
Annotation of /rpms/phpMyAdmin/contribs10/phpMyAdmin-4.4.15.10-force-links.patch



Revision 1.1 - (hide annotations) (download)
Sun Feb 28 06:34:54 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: phpMyAdmin-4_4_15_10-4_el7
from epel

1 jpp 1.1 Backported patch for phpMyAdmin 4.4.x: browsing mysql.user and mysql.db showed code instead of usernames.
2    
3     Further details:
4     - https://github.com/phpmyadmin/phpmyadmin/issues/12483
5     - https://github.com/phpmyadmin/phpmyadmin/issues/12341
6     - https://github.com/phpmyadmin/phpmyadmin/issues/12479
7     - https://github.com/phpmyadmin/phpmyadmin/commit/38cf23470728537bed4330a0e669fa636d157eab
8     - https://github.com/phpmyadmin/phpmyadmin/commit/cbd6137c03a7cf0db7b361bf34656e4c046d863b
9     - https://github.com/phpmyadmin/phpmyadmin/commit/48b6dd58d8d7efa30b5330108eb3fd38f5230e23
10     - https://github.com/phpmyadmin/phpmyadmin/commit/72cc1f9f513cb7252e40e46ce74f5b8ce2449ffc
11     - https://github.com/phpmyadmin/phpmyadmin/commit/265efb046fe50acb8ca277da533911414af177d3
12     - https://github.com/phpmyadmin/phpmyadmin/commit/ed6188d2c89deb7d46df958b07de5cf0ca24f2f7
13    
14     --- phpMyAdmin-4.4.15.10/js/config.js 2017-01-23 20:08:47.000000000 +0100
15     +++ phpMyAdmin-4.4.15.10/js/config.js 2018-05-16 14:53:23.000000000 +0200
16     @@ -7,7 +7,7 @@
17     * Unbind all event handlers before tearing down a page
18     */
19     AJAX.registerTeardown('config.js', function () {
20     - $('input[id], select[id], textarea[id]').unbind('change').unbind('keyup');
21     + $('.optbox input[id], .optbox select[id], .optbox textarea[id]').unbind('change').unbind('keyup');
22     $('input[type=button][name=submit_reset]').unbind('click');
23     $('div.tabs_contents').undelegate();
24     $('#import_local_storage, #export_local_storage').unbind('click');
25     @@ -444,7 +444,7 @@
26     var $field = $(field);
27     var errors = {};
28     validate_field($field, isKeyUp, errors);
29     - validate_fieldset($field.closest('fieldset'), isKeyUp, errors);
30     + validate_fieldset($field.closest('fieldset.optbox'), isKeyUp, errors);
31     displayErrors(errors);
32     }
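Review bot: The fieldset lookup on the changed line uses `fieldset.optbox`, which requires the `optbox` class to sit on the fieldset element itself, while the other hunks in this file select inputs as descendants of any `.optbox` element; if the class is on a wrapper rather than the fieldset, `closest('fieldset.optbox')` returns an empty set and `validate_fieldset` is handed nothing. Whether validate_fieldset tolerates an empty selection is not visible here, so this is worth confirming or guarding, e.g. `var $fieldset = $field.closest('fieldset.optbox'); if ($fieldset.length) { validate_fieldset($fieldset, isKeyUp, errors); }`. The enclosing function starts outside this hunk.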
33    
34     @@ -479,8 +479,8 @@
35    
36     AJAX.registerOnload('config.js', function () {
37     // register validators and mark custom values
38     - var $elements = $('input[id], select[id], textarea[id]');
39     - $('input[id], select[id], textarea[id]').each(function () {
40     + var $elements = $('.optbox input[id], .optbox select[id], .optbox textarea[id]');
41     + $('.optbox input[id], .optbox select[id], .optbox textarea[id]').each(function () {
42     markField(this);
43     var $el = $(this);
44     $el.bind('change', function () {
45     @@ -511,7 +511,7 @@
46     validate_field($elements[i], false, errors);
47     }
48     // run all fieldset validators
49     - $('fieldset').each(function () {
50     + $('fieldset.optbox').each(function () {
51     validate_fieldset(this, false, errors);
52     });
53    
54     --- phpMyAdmin-4.4.15.10/libraries/DisplayResults.class.php 2017-01-23 20:08:47.000000000 +0100
55     +++ phpMyAdmin-4.4.15.10/libraries/DisplayResults.class.php 2018-05-16 14:47:47.000000000 +0200
56     @@ -3116,7 +3116,7 @@
57     $divider = strpos($link_relations['default_page'], '?') ? '&' : '?';
58     if (empty($link_relations['link_dependancy_params'])) {
59     return $link_relations['default_page']
60     - . PMA_URL_getCommon($linking_url_params, 'html', $divider);
61     + . PMA_URL_getCommon($linking_url_params, 'raw', $divider);
62     }
63    
64     foreach ($link_relations['link_dependancy_params'] as $new_param) {
65     @@ -3140,7 +3140,7 @@
66     }
67    
68     return $link_relations['default_page']
69     - . PMA_URL_getCommon($linking_url_params, 'html', $divider);
70     + . PMA_URL_getCommon($linking_url_params, 'raw', $divider);
71     }
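Review bot: Switching PMA_URL_getCommon() to 'raw' in both hunks means the returned string now carries literal `&` separators instead of `&amp;`, so it is only safe if every consumer HTML-escapes it before writing it into an href attribute; the callers are outside this hunk, so that should be verified and recorded next to the call, e.g. `// 'raw': unescaped URL, presumably so the later link check sees the real prefix; callers must htmlspecialchars() before output`. The enclosing method begins above the first hunk of this file.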
72    
73    
74     --- phpMyAdmin-4.4.15.10/libraries/navigation/NavigationHeader.class.php 2017-01-23 20:08:47.000000000 +0100
75     +++ phpMyAdmin-4.4.15.10/libraries/navigation/NavigationHeader.class.php 2018-05-16 15:13:54.000000000 +0200
76     @@ -93,9 +93,9 @@
77     $logo_link = trim(
78     htmlspecialchars($GLOBALS['cfg']['NavigationLogoLink'])
79     );
80     - $parsed = parse_url($logo_link);
81     - /* Allow only links with http/https */
82     - if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https'))) {
83     + // prevent XSS, see PMASA-2013-9
84     + // if link has protocol, allow only http and https
85     + if (! PMA_checkLink($logo_link, true)) {
86     $logo_link = 'index.php';
87     }
88     $retval .= ' <a href="' . $logo_link;
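Review bot: The new check runs on a value that has already been through htmlspecialchars(), so a configured link containing `&` is inspected as `&amp;`; every allowed prefix ends at or before the `?`, so the match still works, but the ordering is fragile and deserves a comment, e.g. `// $logo_link is already HTML-escaped here; PMA_checkLink() only inspects the leading prefix`. Passing `true` keeps plain http:// logo links working as before, and the relative prefixes in the new allowlist mean a config value such as `./index.php?...` is now accepted where the old parse_url check only admitted absolute http(s) URLs — that widening is probably intended but is not stated anywhere. The surrounding method starts outside this hunk.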
89     --- phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php 2017-01-23 20:08:47.000000000 +0100
90     +++ phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php 2018-05-16 14:51:32.000000000 +0200
91     @@ -46,9 +46,7 @@
92     public function applyTransformation($buffer, $options = array(), $meta = '')
93     {
94     $url = (isset($options[0]) ? $options[0] : '') . $buffer;
95     - $parsed = parse_url($url);
96     - /* Do not allow javascript links */
97     - if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https', 'ftp', 'mailto'))) {
98     + if (! PMA_checkLink($url, true, true)) {
99     return htmlspecialchars($url);
100     }
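Review bot: The replacement check widens what a cell value may link to: `$buffer` is row data from the database, and PMA_checkLink() now also accepts the relative prefixes (`./index.php?`, `./sql.php?`, `./server_privileges.php?`, and others), so database content can now yield a link into phpMyAdmin's own pages, which the old scheme-only parse_url test did not permit. Whether that matters depends on the token/CSRF handling of those target pages, which is not visible here; if the intent is only to stop javascript:/data: URLs in cells, a comment should say why in-app relative links are acceptable, e.g. `// ./ links into phpMyAdmin pass PMA_checkLink(); the target pages are expected to enforce their own token check`. The same applies to the TextLinkTransformationsPlugin hunk below, and the method body continues outside this hunk.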
101     return '<a href="' . htmlspecialchars($url)
102     --- phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php 2017-01-23 20:08:47.000000000 +0100
103     +++ phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php 2018-05-16 14:52:04.000000000 +0200
104     @@ -46,9 +46,7 @@
105     public function applyTransformation($buffer, $options = array(), $meta = '')
106     {
107     $url = (isset($options[0]) ? $options[0] : '') . ((isset($options[2]) && $options[2]) ? '' : $buffer);
108     - $parsed = parse_url($url);
109     - /* Do not allow javascript links */
110     - if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https', 'ftp', 'mailto'))) {
111     + if (! PMA_checkLink($url, true, true)) {
112     return htmlspecialchars($url);
113     }
114     return '<a href="'
115     --- phpMyAdmin-4.4.15.10/libraries/sanitizing.lib.php 2017-01-23 20:08:47.000000000 +0100
116     +++ phpMyAdmin-4.4.15.10/libraries/sanitizing.lib.php 2018-05-16 15:10:55.000000000 +0200
117     @@ -12,25 +12,53 @@
118     /**
119     * Checks whether given link is valid
120     *
121     - * @param string $url URL to check
122     + * @param string $url URL to check
123     + * @param boolean $http Whether to allow http links
124     + * @param boolean $other Whether to allow ftp and mailto links
125     *
126     * @return boolean True if string can be used as link
127     */
128     -function PMA_checkLink($url)
129     +function PMA_checkLink($url, $http=false, $other=false)
130     {
131     + $url = strtolower($url);
132     $valid_starts = array(
133     - 'http://',
134     'https://',
135     - './url.php?url=http%3A%2F%2F',
136     - './url.php?url=https%3A%2F%2F',
137     + './url.php?url=https%3a%2f%2f',
138     './doc/html/',
139     + # possible values from $GLOBALS['cfg']['DefaultTabTable'] and $GLOBALS['cfg']['DefaultTabDatabase']
140     + './index.php?',
141     + './server_databases.php?',
142     + './server_status.php?',
143     + './server_variables.php?',
144     + './server_privileges.php?',
145     + './db_structure.php?',
146     + './db_sql.php?',
147     + './db_search.php?',
148     + './db_operations.php?',
149     + './tbl_structure.php?',
150     + './tbl_sql.php?',
151     + './tbl_select.php?',
152     + './tbl_change.php?',
153     + './sql.php?',
154     + # Hardcoded options in libraries/special_schema_links.lib.php
155     + './db_events.php?',
156     + './db_routines.php?',
157     + './server_privileges.php?',
158     + './tbl_structure.php?',
159     );
160     + if ($other) {
161     + $valid_starts[] = 'mailto:';
162     + $valid_starts[] = 'ftp://';
163     + }
164     + if ($http) {
165     + $valid_starts[] = 'http://';
166     + }
167     if (defined('PMA_SETUP')) {
168     $valid_starts[] = '?page=form&';
169     $valid_starts[] = '?page=servers&';
170     }
171     foreach ($valid_starts as $val) {
172     - if (/*overload*/mb_substr($url, 0, /*overload*/mb_strlen($val)) == $val) {
173     + if (substr($url, 0, strlen($val)) == $val) {
174     return true;
175     }
176     }
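Review bot: PMA_checkLink() is a case-insensitive prefix allowlist, not a URL validator, and the docblock should say so: anything starting with `https://` passes, so the function only rules out non-http(s) schemes such as javascript: or data:, and off-site or open-redirect targets remain the caller's responsibility. Because `$http` defaults to false, plain `http://` links and the `./url.php?url=http%3a%2f%2f` form that the old list accepted are now rejected unless a caller opts in, which is a backward-incompatible default worth a line in the docblock, e.g. `* Only the leading prefix is checked; http:// is rejected unless $http is true.` The two entries after the "Hardcoded options" comment (`./server_privileges.php?` and `./tbl_structure.php?`) duplicate entries already in the list and can be dropped. The function's `return false` and closing brace lie outside this hunk.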
177     --- phpMyAdmin-4.4.15.10/libraries/special_schema_links.lib.php 2017-01-23 20:08:47.000000000 +0100
178     +++ phpMyAdmin-4.4.15.10/libraries/special_schema_links.lib.php 2018-05-16 14:47:47.000000000 +0200
179     @@ -55,7 +55,7 @@
180     'column_name' => 'host'
181     )
182     ),
183     - 'default_page' => 'server_privileges.php'
184     + 'default_page' => './server_privileges.php'
185     ),
186     'table_name' => array(
187     'link_param' => 'table',
188     @@ -65,7 +65,7 @@
189     'column_name' => 'Db'
190     ),
191     ),
192     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
193     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
194     ),
195     'column_name' => array(
196     'link_param' => 'field',
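Review bot: Prefixing `./` to `$GLOBALS['cfg']['DefaultTabTable']` couples every default_page in this array to the hard-coded allowlist in PMA_checkLink(): the generated link only survives if the final string begins with one of the `./...php?` prefixes listed there, and a DefaultTabTable value outside that list would presumably be rejected at display time without any error. Nothing in this file records that constraint, so a header comment on the array is warranted, e.g. `// default_page values must start with './' and match a prefix accepted by PMA_checkLink() in libraries/sanitizing.lib.php`. The remaining hunks in this file make the same mechanical change and the array definition starts outside this hunk.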
197     @@ -79,7 +79,7 @@
198     'column_name' => 'Table_name'
199     )
200     ),
201     - 'default_page' => 'tbl_structure.php?change_column=1'
202     + 'default_page' => './tbl_structure.php?change_column=1'
203     ),
204     ),
205     'db' => array(
206     @@ -91,7 +91,7 @@
207     'column_name' => 'host'
208     )
209     ),
210     - 'default_page' => 'server_privileges.php'
211     + 'default_page' => './server_privileges.php'
212     )
213     ),
214     'event' => array(
215     @@ -103,7 +103,7 @@
216     'column_name' => 'db'
217     )
218     ),
219     - 'default_page' => 'db_events.php?edit_item=1'
220     + 'default_page' => './db_events.php?edit_item=1'
221     ),
222    
223     ),
224     @@ -116,7 +116,7 @@
225     'column_name' => 'database_name'
226     ),
227     ),
228     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
229     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
230     ),
231     'index_name' => array(
232     'link_param' => 'index',
233     @@ -130,7 +130,7 @@
234     'column_name' => 'table_name'
235     )
236     ),
237     - 'default_page' => 'tbl_structure.php'
238     + 'default_page' => './tbl_structure.php'
239     ),
240     ),
241     'innodb_table_stats' => array(
242     @@ -142,7 +142,7 @@
243     'column_name' => 'database_name'
244     ),
245     ),
246     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
247     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
248     ),
249     ),
250     'proc' => array(
251     @@ -158,7 +158,7 @@
252     'column_name' => 'type'
253     )
254     ),
255     - 'default_page' => 'db_routines.php?edit_item=1'
256     + 'default_page' => './db_routines.php?edit_item=1'
257     ),
258     'specific_name' => array(
259     'link_param' => 'item_name',
260     @@ -172,7 +172,7 @@
261     'column_name' => 'type'
262     )
263     ),
264     - 'default_page' => 'db_routines.php?edit_item=1'
265     + 'default_page' => './db_routines.php?edit_item=1'
266     ),
267     ),
268     'proc_priv' => array(
269     @@ -184,7 +184,7 @@
270     'column_name' => 'Host'
271     )
272     ),
273     - 'default_page' => 'server_privileges.php'
274     + 'default_page' => './server_privileges.php'
275     ),
276     'routine_name' => array(
277     'link_param' => 'item_name',
278     @@ -198,7 +198,7 @@
279     'column_name' => 'Routine_type'
280     )
281     ),
282     - 'default_page' => 'db_routines.php?edit_item=1'
283     + 'default_page' => './db_routines.php?edit_item=1'
284     ),
285     ),
286     'proxies_priv' => array(
287     @@ -210,7 +210,7 @@
288     'column_name' => 'Host'
289     )
290     ),
291     - 'default_page' => 'server_privileges.php'
292     + 'default_page' => './server_privileges.php'
293     ),
294     ),
295     'tables_priv' => array(
296     @@ -222,7 +222,7 @@
297     'column_name' => 'Host'
298     )
299     ),
300     - 'default_page' => 'server_privileges.php'
301     + 'default_page' => './server_privileges.php'
302     ),
303     'table_name' => array(
304     'link_param' => 'table',
305     @@ -232,7 +232,7 @@
306     'column_name' => 'Db'
307     ),
308     ),
309     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
310     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
311     ),
312     ),
313     'user' => array(
314     @@ -244,7 +244,7 @@
315     'column_name' => 'host'
316     )
317     ),
318     - 'default_page' => 'server_privileges.php'
319     + 'default_page' => './server_privileges.php'
320     )
321     )
322     ),
323     @@ -258,7 +258,7 @@
324     'column_name' => 'table_schema'
325     )
326     ),
327     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
328     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
329     ),
330     'column_name' => array(
331     'link_param' => 'field',
332     @@ -272,7 +272,7 @@
333     'column_name' => 'table_name'
334     )
335     ),
336     - 'default_page' => 'tbl_structure.php?change_column=1'
337     + 'default_page' => './tbl_structure.php?change_column=1'
338     )
339     ),
340     'key_column_usage' => array(
341     @@ -284,7 +284,7 @@
342     'column_name' => 'constraint_schema'
343     )
344     ),
345     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
346     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
347     ),
348     'column_name' => array(
349     'link_param' => 'field',
350     @@ -298,7 +298,7 @@
351     'column_name' => 'table_name'
352     )
353     ),
354     - 'default_page' => 'tbl_structure.php?change_column=1'
355     + 'default_page' => './tbl_structure.php?change_column=1'
356     ),
357     'referenced_table_name' => array(
358     'link_param' => 'table',
359     @@ -308,7 +308,7 @@
360     'column_name' => 'referenced_table_schema'
361     )
362     ),
363     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
364     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
365     ),
366     'referenced_column_name' => array(
367     'link_param' => 'field',
368     @@ -322,7 +322,7 @@
369     'column_name' => 'referenced_table_name'
370     )
371     ),
372     - 'default_page' => 'tbl_structure.php?change_column=1'
373     + 'default_page' => './tbl_structure.php?change_column=1'
374     )
375     ),
376     'partitions' => array(
377     @@ -334,7 +334,7 @@
378     'column_name' => 'table_schema'
379     )
380     ),
381     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
382     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
383     )
384     ),
385     'processlist' => array(
386     @@ -346,7 +346,7 @@
387     'column_name' => 'host'
388     )
389     ),
390     - 'default_page' => 'server_privileges.php'
391     + 'default_page' => './server_privileges.php'
392     )
393     ),
394     'referential_constraints' => array(
395     @@ -358,7 +358,7 @@
396     'column_name' => 'constraint_schema'
397     )
398     ),
399     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
400     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
401     ),
402     'referenced_table_name' => array(
403     'link_param' => 'table',
404     @@ -368,7 +368,7 @@
405     'column_name' => 'constraint_schema'
406     )
407     ),
408     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
409     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
410     )
411     ),
412     'routines' => array(
413     @@ -384,13 +384,13 @@
414     'column_name' => 'routine_type'
415     )
416     ),
417     - 'default_page' => 'db_routines.php'
418     + 'default_page' => './db_routines.php'
419     ),
420     ),
421     'schemata' => array(
422     'schema_name' => array(
423     'link_param' => 'db',
424     - 'default_page' => $GLOBALS['cfg']['DefaultTabDatabase']
425     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabDatabase']
426     )
427     ),
428     'statistics' => array(
429     @@ -402,7 +402,7 @@
430     'column_name' => 'table_schema'
431     )
432     ),
433     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
434     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
435     ),
436     'column_name' => array(
437     'link_param' => 'field',
438     @@ -416,7 +416,7 @@
439     'column_name' => 'table_name'
440     )
441     ),
442     - 'default_page' => 'tbl_structure.php?change_column=1'
443     + 'default_page' => './tbl_structure.php?change_column=1'
444     )
445     ),
446     'tables' => array(
447     @@ -428,7 +428,7 @@
448     'column_name' => 'table_schema'
449     )
450     ),
451     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
452     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
453     ),
454     ),
455     'table_constraints' => array(
456     @@ -440,7 +440,7 @@
457     'column_name' => 'table_schema'
458     )
459     ),
460     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
461     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
462     ),
463     ),
464     'views' => array(
465     @@ -452,7 +452,7 @@
466     'column_name' => 'table_schema'
467     )
468     ),
469     - 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
470     + 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
471     ),
472     ),
473     )
