Merge branch 'master' of https://github.com/phpmyadmin/phpmyadmin int…

…o UT_plu_table

.gitignore

@@ -22,6 +22,8 @@ phpmyadmin.wpj
 .idea
 .netbeans
 *.sw[op]
+# IIS files
+web.config
 # Locales
 /locale/
 # Backups

ChangeLog

@@ -33,8 +33,9 @@ phpMyAdmin - ChangeLog
 
 4.0.6.0 (not yet released)
 - bug #4036 Call to undefined function mb_detect_encoding (clarify the doc)
+- bug Missing hints when changing a column's structure
 
-4.0.5.0 (not yet released)
+4.0.5.0 (2013-08-04)
 - bug #3977 Not detected configuration storage
 - bug #3970 Pressing enter in the filter field reloads page
 - bug #3984 Cannot insert in this table (PHP < 5.4)
@@ -54,6 +55,7 @@ phpMyAdmin - ChangeLog
 + Reinstated configuration directive: AllowThirdPartyFraming
 
 4.0.4.2 (2013-07-28)
+- [security] fix unescaped parameter, see PMASA-2013-8
 - [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
 - [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
 - [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9

README

@@ -39,6 +39,26 @@ details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+Third party licenses
+--------------------
+
+phpMyAdmin includes several third party libraries which come under their
+respective licenses.
+
+jQuery's license, which is where we got the files under js/jquery/ is
+(MIT|GPL), a copy of each license is available in this repository (GPL
+is available as LICENSE, MIT as js/jquery/MIT-LICENSE.txt).
+
+TCPDF which is located under libraries/tcpdf is released under GPL
+version 3 and the license is available as libraries/tcpdf/LICENSE.TXT.
+
+DejaVu fonts which are located under libraries/tcpdf/fonts/ and their
+license is documented in
+libraries/tcpdf/fonts/dejavu-fonts-ttf-2.33/LICENSE.
+
+PHP-gettext which is located under libraries/php-gettext/ is released
+under GPL version 2 license which is available in the LICENSE file.
+
 Requirements
 ------------
 

db_export.php

@@ -48,8 +48,9 @@
 $multi_values .= '<select name="table_select[]" id="table_select" size="10" multiple="multiple">';
 $multi_values .= "\n";
 
-if (!empty($selected_tbl) && empty($table_select)) {
-    $table_select = $selected_tbl;
+// when called by libraries/mult_submits.inc.php
+if (!empty($_POST['selected_tbl']) && empty($table_select)) {
+    $table_select = $_POST['selected_tbl'];
 }
 
 // Check if the selected tables are defined in $_GET

db_operations.php

@@ -186,23 +186,17 @@
     PMA_setDbComment($db, $_REQUEST['comment']);
 }
 
-/**
- * Prepares the tables list if the user where not redirected to this script
- * because there is no table in the database ($is_info is true)
- */
-if (empty($is_info)) {
-    include 'libraries/db_common.inc.php';
-    $url_query .= '&goto=db_operations.php';
-
-    // Gets the database structure
-    $sub_part = '_structure';
-    include 'libraries/db_info.inc.php';
-    echo "\n";
-
-    if (isset($message)) {
-        echo PMA_Util::getMessage($message, $sql_query);
-        unset($message);
-    }
+include 'libraries/db_common.inc.php';
+$url_query .= '&goto=db_operations.php';
+
+// Gets the database structure
+$sub_part = '_structure';
+include 'libraries/db_info.inc.php';
+echo "\n";
+
+if (isset($message)) {
+    echo PMA_Util::getMessage($message, $sql_query);
+    unset($message);
 }
 
 $_REQUEST['db_collation'] = PMA_getDbCollation($db);

db_structure.php

@@ -22,54 +22,35 @@
 $scripts->addFile('tbl_change.js');
 $scripts->addFile('jquery/jquery-ui-timepicker-addon.js');
 
-$post_params = array(
-    'error',
-    'is_info',
-    'message',
-    'mult_btn',
-    'selected_tbl',
-    'submit_mult'
-);
-foreach ($post_params as $one_post_param) {
-    if (isset($_POST[$one_post_param])) {
-        $GLOBALS[$one_post_param] = $_POST[$one_post_param];
+// Drops/deletes/etc. multiple tables if required
+if ((!empty($_POST['submit_mult']) && isset($_POST['selected_tbl']))
+    || isset($_POST['mult_btn'])
+) {
+    $action = 'db_structure.php';
+    $err_url = 'db_structure.php?'. PMA_generate_common_url($db);
+
+    // see bug #2794840; in this case, code path is:
+    // db_structure.php -> libraries/mult_submits.inc.php -> sql.php
+    // -> db_structure.php and if we got an error on the multi submit,
+    // we must display it here and not call again mult_submits.inc.php
+    if (! isset($_POST['error']) || false === $_POST['error']) {
+        include 'libraries/mult_submits.inc.php';
     }
-}
-/**
- * Prepares the tables list if the user where not redirected to this script
- * because there is no table in the database ($is_info is true)
- */
-if (empty($_POST['is_info'])) {
-    // Drops/deletes/etc. multiple tables if required
-    if ((!empty($_POST['submit_mult']) && isset($_POST['selected_tbl']))
-        || isset($_POST['mult_btn'])
-    ) {
-        $action = 'db_structure.php';
-        $err_url = 'db_structure.php?'. PMA_generate_common_url($db);
-
-        // see bug #2794840; in this case, code path is:
-        // db_structure.php -> libraries/mult_submits.inc.php -> sql.php
-        // -> db_structure.php and if we got an error on the multi submit,
-        // we must display it here and not call again mult_submits.inc.php
-        if (! isset($_POST['error']) || false === $_POST['error']) {
-            include 'libraries/mult_submits.inc.php';
-        }
-        if (empty($_POST['message'])) {
-            $_POST['message'] = PMA_Message::success();
-        }
+    if (empty($_POST['message'])) {
+        $_POST['message'] = PMA_Message::success();
     }
-    include 'libraries/db_common.inc.php';
-    $url_query .= '&goto=db_structure.php';
+}
+include 'libraries/db_common.inc.php';
+$url_query .= '&goto=db_structure.php';
 
-    // Gets the database structure
-    $sub_part = '_structure';
-    include 'libraries/db_info.inc.php';
+// Gets the database structure
+$sub_part = '_structure';
+include 'libraries/db_info.inc.php';
 
-    if (!PMA_DRIZZLE) {
-        include_once 'libraries/replication.inc.php';
-    } else {
-        $server_slave_status = false;
-    }
+if (!PMA_DRIZZLE) {
+    include_once 'libraries/replication.inc.php';
+} else {
+    $server_slave_status = false;
 }
 
 require_once 'libraries/bookmark.lib.php';

doc/setup.rst

@@ -410,8 +410,6 @@ are always ways to make your installation more secure:
 
 * remove ``setup`` directory from phpMyAdmin, you will probably not 
   use it after initial setup
-* prevent access to ``libraries`` directory from browser, 
-  as it is not needed, supplied ``.htaccess`` file does this
 * properly choose authentication method - :ref:`cookie`
   is probably the best choice for shared hosting
 * in case you don't want all MySQL users to be able to access