From 4039683ab3ca63c979948e02345b6d38452f8dee Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Fri, 2 Sep 2011 12:40:33 -0400
Subject: [PATCH 1/3] Preparing 3.4.5-rc1
---
Documentation.html | 4 ++--
README | 2 +-
libraries/Config.class.php | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Documentation.html b/Documentation.html
index 1e11f8d6e..019939ecc 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -9,7 +9,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
- phpMyAdmin 3.4.5-dev - Documentation
+ phpMyAdmin 3.4.5-rc1 - Documentation
@@ -17,7 +17,7 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
diff --git a/README b/README
index 9c627c577..a83606811 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
phpMyAdmin - Readme
===================
-Version 3.4.5-dev
+Version 3.4.5-rc1
A set of PHP-scripts to manage MySQL over the web.
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index f76d545ac..96fd61d5f 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -96,7 +96,7 @@ class PMA_Config
*/
function checkSystem()
{
- $this->set('PMA_VERSION', '3.4.5-dev');
+ $this->set('PMA_VERSION', '3.4.5-rc1');
/**
* @deprecated
*/
From 2f28ce9c800274190418da0945ce3647d36e1db6 Mon Sep 17 00:00:00 2001
From: Herman van Rink
Date: Fri, 19 Aug 2011 13:12:04 +0200
Subject: [PATCH 2/3] [security] Fixed XSS in Inline Edit on save action
---
ChangeLog | 1 +
js/sql.js | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 20e175148..137616921 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@ phpMyAdmin - ChangeLog
- bug #3374347 [display] Backquotes in normal text on import page
- bug #3358750 [core] With Suhosin, urls are too long in edit links
- [security] Missing sanitization on the table, column and index names leads to XSS vulnerabilities, see PMASA-2011-13
+- [security] Fixed XSS in Inline Edit on save action
3.4.3.2 (2011-07-23)
- [security] Fixed XSS vulnerability, see PMASA-2011-9
diff --git a/js/sql.js b/js/sql.js
index dbba44136..842b6c6b9 100644
--- a/js/sql.js
+++ b/js/sql.js
@@ -1111,7 +1111,7 @@ function PMA_unInlineEditRow($del_hide, $chg_submit, $this_td, $input_siblings,
}
}
}
- $this_sibling.html(new_html);
+ $this_sibling.text(new_html);
}
})
}
From bda213c58aec44925be661acb0e76c19483ea170 Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Thu, 8 Sep 2011 15:38:40 -0400
Subject: [PATCH 3/3] Escape HTML in js-generated confirmation messages
---
ChangeLog | 3 ++-
js/functions.js | 15 +++++++++++++--
js/tbl_structure.js | 4 ++--
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 137616921..326c8c0ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,8 @@ phpMyAdmin - ChangeLog
- [export] Remove native Excel export modules (xls and xlsx formats)
- [import] Remove native Excel import modules (xls and xlsx formats)
- bug #3392920 [edit] BLOB emptied after editing another column
+- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14
+- [security] Fixed XSS with db/table/column names, see PMASA-2011-14
3.4.4.0 (2011-08-24)
- bug #3323060 [parser] SQL parser breaks AJAX requests if query has unclosed quotes
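Review bot: The cell value is now written with `.text()` while the variable feeding it is still called `new_html`, so the next reader will take it for markup and is likely to restore `.html()`; rename it or pin the intent at the call site with `// .text(), not .html(): the saved cell value is user data and must be rendered literally`. The change only protects this one sink: wherever `new_html` is assembled (above the hunk, outside the view) any markup it intentionally carried now shows up as literal text, and those spots would need escaping of the user-supplied part instead. PMA_unInlineEditRow begins before the hunk.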
@@ -31,7 +33,6 @@ phpMyAdmin - ChangeLog
- bug #3374347 [display] Backquotes in normal text on import page
- bug #3358750 [core] With Suhosin, urls are too long in edit links
- [security] Missing sanitization on the table, column and index names leads to XSS vulnerabilities, see PMASA-2011-13
-- [security] Fixed XSS in Inline Edit on save action
3.4.3.2 (2011-07-23)
- [security] Fixed XSS vulnerability, see PMASA-2011-9
diff --git a/js/functions.js b/js/functions.js
index 75fd6776d..b07666186 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -172,7 +172,7 @@ function selectContent( element, lock, only_once ) {
}
/**
- * Displays a confirmation box before to submit a "DROP/DELETE/ALTER" query.
+ * Displays a confirmation box before submitting a "DROP/DELETE/ALTER" query.
* This function is called while clicking links
*
* @param object the link
@@ -1657,7 +1657,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + window.parent.db;
+ var question = PMA_messages['strDropDatabaseStrongWarning'] + '\n' + PMA_messages['strDoYouReally'] + ' :\n' + 'DROP DATABASE ' + escapeHtml(window.parent.db);
$(this).PMA_confirm(question, $(this).attr('href') ,function(url) {
@@ -2287,3 +2287,14 @@ $(document).ready(function() {
}) // end of $(document).ready()
+/**
+ * HTML escaping
+ */
+function escapeHtml(unsafe) {
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+}
diff --git a/js/tbl_structure.js b/js/tbl_structure.js
index 352848cb6..493f0eb4e 100644
--- a/js/tbl_structure.js
+++ b/js/tbl_structure.js
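Review bot: `escapeHtml` in the last hunk calls `.replace` straight on its argument, so a non-string input throws instead of being escaped; at the 1657 call site that argument is `window.parent.db`, and nothing in the diff shows it is always a defined string, so a missing value would turn the DROP DATABASE confirmation into a script error. Guard the entry with `if (unsafe == null) { return ''; }` and continue with `return String(unsafe)` before the replace chain. As this patch renders, the replacement pairs read as identities (`/&/g` → `"&"`, `/"/g` → `"""`) and the `<`/`>` step has collapsed to `//g`; that looks like entity text decoded while the page was rendered, but if the committed file really contains these literals the function escapes nothing, so verify the file itself. Escaping is also applied per call site rather than in PMA_confirm, whose body is outside the diff; the two js/tbl_structure.js hunks repeat the same pattern, and any other caller that concatenates a name into its question stays unprotected unless the sink escapes centrally.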
@@ -44,7 +44,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` DROP `' + curr_column_name + '`';
+ var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` DROP `' + escapeHtml(curr_column_name) + '`';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
@@ -83,7 +83,7 @@ $(document).ready(function() {
/**
* @var question String containing the question to be asked for confirmation
*/
- var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + curr_table_name + '` ADD PRIMARY KEY(`' + curr_column_name + '`)';
+ var question = PMA_messages['strDoYouReally'] + ' :\n ALTER TABLE `' + escapeHtml(curr_table_name) + '` ADD PRIMARY KEY(`' + escapeHtml(curr_column_name) + '`)';
$(this).PMA_confirm(question, $(this).attr('href'), function(url) {
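Review bot: Both hunks call `escapeHtml`, which this patch series defines at the end of js/functions.js, so tbl_structure.js now depends on that file being loaded first; nothing in the diff shows the include order, so either confirm it or give the helper a home both scripts share. The escaping is HTML-level while the text is presented as a SQL statement inside backticks, which is right only if PMA_confirm renders `question` as HTML (its body is not in the diff); if it ever goes through a plain `confirm()` or `.text()`, names will display with entity sequences such as `&amp;` instead of the raw character. A short comment above each `var question`, e.g. `// table/column names are user-controlled; escape for the HTML confirmation dialog`, would tell the next reader why plain concatenation was not enough. The enclosing `$(document).ready` handler starts and ends outside both hunks.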