - bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group
2.11.1.0 (2007-09-20) 2.11.1.0 (2007-09-20)
- bug #1783667 [export] NO_AUTO_VALUE_ON_ZERO and MySQL version - bug #1783667 [export] NO_AUTO_VALUE_ON_ZERO and MySQL version
- bug #1780098 [GUI] Logout causes CSS loss, thanks to Juergen Wind - bug #1780098 [GUI] Logout causes CSS loss, thanks to Juergen Wind
. incorrect field ids, thanks to Michael Keck . incorrect field ids, thanks to Michael Keck
@@ -298,7 +302,6 @@ danbarry
- bug #1798627 [GUI] Wrong storage engine displayed - bug #1798627 [GUI] Wrong storage engine displayed
2.11.0.0 (2007-08-21) 2.11.0.0 (2007-08-21)
+ [import] support handling of DELIMITER to mimic mysql CLI, thanks to fb1 + [import] support handling of DELIMITER to mimic mysql CLI, thanks to fb1
+ improved PHP 6 compatibility + improved PHP 6 compatibility
- bug #1674914 [structure] changing definition of a TIMESTAMP field - bug #1674914 [structure] changing definition of a TIMESTAMP field
@@ -397,7 +400,6 @@ danbarry
- bug #1771721 Old SVN URLs - bug #1771721 Old SVN URLs
2.10.3.0 (2007-07-20) 2.10.3.0 (2007-07-20)
- bug #1734285 Copy database with VIEWs - bug #1734285 Copy database with VIEWs
- bug #1722502 DROP TABLE in export VIEW - bug #1722502 DROP TABLE in export VIEW
- bug #1729027 Sorting results of VIEW browsing - bug #1729027 Sorting results of VIEW browsing
@@ -411,7 +413,6 @@ danbarry
- Do not try to delete an internal relation if we just deleted an InnoDB one - Do not try to delete an internal relation if we just deleted an InnoDB one
2.10.2.0 (2007-06-15) 2.10.2.0 (2007-06-15)
+ [data] display all warnings, not only last one + [data] display all warnings, not only last one
- typo in fix for bug #1671813 - typo in fix for bug #1671813
- bug #1714908 Inserted Row Count is wrong - bug #1714908 Inserted Row Count is wrong
@@ -434,8 +435,6 @@ danbarry
- patch #1731280 Avoid negative exponent in gmp_pow(), thanks to anosek - patch #1731280 Avoid negative exponent in gmp_pow(), thanks to anosek
2.10.1.0 (2007-04-23) 2.10.1.0 (2007-04-23)
=====================
- bug #1541147 [js] '#' in database names not correctly handled by queywindow.js - bug #1541147 [js] '#' in database names not correctly handled by queywindow.js
- bug #1671403 [parser] using "client" as table name - bug #1671403 [parser] using "client" as table name
- bug #1672379 [core] Call to undefined function PMA_removeCookie() - bug #1672379 [core] Call to undefined function PMA_removeCookie()
@@ -468,19 +467,13 @@ danbarry
- bug #1704467 XSS vulnerability in browse_foreigners.php, thanks to sp3x SecurityReason - bug #1704467 XSS vulnerability in browse_foreigners.php, thanks to sp3x SecurityReason
2.10.0.2 (2007-03-02) 2.10.0.2 (2007-03-02)
=====================
+ bug #1671813 CVE-2006-1549 deep recursion crash + bug #1671813 CVE-2006-1549 deep recursion crash
2.10.0.1 (2007-03-01) 2.10.0.1 (2007-03-01)
=====================
. [config] set $cfg['Servers'][$i]['ssl'] default value to false, . [config] set $cfg['Servers'][$i]['ssl'] default value to false,
we got reports from some users having problems with the default value of true we got reports from some users having problems with the default value of true
2.10.0.0 (2007-02-28) 2.10.0.0 (2007-02-28)
=====================
- bug #1659176 [general] memory error displaying a table with large BLOBs - bug #1659176 [general] memory error displaying a table with large BLOBs
- bug #1668662 [install] can create the new pma_designer_coords table - bug #1668662 [install] can create the new pma_designer_coords table
+ [gui] navi logo now links to main page by default, with still the possibility + [gui] navi logo now links to main page by default, with still the possibility


@@ -2764,7 +2764,8 @@ SetInputFilter PHP
<a href="#faq1_34">1.34 Can I access directly to database or table pages?</a></h4> <a href="#faq1_34">1.34 Can I access directly to database or table pages?</a></h4>
<p> Yes. Out of the box, you can use <abbr title="Uniform Resource Locator">URL</abbr>s like <p> Yes. Out of the box, you can use <abbr title="Uniform Resource Locator">URL</abbr>s like
http://server/phpMyAdmin/index.php?db=database&amp;table=table&amp;target=script. http://server/phpMyAdmin/index.php?server=X&amp;db=database&amp;table=table&amp;target=script. For <tt>server</tt> you use the server number which refers to
the order of the server paragraph in <tt>config.inc.php</tt>.
Table and script parts are optional. If you want Table and script parts are optional. If you want
http://server/phpMyAdmin/database[/table][/script] <abbr title="Uniform Resource Locator">URL</abbr>s, you need to do http://server/phpMyAdmin/database[/table][/script] <abbr title="Uniform Resource Locator">URL</abbr>s, you need to do
some configuration. Following lines apply only for <a some configuration. Following lines apply only for <a


@@ -12,7 +12,7 @@ require_once './libraries/common.inc.php';
$GLOBALS['js_include'][] = 'functions.js'; $GLOBALS['js_include'][] = 'functions.js';
require_once './libraries/mysql_charsets.lib.php'; require_once './libraries/mysql_charsets.lib.php';
PMA_checkParameters(array('db')); PMA_checkParameters(array('new_db'));
/** /**
* Defines the url to return to in case of error in a sql statement * Defines the url to return to in case of error in a sql statement
@@ -22,7 +22,7 @@ $err_url = 'main.php?' . PMA_generate_common_url();
/** /**
* Builds and executes the db creation sql query * Builds and executes the db creation sql query
*/ */
$sql_query = 'CREATE DATABASE ' . PMA_backquote($db); $sql_query = 'CREATE DATABASE ' . PMA_backquote($new_db);
if (!empty($db_collation)) { if (!empty($db_collation)) {
list($db_charset) = explode('_', $db_collation); list($db_charset) = explode('_', $db_collation);
if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) { if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) {
@@ -43,7 +43,8 @@ if (! $result) {
require_once './main.php'; require_once './main.php';
} else { } else {
$message = PMA_Message::success('strDatabaseHasBeenCreated'); $message = PMA_Message::success('strDatabaseHasBeenCreated');
$message->addParam($db); $message->addParam($new_db);
$GLOBALS['db'] = $new_db;
require_once './libraries/header.inc.php'; require_once './libraries/header.inc.php';
require_once './' . $cfg['DefaultTabDatabase']; require_once './' . $cfg['DefaultTabDatabase'];
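Review bot: The rename to `new_db` in `PMA_checkParameters(array('new_db'))` and `PMA_backquote($new_db)` is the actual CSRF fix (a parameter named `db` is still accepted from a request that carries no token, per the request allow list changed in this same commit), but nothing in the file says so, and a later rename back to `db` would reopen the hole silently. I would put `// 'new_db', not 'db': 'db' is honoured without the CSRF token, and CREATE DATABASE must stay behind it` above the `PMA_checkParameters` call. Note also that `PMA_checkParameters` only asserts presence: `$new_db` and `$db_collation` are imported into scope somewhere outside these hunks, and for a state-changing request reading them explicitly from `$_POST` would be more robust than relying on that global import — I cannot see where it happens from here. The `if (! $result)` block that the last hunk modifies begins outside the shown lines.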


@@ -124,6 +124,7 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>'; var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>'; var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>'; var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
var token = '<?php echo PMA_escapeJsString($_SESSION[' PMA_token ']); ?>';
var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>'; var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>'; var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
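Review bot: The new `var token = '<?php echo PMA_escapeJsString($_SESSION[' PMA_token ']); ?>';` exposes the per-session CSRF token to page scripts with no comment on why it is there or which code consumes it, and a reader of this block cannot tell whether removing it is safe. I would add above it `// CSRF token; the frame-refresh functions (refreshMain/refreshNavigation) append it to their URLs so those requests pass the token check`. The escaping matches the neighbouring variables, so the only cost is that any script injection anywhere on a page now also reads the token — inherent to embedding it, but worth stating once. The surrounding `<script>` block starts before the hunk.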


@@ -147,6 +147,7 @@ function setTable(new_table) {
* *
* @uses goTo() * @uses goTo()
* @uses opendb_url * @uses opendb_url
* @uses token
* @uses db * @uses db
* @uses server * @uses server
* @uses table * @uses table
@@ -165,6 +166,7 @@ function refreshMain(url) {
} }
//alert(db); //alert(db);
goTo(url + '?server=' + encodeURIComponent(server) + goTo(url + '?server=' + encodeURIComponent(server) +
'&token=' + encodeURIComponent(token) +
'&db=' + encodeURIComponent(db) + '&db=' + encodeURIComponent(db) +
'&table=' + encodeURIComponent(table) + '&table=' + encodeURIComponent(table) +
'&lang=' + encodeURIComponent(lang) + '&lang=' + encodeURIComponent(lang) +
@@ -176,6 +178,7 @@ function refreshMain(url) {
* reloads navigation frame * reloads navigation frame
* *
* @uses goTo() * @uses goTo()
* @uses token
* @uses db * @uses db
* @uses server * @uses server
* @uses table * @uses table
@@ -185,6 +188,7 @@ function refreshMain(url) {
*/ */
function refreshNavigation() { function refreshNavigation() {
goTo('navigation.php?server=' + encodeURIComponent(server) + goTo('navigation.php?server=' + encodeURIComponent(server) +
'&token=' + encodeURIComponent(token) +
'&db=' + encodeURIComponent(db) + '&db=' + encodeURIComponent(db) +
'&table=' + encodeURIComponent(table) + '&table=' + encodeURIComponent(table) +
'&lang=' + encodeURIComponent(lang) + '&lang=' + encodeURIComponent(lang) +
@@ -258,8 +262,8 @@ function markDbTable(db, table)
/** /**
* sets current selected server, table and db (called from libraries/footer.inc.php) * sets current selected server, table and db (called from libraries/footer.inc.php)
*/ */
function setAll( new_lang, new_collation_connection, new_server, new_db, new_table ) { function setAll( new_lang, new_collation_connection, new_server, new_db, new_table, new_token ) {
//alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ' )'); //alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ', ' + new_token + ' )');
if (new_server != server || new_lang != lang if (new_server != server || new_lang != lang
|| new_collation_connection != collation_connection) { || new_collation_connection != collation_connection) {
// something important has changed // something important has changed
@@ -268,6 +272,7 @@ function setAll( new_lang, new_collation_connection, new_server, new_db, new_tab
table = new_table; table = new_table;
collation_connection = new_collation_connection; collation_connection = new_collation_connection;
lang = new_lang; lang = new_lang;
token = new_token;
refreshNavigation(); refreshNavigation();
} else if (new_db != db || new_table != table) { } else if (new_db != db || new_table != table) {
// save new db and table // save new db and table
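Review bot: In `setAll` the new `token = new_token;` assignment sits only inside the "something important has changed" branch, so when server, language and collation are unchanged the frame keeps its old token even if the value passed in differs; moving `token = new_token;` to be the first statement of the function (leaving the branches otherwise as they are) makes the stored token always the one the footer just reported. The signature change also means any caller still using the five-argument form passes `new_token` as `undefined`, which the guard does not catch; `if (typeof new_token != 'undefined') { token = new_token; }` would protect against that, if such callers exist (I can only see the footer one). Separately, `refreshMain` and `refreshNavigation` now put the token into a GET query string (`'&token=' + encodeURIComponent(token)`), which places it in browser history, server and proxy logs, and the Referer of any external link on the loaded page (the MySQL documentation links emitted in the create-database form are one such link); that is a deliberate trade-off but deserves a comment such as `// token travels as a GET parameter: it is as exposed as the URL itself (history, logs, Referer)`. `setAll` continues past the end of the hunk.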


@@ -399,7 +399,10 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['
* List of parameters which are allowed from unsafe source * List of parameters which are allowed from unsafe source
*/ */
$allow_list = array( $allow_list = array(
'db', 'table', 'lang', 'server', 'convcharset', 'collation_connection', 'target', /* needed for direct access, see FAQ 1.34
* also, server needed for cookie login screen (multi-server)
*/
'server', 'db', 'table', 'target',
/* Session ID */ /* Session ID */
'phpMyAdmin', 'phpMyAdmin',
/* Cookie preferences */ /* Cookie preferences */
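Review bot: The new comment on `$allow_list` says why `server`, `db`, `table` and `target` are still honoured from a request without a valid token, but not what that implies: these four remain settable by a cross-site link (that is precisely the direct-access feature FAQ 1.34 documents), so they must only ever select context and never authorise an action. I would extend the comment with `* these four are still forgeable cross-site; they select context only and must never gate a state change`. `target` in particular names a script to load according to the FAQ text in this commit, and since it bypasses the token check its validation against a fixed list of scripts needs to be confirmed where it is consumed — that code is not visible here. The `if` that consults this list starts before the hunk and the array literal continues past it.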


@@ -21,7 +21,7 @@ if ($is_create_db_priv) {
<?php echo '<label for="text_create_db">' . $strCreateNewDatabase . '</label>&nbsp;' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?></strong><br /> <?php echo '<label for="text_create_db">' . $strCreateNewDatabase . '</label>&nbsp;' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?></strong><br />
<?php echo PMA_generate_common_hidden_inputs('', '', 5); ?> <?php echo PMA_generate_common_hidden_inputs('', '', 5); ?>
<input type="hidden" name="reload" value="1" /> <input type="hidden" name="reload" value="1" />
<input type="text" name="db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/> <input type="text" name="new_db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/>
<?php <?php
require_once './libraries/mysql_charsets.lib.php'; require_once './libraries/mysql_charsets.lib.php';
echo PMA_generateCharsetDropdownBox(PMA_CSDROPDOWN_COLLATION, 'db_collation', null, null, TRUE, 5); echo PMA_generateCharsetDropdownBox(PMA_CSDROPDOWN_COLLATION, 'db_collation', null, null, TRUE, 5);
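Review bot: The changed `<input type="text" name="new_db" value="<?php echo $db_to_create; ?>" ...>` still echoes `$db_to_create` into an HTML attribute unescaped; it is set outside this hunk (presumably derived from the user's CREATE privilege pattern, which I cannot confirm from here), and a value containing `"` or `<` would break out of the attribute. `value="<?php echo htmlspecialchars($db_to_create); ?>"` costs nothing and is the right treatment for any MySQL-derived string landing in markup. `maxlength="64"` is client-side only; the server side relies on MySQL rejecting over-long identifiers, which is worth a one-line comment so nobody mistakes the attribute for validation. The enclosing `if ($is_create_db_priv)` and the `<form>` begin before the hunk.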


@@ -106,7 +106,8 @@ if (window.parent.setAll) {
echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '"; echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '";
echo PMA_escapeJsString($GLOBALS['server']) . "', '"; echo PMA_escapeJsString($GLOBALS['server']) . "', '";
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '"; echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '";
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')); ?>'); echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')) . "', '";
echo PMA_escapeJsString($_SESSION[' PMA_token ']);?>');
} }
<?php <?php
if (! empty($GLOBALS['reload'])) { if (! empty($GLOBALS['reload'])) {