nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix XSS on username.

Browse Source
This commit is contained in:
Michal Čihař
2010-08-18 12:12:09 +02:00
parent 7dc6cea065
commit cd205cc55a
1 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
server_privileges.php
View File

@@ -1151,7 +1151,7 @@ if (!empty($update_privs)) {
} }
$sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2; $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
$message = PMA_Message::success('strUpdatePrivMessage'); $message = PMA_Message::success('strUpdatePrivMessage');
$message->addParam('\'' . $username . '\'@\'' . $hostname . '\''); $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
} }
@@ -1175,7 +1175,7 @@ if (isset($_REQUEST['revokeall'])) {
} }
$sql_query = $sql_query0 . ' ' . $sql_query1; $sql_query = $sql_query0 . ' ' . $sql_query1;
$message = PMA_Message::success('strRevokeMessage'); $message = PMA_Message::success('strRevokeMessage');
$message->addParam('\'' . $username . '\'@\'' . $hostname . '\''); $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
if (! isset($tablename)) { if (! isset($tablename)) {
unset($dbname); unset($dbname);
} else { } else {
@@ -1211,7 +1211,7 @@ if (isset($_REQUEST['change_pw'])) {
PMA_DBI_try_query($local_query) PMA_DBI_try_query($local_query)
or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = PMA_Message::success('strPasswordChanged'); $message = PMA_Message::success('strPasswordChanged');
$message->addParam('\'' . $username . '\'@\'' . $hostname . '\''); $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
} }
} }
@@ -1590,7 +1590,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (isset($dbname)) { if (isset($dbname)) {
echo ' <i><a href="server_privileges.php?' echo ' <i><a href="server_privileges.php?'
. $GLOBALS['url_query'] . '&amp;username=' . urlencode($username) . $GLOBALS['url_query'] . '&amp;username=' . htmlspecialchars(urlencode($username))
. '&amp;hostname=' . urlencode($hostname) . '&amp;dbname=&amp;tablename=">\'' . '&amp;hostname=' . urlencode($hostname) . '&amp;dbname=&amp;tablename=">\''
. htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname)
. '\'</a></i>' . "\n"; . '\'</a></i>' . "\n";
@@ -1599,7 +1599,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] ); echo ' - ' . ($dbname_is_wildcard ? $GLOBALS['strDatabases'] : $GLOBALS['strDatabase'] );
if (isset($tablename)) { if (isset($tablename)) {
echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] echo ' <i><a href="server_privileges.php?' . $GLOBALS['url_query']
. '&amp;username=' . urlencode($username) . '&amp;hostname=' . urlencode($hostname) . '&amp;username=' . htmlspecialchars(urlencode($username)) . '&amp;hostname=' . urlencode($hostname)
. '&amp;dbname=' . htmlspecialchars($url_dbname) . '&amp;tablename=">' . htmlspecialchars($dbname) . '</a></i>'; . '&amp;dbname=' . htmlspecialchars($url_dbname) . '&amp;tablename=">' . htmlspecialchars($dbname) . '</a></i>';
echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>'; echo ' - ' . $GLOBALS['strTable'] . ' <i>' . htmlspecialchars($tablename) . '</i>';
} else { } else {
@@ -1834,14 +1834,14 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
} }
echo '</td>' . "\n" echo '</td>' . "\n"
. ' <td>'; . ' <td>';
printf($link_edit, urlencode($username), printf($link_edit, htmlspecialchars(urlencode($username)),
urlencode($hostname), urlencode($hostname),
urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name'])); urlencode((! isset($dbname)) ? '' : $row['Table_name']));
echo '</td>' . "\n" echo '</td>' . "\n"
. ' <td>'; . ' <td>';
if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) { if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
printf($link_revoke, urlencode($username), printf($link_revoke, htmlspecialchars(urlencode($username)),
urlencode($hostname), urlencode($hostname),
urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)), urlencode((! isset($dbname)) ? $row['Db'] : htmlspecialchars($dbname)),
urlencode((! isset($dbname)) ? '' : $row['Table_name'])); urlencode((! isset($dbname)) ? '' : $row['Table_name']));