
Contents of /rpms/phpMyAdmin/contribs10/phpMyAdmin-4.4.15.10-force-links.patch



Revision 1.2 - (show annotations) (download)
Sun Feb 28 08:33:42 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
* Sun Feb 28 2021 Jean-Philipe Pialasse <tests@pialasse.com> 5.1.0-1.sme
- Upgrade to 5.1.0 [SME: 11043]
  use epel spec with some modifications from remi

1 Backported patch for phpMyAdmin 4.4.x; mysql.user and mysql.db show code instead of usernames.
2
3 Further details:
4 - https://github.com/phpmyadmin/phpmyadmin/issues/12483
5 - https://github.com/phpmyadmin/phpmyadmin/issues/12341
6 - https://github.com/phpmyadmin/phpmyadmin/issues/12479
7 - https://github.com/phpmyadmin/phpmyadmin/commit/38cf23470728537bed4330a0e669fa636d157eab
8 - https://github.com/phpmyadmin/phpmyadmin/commit/cbd6137c03a7cf0db7b361bf34656e4c046d863b
9 - https://github.com/phpmyadmin/phpmyadmin/commit/48b6dd58d8d7efa30b5330108eb3fd38f5230e23
10 - https://github.com/phpmyadmin/phpmyadmin/commit/72cc1f9f513cb7252e40e46ce74f5b8ce2449ffc
11 - https://github.com/phpmyadmin/phpmyadmin/commit/265efb046fe50acb8ca277da533911414af177d3
12 - https://github.com/phpmyadmin/phpmyadmin/commit/ed6188d2c89deb7d46df958b07de5cf0ca24f2f7
13
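--- a/phpMyAdmin-4.4.15.10/js/config.js
+++ b/phpMyAdmin-4.4.15.10/js/config.js
@@ -7,7 +7,7 @@
 * Unbind all event handlers before tearing down a page
 */
 AJAX.registerTeardown('config.js', function () {
- $('input[id], select[id], textarea[id]').unbind('change').unbind('keyup');
+ $('.optbox input[id], .optbox select[id], .optbox textarea[id]').unbind('change').unbind('keyup');
 $('input[type=button][name=submit_reset]').unbind('click');
 $('div.tabs_contents').undelegate();
 $('#import_local_storage, #export_local_storage').unbind('click');
@@ -444,7 +444,7 @@
 var $field = $(field);
 var errors = {};
 validate_field($field, isKeyUp, errors);
- validate_fieldset($field.closest('fieldset'), isKeyUp, errors);
+ validate_fieldset($field.closest('fieldset.optbox'), isKeyUp, errors);
 displayErrors(errors);
 }
 
@@ -479,8 +479,8 @@
 
 AJAX.registerOnload('config.js', function () {
 // register validators and mark custom values
- var $elements = $('input[id], select[id], textarea[id]');
- $('input[id], select[id], textarea[id]').each(function () {
+ var $elements = $('.optbox input[id], .optbox select[id], .optbox textarea[id]');
+ $('.optbox input[id], .optbox select[id], .optbox textarea[id]').each(function () {
 markField(this);
 var $el = $(this);
 $el.bind('change', function () {
@@ -511,7 +511,7 @@
 validate_field($elements[i], false, errors);
 }
 // run all fieldset validators
- $('fieldset').each(function () {
+ $('fieldset.optbox').each(function () {
 validate_fieldset(this, false, errors);
 });
 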
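Review bot: The narrowing of every selector to `.optbox` descendants is not explained anywhere in the `@@ -479` hunk, so a later reader cannot tell which inputs are deliberately excluded from validation and teardown. A comment before `var $elements = ...`, such as `// only fields inside .optbox fieldsets are config options; other form elements on the page are left alone`, would record the intent. In the `@@ -444` hunk, `$field.closest('fieldset.optbox')` yields an empty jQuery set for a field outside such a fieldset, so `validate_fieldset` must tolerate an empty selection; that function and the enclosing one both lie outside the hunk, so I cannot confirm it does.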
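--- a/phpMyAdmin-4.4.15.10/libraries/DisplayResults.class.php
+++ b/phpMyAdmin-4.4.15.10/libraries/DisplayResults.class.php
@@ -3116,7 +3116,7 @@
 $divider = strpos($link_relations['default_page'], '?') ? '&' : '?';
 if (empty($link_relations['link_dependancy_params'])) {
 return $link_relations['default_page']
- . PMA_URL_getCommon($linking_url_params, 'html', $divider);
+ . PMA_URL_getCommon($linking_url_params, 'raw', $divider);
 }
 
 foreach ($link_relations['link_dependancy_params'] as $new_param) {
@@ -3140,7 +3140,7 @@
 }
 
 return $link_relations['default_page']
- . PMA_URL_getCommon($linking_url_params, 'html', $divider);
+ . PMA_URL_getCommon($linking_url_params, 'raw', $divider);
 }
 
 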
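Review bot: Switching `PMA_URL_getCommon` from `'html'` to `'raw'` in both hunks (`@@ -3116` and `@@ -3140`) changes the contract of the enclosing method: the URL it returns now carries literal `&` separators and is no longer HTML-escaped, so every place that prints this value into an `href` attribute must escape it itself. The commit does not touch that output side, and it is not visible here because the method starts before the first hunk, so this should be confirmed against the callers and recorded in the method's docblock, e.g. `@return string Unescaped URL; callers must apply htmlspecialchars() before printing it into an attribute`. Note also that the untouched `$divider` line relies on the truthiness of `strpos()`, which treats a `?` at offset 0 the same as no `?` at all; harmless for the `./page.php?` values this patch introduces, but `!== false` would state the intent.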
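--- a/phpMyAdmin-4.4.15.10/libraries/navigation/NavigationHeader.class.php
+++ b/phpMyAdmin-4.4.15.10/libraries/navigation/NavigationHeader.class.php
@@ -93,9 +93,9 @@
 $logo_link = trim(
 htmlspecialchars($GLOBALS['cfg']['NavigationLogoLink'])
 );
- $parsed = parse_url($logo_link);
- /* Allow only links with http/https */
- if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https'))) {
+ // prevent XSS, see PMASA-2013-9
+ // if link has protocol, allow only http and https
+ if (! PMA_checkLink($logo_link, true)) {
 $logo_link = 'index.php';
 }
 $retval .= ' <a href="' . $logo_link;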
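Review bot: The comment added above `PMA_checkLink($logo_link, true)` says "if link has protocol, allow only http and https", but the patched `PMA_checkLink` is a prefix whitelist, not a scheme check: a value without a scheme is accepted only when it starts with one of the hard-coded `./…` page prefixes, and anything else falls back to `index.php`. Suggest making the comment describe that, e.g. `// accept only https://, http:// and the whitelisted ./ pages; anything else falls back to index.php`. The check is also run on the already `htmlspecialchars()`-escaped value; that is fine for a prefix match on these ASCII prefixes, but a short note saying so would stop someone "fixing" the order later.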
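--- a/phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php
+++ b/phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextImageLinkTransformationsPlugin.class.php
@@ -46,9 +46,7 @@
 public function applyTransformation($buffer, $options = array(), $meta = '')
 {
 $url = (isset($options[0]) ? $options[0] : '') . $buffer;
- $parsed = parse_url($url);
- /* Do not allow javascript links */
- if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https', 'ftp', 'mailto'))) {
+ if (! PMA_checkLink($url, true, true)) {
 return htmlspecialchars($url);
 }
 return '<a href="' . htmlspecialchars($url)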
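Review bot: The two positional booleans in `PMA_checkLink($url, true, true)` are opaque at the call site; a comment naming them, `// allow http(s), ftp and mailto; anything else is rendered as escaped text, not a link`, keeps the intent readable without opening sanitizing.lib.php (the identical hunk in TextLinkTransformationsPlugin.class.php needs the same). Behaviourally the check is now a case-insensitive prefix match rather than a `parse_url()` scheme lookup, so malformed input such as whitespace before the scheme is now rejected outright, whereas the old code's outcome depended on how `parse_url()` split it; that looks like the safer result, but it is a change in the accepted input set that the patch description does not mention. The rest of `applyTransformation` continues outside the hunk.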
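--- a/phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
+++ b/phpMyAdmin-4.4.15.10/libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
@@ -46,9 +46,7 @@
 public function applyTransformation($buffer, $options = array(), $meta = '')
 {
 $url = (isset($options[0]) ? $options[0] : '') . ((isset($options[2]) && $options[2]) ? '' : $buffer);
- $parsed = parse_url($url);
- /* Do not allow javascript links */
- if (! isset($parsed['scheme']) || ! in_array(strtolower($parsed['scheme']), array('http', 'https', 'ftp', 'mailto'))) {
+ if (! PMA_checkLink($url, true, true)) {
 return htmlspecialchars($url);
 }
 return '<a href="'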
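--- a/phpMyAdmin-4.4.15.10/libraries/sanitizing.lib.php
+++ b/phpMyAdmin-4.4.15.10/libraries/sanitizing.lib.php
@@ -12,25 +12,53 @@
 /**
 * Checks whether given link is valid
 *
- * @param string $url URL to check
+ * @param string $url URL to check
+ * @param boolean $http Whether to allow http links
+ * @param boolean $other Whether to allow ftp and mailto links
 *
 * @return boolean True if string can be used as link
 */
-function PMA_checkLink($url)
+function PMA_checkLink($url, $http=false, $other=false)
 {
+ $url = strtolower($url);
 $valid_starts = array(
- 'http://',
 'https://',
- './url.php?url=http%3A%2F%2F',
- './url.php?url=https%3A%2F%2F',
+ './url.php?url=https%3a%2f%2f',
 './doc/html/',
+ # possible values from $GLOBALS['cfg']['DefaultTabTable'] and $GLOBALS['cfg']['DefaultTabDatabase']
+ './index.php?',
+ './server_databases.php?',
+ './server_status.php?',
+ './server_variables.php?',
+ './server_privileges.php?',
+ './db_structure.php?',
+ './db_sql.php?',
+ './db_search.php?',
+ './db_operations.php?',
+ './tbl_structure.php?',
+ './tbl_sql.php?',
+ './tbl_select.php?',
+ './tbl_change.php?',
+ './sql.php?',
+ # Hardcoded options in libraries/special_schema_links.lib.php
+ './db_events.php?',
+ './db_routines.php?',
+ './server_privileges.php?',
+ './tbl_structure.php?',
 );
+ if ($other) {
+ $valid_starts[] = 'mailto:';
+ $valid_starts[] = 'ftp://';
+ }
+ if ($http) {
+ $valid_starts[] = 'http://';
+ }
 if (defined('PMA_SETUP')) {
 $valid_starts[] = '?page=form&';
 $valid_starts[] = '?page=servers&';
 }
 foreach ($valid_starts as $val) {
- if (/*overload*/mb_substr($url, 0, /*overload*/mb_strlen($val)) == $val) {
+ if (substr($url, 0, strlen($val)) == $val) {
 return true;
 }
 }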
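Review bot: The prefix comparison `substr($url, 0, strlen($val)) == $val` keeps the loose `==` from the old line; on two non-numeric strings it behaves like `===` today, but `=== $val` (or `strncmp($url, $val, strlen($val)) === 0`) states the intent and avoids PHP's numeric-string comparison rules should a prefix ever become purely numeric. `$valid_starts` also lists `./server_privileges.php?` and `./tbl_structure.php?` twice; the duplicates are harmless but the second pair, under the "Hardcoded options" comment, can be dropped. With `$http` true the function admits `http://` but not a lower-cased `./url.php?url=http%3a%2f%2f` counterpart to the `https` entry that survives, which may be intentional but deserves a one-line comment either way. The function's final `return` lies outside the hunk.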
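--- a/phpMyAdmin-4.4.15.10/libraries/special_schema_links.lib.php
+++ b/phpMyAdmin-4.4.15.10/libraries/special_schema_links.lib.php
@@ -55,7 +55,7 @@
 'column_name' => 'host'
 )
 ),
- 'default_page' => 'server_privileges.php'
+ 'default_page' => './server_privileges.php'
 ),
 'table_name' => array(
 'link_param' => 'table',
@@ -65,7 +65,7 @@
 'column_name' => 'Db'
 ),
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 'column_name' => array(
 'link_param' => 'field',
@@ -79,7 +79,7 @@
 'column_name' => 'Table_name'
 )
 ),
- 'default_page' => 'tbl_structure.php?change_column=1'
+ 'default_page' => './tbl_structure.php?change_column=1'
 ),
 ),
 'db' => array(
@@ -91,7 +91,7 @@
 'column_name' => 'host'
 )
 ),
- 'default_page' => 'server_privileges.php'
+ 'default_page' => './server_privileges.php'
 )
 ),
 'event' => array(
@@ -103,7 +103,7 @@
 'column_name' => 'db'
 )
 ),
- 'default_page' => 'db_events.php?edit_item=1'
+ 'default_page' => './db_events.php?edit_item=1'
 ),
 
 ),
@@ -116,7 +116,7 @@
 'column_name' => 'database_name'
 ),
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 'index_name' => array(
 'link_param' => 'index',
@@ -130,7 +130,7 @@
 'column_name' => 'table_name'
 )
 ),
- 'default_page' => 'tbl_structure.php'
+ 'default_page' => './tbl_structure.php'
 ),
 ),
 'innodb_table_stats' => array(
@@ -142,7 +142,7 @@
 'column_name' => 'database_name'
 ),
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 ),
 'proc' => array(
@@ -158,7 +158,7 @@
 'column_name' => 'type'
 )
 ),
- 'default_page' => 'db_routines.php?edit_item=1'
+ 'default_page' => './db_routines.php?edit_item=1'
 ),
 'specific_name' => array(
 'link_param' => 'item_name',
@@ -172,7 +172,7 @@
 'column_name' => 'type'
 )
 ),
- 'default_page' => 'db_routines.php?edit_item=1'
+ 'default_page' => './db_routines.php?edit_item=1'
 ),
 ),
 'proc_priv' => array(
@@ -184,7 +184,7 @@
 'column_name' => 'Host'
 )
 ),
- 'default_page' => 'server_privileges.php'
+ 'default_page' => './server_privileges.php'
 ),
 'routine_name' => array(
 'link_param' => 'item_name',
@@ -198,7 +198,7 @@
 'column_name' => 'Routine_type'
 )
 ),
- 'default_page' => 'db_routines.php?edit_item=1'
+ 'default_page' => './db_routines.php?edit_item=1'
 ),
 ),
 'proxies_priv' => array(
@@ -210,7 +210,7 @@
 'column_name' => 'Host'
 )
 ),
- 'default_page' => 'server_privileges.php'
+ 'default_page' => './server_privileges.php'
 ),
 ),
 'tables_priv' => array(
@@ -222,7 +222,7 @@
 'column_name' => 'Host'
 )
 ),
- 'default_page' => 'server_privileges.php'
+ 'default_page' => './server_privileges.php'
 ),
 'table_name' => array(
 'link_param' => 'table',
@@ -232,7 +232,7 @@
 'column_name' => 'Db'
 ),
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 ),
 'user' => array(
@@ -244,7 +244,7 @@
 'column_name' => 'host'
 )
 ),
- 'default_page' => 'server_privileges.php'
+ 'default_page' => './server_privileges.php'
 )
 )
 ),
@@ -258,7 +258,7 @@
 'column_name' => 'table_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 'column_name' => array(
 'link_param' => 'field',
@@ -272,7 +272,7 @@
 'column_name' => 'table_name'
 )
 ),
- 'default_page' => 'tbl_structure.php?change_column=1'
+ 'default_page' => './tbl_structure.php?change_column=1'
 )
 ),
 'key_column_usage' => array(
@@ -284,7 +284,7 @@
 'column_name' => 'constraint_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 'column_name' => array(
 'link_param' => 'field',
@@ -298,7 +298,7 @@
 'column_name' => 'table_name'
 )
 ),
- 'default_page' => 'tbl_structure.php?change_column=1'
+ 'default_page' => './tbl_structure.php?change_column=1'
 ),
 'referenced_table_name' => array(
 'link_param' => 'table',
@@ -308,7 +308,7 @@
 'column_name' => 'referenced_table_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 'referenced_column_name' => array(
 'link_param' => 'field',
@@ -322,7 +322,7 @@
 'column_name' => 'referenced_table_name'
 )
 ),
- 'default_page' => 'tbl_structure.php?change_column=1'
+ 'default_page' => './tbl_structure.php?change_column=1'
 )
 ),
 'partitions' => array(
@@ -334,7 +334,7 @@
 'column_name' => 'table_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 )
 ),
 'processlist' => array(
@@ -346,7 +346,7 @@
 'column_name' => 'host'
 )
 ),
- 'default_page' => 'server_privileges.php'
+ 'default_page' => './server_privileges.php'
 )
 ),
 'referential_constraints' => array(
@@ -358,7 +358,7 @@
 'column_name' => 'constraint_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 'referenced_table_name' => array(
 'link_param' => 'table',
@@ -368,7 +368,7 @@
 'column_name' => 'constraint_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 )
 ),
 'routines' => array(
@@ -384,13 +384,13 @@
 'column_name' => 'routine_type'
 )
 ),
- 'default_page' => 'db_routines.php'
+ 'default_page' => './db_routines.php'
 ),
 ),
 'schemata' => array(
 'schema_name' => array(
 'link_param' => 'db',
- 'default_page' => $GLOBALS['cfg']['DefaultTabDatabase']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabDatabase']
 )
 ),
 'statistics' => array(
@@ -402,7 +402,7 @@
 'column_name' => 'table_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 'column_name' => array(
 'link_param' => 'field',
@@ -416,7 +416,7 @@
 'column_name' => 'table_name'
 )
 ),
- 'default_page' => 'tbl_structure.php?change_column=1'
+ 'default_page' => './tbl_structure.php?change_column=1'
 )
 ),
 'tables' => array(
@@ -428,7 +428,7 @@
 'column_name' => 'table_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 ),
 'table_constraints' => array(
@@ -440,7 +440,7 @@
 'column_name' => 'table_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 ),
 'views' => array(
@@ -452,7 +452,7 @@
 'column_name' => 'table_schema'
 )
 ),
- 'default_page' => $GLOBALS['cfg']['DefaultTabTable']
+ 'default_page' => './' . $GLOBALS['cfg']['DefaultTabTable']
 ),
 ),
 )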
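Review bot: Every `'default_page'` now starts with `./`, and the `'./' . $GLOBALS['cfg']['DefaultTabTable']` / `DefaultTabDatabase` entries only line up with the `./index.php?`, `./db_structure.php?`, `./tbl_structure.php?` … prefixes that this same patch hard-codes into `$valid_starts` in libraries/sanitizing.lib.php. If these links are run through `PMA_checkLink()` — which that list's "possible values from DefaultTabTable" comment suggests, though the call site is not in this patch — a site-customised `DefaultTabTable` outside the list would presumably be silently rejected rather than linked. A comment next to the first such entry (the `@@ -65` hunk), `// must stay in sync with the DefaultTab* page prefixes whitelisted in PMA_checkLink()`, would at least tie the two lists together for the next maintainer. The array this hunk edits starts before the first hunk.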
