port 2.11.7.1 fix

This commit is contained in:
Marc Delisle
2008-07-15 18:42:50 +00:00
parent c221da970d
commit d7e910e296
8 changed files with 26 additions and 21 deletions

View File

@@ -23,6 +23,11 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug [history] Do not save too big queries in history
- [security] Do not show version info on login screen
2.11.7.1 (2008-07-15)
- bug [security] XSRF/CSRF by manipulating the db,
convcharset and collation_connection parameters,
thanks to YGN Ethical Hacker Group
2.11.7.0 (2008-06-23)
- bug #1908719 [interface] New field cannot be auto-increment and primary key
- [dbi] Incorrect interpretation for some mysqli field flags
@@ -212,7 +217,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1810629 [setup] XSS in setup.php, thanks to Omer Singer, The DigiTrust Group
2.11.1.0 (2007-09-20)
- bug #1783667 [export] NO_AUTO_VALUE_ON_ZERO and MySQL version
- bug #1780098 [GUI] Logout causes CSS loss, thanks to Juergen Wind
. incorrect field ids, thanks to Michael Keck
@@ -231,7 +235,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1798627 [GUI] Wrong storage engine displayed
2.11.0.0 (2007-08-21)
+ [import] support handling of DELIMITER to mimic mysql CLI, thanks to fb1
+ improved PHP 6 compatibility
- bug #1674914 [structure] changing definition of a TIMESTAMP field
@@ -330,7 +333,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1771721 Old SVN URLs
2.10.3.0 (2007-07-20)
- bug #1734285 Copy database with VIEWs
- bug #1722502 DROP TABLE in export VIEW
- bug #1729027 Sorting results of VIEW browsing
@@ -344,7 +346,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- Do not try to delete an internal relation if we just deleted an InnoDB one
2.10.2.0 (2007-06-15)
+ [data] display all warnings, not only last one
- typo in fix for bug #1671813
- bug #1714908 Inserted Row Count is wrong
@@ -367,8 +368,6 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- patch #1731280 Avoid negative exponent in gmp_pow(), thanks to anosek
2.10.1.0 (2007-04-23)
=====================
- bug #1541147 [js] '#' in database names not correctly handled by queywindow.js
- bug #1671403 [parser] using "client" as table name
- bug #1672379 [core] Call to undefined function PMA_removeCookie()
@@ -401,19 +400,13 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1704467 XSS vulnerability in browse_foreigners.php, thanks to sp3x SecurityReason
2.10.0.2 (2007-03-02)
=====================
+ bug #1671813 CVE-2006-1549 deep recursion crash
2.10.0.1 (2007-03-01)
=====================
. [config] set $cfg['Servers'][$i]['ssl'] default value to false,
we got reports from some users having problems with the default value of true
2.10.0.0 (2007-02-28)
=====================
- bug #1659176 [general] memory error displaying a table with large BLOBs
- bug #1668662 [install] can create the new pma_designer_coords table
+ [gui] navi logo now links to main page by default, with still the possibility

View File

@@ -2750,7 +2750,8 @@ SetInputFilter PHP
<a href="#faq1_34">1.34 Can I access directly to database or table pages?</a></h4>
<p> Yes. Out of the box, you can use <abbr title="Uniform Resource Locator">URL</abbr>s like
http://server/phpMyAdmin/index.php?db=database&amp;table=table&amp;target=script.
http://server/phpMyAdmin/index.php?server=X&amp;db=database&amp;table=table&amp;target=script. For <tt>server</tt> you use the server number which refers to
the order of the server paragraph in <tt>config.inc.php</tt>.
Table and script parts are optional. If you want
http://server/phpMyAdmin/database[/table][/script] <abbr title="Uniform Resource Locator">URL</abbr>s, you need to do
some configuration. Following lines apply only for <a

View File

@@ -12,7 +12,7 @@ require_once './libraries/common.inc.php';
$js_to_run = 'functions.js';
require_once './libraries/mysql_charsets.lib.php';
PMA_checkParameters(array('db'));
PMA_checkParameters(array('new_db'));
/**
* Defines the url to return to in case of error in a sql statement
@@ -22,7 +22,7 @@ $err_url = 'main.php?' . PMA_generate_common_url();
/**
* Builds and executes the db creation sql query
*/
$sql_query = 'CREATE DATABASE ' . PMA_backquote($db);
$sql_query = 'CREATE DATABASE ' . PMA_backquote($new_db);
if (!empty($db_collation) && PMA_MYSQL_INT_VERSION >= 40101) {
list($db_charset) = explode('_', $db_collation);
if (in_array($db_charset, $mysql_charsets) && in_array($db_collation, $mysql_collations[$db_charset])) {
@@ -42,7 +42,8 @@ if (! $result) {
require_once './libraries/header.inc.php';
require_once './main.php';
} else {
$message = $strDatabase . ' ' . htmlspecialchars($db) . ' ' . $strHasBeenCreated;
$message = $strDatabase . ' ' . htmlspecialchars($new_db) . ' ' . $strHasBeenCreated;
$GLOBALS['db'] = $new_db;
require_once './libraries/header.inc.php';
require_once './' . $cfg['DefaultTabDatabase'];
}

