Resolve merge conflicts with ChangeLog

Signed-off-by: Isaac Bennetch <bennetch@gmail.com>

ChangeLog

@@ -1,7 +1,7 @@
 phpMyAdmin - ChangeLog
 ======================
 
-4.6.5 (not yet released)
+4.6.5 (2016-11-24)
 - issue        Remove potentionally license problematic sRGB profile
 - issue #12459 Display read only fields as read only when editing
 - issue #12384 Fix expanding of navigation pane when clicking on database
@@ -93,6 +93,20 @@ phpMyAdmin - ChangeLog
 - issue #12361 Fix self SQL injection in table-specific privileges
 - issue #12698 Add link to release notes and download on new version notification
 - issue #12712 Error when trying to setup replication (fatal error in call to an old PMA_DBI_connect function)
+- issue        [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
+- issue        [security] phpMyAdmin's phpinfo functionality is removed, see PMASA-2016-59
+- issue        [security] AllowRoot and allow/deny rule bypass with specially-crafted username, see PMASA-2016-60
+- issue        [security] Username matching weaknesses with allow/deny rules, see PMASA-2016-61
+- issue        [security] Possible to bypass logout timeout, see PMASA-2016-62
+- issue        [security] Full path disclosure (FPD) weaknesses, see PMASA-2016-63
+- issue        [security] Multiple XSS weaknesses, see PMASA-2016-64
+- issue        [security] Multiple denial-of-service (DOS) vulnerabilities, see PMASA-2016-65
+- issue        [security] Possible to bypass white-list protection for URL redirection, see PMASA-2016-66
+- issue        [security] BBCode injection to login page, see PMASA-2016-67
+- issue        [security] Denial-of-service (DOS) vulnerability in table partitioning, see PMASA-2016-68
+- issue        [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
+- issue        [security] Incorrect serialized string parsing, see PMASA-2016-70
+- issue        [security] CSRF token not stripped from the URL, see PMASA-2016-71
 
 4.6.4 (2016-08-16)
 - issue        [security] Weaknesses with cookie encryption, see PMASA-2016-29

README

@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 4.6.5-dev
+Version 4.6.5
 
 A web interface for MySQL and MariaDB.
 

doc/conf.py

@@ -51,7 +51,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = '4.6.5-dev'
+version = '4.6.5'
 # The full version, including alpha/beta/rc tags.
 release = version
 

import.php

@@ -616,8 +616,8 @@
 
 // Something to skip? (because timeout has passed)
 if (! $error && isset($_POST['skip'])) {
-    $original_skip = $skip = $_POST['skip'];
-    while ($skip > 0) {
+    $original_skip = $skip = intval($_POST['skip']);
+    while ($skip > 0 && ! $finished) {
         PMA_importGetNextChunk($skip < $read_limit ? $skip : $read_limit);
         // Disable read progressivity, otherwise we eat all memory!
         $read_multiply = 1;

index.php

@@ -389,7 +389,7 @@
 PMA_printListItem(
     __('Official Homepage'),
     'li_pma_homepage',
-    PMA_linkURL('https://www.phpMyAdmin.net/'),
+    PMA_linkURL('https://www.phpmyadmin.net/'),
     null,
     '_blank'
 );

js/config.js

@@ -625,9 +625,9 @@ AJAX.registerOnload('config.js', function () {
     var tab_check_fnc = function () {
         if (location.hash != prev_hash) {
             prev_hash = location.hash;
-            if (location.hash.match(/^#tab_[a-zA-Z0-9_]+/)) {
+            if (prev_hash.match(/^#tab_[a-zA-Z0-9_]+$/)) {
                 // session ID is sometimes appended here
-                var hash = location.hash.substr(5).split('&')[0];
+                var hash = prev_hash.substr(5).split('&')[0];
                 if ($('#' + hash).length) {
                     setTab(hash);
                 }

