diff --git a/ChangeLog b/ChangeLog index 6248aae4e..6806bf195 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,40 @@ phpMyAdmin - ChangeLog $Id$ $Source$ +2006-11-17 Michal Čihař + * sql.php, libraries/display_tbl.lib.php: Force pos to be integer to avoid + XSS. + +2006-11-09 Marc Delisle + ### 2.9.1 released from MAINT_2_9_1 + +2006-11-03 Michal Čihař + * config.sample.inc.php: Make it use CRLF to make Windows users happy. + +2006-11-02 Michal Čihař + * Documentation.html: Mention problems with Hardened-PHP. + * lang/dutch: Fix typo, thanks to Thijs Kinkhorst - kink. + +2006-11-01 Marc Delisle + ### 2.9.1-rc2 released from QA_2_9 + +2006-10-27 Marc Delisle + * libraries/fpdf/font: replace broken binary files + +2006-10-26 Marc Delisle + * error.php, libraries/common.lib.php, /database_interface.lib.php, + /session.inc.php: force utf-8 charset to avoid XSS with crafted URL + and utf-7 in charset; error messages won't display correctly + if the chosen lang is not utf-8 + +2006-10-26 Michal Čihař + * libraries/import/csv.php: Fix wrong import when ;; is at buffer boundary + (bug #1584836). + * tbl_properties_operations.php: Fix duplicate ID for checkbox (bug + #1584770). + * libraries/tbl_properties.inc.php: Check form only when saving table + fields (bug #1566222). + 2006-10-25 Michal Čihař * libraries/export/csv.php: Fix cvs/csv typo (bug #1583509). diff --git a/Documentation.html b/Documentation.html index 7108d872e..d8838cbfa 100644 --- a/Documentation.html +++ b/Documentation.html @@ -11,7 +11,7 @@ - phpMyAdmin 2.9.1-dev - Documentation + phpMyAdmin 2.9.1 - Documentation @@ -33,7 +33,7 @@
  • Glossary
  • -

    phpMyAdmin 2.9.1-dev Documentation

    +

    phpMyAdmin 2.9.1 Documentation

    • phpMyAdmin homepage
    • @@ -2826,6 +2826,10 @@ RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
    • In the php.ini directive arg_separator.input, a value of ";" will cause this error. Replace it with "&;".
    • +
    • If you are using Hardened-PHP, + you might want to increase + request limits. +

    Known limitations

    diff --git a/README b/README index eb005fb6c..4f7ad828d 100644 --- a/README +++ b/README @@ -5,8 +5,8 @@ phpMyAdmin - Readme A set of PHP-scripts to manage MySQL over the web. - Version 2.9.1-dev - ----------------- + Version 2.9.1 + ------------- http://www.phpmyadmin.net/ Copyright (C) 1998-2000 Tobias Ratschiller diff --git a/config.sample.inc.php b/config.sample.inc.php index 2237d2521..08ecf4e9a 100644 --- a/config.sample.inc.php +++ b/config.sample.inc.php 
@@ -1,60 +1,60 @@ -. - */ - -/* - * This is needed for cookie based authentication to encrypt password in - * cookie - */ -$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ - -/* - * Servers configuration - */ -$i = 0; - -/* - * First server - */ -$i++; -/* Authentication type */ -$cfg['Servers'][$i]['auth_type'] = 'cookie'; -/* Server parameters */ -$cfg['Servers'][$i]['host'] = 'localhost'; -$cfg['Servers'][$i]['connect_type'] = 'tcp'; -$cfg['Servers'][$i]['compress'] = false; -/* Select mysqli if your server has it */ -$cfg['Servers'][$i]['extension'] = 'mysql'; -/* User for advanced features */ -$cfg['Servers'][$i]['controluser'] = 'pmausr'; -$cfg['Servers'][$i]['controlpass'] = 'pmapass'; -/* Advanced phpMyAdmin features */ -$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; -$cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark'; -$cfg['Servers'][$i]['relation'] = 'pma_relation'; -$cfg['Servers'][$i]['table_info'] = 'pma_table_info'; -$cfg['Servers'][$i]['table_coords'] = 'pma_table_coords'; -$cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages'; -$cfg['Servers'][$i]['column_info'] = 'pma_column_info'; -$cfg['Servers'][$i]['history'] = 'pma_history'; - -/* - * End of servers configuration - */ - -/* - * Directories for saving/loading files from server - */ -$cfg['UploadDir'] = ''; -$cfg['SaveDir'] = ''; - -?> +. + */ + +/* + * This is needed for cookie based authentication to encrypt password in + * cookie + */ +$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! 
*/ + +/* + * Servers configuration + */ +$i = 0; + +/* + * First server + */ +$i++; +/* Authentication type */ +$cfg['Servers'][$i]['auth_type'] = 'cookie'; +/* Server parameters */ +$cfg['Servers'][$i]['host'] = 'localhost'; +$cfg['Servers'][$i]['connect_type'] = 'tcp'; +$cfg['Servers'][$i]['compress'] = false; +/* Select mysqli if your server has it */ +$cfg['Servers'][$i]['extension'] = 'mysql'; +/* User for advanced features */ +$cfg['Servers'][$i]['controluser'] = 'pmausr'; +$cfg['Servers'][$i]['controlpass'] = 'pmapass'; +/* Advanced phpMyAdmin features */ +$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; +$cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark'; +$cfg['Servers'][$i]['relation'] = 'pma_relation'; +$cfg['Servers'][$i]['table_info'] = 'pma_table_info'; +$cfg['Servers'][$i]['table_coords'] = 'pma_table_coords'; +$cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages'; +$cfg['Servers'][$i]['column_info'] = 'pma_column_info'; +$cfg['Servers'][$i]['history'] = 'pma_history'; + +/* + * End of servers configuration + */ + +/* + * Directories for saving/loading files from server + */ +$cfg['UploadDir'] = ''; +$cfg['SaveDir'] = ''; + +?> diff --git a/error.php b/error.php index fc8cbfa16..a4f18fd0e 100644 --- a/error.php +++ b/error.php @@ -14,7 +14,8 @@ require_once('./libraries/sanitizing.lib.php'); /* Get variables */ $lang = isset( $_REQUEST['lang'] ) ? htmlspecialchars($_REQUEST['lang']) : 'en'; $dir = isset( $_REQUEST['dir'] ) ? htmlspecialchars($_REQUEST['dir']) : 'ltr'; -$charset = isset( $_REQUEST['charset'] ) ? htmlspecialchars($_REQUEST['charset']) : 'utf-8'; +// force utf-8 to avoid XSS with crafted URL and utf-7 in charset parameter +$charset = 'utf-8'; $type = isset( $_REQUEST['type'] ) ? htmlspecialchars($_REQUEST['type']) : 'error'; header('Content-Type: text/html; charset=' . $charset); diff --git a/lang/dutch-iso-8859-1.inc.php b/lang/dutch-iso-8859-1.inc.php index ef9d0c059..10908cacc 100644 --- a/lang/dutch-iso-8859-1.inc.php 
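Review bot: Forcing `$charset` closes the UTF-7 vector, but `$lang` and `$dir` on the context lines just above are still taken straight from `$_REQUEST` and passed through `htmlspecialchars()` with its default flags, which do not escape single quotes; whether that is exploitable depends on how the template later in error.php interpolates them, which is outside this hunk. Since `dir` can only legitimately be `ltr` or `rtl`, a whitelist is cheaper and safer than escaping: `$dir = (isset($_REQUEST['dir']) && $_REQUEST['dir'] === 'rtl') ? 'rtl' : 'ltr';`. Now that the output charset is fixed, the remaining escaping calls should name it too, e.g. `htmlspecialchars($_REQUEST['lang'], ENT_QUOTES, 'utf-8')`, so escaping and the `Content-Type` header agree. The `charset` query parameter is now silently ignored; extending the new comment with `/* the charset request parameter is intentionally ignored */` would stop a future maintainer from re-adding it.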
+++ b/lang/dutch-iso-8859-1.inc.php @@ -346,7 +346,7 @@ $strLogin = 'Inloggen'; $strLogout = 'Uitloggen'; $strLogPassword = 'Wachtwoord:'; $strLogServer = 'Server'; -$strLogUsername = 'Gebruikers naam:'; +$strLogUsername = 'Gebruikersnaam:'; $strMaximumSize = 'Maximale grootte: %s%s'; $strMbExtensionMissing = 'De mbstring PHP extensie werd niet gevonden en u lijkt een multibyte charset te gebruiken. Zonder de mbstring extensie kan phpMyAdmin strings niet correct splitsen wat tot onverwachte resultaten kan leiden.'; diff --git a/lang/dutch-iso-8859-15.inc.php b/lang/dutch-iso-8859-15.inc.php index 838ca3b8f..5cc195826 100644 --- a/lang/dutch-iso-8859-15.inc.php +++ b/lang/dutch-iso-8859-15.inc.php @@ -346,7 +346,7 @@ $strLogin = 'Inloggen'; $strLogout = 'Uitloggen'; $strLogPassword = 'Wachtwoord:'; $strLogServer = 'Server'; -$strLogUsername = 'Gebruikers naam:'; +$strLogUsername = 'Gebruikersnaam:'; $strMaximumSize = 'Maximale grootte: %s%s'; $strMbExtensionMissing = 'De mbstring PHP extensie werd niet gevonden en u lijkt een multibyte charset te gebruiken. Zonder de mbstring extensie kan phpMyAdmin strings niet correct splitsen wat tot onverwachte resultaten kan leiden.'; diff --git a/lang/dutch-utf-8.inc.php b/lang/dutch-utf-8.inc.php index f01f2cebc..fee3152d6 100644 --- a/lang/dutch-utf-8.inc.php +++ b/lang/dutch-utf-8.inc.php @@ -347,7 +347,7 @@ $strLogin = 'Inloggen'; $strLogout = 'Uitloggen'; $strLogPassword = 'Wachtwoord:'; $strLogServer = 'Server'; -$strLogUsername = 'Gebruikers naam:'; +$strLogUsername = 'Gebruikersnaam:'; $strMaximumSize = 'Maximale grootte: %s%s'; $strMbExtensionMissing = 'De mbstring PHP extensie werd niet gevonden en u lijkt een multibyte charset te gebruiken. Zonder de mbstring extensie kan phpMyAdmin strings niet correct splitsen wat tot onverwachte resultaten kan leiden.'; diff --git a/lang/japanese-sjis.inc.php b/lang/japanese-sjis.inc.php index 21a1df6aa..c23678540 100644 --- a/lang/japanese-sjis.inc.php 
+++ b/lang/japanese-sjis.inc.php @@ -142,7 +142,7 @@ $strCheckPrivs = ' $strCheckPrivsLong = 'f[^x[X "%s" ̓`FbNB'; $strCheckTable = 'e[u`FbN'; $strChoosePage = 'ҏWy[WIĂB'; -$strColComFeat = 'Rg\@\'; +$strColComFeat = 'Rg\@\\'; $strCollation = 'ƍ'; $strColumnNames = '(J)'; $strColumnPrivileges = 'Jw̓'; @@ -174,7 +174,7 @@ $strCreateIndexTopic = ' $strCreateNewDatabase = 'VKf[^x[X쐬'; $strCreateNewTable = 'f[^x[Xu%sɃe[uVK쐬'; $strCreatePage = 'VKy[W쐬'; -$strCreatePdfFeat = 'PDF 쐬@\'; +$strCreatePdfFeat = 'PDF 쐬@\\'; $strCreateUserDatabase = '[Upf[^x[X'; $strCreateUserDatabaseName = '̃f[^x[X쐬ĂׂĂ̓^܂'; $strCreateUserDatabaseNone = 'Ȃ'; @@ -239,7 +239,7 @@ $strDictionary = ' $strDirtyPages = 'ȃy[W'; $strDisabled = ''; $strDisableForeignChecks = 'OL[̌𖳌ɂ'; -$strDisplayFeat = 'e[u\@\'; +$strDisplayFeat = 'e[u\@\\'; $strDisplayOrder = '\:'; $strDisplayPDF = 'PDF XL[}̕\'; $strDoAQuery = '"QUERY"s (ChJ[h: "%")'; @@ -317,7 +317,7 @@ $strFunction = ' $strFunctions = '֐'; $strGenBy = '‹'; -$strGeneralRelationFeat = '[V@\'; +$strGeneralRelationFeat = '[V@\\'; $strGenerate = ''; $strGeneratePassword = 'pX[h𐶐'; $strGenTime = '쐬̎'; diff --git a/libraries/Config.class.php b/libraries/Config.class.php index 5d3c8694a..28283d5d6 100644 --- a/libraries/Config.class.php +++ b/libraries/Config.class.php @@ -80,7 +80,7 @@ class PMA_Config */ function checkSystem() { - $this->set('PMA_VERSION', '2.9.1-dev'); + $this->set('PMA_VERSION', '2.9.1'); /** * @deprecated */ diff --git a/libraries/common.lib.php b/libraries/common.lib.php index b522cfaff..7d3462787 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php @@ -2971,7 +2971,6 @@ if (empty($_SESSION['PMA_Config'])) { if (!function_exists('preg_replace')) { header('Location: error.php' . '?lang=' . urlencode($available_languages[$lang][2]) - . '&charset=' . urlencode($charset) . '&dir=' . urlencode($text_dir) . '&type=' . urlencode($strError) . '&error=' . urlencode( 
@@ -3180,7 +3179,6 @@ if (! defined('PMA_MINIMUM_COMMON')) { if (!file_exists('./libraries/auth/' . $cfg['Server']['auth_type'] . '.auth.lib.php')) { header('Location: error.php' . '?lang=' . urlencode($available_languages[$lang][2]) - . '&charset=' . urlencode($charset) . '&dir=' . urlencode($text_dir) . '&type=' . urlencode($strError) . '&error=' . urlencode( diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php index fcf74dc71..0dcae5c1b 100644 --- a/libraries/database_interface.lib.php +++ b/libraries/database_interface.lib.php @@ -56,7 +56,6 @@ if ( ! PMA_DBI_checkAndLoadMysqlExtension( $GLOBALS['cfg']['Server']['extension' // if alternativ fails too ... header( 'Location: error.php' . '?lang=' . urlencode( $available_languages[$lang][2] ) - . '&charset=' . urlencode( $charset ) . '&dir=' . urlencode( $text_dir ) . '&type=' . urlencode( $strError ) . '&error=' . urlencode( diff --git a/libraries/display_tbl.lib.php b/libraries/display_tbl.lib.php index d1f828877..b70f3a0ae 100644 --- a/libraries/display_tbl.lib.php +++ b/libraries/display_tbl.lib.php @@ -13,6 +13,9 @@ require_once './libraries/Table.class.php'; */ if (!isset($pos)) { $pos = 0; +} else { + /* We need this to be a integer */ + $pos = (int)$pos } /** diff --git a/libraries/fpdf/font/FreeSans.ctg.z b/libraries/fpdf/font/FreeSans.ctg.z index 164785c1f..7f541a631 100644 Binary files a/libraries/fpdf/font/FreeSans.ctg.z and b/libraries/fpdf/font/FreeSans.ctg.z differ diff --git a/libraries/fpdf/font/FreeSans.z b/libraries/fpdf/font/FreeSans.z index 579bfdd27..a8e8e634b 100644 Binary files a/libraries/fpdf/font/FreeSans.z and b/libraries/fpdf/font/FreeSans.z differ diff --git a/libraries/fpdf/font/FreeSansBold.ctg.z b/libraries/fpdf/font/FreeSansBold.ctg.z index 93e09b99b..f8d288a0e 100644 Binary files a/libraries/fpdf/font/FreeSansBold.ctg.z and b/libraries/fpdf/font/FreeSansBold.ctg.z differ 
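Review bot: The added line `$pos = (int)$pos` has no terminating semicolon before the closing brace, so libraries/display_tbl.lib.php will fail to parse as soon as it is included; it must read `$pos = (int)$pos;`. The cast is the right fix for the XSS, but a negative value still passes through to wherever `$pos` is used as an offset later in the file, so clamping here with `if ($pos < 0) { $pos = 0; }` costs one line and removes a second class of odd input. The comment should read `/* We need this to be an integer */`. Where `$pos` is populated from (register_globals or an earlier import of the request) is not visible in this hunk, so the assumption that it is user-controlled is taken from the ChangeLog entry rather than the code shown.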
diff --git a/libraries/fpdf/font/FreeSansBold.z b/libraries/fpdf/font/FreeSansBold.z index 1c7073a30..5499c1794 100644 Binary files a/libraries/fpdf/font/FreeSansBold.z and b/libraries/fpdf/font/FreeSansBold.z differ diff --git a/libraries/import/csv.php b/libraries/import/csv.php index 243dc1b4f..31d29d82b 100644 --- a/libraries/import/csv.php +++ b/libraries/import/csv.php @@ -142,10 +142,10 @@ if ($plugin_param == 'table') { if (!$csv_finish) { // Grab empty field if ($ch == $csv_terminated) { - $values[] = ''; if ($i == $len - 1) { break; } + $values[] = ''; $i++; $ch = $buffer[$i]; continue; @@ -154,10 +154,10 @@ if ($plugin_param == 'table') { // Grab one field $fallbacki = $i; if ($ch == $csv_enclosed) { - $need_end = TRUE; if ($i == $len - 1) { break; } + $need_end = TRUE; $i++; $ch = $buffer[$i]; } else { diff --git a/libraries/session.inc.php b/libraries/session.inc.php index 57b4d3754..c1146d091 100644 --- a/libraries/session.inc.php +++ b/libraries/session.inc.php @@ -25,7 +25,6 @@ if (!@function_exists('session_name')) { // (do not use & for parameters sent by header) header('Location: error.php' . '?lang=' . urlencode($available_languages[$lang][2]) - . '&charset=' . urlencode($charset) . '&dir=' . urlencode($text_dir) . '&type=' . urlencode($strError) . '&error=' . urlencode(sprintf($strCantLoad, 'session'))); diff --git a/libraries/tbl_properties.inc.php b/libraries/tbl_properties.inc.php index 91629ab70..91a0895e6 100644 --- a/libraries/tbl_properties.inc.php +++ b/libraries/tbl_properties.inc.php @@ -43,7 +43,7 @@ function display_field_options(field_type, i) { -
    +
    - + ' ); ?> diff --git a/scripts/create-release.sh b/scripts/create-release.sh index 1879339f1..a14cf830c 100755 --- a/scripts/create-release.sh +++ b/scripts/create-release.sh @@ -68,61 +68,39 @@ # - added release todo list # -cvsserver=${cvsserver:-phpmyadmin.cvs.sourceforge.net} KITS="all-languages-utf-8-only all-languages english" COMPRESSIONS="zip-7z tbz tgz 7z" -# third param is the user; when creating a release we don't want -# to suffer from the delay between anonymous cvs and developer cvs - if [ $# = 0 ] then - echo "Usage: create-release.sh version from_branch devname" + echo "Usages:" + echo " create-release.sh [from_branch]" + echo " create-release.sh snapshot [sf]" echo " (no spaces allowed!)" echo "" - echo "Example: create-release.sh 2.9.0-rc1 QA_2_9 lem9" + echo "Examples:" + echo " create-release.sh 2.9.0-rc1 branches/QA_2_9" + echo " create-release.sh 2.9.0 tags/RELEASE_2_9_0" exit 65 fi -if [ "$1" = "snapshot" ] -then - branch='' -elif [ "$#" -ge 2 ] -then - branch="-r $2" -fi +branch='trunk' -user="anonymous" -if [ "$#" -eq 3 ] -then - user=$3 -fi - - -if [ $1 = "snapshot" ] -then - mode="snapshot" - date_snapshot=`date +%Y%m%d-%H%M%S` -fi - -# Set target name -if [ "$mode" != "snapshot" ] -then - target=$1 +if [ "$1" = "snapshot" ] ; then + mode="snapshot" + date_snapshot=`date +%Y%m%d-%H%M%S` + target=$date_snapshot else - target=$date_snapshot -fi - - -if [ "$mode" != "snapshot" ] -then - - cat <set( 'PMA_VERSION', '2.7.1-dev' ); " + " \$this->set( 'PMA_VERSION', '$1' ); " - in Documentation.html the 2 lines " phpMyAdmin $1 - Documentation " "

    phpMyAdmin $1 Documentation

    " 
@@ -136,76 +114,40 @@ Please ensure you have: Continue (y/n)? END - printf "\a" - read do_release + read do_release - if [ "$do_release" != 'y' ]; then - exit - fi + if [ "$do_release" != 'y' ]; then + exit + fi fi -if [ "$mode" = "snapshot" -a "$2" != "local" ] ; then -# Goto project dir +if [ "$mode" = "snapshot" -a "$2" = "sf" ] ; then + # Goto project dir cd /home/groups/p/ph/phpmyadmin/htdocs -## Move old cvs dir -#if [ -e cvs ]; -#then -# mv cvs cvs-`date +%s` -#fi - -# Keep one previous version of the cvs directory - if [ -e cvs-prev ]; - then - rm -rf cvs-prev + # Keep one previous version of the cvs directory + if [ -e svn-prev ] ; then + rm -rf svn-prev fi - mv cvs cvs-prev + mv svn svn-prev fi -# Do CVS checkout -mkdir cvs -cd cvs +# Do SVNcheckout +mkdir -p ./svn +cd svn -if [ "$mode" != "snapshot" ] ; then - if grep -Fq ':pserver:anonymous@phpmyadmin.cvs.sourceforge.net:2401/cvsroot/phpmyadmin' ~/.cvspass ; then - echo "You seem to be already logged into phpMyAdmin CVS, skipping that" - else - if [ $user = "anonymous" ] ; then - echo "Press [ENTER]!" - cvs -q -d:pserver:anonymous@$cvsserver:/cvsroot/phpmyadmin login - if [ $? -ne 0 ] ; then - echo "CVS login failed, bailing out" - exit 1 - fi - fi - fi -fi +echo "Exporting repository from subversion" -if [ $user = "anonymous" ] ; then - cvs -q -z3 -d:pserver:anonymous@$cvsserver:/cvsroot/phpmyadmin co -P $branch phpMyAdmin -else - cvs -q -z3 -d:ext:$user@$cvsserver:/cvsroot/phpmyadmin co -P $branch phpMyAdmin -fi +svn export -q https://svn.sourceforge.net/svnroot/phpmyadmin/$branch/phpMyAdmin if [ $? 
-ne 0 ] ; then - echo "CVS checkout failed, bailing out" + echo "Subversion checkout failed, bailing out" exit 2 fi # Cleanup release dir LC_ALL=C date -u > phpMyAdmin/RELEASE-DATE-${target} -# Olivier asked to keep those in the cvs release, to allow testers to use -# cvs update on it -if [ "$mode" != "snapshot" ] -then - find phpMyAdmin \( -name .cvsignore -o -name CVS \) -print0 | xargs -0 rm -rf -fi - -find phpMyAdmin -type d -print0 | xargs -0 chmod 755 -find phpMyAdmin -type f -print0 | xargs -0 chmod 644 -find phpMyAdmin \( -name '*.sh' -o -name '*.pl' \) -print0 | xargs -0 chmod 755 - # Building Documentation.txt LC_ALL=C w3m -dump phpMyAdmin/Documentation.html > phpMyAdmin/Documentation.txt @@ -296,8 +238,8 @@ cat <set( 'PMA_VERSION', '2.7.1-dev' ); " - in Documentation.html the 2 lines @@ -339,12 +281,6 @@ END fi -if [ "$mode" = "snapshot" -a "$2" != "local" ] ; then - cd .. - find cvs -type d -print0 | xargs -0 chmod 775 - find cvs -type f -print0 | xargs -0 chmod 664 -fi - # Removed due to not needed thanks to clever scripting by Robbat2 # 9. update the demo subdirectory: # - in htdocs, cvs update phpMyAdmin diff --git a/sql.php b/sql.php index 0de583e50..7c35b6867 100644 --- a/sql.php +++ b/sql.php @@ -110,6 +110,9 @@ if (isset($find_real_end) && $find_real_end) { */ elseif (!isset($pos)) { $pos = 0; +} else { + /* We need this to be a integer */ + $pos = (int)$pos } /** diff --git a/tbl_properties_operations.php b/tbl_properties_operations.php index 40ea86096..b13806248 100644 --- a/tbl_properties_operations.php +++ b/tbl_properties_operations.php @@ -201,8 +201,8 @@ value="" />
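Review bot: `cd /home/groups/p/ph/phpmyadmin/htdocs` and `cd svn` are not checked and the script has no `set -e`, so if either fails the `rm -rf svn-prev`, `mv svn svn-prev` and the export all run in whatever directory the script was started from; `cd svn || exit 1` (and the same guard on the htdocs `cd`) would close that. `svn export` fetches the head of `$branch` with no `-r` revision, so two release builds from the same `branches/...` argument can produce different tarballs; pinning a revision, or at least writing `svn info` output next to `RELEASE-DATE-${target}`, would make the artifact reproducible and auditable. The removed `find ... chmod 644/755` lines mean file modes in the tarball now come solely from `svn export`; if any file lacks the `svn:executable` property that is presumably intended, but it is worth a one-line comment saying modes are trusted from the repository. Only `branch='trunk'` is visible in the earlier hunk; where `$2` overrides it for a release build is outside what is shown, so that part is assumed to exist.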
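Review bot: Same defect as in libraries/display_tbl.lib.php: `$pos = (int)$pos` lacks a semicolon before `}`, which is a parse error in sql.php, the script every query result goes through; it must be `$pos = (int)$pos;`. The cast only covers the `else` branch of this chain; the `if (isset($find_real_end) && $find_real_end)` branch named in the hunk header starts above the hunk, so whether it leaves `$pos` as an integer on its own path cannot be confirmed here. A `$pos < 0` check would be worth adding alongside the cast, since a negative offset is still not a value this code expects. The comment should read `/* We need this to be an integer */`.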
    // starting with MySQL 5.0.24, SHOW CREATE TABLE includes the AUTO_INCREMENT // next value but users can decide if they want it or not for the operation ?> - -
    + +
    @@ -370,8 +370,8 @@ foreach ($dblist as $each_db) {
    - -
    + +
    - phpMyAdmin 2.9.1-dev - Official translators + phpMyAdmin 2.9.1 - Official translators @@ -31,7 +31,7 @@
  • Glossary
  • -

    phpMyAdmin 2.9.1-dev official translators list

    +

    phpMyAdmin 2.9.1 official translators list

    Here is the list of the "official translators" of phpMyAdmin.