View File

@@ -124,6 +124,7 @@ header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
var db = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
var token = '<?php echo PMA_escapeJsString($_SESSION[' PMA_token ']); ?>';
var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';

View File

@@ -75,6 +75,7 @@ function setTable(new_table) {
*
* @uses goTo()
* @uses opendb_url
* @uses token
* @uses db
* @uses server
* @uses table
@@ -92,6 +93,7 @@ function refreshMain(url) {
}
}
goTo(url + '?server=' + encodeURIComponent(server) +
'&token=' + encodeURIComponent(token) +
'&db=' + encodeURIComponent(db) +
'&table=' + encodeURIComponent(table) +
'&lang=' + encodeURIComponent(lang) +
@@ -103,6 +105,7 @@ function refreshMain(url) {
* reloads navigation frame
*
* @uses goTo()
* @uses token
* @uses db
* @uses server
* @uses table
@@ -112,6 +115,7 @@ function refreshMain(url) {
*/
function refreshNavigation() {
goTo('navigation.php?server=' + encodeURIComponent(server) +
'&token=' + encodeURIComponent(token) +
'&db=' + encodeURIComponent(db) +
'&table=' + encodeURIComponent(table) +
'&lang=' + encodeURIComponent(lang) +
@@ -185,8 +189,8 @@ function markDbTable(db, table)
/**
* sets current selected server, table and db (called from libraries/footer.inc.php)
*/
function setAll( new_lang, new_collation_connection, new_server, new_db, new_table ) {
//alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ' )');
function setAll( new_lang, new_collation_connection, new_server, new_db, new_table, new_token ) {
//alert('setAll( ' + new_lang + ', ' + new_collation_connection + ', ' + new_server + ', ' + new_db + ', ' + new_table + ', ' + new_token + ' )');
if (new_server != server || new_lang != lang
|| new_collation_connection != collation_connection) {
// something important has changed
@@ -195,6 +199,7 @@ function setAll( new_lang, new_collation_connection, new_server, new_db, new_tab
table = new_table;
collation_connection = new_collation_connection;
lang = new_lang;
token = new_token;
refreshNavigation();
} else if (new_db != db || new_table != table) {
// save new db and table

View File

@@ -398,7 +398,10 @@ if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['
* List of parameters which are allowed from unsafe source
*/
$allow_list = array(
'db', 'table', 'lang', 'server', 'convcharset', 'collation_connection', 'target',
/* needed for direct access, see FAQ 1.34
* also, server needed for cookie login screen (multi-server)
*/
'server', 'db', 'table', 'target',
/* Session ID */
'phpMyAdmin',
/* Cookie preferences */

View File

@@ -21,7 +21,7 @@ if ($is_create_db_priv) {
<?php echo '<label for="text_create_db">' . $strCreateNewDatabase . '</label>&nbsp;' . PMA_showMySQLDocu('SQL-Syntax', 'CREATE_DATABASE'); ?></b><br />
<?php echo PMA_generate_common_hidden_inputs('', '', 5); ?>
<input type="hidden" name="reload" value="1" />
<input type="text" name="db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/>
<input type="text" name="new_db" value="<?php echo $db_to_create; ?>" maxlength="64" class="textfield" id="text_create_db"/>
<?php
if (PMA_MYSQL_INT_VERSION >= 40101) {
require_once './libraries/mysql_charsets.lib.php';

View File

@@ -74,7 +74,8 @@ if (window.parent.setAll) {
echo PMA_escapeJsString($GLOBALS['collation_connection']) . "', '";
echo PMA_escapeJsString($GLOBALS['server']) . "', '";
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['db'], '')) . "', '";
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')); ?>');
echo PMA_escapeJsString(PMA_ifSetOr($GLOBALS['table'], '')) . "', '";
echo PMA_escapeJsString($_SESSION[' PMA_token ']);?>');
}
<?php
if (! empty($GLOBALS['reload'])) {