Upgrade to phpMyAdmin 2.11.10

openemr · Oct 30, 2010 · 5549fc5 · 5549fc5
1 parent 0645669
commit 5549fc5
Show file tree

Hide file tree

Showing 11 changed files with 207 additions and 171 deletions.
diff --git a/phpmyadmin/ChangeLog b/phpmyadmin/ChangeLog
@@ -5,6 +5,16 @@ phpMyAdmin - ChangeLog
 $Id$
 $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
 
+2.11.10.0 (2009-12-07)
+- [core] safer handling of temporary files with open_basedir (thanks to Thijs
+  Kinkhorst)
+- [core] do not automatically set and create TempDir, it might lead to security
+  issue (thanks to Thijs Kinkhorst)
+- [setup] avoid usage of (un)serialize, what might be unsafe in some cases
+
+2.11.9.6 (2009-10-12)
+- [security] XSS and SQL injection, thanks to Herman van Rink
+
 2.11.9.5 (2009-03-24)
 - [security] XSS vulnerability on export page
 - [security] Insufficient output sanitizing when generating configuration file

diff --git a/phpmyadmin/Documentation.html b/phpmyadmin/Documentation.html
@@ -11,7 +11,7 @@
     <link rel="icon" href="./favicon.ico" type="image/x-icon" />
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-    <title>phpMyAdmin 2.11.9.5 - Documentation</title>
+    <title>phpMyAdmin 2.11.10 - Documentation</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 
@@ -33,7 +33,7 @@
     <li><a href="#glossary">Glossary</a></li>
 </ul>
 
-<h1>phpMyAdmin 2.11.9.5 Documentation</h1>
+<h1>phpMyAdmin 2.11.10 Documentation</h1>
 
 <ul><li><a href="http://www.phpmyadmin.net/">
             phpMyAdmin homepage</a></li>
@@ -267,6 +267,7 @@ <h3 id="quick_install">Quick Install</h3>
 <pre>
 mv config/config.inc.php .         # move file to current directory
 chmod o-rw config.inc.php          # remove world read and write permissions
+rm -rf config                      # remove not needed directory
 </pre>
                 Now the file is ready to be used. You can choose to review or edit
                 the file with your favorite editor, if you prefer to set some
@@ -1743,12 +1744,51 @@ <h2 id="config">Configuration</h2>
 
     <dt id="cfg_TempDir">$cfg['TempDir'] string</dt>
     <dd>
-        The name of the directory where temporary files can be stored.
+        The name of the directory where temporary files can be stored. 
         <br /><br />
+
         This is needed for native MS Excel export, see
         <a href="#faq6_23"><abbr title="Frequently Asked Questions">FAQ</abbr>
-        6.23</a>
-    </dd>
+		6.23</a> and to work around limitations of 
+	<tt>open_basedir</tt> for uploaded
+        files, see <a href="#faq1_11"><abbr title="Frequently Asked Questions">FAQ</abbr>
+        1.11</a>.
+        <br /><br />
+
+	If the directory where phpMyAdmin is installed is subject to an
+	<tt>open_basedir</tt> restriction, you need to create a
+        temporary directory in some directory accessible by the web
+        server. However for security reasons, this directory should be outside
+        the tree published by webserver. If you cannot avoid having this
+        directory published by webserver, place at least an empty
+        <tt>index.html</tt> file there, so that directory listing is not
+        possible.
+        <br /><br />
+
+        This directory should have as strict permissions as possible as the only
+        user required to access this directory is the one who runs the
+        webserver. If you have root privileges, simply make this user owner of
+        this directory and make it accessible only by it:
+        <br /><br />
+
+<pre>
+chown www-data:www-data tmp
+chmod 700 tmp
+</pre>
+
+        If you cannot change owner of the directory, you can achieve a similar
+        setup using <abbr title="Access Control List">ACL</abbr>:
+
+<pre>
+chmod 700 tmp
+setfacl -m "g:www-data:rwx" tmp
+setfacl -d -m "g:www-data:rwx" tmp
+</pre>
+
+        If neither of above works for you, you can still make the directory
+        <code>chmod 777</code>, but it might impose risk of other users on
+        system reading and writing data in this directory.
+	</dd>
 
     <dt id="cfg_Export">$cfg['Export'] array</dt>
     <dd>
@@ -2447,11 +2487,9 @@ <h4 id="faq1_11">
     uploading a file from the query box.</a></h4>
 