js/microhistory.js

@@ -280,15 +280,16 @@ PMA_SetUrlHash = (function (jQuery, window) {
     /**
      * Start initialisation
      */
-    if (window.location.hash.substring(0, 8) == '#PMAURL-') {
+    var urlhash = window.location.hash;
+    if (urlhash.substring(0, 8) == '#PMAURL-') {
         // We have a valid hash, let's redirect the user
         // to the page that it's pointing to
-        var colon_position = window.location.hash.indexOf(':');
-        var questionmark_position = window.location.hash.indexOf('?');
+        var colon_position = urlhash.indexOf(':');
+        var questionmark_position = urlhash.indexOf('?');
         if (colon_position != -1 && questionmark_position != -1 && colon_position < questionmark_position) {
-            var hash_url = window.location.hash.substring(colon_position + 1, questionmark_position);
+            var hash_url = urlhash.substring(colon_position + 1, questionmark_position);
             if (PMA_gotoWhitelist.indexOf(hash_url) != -1) {
-                window.location = window.location.hash.substring(
+                window.location = urlhash.substring(
                     colon_position + 1
                 );
             }
@@ -328,4 +329,4 @@ PMA_SetUrlHash = (function (jQuery, window) {
      * Publicly exposes a reference to the otherwise private setUrlHash function
      */
     return setUrlHash;
-})(jQuery, window);
+})(jQuery, window);

libraries/Config.php

@@ -101,7 +101,7 @@ public function __construct($source = null)
      */
     public function checkSystem()
     {
-        $this->set('PMA_VERSION', '4.6.5-dev');
+        $this->set('PMA_VERSION', '4.6.5');
         /**
          * @deprecated
          */

libraries/DbQbe.php

@@ -1940,7 +1940,10 @@ private function _initializeCriteriasCount()
         // sets row count
         $rows = PMA_ifSetOr($_REQUEST['rows'], 0, 'numeric');
         $criteriaRowAdd = PMA_ifSetOr($_REQUEST['criteriaRowAdd'], 0, 'numeric');
-        $this->_criteria_row_count = max($rows + $criteriaRowAdd, 0);
+        $this->_criteria_row_count = min(
+            100,
+            max($rows + $criteriaRowAdd, 0)
+        );
 
         return $criteriaColumnCount;
     }

libraries/Error.php

@@ -478,7 +478,7 @@ public static function relPath($path)
 
         /* Probably affected by open_basedir */
         if ($dest === FALSE) {
-            return $path;
+            return basename($path);
         }
 
         $Ahere = explode(

libraries/ErrorHandler.php

@@ -193,16 +193,19 @@ public function addError($errstr, $errno, $errfile, $errline, $escape = true)
         $this->errors[$error->getHash()] = $error;
 
         switch ($error->getNumber()) {
-        case E_USER_NOTICE:
-        case E_USER_WARNING:
         case E_STRICT:
         case E_DEPRECATED:
         case E_NOTICE:
         case E_WARNING:
         case E_CORE_WARNING:
         case E_COMPILE_WARNING:
-        case E_USER_ERROR:
         case E_RECOVERABLE_ERROR:
+            /* Avoid rendering BB code in PHP errors */
+            $error->setBBCode(false);
+            break;
+        case E_USER_NOTICE:
+        case E_USER_WARNING:
+        case E_USER_ERROR:
             // just collect the error
             // display is called from outside
             break;

libraries/Message.php

@@ -112,6 +112,14 @@ class Message
      */
     protected $isDisplayed = false;
 
+    /**
+     * Whether to use BB code when displaying.
+     *
+     * @access  protected
+     * @var     boolean
+     */
+    protected $useBBCode = true;
+
     /**
      * Unique id
      *
@@ -236,6 +244,7 @@ static public function raw($message, $type = Message::NOTICE)
     {
         $r = new Message('', $type);
         $r->setMessage($message);
+        $r->setBBCode(false);
         return $r;
     }
 
@@ -392,6 +401,18 @@ public function isError($set = false)
         return $this->getNumber() === Message::ERROR;
     }
 
+    /**
+     * Set whether we should use BB Code when rendering.
+     *
+     * @param boolean $useBBCode Use BB Code?
+     *
+     * @return void
+     */
+    public function setBBCode($useBBCode)
+    {
+        $this->useBBCode = $useBBCode;
+    }
+
     /**
      * set raw message (overrides string)
      *
@@ -647,7 +668,9 @@ public function getMessage()
             $message = Message::format($message, $this->getParams());
         }
 
