From a5e206fbd2ca814042cfc1bb7dd3b40c28ce3fb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@suse.cz>
Date: Mon, 7 Nov 2011 14:47:54 +0100
Subject: [PATCH 1/4] Disable loading of external XML entities when loading XML

Fixes CVE-2011-4107
---
 libraries/import/ods.php |  7 +++++++
 libraries/import/xml.php | 45 +++++++++++++++++++++++-----------------
 2 files changed, 33 insertions(+), 19 deletions(-)

diff --git a/libraries/import/ods.php b/libraries/import/ods.php
index 4bf520016..49408f652 100644
--- a/libraries/import/ods.php
+++ b/libraries/import/ods.php
@@ -63,6 +63,13 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) {
 
 unset($data);
 
+/**
+ * Disable loading of external XML entities.
+ */
+if (function_exists('libxml_disable_entity_loader')) {
+    libxml_disable_entity_loader();
+}
+
 /**
  * Load the XML string
  *
diff --git a/libraries/import/xml.php b/libraries/import/xml.php
index 640aac811..e152a9587 100644
--- a/libraries/import/xml.php
+++ b/libraries/import/xml.php
@@ -56,6 +56,13 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) {
 
 unset($data);
 
+/**
+ * Disable loading of external XML entities.
+ */
+if (function_exists('libxml_disable_entity_loader')) {
+    libxml_disable_entity_loader();
+}
+
 /**
  * Load the XML string
  *
@@ -141,19 +148,19 @@ if (isset($namespaces['pma'])) {
      * Get structures for all tables
      */
     $struct = $xml->children($namespaces['pma']);
-    
+
     $create = array();
-    
+
     foreach ($struct as $tier1 => $val1) {
         foreach($val1 as $tier2 => $val2) {
             /* Need to select the correct database for the creation of tables, views, triggers, etc. */
             /**
-             * @todo    Generating a USE here blocks importing of a table 
-             *          into another database. 
+             * @todo    Generating a USE here blocks importing of a table
+             *          into another database.
              */
             $attrs = $val2->attributes();
             $create[] = "USE " . PMA_backquote($attrs["name"]);
-            
+
             foreach ($val2 as $val3) {
                 /**
                  * Remove the extra cosmetic spacing
@@ -163,7 +170,7 @@ if (isset($namespaces['pma'])) {
             }
         }
     }
-    
+
     $struct_present = true;
 }
 
@@ -179,13 +186,13 @@ $data_present = false;
  */
 if (@count($xml->children())) {
     $data_present = true;
-    
+
     /**
      * Process all database content
      */
     foreach ($xml as $k1 => $v1) {
         $tbl_attr = $v1->attributes();
-        
+
         $isInTables = false;
         for ($i = 0; $i < count($tables); ++$i) {
             if (! strcmp($tables[$i][TBL_NAME], (string)$tbl_attr['name'])) {
@@ -193,11 +200,11 @@ if (@count($xml->children())) {
                 break;
             }
         }
-        
+
         if ($isInTables == false) {
             $tables[] = array((string)$tbl_attr['name']);
         }
-        
+
         foreach ($v1 as $k2 => $v2) {
             $row_attr = $v2->attributes();
             if (! array_search((string)$row_attr['name'], $tempRow))
@@ -206,17 +213,17 @@ if (@count($xml->children())) {
             }
             $tempCells[] = (string)$v2;
         }
-        
+
         $rows[] = array((string)$tbl_attr['name'], $tempRow, $tempCells);
-        
+
         $tempRow = array();
         $tempCells = array();
     }
-    
+
     unset($tempRow);
     unset($tempCells);
     unset($xml);
-    
+
     /**
      * Bring accumulated rows into the corresponding table
      */
@@ -227,17 +234,17 @@ if (@count($xml->children())) {
                 if (! isset($tables[$i][COL_NAMES])) {
                     $tables[$i][] = $rows[$j][COL_NAMES];
                 }
-                
+
                 $tables[$i][ROWS][] = $rows[$j][ROWS];
             }
         }
     }
-    
+
     unset($rows);
-    
+
     if (! $struct_present) {
         $analyses = array();
-        
+
         $len = count($tables);
         for ($i = 0; $i < $len; ++$i) {
             $analyses[] = PMA_analyzeTable($tables[$i]);
@@ -289,7 +296,7 @@ if (strlen($db)) {
     if ($db_name === NULL) {
         $db_name = 'XML_DB';
     }
-    
+
     /* Set database collation/charset */
     $options = array(
         'db_collation' => $collation,

