nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix XSS on username.

Browse Source
This commit is contained in:
Michal Čihař
2010-08-18 12:25:35 +02:00
parent 1fe1aa6c0e
commit 8b7f07cd95
1 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
server_privileges.php
View File

@@ -602,7 +602,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
. $spaces . ' <option value="userdefined"' . ((!isset($GLOBALS['pred_username']) || $GLOBALS['pred_username'] == 'userdefined') ? ' selected="selected"' : '') . '>' . $GLOBALS['strUseTextField'] . ':</option>' . "\n" . $spaces . ' <option value="userdefined"' . ((!isset($GLOBALS['pred_username']) || $GLOBALS['pred_username'] == 'userdefined') ? ' selected="selected"' : '') . '>' . $GLOBALS['strUseTextField'] . ':</option>' . "\n"
. $spaces . ' </select>' . "\n" . $spaces . ' </select>' . "\n"
. $spaces . '</span>' . "\n" . $spaces . '</span>' . "\n"
. $spaces . '<input type="text" name="username" maxlength="' . $username_length . '" title="' . $GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username']) ? '' : ' value="' . (isset($GLOBALS['new_username']) ? $GLOBALS['new_username'] : $GLOBALS['username']) . '"') . ' onchange="pred_username.value = \'userdefined\';" />' . "\n" . $spaces . '<input type="text" name="username" maxlength="' . $username_length . '" title="' . $GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username']) ? '' : ' value="' . htmlspecialchars(isset($GLOBALS['new_username']) ? $GLOBALS['new_username'] : $GLOBALS['username']) . '"') . ' onchange="pred_username.value = \'userdefined\';" />' . "\n"
. $spaces . '</div>' . "\n" . $spaces . '</div>' . "\n"
. $spaces . '<div class="item">' . "\n" . $spaces . '<div class="item">' . "\n"
. $spaces . '<label for="select_pred_hostname">' . "\n" . $spaces . '<label for="select_pred_hostname">' . "\n"
@@ -757,7 +757,7 @@ if (!empty($adduser_submit) || !empty($change_copy)) {
if (PMA_DBI_num_rows($res) == 1) { if (PMA_DBI_num_rows($res) == 1) {
PMA_DBI_free_result($res); PMA_DBI_free_result($res);
$message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . $username . '\'@\'' . $hostname . '\'[/i]'); $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'[/i]');
$adduser = 1; $adduser = 1;
} else { } else {
PMA_DBI_free_result($res); PMA_DBI_free_result($res);
@@ -1048,7 +1048,7 @@ if (!empty($update_privs)) {
$sql_query = (isset($sql_query0) ? $sql_query0 . ' ' : '') $sql_query = (isset($sql_query0) ? $sql_query0 . ' ' : '')
. (isset($sql_query1) ? $sql_query1 . ' ' : '') . (isset($sql_query1) ? $sql_query1 . ' ' : '')
. $sql_query2; . $sql_query2;
$message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . $username . '\'@\'' . $hostname . '\''); $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
} }
@@ -1080,7 +1080,7 @@ if (!empty($revokeall)) {
unset($sql_query1); unset($sql_query1);
} }
$sql_query = $sql_query0 . (isset($sql_query1) ? ' ' . $sql_query1 : ''); $sql_query = $sql_query0 . (isset($sql_query1) ? ' ' . $sql_query1 : '');
$message = sprintf($GLOBALS['strRevokeMessage'], '\'' . $username . '\'@\'' . $hostname . '\''); $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
if (! isset($tablename) || ! strlen($tablename)) { if (! isset($tablename) || ! strlen($tablename)) {
unset($dbname); unset($dbname);
} else { } else {
@@ -1115,7 +1115,7 @@ if (!empty($change_pw)) {
$sql_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')'); $sql_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
$local_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')'); $local_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = sprintf($GLOBALS['strPasswordChanged'], '\'' . $username . '\'@\'' . $hostname . '\''); $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
} }
} }
@@ -1588,7 +1588,7 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
echo '<h2>' . "\n" echo '<h2>' . "\n"
. ($GLOBALS['cfg']['PropertiesIconic'] ? '<img class="icon" src="' . $pmaThemeImage . 'b_usredit.png" width="16" height="16" alt="" />' : '') . ($GLOBALS['cfg']['PropertiesIconic'] ? '<img class="icon" src="' . $pmaThemeImage . 'b_usredit.png" width="16" height="16" alt="" />' : '')
. $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&amp;username=' . urlencode($username) . '&amp;hostname=' . urlencode($hostname) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n"; . $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&amp;username=' . htmlspecialchars(urlencode($username)) . '&amp;hostname=' . urlencode($hostname) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n";
if (isset($dbname) && strlen($dbname)) { if (isset($dbname) && strlen($dbname)) {
if ($dbname_is_wildcard) { if ($dbname_is_wildcard) {
echo ' - ' . $GLOBALS['strDatabases']; echo ' - ' . $GLOBALS['strDatabases'];
@@ -1839,14 +1839,14 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
} }
echo '</td>' . "\n" echo '</td>' . "\n"
. ' <td>'; . ' <td>';
printf($link_edit, urlencode($username), printf($link_edit, htmlspecialchars(urlencode($username)),
urlencode($hostname), urlencode($hostname),
htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)), htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name'])); urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n" echo '</td>' . "\n"
. ' <td>'; . ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) { if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
printf($link_revoke, urlencode($username), printf($link_revoke, htmlspecialchars(urlencode($username)),
urlencode($hostname), urlencode($hostname),
htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)), htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name'])); urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));