

Merge branch 'master' into master-security
nijel committed Sep 19, 2016
2 parents 19c24a8 + ad87644 commit 07b846f
Showing 35 changed files with 581 additions and 270 deletions.
8 changes: 8 additions & 0 deletions ChangeLog
Expand Up @@ -59,6 +59,14 @@ phpMyAdmin - ChangeLog
- issue #12473 Code can throw unhandled exception
- issue #12550 Do not try to keep alive session even after expiry
- issue #12512 Fixed rendering BBCode links in setup
- issue #12518 Fixed copy of table with generated columns
- issue #12221 Fixed export of table with generated columns
- issue #12320 Copying a user does not copy usergroup
- issue #12272 Adding a new row with default enum goes to no selection when you want to add more then 2 rows
- issue #12487 Drag and drop import prevents file dropping to blob column file selector on the insert tab
- issue #12554 Absence of scrolling makes it impossible to read longer text values in grid editing
- issue #12530 "Edit routine" crashes when the current user is not the definer, even if privileges are adequate
- issue #12300 Export selective tables by-default dumps Events also

4.6.4 (2016-08-16)
- issue [security] Weaknesses with cookie encryption, see PMASA-2016-29
Expand Down
1 change: 1 addition & 0 deletions doc/setup.rst
Expand Up @@ -852,6 +852,7 @@ are always ways to make your installation more secure:
* Ensure your PHP setup follows recommendations for production sites, for example
`display_errors <https://php.net/manual/en/errorfunc.configuration.php#ini.display-errors>`_
should be disabled.
* Remove the ``test`` directory from phpMyAdmin, unless you are developing and need test suite.
* Remove the ``setup`` directory from phpMyAdmin, you will probably not
use it after the initial setup.
* Properly choose an authentication method - :ref:`cookie`
Expand Down
24 changes: 24 additions & 0 deletions js/common.js
Expand Up @@ -298,6 +298,13 @@ PMA_DROP_IMPORT = {
* @return void
*/
_dragenter : function (event) {

// We don't want to prevent users from using
// browser's default drag-drop feature on some page(s)
if ($(".noDragDrop").length !== 0) {
return;
}

event.stopPropagation();
event.preventDefault();
if (!PMA_DROP_IMPORT._hasFiles(event)) {
Expand Down Expand Up @@ -333,6 +340,12 @@ PMA_DROP_IMPORT = {
* @return void
*/
_dragover: function (event) {
// We don't want to prevent users from using
// browser's default drag-drop feature on some page(s)
if ($(".noDragDrop").length !== 0) {
return;
}

event.stopPropagation();
event.preventDefault();
if (!PMA_DROP_IMPORT._hasFiles(event)) {
Expand All @@ -348,6 +361,11 @@ PMA_DROP_IMPORT = {
* @return void
*/
_dragleave: function (event) {
// We don't want to prevent users from using
// browser's default drag-drop feature on some page(s)
if ($(".noDragDrop").length !== 0) {
return;
}
event.stopPropagation();
event.preventDefault();
var $pma_drop_handler = $(".pma_drop_handler");
Expand Down Expand Up @@ -408,6 +426,12 @@ PMA_DROP_IMPORT = {
* @return void
*/
_drop: function (event) {
// We don't want to prevent users from using
// browser's default drag-drop feature on some page(s)
if ($(".noDragDrop").length !== 0) {
return;
}

var dbname = PMA_commonParams.get('db');
var server = PMA_commonParams.get('server');

Expand Down
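Review bot: The guard `if ($(".noDragDrop").length !== 0) { return; }` is copied verbatim into `_dragenter`, `_dragover`, `_dragleave` and `_drop`, and `_dragover` fires continuously while a file is held over the window, so the same DOM query runs on every event. Extracting it into one member, `_dropDisabled: function () { return $(".noDragDrop").length !== 0; },` and writing `if (PMA_DROP_IMPORT._dropDisabled()) { return; }` at the four sites keeps the handlers in step if the selector ever changes. Each handler's body continues past its hunk.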
17 changes: 17 additions & 0 deletions js/export.js
Expand Up @@ -545,6 +545,16 @@ function toggle_table_select(row) {
}
}

function handleAddProcCheckbox() {
if ($('#table_structure_all').is(':checked') === true
&& $('#table_data_all').is(':checked') === true
) {
$('#checkbox_sql_procedure_function').prop('checked', true);
} else {
$('#checkbox_sql_procedure_function').prop('checked', false);
}
}

AJAX.registerOnload('export.js', function () {
/**
* For SQL plugin, if "CREATE TABLE options" is checked/unchecked, check/uncheck each of its sub-options
Expand Down Expand Up @@ -584,26 +594,31 @@ AJAX.registerOnload('export.js', function () {
$('input[name="table_select[]"]').on('change', function() {
toggle_table_select($(this).closest('tr'));
check_table_select_all();
handleAddProcCheckbox();
});

$('input[name="table_structure[]"]').on('change', function() {
check_table_selected($(this).closest('tr'));
check_table_select_all();
handleAddProcCheckbox();
});

$('input[name="table_data[]"]').on('change', function() {
check_table_selected($(this).closest('tr'));
check_table_select_all();
handleAddProcCheckbox();
});

$('#table_structure_all').on('change', function() {
toggle_table_select_all_str();
check_selected_tables();
handleAddProcCheckbox();
});

$('#table_data_all').on('change', function() {
toggle_table_select_all_data();
check_selected_tables();
handleAddProcCheckbox();
});

if ($("input[name='export_type']").val() == 'database') {
Expand Down Expand Up @@ -810,6 +825,8 @@ AJAX.registerOnload('export.js', function () {
toggle_quick_or_custom();
toggle_structure_data_opts();
toggle_sql_include_comments();
check_table_select_all();
handleAddProcCheckbox();

/**
* Initially disables the "Dump some row(s)" sub-options
Expand Down
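Review bot: `handleAddProcCheckbox` has no header comment while the file otherwise documents its helpers with block comments (the `registerOnload` callback right below starts with one); a three-line `/** * Ties the SQL procedure/function checkbox to "all structure" and "all data" being selected. * @return void */` would match the file. The body can be a single statement, `$('#checkbox_sql_procedure_function').prop('checked', $('#table_structure_all').is(':checked') && $('#table_data_all').is(':checked'));`, since `.is()` already yields a boolean and the `=== true` comparisons plus the if/else add nothing. Declaring it as a global function is consistent with the existing helpers such as `toggle_table_select`.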
2 changes: 1 addition & 1 deletion js/functions.js
Expand Up @@ -906,7 +906,7 @@ AJAX.registerOnload('functions.js', function () {
var remaining = PMA_commonParams.get('LoginCookieValidity') - _idleSecondsCounter;
if (remaining > 5) {
// max value for setInterval() function
var interval = min(remaining * 1000, Math.pow(2, 31) - 1);
var interval = Math.min(remaining * 1000, Math.pow(2, 31) - 1);
updateTimeout = window.setTimeout(UpdateIdleTime, interval);
} else if (remaining > 0) {
// We're close to session expiry
Expand Down
2 changes: 2 additions & 0 deletions js/messages.php
Expand Up @@ -390,6 +390,8 @@ function () {
$js_messages['MissingReturn']
= __('The definition of a stored function must contain a RETURN statement!');
$js_messages['strExport'] = __('Export');
$js_messages['NoExportable']
= __('No routine is exportable. Required privileges may be lacking.');

/* For ENUM/SET editor*/
$js_messages['enum_editor'] = __('ENUM/SET editor');
Expand Down
6 changes: 6 additions & 0 deletions js/rte.js
Expand Up @@ -128,6 +128,11 @@ RTE.COMMON = {
var count = export_anchors.length;
var returnCount = 0;

// No routine is exportable (due to privilege issues)
if (count === 0) {
PMA_ajaxShowMessage(PMA_messages.NoExportable);
}

export_anchors.each(function () {
$.get($(this).attr('href'), {'ajax_request': true}, function (data) {
returnCount++;
Expand All @@ -149,6 +154,7 @@ RTE.COMMON = {
} else {
$.get($this.attr('href'), {'ajax_request': true}, showExport);
}
PMA_ajaxRemoveMessage($msg);

function showExport(data) {
if (data.success === true) {
Expand Down
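Review bot: `PMA_ajaxRemoveMessage($msg);`, added after the if/else in the second hunk, runs synchronously right after the `$.get` requests are issued and before any of their callbacks, so whatever `$msg` refers to (it is created outside the hunk) is dismissed before the export data arrives; if it is the in-progress indicator, the removal belongs at the start of `showExport` and of the per-anchor callback. In the first hunk the `count === 0` branch shows `NoExportable` and then still enters `export_anchors.each`, which is a no-op on an empty set; an explicit `return;` after the message makes that intent clear. The enclosing function starts before the hunk.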
10 changes: 10 additions & 0 deletions js/tbl_change.js
Expand Up @@ -553,6 +553,7 @@ AJAX.registerOnload('tbl_change.js', function () {
// handle input text fields and textareas
if ($this_element.is('.textfield') || $this_element.is('.char')) {
// do not remove the 'value' attribute for ENUM columns
// special handling for radio fields after updating ids to unique - see below
if ($this_element.closest('tr').find('span.column_type').html() != 'enum') {
$this_element.val($this_element.closest('tr').find('span.default_value').html());
}
Expand Down Expand Up @@ -675,6 +676,15 @@ AJAX.registerOnload('tbl_change.js', function () {
$(this).attr('tabindex', tabindex);
// update the IDs of textfields to ensure that they are unique
$(this).attr('id', "field_" + tabindex + "_3");

// special handling for radio fields after updating ids to unique
if ($(this).closest('tr').find('span.column_type').html() === 'enum') {
if ($(this).val() === $(this).closest('tr').find('span.default_value').html()) {
$(this).prop('checked', true);
} else {
$(this).prop('checked', false);
}
}
});
$('.control_at_footer')
.each(function () {
Expand Down
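Review bot: In the second hunk the radio state is decided by `$(this).val() === $(this).closest('tr').find('span.default_value').html()`, but `.html()` returns serialized markup, so an enum default containing `&`, `<` or `>` comes back entity-encoded and never equals the raw `val()`; compare against `.text()` instead. The if/else then collapses to `$(this).prop('checked', $(this).val() === $(this).closest('tr').find('span.default_value').text());`. The existing check in the first hunk uses loose `!= 'enum'` while the new one uses strict `=== 'enum'`; settling on `!==`/`===` in both avoids two conventions in the same handler. The enclosing `.each` callback starts before the hunk.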
5 changes: 3 additions & 2 deletions libraries/DatabaseInterface.php
Expand Up @@ -1748,10 +1748,11 @@ public function getProceduresOrFunctions($db, $which, $link = null)
* @param string $db db name
* @param string $which PROCEDURE | FUNCTION | EVENT | VIEW
* @param string $name the procedure|function|event|view name
* @param object $link MySQL link
*
* @return string the definition
*/
public function getDefinition($db, $which, $name)
public function getDefinition($db, $which, $name, $link = null)
{
$returned_field = array(
'PROCEDURE' => 'Create Procedure',
Expand All @@ -1762,7 +1763,7 @@ public function getDefinition($db, $which, $name)
$query = 'SHOW CREATE ' . $which . ' '
. Util::backquote($db) . '.'
. Util::backquote($name);
return($this->fetchValue($query, 0, $returned_field[$which]));
return($this->fetchValue($query, 0, $returned_field[$which], $link));
}

/**
Expand Down
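Review bot: The new `@param object $link MySQL link` documents the parameter as a plain object although it defaults to `null`; `@param object|null $link MySQL link (null presumably selects the default connection, as in fetchValue — verify)` tells callers what omitting it means. While this signature is being touched: `$which` is spliced into `'SHOW CREATE ' . $which` and used as the key of `$returned_field`, with nothing enforcing the PROCEDURE|FUNCTION|EVENT|VIEW set the docblock promises; an `if (!isset($returned_field[$which])) { throw new \InvalidArgumentException('Unsupported object type: ' . $which); }` before the query fails closed on a bad value instead of emitting an undefined-index notice and still running the statement. The method body continues between the two hunks.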
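--- a/libraries/OpenDocument.php
+++ b/libraries/OpenDocument.php
@@ -0,0 +1,176 @@
+<?php
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+* Simple interface for creating OASIS OpenDocument files.
+*
+* @package PhpMyAdmin
+*/
+namespace PMA\libraries;
+
+
+use PMA\libraries\ZipFile;
+
+/**
+* Simplfied OpenDocument creator class
+*
+* @package PhpMyAdmin
+*/
+class OpenDocument
+{
+
+const NS = <<<EOT
+xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
+xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
+xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
+xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"
+xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0"
+xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0"
+EOT;
+
+/**
+* Minimalistic creator of OASIS OpenDocument
+*
+* @param string $mime desired MIME type
+* @param string $data document content
+*
+* @return string OASIS OpenDocument data
+*
+* @access public
+*/
+public static function create($mime, $data)
+{
+$zipfile = new ZipFile();
+$zipfile -> addFile($mime, 'mimetype');
+$zipfile -> addFile($data, 'content.xml');
+$zipfile -> addFile(
+'<?xml version="1.0" encoding="UTF-8"?' . '>'
+. '<office:document-meta '
+. 'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
+. 'xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" '
+. 'office:version="1.0">'
+. '<office:meta>'
+. '<meta:generator>phpMyAdmin ' . PMA_VERSION . '</meta:generator>'
+. '<meta:initial-creator>phpMyAdmin ' . PMA_VERSION
+. '</meta:initial-creator>'
+. '<meta:creation-date>' . strftime('%Y-%m-%dT%H:%M:%S')
+. '</meta:creation-date>'
+. '</office:meta>'
+. '</office:document-meta>',
+'meta.xml'
+);
+$zipfile -> addFile(
+'<?xml version="1.0" encoding="UTF-8"?' . '>'
+. '<office:document-styles ' . OpenDocument::NS
+. 'office:version="1.0">'
+. '<office:font-face-decls>'
+. '<style:font-face style:name="Arial Unicode MS"'
+. ' svg:font-family="\'Arial Unicode MS\'" style:font-pitch="variable"/>'
+. '<style:font-face style:name="DejaVu Sans1"'
+. ' svg:font-family="\'DejaVu Sans\'" style:font-pitch="variable"/>'
+. '<style:font-face style:name="HG Mincho Light J"'
+. ' svg:font-family="\'HG Mincho Light J\'" style:font-pitch="variable"/>'
+. '<style:font-face style:name="DejaVu Serif"'
+. ' svg:font-family="\'DejaVu Serif\'" style:font-family-generic="roman"'
+. ' style:font-pitch="variable"/>'
+. '<style:font-face style:name="Thorndale"'
+. ' svg:font-family="Thorndale" style:font-family-generic="roman"'
+. ' style:font-pitch="variable"/>'
+. '<style:font-face style:name="DejaVu Sans"'
+. ' svg:font-family="\'DejaVu Sans\'" style:font-family-generic="swiss"'
+. ' style:font-pitch="variable"/>'
+. '</office:font-face-decls>'
+. '<office:styles>'
+. '<style:default-style style:family="paragraph">'
+. '<style:paragraph-properties fo:hyphenation-ladder-count="no-limit"'
+. ' style:text-autospace="ideograph-alpha" style:punctuation-wrap="hanging"'
+. ' style:line-break="strict" style:tab-stop-distance="0.4925in"'
+. ' style:writing-mode="page"/>'
+. '<style:text-properties style:use-window-font-color="true"'
+. ' style:font-name="DejaVu Serif" fo:font-size="12pt" fo:language="en"'
+. ' fo:country="US" style:font-name-asian="DejaVu Sans1"'
+. ' style:font-size-asian="12pt" style:language-asian="none"'
+. ' style:country-asian="none" style:font-name-complex="DejaVu Sans1"'
+. ' style:font-size-complex="12pt" style:language-complex="none"'
+. ' style:country-complex="none" fo:hyphenate="false"'
+. ' fo:hyphenation-remain-char-count="2"'
+. ' fo:hyphenation-push-char-count="2"/>'
+. '</style:default-style>'
+. '<style:style style:name="Standard" style:family="paragraph"'
+. ' style:class="text"/>'
+. '<style:style style:name="Text_body" style:display-name="Text body"'
+. ' style:family="paragraph" style:parent-style-name="Standard"'
+. ' style:class="text">'
+. '<style:paragraph-properties fo:margin-top="0in"'
+. ' fo:margin-bottom="0.0835in"/>'
+. '</style:style>'
+. '<style:style style:name="Heading" style:family="paragraph"'
+. ' style:parent-style-name="Standard" style:next-style-name="Text_body"'
+. ' style:class="text">'
+. '<style:paragraph-properties fo:margin-top="0.1665in"'
+. ' fo:margin-bottom="0.0835in" fo:keep-with-next="always"/>'
+. '<style:text-properties style:font-name="DejaVu Sans" fo:font-size="14pt"'
+. ' style:font-name-asian="DejaVu Sans1" style:font-size-asian="14pt"'
+. ' style:font-name-complex="DejaVu Sans1" style:font-size-complex="14pt"/>'
+. '</style:style>'
+. '<style:style style:name="Heading_1" style:display-name="Heading 1"'
+. ' style:family="paragraph" style:parent-style-name="Heading"'
+. ' style:next-style-name="Text_body" style:class="text"'
+. ' style:default-outline-level="1">'
+. '<style:text-properties style:font-name="Thorndale" fo:font-size="24pt"'
+. ' fo:font-weight="bold" style:font-name-asian="HG Mincho Light J"'
+. ' style:font-size-asian="24pt" style:font-weight-asian="bold"'
+. ' style:font-name-complex="Arial Unicode MS"'
+. ' style:font-size-complex="24pt" style:font-weight-complex="bold"/>'
+. '</style:style>'
+. '<style:style style:name="Heading_2" style:display-name="Heading 2"'
+. ' style:family="paragraph" style:parent-style-name="Heading"'
+. ' style:next-style-name="Text_body" style:class="text"'
+. ' style:default-outline-level="2">'
+. '<style:text-properties style:font-name="DejaVu Serif"'
+. ' fo:font-size="18pt" fo:font-weight="bold"'
+. ' style:font-name-asian="DejaVu Sans1" style:font-size-asian="18pt"'
+. ' style:font-weight-asian="bold" style:font-name-complex="DejaVu Sans1"'
+. ' style:font-size-complex="18pt" style:font-weight-complex="bold"/>'
+. '</style:style>'
+. '</office:styles>'
+. '<office:automatic-styles>'
+. '<style:page-layout style:name="pm1">'
+. '<style:page-layout-properties fo:page-width="8.2673in"'
+. ' fo:page-height="11.6925in" style:num-format="1"'
+. ' style:print-orientation="portrait" fo:margin-top="1in"'
+. ' fo:margin-bottom="1in" fo:margin-left="1.25in"'
+. ' fo:margin-right="1.25in" style:writing-mode="lr-tb"'
+. ' style:footnote-max-height="0in">'
+. '<style:footnote-sep style:width="0.0071in"'
+. ' style:distance-before-sep="0.0398in"'
+. ' style:distance-after-sep="0.0398in" style:adjustment="left"'
+. ' style:rel-width="25%" style:color="#000000"/>'
+. '</style:page-layout-properties>'
+. '<style:header-style/>'
+. '<style:footer-style/>'
+. '</style:page-layout>'
+. '</office:automatic-styles>'
+. '<office:master-styles>'
+. '<style:master-page style:name="Standard" style:page-layout-name="pm1"/>'
+. '</office:master-styles>'
+. '</office:document-styles>',
+'styles.xml'
+);
+$zipfile -> addFile(
+'<?xml version="1.0" encoding="UTF-8"?' . '>'
+. '<manifest:manifest'
+. ' xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
+. '<manifest:file-entry manifest:media-type="' . $mime
+. '" manifest:full-path="/"/>'
+. '<manifest:file-entry manifest:media-type="text/xml"'
+. ' manifest:full-path="content.xml"/>'
+. '<manifest:file-entry manifest:media-type="text/xml"'
+. ' manifest:full-path="meta.xml"/>'
+. '<manifest:file-entry manifest:media-type="text/xml"'
+. ' manifest:full-path="styles.xml"/>'
+. '</manifest:manifest>',
+'META-INF/manifest.xml'
+);
+return $zipfile -> file();
+}
+}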
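Review bot: The styles.xml assembled in `create()` uses the `svg:` prefix (`svg:font-family` in every font-face declaration) but `OpenDocument::NS` declares only the office, text, table, style, number and fo namespaces, so the document is not namespace-well-formed and strict ODF consumers may reject it; add `xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0"` to the heredoc. Unless the last heredoc line carries a trailing space that the rendering dropped, `OpenDocument::NS . 'office:version="1.0">'` also glues the `fo` declaration and `office:version` together without a separator; writing `. ' office:version="1.0">'` removes the dependence on heredoc whitespace. `strftime('%Y-%m-%dT%H:%M:%S')` in meta.xml is locale-dependent and deprecated since PHP 8.1; `date('Y-m-d\TH:i:s')` yields the same timestamp. `$mime` is written into a manifest attribute unescaped, which holds only while every caller passes a fixed literal — worth one sentence on the `@param` line.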