From 34d99de000de9d15cfdf5e9cc8b7682d51110bbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@suse.cz>
Date: Mon, 7 Nov 2011 15:18:10 +0100
Subject: [PATCH 2/4] Disable XML loading plugins on old PHP

When libxml_disable_entity_loader is not available, we can not guarantee
safe handling of XML data.
---
 libraries/import/ods.php | 11 ++++++++---
 libraries/import/xml.php | 11 ++++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/libraries/import/ods.php b/libraries/import/ods.php
index 49408f652..90160160e 100644
--- a/libraries/import/ods.php
+++ b/libraries/import/ods.php
@@ -13,6 +13,13 @@ if (! defined('PHPMYADMIN')) {
     exit;
 }
 
+/**
+ * We need way to disable external XML entities processing.
+ */
+if (!function_exists('libxml_disable_entity_loader')) {
+    return;
+}
+
 /**
  * The possible scopes for $plugin_param are: 'table', 'database', and 'server'
  */
@@ -66,9 +73,7 @@ unset($data);
 /**
  * Disable loading of external XML entities.
  */
-if (function_exists('libxml_disable_entity_loader')) {
-    libxml_disable_entity_loader();
-}
+libxml_disable_entity_loader();
 
 /**
  * Load the XML string
diff --git a/libraries/import/xml.php b/libraries/import/xml.php
index e152a9587..ce20fe795 100644
--- a/libraries/import/xml.php
+++ b/libraries/import/xml.php
@@ -12,6 +12,13 @@ if (! defined('PHPMYADMIN')) {
     exit;
 }
 
+/**
+ * We need way to disable external XML entities processing.
+ */
+if (!function_exists('libxml_disable_entity_loader')) {
+    return;
+}
+
 /**
  * The possible scopes for $plugin_param are: 'table', 'database', and 'server'
  */
@@ -59,9 +66,7 @@ unset($data);
 /**
  * Disable loading of external XML entities.
  */
-if (function_exists('libxml_disable_entity_loader')) {
-    libxml_disable_entity_loader();
-}
+libxml_disable_entity_loader();
 
 /**
  * Load the XML string

From 4dd5c0d0dc413d2cb2cfcb31f8d4aec0c753033c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@suse.cz>
Date: Mon, 7 Nov 2011 15:49:53 +0100
Subject: [PATCH 3/4] Changelog entry

---
 ChangeLog | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 1e06756fc..7d3d630fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+3.4.7.0 (not yet released)
+- [security] Fixed possible local file inclusion in XML import (CVE-2011-4107).
+
 3.4.7.0 (2011-10-23)
 - bug #3418610 [interface] Links in navigation when $cfg['MainPageIconic'] = false
 - bug #3418849 [interface] Inline edit shows dropdowns even after closing

From 05f96b921a7e7dacd02be5ca61b2e7bdd014ee55 Mon Sep 17 00:00:00 2001
From: Marc Delisle <marc@infomarc.info>
Date: Thu, 10 Nov 2011 04:55:31 -0500
Subject: [PATCH 4/4] New PHP requirements for XML and ODS importing

---
 Documentation.html | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Documentation.html b/Documentation.html
index 834215c2d..d376f7358 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -82,6 +82,9 @@ vim: expandtab ts=4 sw=4 sts=4 tw=78
                 <li>To support BLOB streaming, see PHP and MySQL requirements
                 in <a href="#faq6_25">
                     <abbr title="Frequently Asked Questions">FAQ</abbr> 6.25</a>.</li>
+                <li>To support XML and Open Document Spreadsheet importing,
+                you need PHP 5.2.17 or newer and the 
+                <a href="http://www.php.net/libxml"><tt>libxml</tt></a> extension.</li>
         </ul>
     </li>
     <li><b>MySQL</b> 5.0 or newer (<a href="#faq1_17">details</a>);</li>