 <p> Since version 2.2.4, phpMyAdmin supports servers with open_basedir
-    restrictions. Assuming that the restriction allows you to open files in the
-    current directory ('.'), all you have to do is create a 'tmp' directory
-    under the phpMyAdmin install directory, with permissions 777 and the same
-    owner as the owner of your phpMyAdmin directory. The  uploaded files will
-    be moved there, and after execution of your
+    restrictions. However you need to create temporary directory and 
+    configure it as <a href="#cfg_TempDir" class="configrule">$cfg['TempDir']</a>.
+    The uploaded files will be moved there, and after execution of your
     <abbr title="structured query language">SQL</abbr> commands, removed.</p>
 
 <h4 id="faq1_12">

diff --git a/phpmyadmin/Documentation.txt b/phpmyadmin/Documentation.txt
@@ -11,7 +11,7 @@
   * Translators
   * Glossary
 
-phpMyAdmin 2.11.9.5 Documentation
+phpMyAdmin 2.11.10 Documentation
 
   * phpMyAdmin homepage
   * SourceForge phpMyAdmin project page
@@ -20,7 +20,7 @@ phpMyAdmin 2.11.9.5 Documentation
       + Version history: ChangeLog
       + General notes: README
       + License: LICENSE
-  * Documentation version: $Id: Documentation.html 12317 2009-03-24 21:04:18Z
+  * Documentation version: $Id: Documentation.html 13152 2009-12-07 17:13:18Z
     lem9 $
 
 Requirements
@@ -181,6 +181,7 @@ Quick Install
 
         mv config/config.inc.php .         # move file to current directory
         chmod o-rw config.inc.php          # remove world read and write permissions
+        rm -rf config                      # remove not needed directory
 
         Now the file is ready to be used. You can choose to review or edit the
         file with your favorite editor, if you prefer to set some advanced
@@ -1233,7 +1234,35 @@ $cfg['SaveDir'] string
 $cfg['TempDir'] string
     The name of the directory where temporary files can be stored.
 
-    This is needed for native MS Excel export, see FAQ 6.23
+    This is needed for native MS Excel export, see FAQ 6.23 and to work around
+    limitations of open_basedir for uploaded files, see FAQ 1.11.
+
+    If the directory where phpMyAdmin is installed is subject to an
+    open_basedir restriction, you need to create a temporary directory in some
+    directory accessible by the web server. However for security reasons, this
+    directory should be outside the tree published by webserver. If you cannot
+    avoid having this directory published by webserver, place at least an empty
+    index.html file there, so that directory listing is not possible.
+
+    This directory should have as strict permissions as possible as the only
+    user required to access this directory is the one who runs the webserver.
+    If you have root privileges, simply make this user owner of this directory
+    and make it accessible only by it:
+
+
+    chown www-data:www-data tmp
+    chmod 700 tmp
+
+    If you cannot change owner of the directory, you can achieve a similar
+    setup using ACL:
+
+    chmod 700 tmp
+    setfacl -m "g:www-data:rwx" tmp
+    setfacl -d -m "g:www-data:rwx" tmp
+
+    If neither of above works for you, you can still make the directory chmod
+    777, but it might impose risk of other users on system reading and writing
+    data in this directory.
 $cfg['Export'] array
     In this array are defined default parameters for export, names of items are
     similar to texts seen on export page, so you can easily identify what they
@@ -1793,11 +1822,9 @@ It seems to clear up many problems between Internet Explorer and SSL.
 box.
 
 Since version 2.2.4, phpMyAdmin supports servers with open_basedir
-restrictions. Assuming that the restriction allows you to open files in the
-current directory ('.'), all you have to do is create a 'tmp' directory under
-the phpMyAdmin install directory, with permissions 777 and the same owner as
-the owner of your phpMyAdmin directory. The uploaded files will be moved there,
-and after execution of your SQL commands, removed.
+restrictions. However you need to create temporary directory and configure it
+as $cfg['TempDir']. The uploaded files will be moved there, and after execution
+of your SQL commands, removed.
 
 1.12 I have lost my MySQL root password, what can I do?
 

diff --git a/phpmyadmin/README b/phpmyadmin/README
@@ -5,12 +5,12 @@ phpMyAdmin - Readme
 
   A set of PHP-scripts to manage MySQL over the web.
 
