From b289fe082441dc739939b0ba15dae0d9dc6cee92 Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Mon, 21 Nov 2011 17:53:10 -0500
Subject: [PATCH 1/5] [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
---
 ChangeLog | 1 +
 libraries/server_synchronize.lib.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c4817ff03..e1bae5965 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,7 @@ phpMyAdmin - ChangeLog
 - bug #3439292 [core] Fail to synchronize column with name of keyword
 - bug #3425156 [interface] Add column after drop
 - [interface] Avoid showing the password in phpinfo()'s output
+- [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
 3.4.7.1 (2011-11-10)
 - [security] Fixed possible local file inclusion in XML import
diff --git a/libraries/server_synchronize.lib.php b/libraries/server_synchronize.lib.php
index c1b9159a7..53ad9d788 100644
--- a/libraries/server_synchronize.lib.php
+++ b/libraries/server_synchronize.lib.php
@@ -1335,7 +1335,7 @@ function PMA_syncDisplayHeaderSource($src_db) { echo ''; echo '';
- echo '
' . __('Source database') . ': ' . $src_db . '
(';
+ echo '
' . __('Source database') . ': ' . htmlspecialchars($src_db) . '
(';
 if ('cur' == $_SESSION['src_type']) {
 echo __('Current server');
 } else {
@@ -1358,7 +1358,7 @@ function PMA_syncDisplayHeaderSource($src_db) { function PMA_syncDisplayHeaderTargetAndMatchingTables($trg_db, $matching_tables) { echo ''; echo '';
- echo ' - +
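Review bot: `PMA_syncDisplayHeaderSource()` in `libraries/server_synchronize.lib.php` still carries no record that `$src_db` arrives as a raw, user-chosen name, so the escaping added at this one `echo` is easy to lose the next time the header markup is edited. A short docblock on the function would pin that, for example `@param string $src_db source database name, unescaped; escape at output`. The same applies to `$trg_db` in `PMA_syncDisplayHeaderTargetAndMatchingTables()` in the next hunk. The `else` branch after the 'Current server' case continues outside the hunk; if it prints remote-server details held in `$_SESSION`, those presumably come from the same form and should be checked for the same output encoding.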
' . __('Target database') . ': '. $trg_db . '
(';
+ echo '
' . __('Target database') . ': '. htmlspecialchars($trg_db) . '
(';
 if ('cur' == $_SESSION['trg_type']) {
 echo __('Current server');
 } else {
From 1490533d91e9d3820e78ca4eac7981886eaea2cb Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Mon, 21 Nov 2011 18:08:49 -0500
Subject: [PATCH 2/5] [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
---
 ChangeLog | 1 +
 js/db_operations.js | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index e1bae5965..be1e9ead4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@ phpMyAdmin - ChangeLog
 - bug #3425156 [interface] Add column after drop
 - [interface] Avoid showing the password in phpinfo()'s output
 - [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
+- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
 3.4.7.1 (2011-11-10)
 - [security] Fixed possible local file inclusion in XML import
diff --git a/js/db_operations.js b/js/db_operations.js
index b0536942c..ad3963535 100644
--- a/js/db_operations.js
+++ b/js/db_operations.js
@@ -32,7 +32,7 @@ $(document).ready(function() { var $form = $(this);
- var question = 'CREATE DATABASE ' + $('#new_db_name').val() + ' / DROP DATABASE ' + window.parent.db;
+ var question = escapeHtml('CREATE DATABASE ' + $('#new_db_name').val() + ' / DROP DATABASE ' + window.parent.db);
 PMA_prepareForAjaxRequest($form);
 /**
From bc45a1048d2f5ca8a532f774ddb1dd80985dff3d Mon Sep 17 00:00:00 2001
From: Rouslan Placella
Date: Tue, 22 Nov 2011 12:38:22 -0500
Subject: [PATCH 3/5] [security] Self-XSS on column type (Create index), see PMASA-2011-18
---
 ChangeLog | 1 +
 tbl_indexes.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index be1e9ead4..f7eb3e5d8 100644
--- a/ChangeLog
+++ b/ChangeLog
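Review bot: `$matching_tables` is the second parameter of `PMA_syncDisplayHeaderTargetAndMatchingTables()` in `libraries/server_synchronize.lib.php`, and this hunk encodes only `$trg_db`. Table names are as user-controlled as database names, so if the rest of the body, which lies outside this hunk, prints entries of `$matching_tables`, each should go through `htmlspecialchars()` at the point of output as well. That is worth confirming before the Synchronize page is considered covered for PMASA-2011-18.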
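Review bot: In `js/db_operations.js` the escaping of `question` is only correct because of how the string is consumed later, and nothing at this line says so. The consumer is outside the hunk; presumably the confirmation dialog inserts the text as HTML, in which case a later switch to text-only insertion would show the name double-encoded, and dropping the call as "redundant" would bring the injection back. A comment above the assignment would pin the contract: `// question is rendered as HTML by the confirm dialog; the typed name and window.parent.db are untrusted, so encode the whole string`. It is also worth confirming that `escapeHtml` is defined in a script loaded wherever this file is included, since its definition is not part of this patch.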
@@ -21,6 +21,7 @@ phpMyAdmin - ChangeLog
 - [interface] Avoid showing the password in phpinfo()'s output
 - [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
 - [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
+- [security] Self-XSS on column type (Create index), see PMASA-2011-18
 3.4.7.1 (2011-11-10)
 - [security] Fixed possible local file inclusion in XML import
diff --git a/tbl_indexes.php b/tbl_indexes.php
index 54923a0f8..ac3238721 100644
--- a/tbl_indexes.php
+++ b/tbl_indexes.php
@@ -200,7 +200,7 @@ foreach ($index->getColumns() as $column) { || preg_match('/(char|text)/i', $field_type)) { echo '' . "\n"; } } // end foreach $fields
@@ -222,7 +222,7 @@ for ($i = 0; $i < $add_fields; $i++) { $field_type) { echo '' . "\n"; } // end foreach $fields ?>
From dac8d6ce256333ff45b5f46270304b8657452740 Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Tue, 22 Nov 2011 12:46:46 -0500
Subject: [PATCH 4/5] [security] Self-XSS on column type (table Search), see PMASA-2011-18
---
 ChangeLog | 1 +
 tbl_select.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f7eb3e5d8..b8f159afe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@ phpMyAdmin - ChangeLog
 - [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
 - [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
 - [security] Self-XSS on column type (Create index), see PMASA-2011-18
+- [security] Self-XSS on column type (table Search), see PMASA-2011-18
 3.4.7.1 (2011-11-10)
 - [security] Fixed possible local file inclusion in XML import
diff --git a/tbl_select.php b/tbl_select.php
index 2cb008629..841422292 100644
--- a/tbl_select.php
+++ b/tbl_select.php
@@ -124,7 +124,7 @@ if (!isset($param) || $param[0] == '') { ?>