-  Version 2.11.9.5
-  ----------------
+  Version 2.11.10
+  ---------------
   http://www.phpmyadmin.net/
 
     Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com>
-    Copyright (C) 2001-2008 Marc Delisle <Marc.Delisle_at_cegepsherbrooke.qc.ca>
+    Copyright (C) 2001-2009 Marc Delisle <Marc.Delisle_at_cegepsherbrooke.qc.ca>
                             Olivier Müller <om_at_omnis.ch>
                             Robin Johnson <robbat2_at_users.sourceforge.net>
                             Alexander M. Turek <me_at_derrabus.de>

diff --git a/phpmyadmin/db_operations.php b/phpmyadmin/db_operations.php
@@ -463,7 +463,7 @@
         <?php
         while ($pages = @PMA_DBI_fetch_assoc($test_rs)) {
             echo '                <option value="' . $pages['page_nr'] . '">'
-                . $pages['page_nr'] . ': ' . $pages['page_descr'] . '</option>' . "\n";
+                . $pages['page_nr'] . ': ' . htmlspecialchars($pages['page_descr']) . '</option>' . "\n";
         } // end while
         PMA_DBI_free_result($test_rs);
         unset($test_rs);

diff --git a/phpmyadmin/libraries/Config.class.php b/phpmyadmin/libraries/Config.class.php
@@ -85,7 +85,7 @@ function __construct($source = null)
      */
     function checkSystem()
     {
-        $this->set('PMA_VERSION', '2.11.9.5');
+        $this->set('PMA_VERSION', '2.11.10');
         /**
          * @deprecated
          */

diff --git a/phpmyadmin/libraries/File.class.php b/phpmyadmin/libraries/File.class.php
@@ -488,7 +488,7 @@ function setLocalSelectedFile($name)
      */
     function isReadable()
     {
-        // surpress warnings from beeing displayed, but not from beeing logged
+        // suppress warnings from being displayed, but not from being logged
         // any file access outside of open_basedir will issue a warning
         ob_start();
         $is_readable = is_readable($this->getName());
@@ -527,42 +527,15 @@ function checkUploadedFile()
             return true;
         }
 
-        /**
-         * it is not important if open_basedir is set - we just cannot read the file
-         * so we try to move it
-        if ('' != ini_get('open_basedir')) {
-         */
-
-        // check tmp dir config
-        if (empty($GLOBALS['cfg']['TempDir'])) {
-            $GLOBALS['cfg']['TempDir'] = 'tmp/';
-        }
-
-        // surpress warnings from beeing displayed, but not from beeing logged
-        ob_start();
-        // check tmp dir
-        if (! is_dir($GLOBALS['cfg']['TempDir'])) {
-            // try to create the tmp directory
-            if (@mkdir($GLOBALS['cfg']['TempDir'], 0777)) {
-                chmod($GLOBALS['cfg']['TempDir'], 0777);
-            } else {
-                // create tmp dir failed
-                $this->_error_message = $GLOBALS['strFieldInsertFromFileTempDirNotExists'];
-                ob_end_clean();
-                return false;
-            }
-        }
-        ob_end_clean();
-
-        if (! is_writable($GLOBALS['cfg']['TempDir'])) {
+        if (empty($GLOBALS['cfg']['TempDir']) || ! is_writable($GLOBALS['cfg']['TempDir'])) {
             // cannot create directory or access, point user to FAQ 1.11
             $this->_error_message = $GLOBALS['strFieldInsertFromFileTempDirNotExists'];
             return false;
         }
 
-        $new_file_to_upload = $GLOBALS['cfg']['TempDir'] . '/' . basename($this->getName());
+        $new_file_to_upload = tempnam(realpath($GLOBALS['cfg']['TempDir']), basename($this->getName()));
 
-        // surpress warnings from beeing displayed, but not from beeing logged
+        // suppress warnings from being displayed, but not from being logged
         // any file access outside of open_basedir will issue a warning
         ob_start();
         $move_uploaded_file_result = move_uploaded_file($this->getName(), $new_file_to_upload);
@@ -602,7 +575,7 @@ function checkUploadedFile()
      */
     function _detectCompression()
     {
-        // surpress warnings from beeing displayed, but not from beeing logged
+        // suppress warnings from being displayed, but not from being logged
         // f.e. any file access outside of open_basedir will issue a warning
         ob_start();
         $file = fopen($this->getName(), 'rb');

diff --git a/phpmyadmin/pdf_pages.php b/phpmyadmin/pdf_pages.php
@@ -273,7 +273,7 @@
             if (isset($chpage) && $chpage == $curr_page['page_nr']) {
                 echo ' selected="selected"';
             }
-            echo '>' . $curr_page['page_nr'] . ': ' . $curr_page['page_descr'] . '</option>';
+            echo '>' . $curr_page['page_nr'] . ': ' . htmlspecialchars($curr_page['page_descr']) . '</option>';
         } // end while
         echo "\n";
         ?>
@@ -426,12 +426,12 @@ function resetDrag() {
             echo "\n" . '        <td>'
                  . "\n" . '            <select name="c_table_' . $i . '[name]">';
             foreach ($selectboxall AS $key => $value) {
-                echo "\n" . '                <option value="' . $value . '"';
+                echo "\n" . '                <option value="' . htmlspecialchars($value) . '"';
                 if ($value == $sh_page['table_name']) {
                     echo ' selected="selected"';
                     $tabExist[$_mtab] = TRUE;
                 }
-                echo '>' . $value . '</option>';
+                echo '>' . htmlspecialchars($value) . '</option>';
             } // end while
             echo "\n" . '            </select>'
                  . "\n" . '        </td>';
@@ -459,7 +459,7 @@ function resetDrag() {
         echo "\n" . '        <td>'
              . "\n" . '            <select name="c_table_' . $i . '[name]">';
         foreach ($selectboxall AS $key => $value) {
-            echo "\n" . '                <option value="' . $value . '">' . $value . '</option>';
+            echo "\n" . '                <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($value) . '</option>';
         }
         echo "\n" . '            </select>'
              . "\n" . '        </td>';
@@ -490,8 +490,8 @@ function resetDrag() {
     if (!empty($tabExist) && is_array($tabExist)) {
         foreach ($tabExist AS $key => $value) {
             if (!$value) {
-                $_strtrans  .= '<input type="hidden" name="delrow[]" value="' . $key . '" />' . "\n";
-                $_strname   .= '<li>' . $key . '</li>' . "\n";
+                $_strtrans  .= '<input type="hidden" name="delrow[]" value="' . htmlspecialchars($key) . '" />' . "\n";
+                $_strname   .= '<li>' . htmlspecialchars($key) . '</li>' . "\n";
                 $shoot       = TRUE;
             }
         }

diff --git a/phpmyadmin/pmd_pdf.php b/phpmyadmin/pmd_pdf.php
@@ -23,26 +23,29 @@
 
     $pmd_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']);
     $pma_table = PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords']);
+    $scale_q = PMA_sqlAddslashes($scale);
+    $pdf_page_number_q = PMA_sqlAddslashes($pdf_page_number);
 
     if (isset($exp)) {
 
-        $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number . ", ROUND(x/" . $scale . ") , ROUND(y/" . $scale . ") y FROM " . $pmd_table . " WHERE db_name = '" . $db . "'";
+        $sql = "REPLACE INTO " . $pma_table . " (db_name, table_name, pdf_page_number, x, y) SELECT db_name, table_name, " . $pdf_page_number_q . ", ROUND(x/" . $scale_q . ") , ROUND(y/" . $scale_q . ") y FROM " . $pmd_table . " WHERE db_name = '" . PMA_sqlAddslashes($db) . "'";
 
         PMA_query_as_cu($sql,TRUE,PMA_DBI_QUERY_STORE);
     }
 
     if (isset($imp)) {
         PMA_query_as_cu(
         'UPDATE ' . $pma_table . ',' . $pmd_table .
-        ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale . ',
-        ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '.$scale.'
+        ' SET ' . $pmd_table . '.`x`= ' . $pma_table . '.`x` * '. $scale_q . ',
+        ' . $pmd_table . '.`y`= ' . $pma_table . '.`y` * '. $scale_q .'
         WHERE
         ' . $pmd_table . '.`db_name`=' . $pma_table . '.`db_name`
         AND
         ' . $pmd_table . '.`table_name` = ' . $pma_table . '.`table_name`
         AND
-        ' . $pmd_table . '.`db_name`=\''.$db.'\'
-        AND pdf_page_number = '.$pdf_page_number.';',TRUE,PMA_DBI_QUERY_STORE);     }
+        ' . $pmd_table . '.`db_name`=\''. PMA_sqlAddslashes($db) .'\'
+        AND pdf_page_number = ' . $pdf_page_number_q . ';', TRUE, PMA_DBI_QUERY_STORE);     
+    }
 
     die("<script>alert('$strModifications');history.go(-2);</script>");
 }
@@ -76,11 +79,11 @@
       <select name="pdf_page_number">
       <?php
       $table_info_result = PMA_query_as_cu('SELECT * FROM '.PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']).'
-                                             WHERE db_name = \''.$db.'\'');
+                                              WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\'');
       while($page = PMA_DBI_fetch_assoc($table_info_result))
       {
       ?>
-      <option value="<?php echo $page['page_nr'] ?>"><?php echo $page['page_descr'] ?></option>
+      <option value="<?php echo $page['page_nr'] ?>"><?php echo htmlspecialchars($page['page_descr']) ?></option>
       <?php
       }
       ?>