-        $message = Message::decodeBB($message);
+        if ($this->useBBCode) {
+            $message = Message::decodeBB($message);
+        }
 
         foreach ($this->getAddedMessages() as $add_message) {
             $message .= $add_message;

libraries/SavedSearches.php

@@ -160,6 +160,16 @@ public function setCriterias($criterias, $json = false)
             }
         }
 
+        /* Limit amount of rows */
+        if (!isset($data['rows'])) {
+            $data['rows'] = 0;
+        } else {
+            $data['rows'] = min(
+                max(0, intval($data['rows'])),
+                100
+            );
+        }
+
         for ($i = 0; $i <= $data['rows']; $i++) {
             $data['Or' . $i] = $criterias['Or' . $i];
         }

libraries/Tracker.php

@@ -144,8 +144,9 @@ static public function isTracked($dbname, $tablename)
     static public function getLogComment()
     {
         $date = date('Y-m-d H:i:s');
+        $user = preg_replace('/\s+/', ' ', $GLOBALS['cfg']['Server']['user']);
 
-        return "# log " . $date . " " . $GLOBALS['cfg']['Server']['user'] . "\n";
+        return "# log " . $date . " " . $user . "\n";
     }
 
     /**

libraries/VersionInformation.php

@@ -72,7 +72,7 @@ public function getLatestVersion()
                     CURLOPT_TIMEOUT,
                     $connection_timeout
                 );
-                $response = curl_exec($curl_handle);
+                $response = @curl_exec($curl_handle);
             } else if (ini_get('allow_url_fopen')) {
                 $context = array(
                     'http' => array(
@@ -81,12 +81,16 @@ public function getLatestVersion()
                     )
                 );
                 $context = Util::handleContext($context);
-                $response = file_get_contents(
+                $response = @file_get_contents(
                     $file,
                     false,
                     stream_context_create($context)
                 );
             }
+            // Check possible failure of getting data
+            if ($response === false) {
+                $response = '{}';
+            }
         }
 
         /* Parse response */

libraries/core.lib.php

@@ -754,10 +754,17 @@ function PMA_linkURL($url)
 function PMA_isAllowedDomain($url)
 {
     $arr = parse_url($url);
-    // Avoid URLs without hostname or with credentials
-    if (empty($arr['host']) || ! empty($arr['user']) || ! empty($arr['pass'])) {
+    // We need host to be set
+    if (! isset($arr['host']) || strlen($arr['host']) == 0) {
         return false;
     }
+    // We do not want these to be present
+    $blocked = array('user', 'pass', 'port');
+    foreach ($blocked as $part) {
+        if (isset($arr[$part]) && strlen($arr[$part]) != 0) {
+            return false;
+        }
+    }
     $domain = $arr["host"];
     $domainWhiteList = array(
         /* Include current domain */
@@ -766,6 +773,7 @@ function PMA_isAllowedDomain($url)
         'wiki.phpmyadmin.net', 'www.phpmyadmin.net', 'phpmyadmin.net',
         'demo.phpmyadmin.net',
         'docs.phpmyadmin.net',
+        'demo.phpmyadmin.net',
         /* mysql.com domains */
         'dev.mysql.com','bugs.mysql.com',
         /* mariadb domains */
@@ -781,7 +789,7 @@ function PMA_isAllowedDomain($url)
         /* Following are doubtful ones. */
         'mysqldatabaseadministration.blogspot.com',
     );
-    if (in_array(mb_strtolower($domain), $domainWhiteList)) {
+    if (in_array($domain, $domainWhiteList)) {
         return true;
     }
 
@@ -1014,21 +1022,39 @@ function hash_hmac($algo, $data, $key, $raw_output = false)
 /**
  * Sanitizes MySQL hostname
  *
- * * strips p: prefix
+ * * strips p: prefix(es)
  *
  * @param string $name User given hostname
  *
  * @return string
  */
 function PMA_sanitizeMySQLHost($name)
 {
-    if (strtolower(substr($name, 0, 2)) == 'p:') {
-        return substr($name, 2);
+    while (strtolower(substr($name, 0, 2)) == 'p:') {
+        $name = substr($name, 2);
     }
 
     return $name;
 }
 
+/**
+ * Sanitizes MySQL username
+ *
+ * * strips part behind null byte
+ *
+ * @param string $name User given username
+ *
+ * @return string
+ */
+function PMA_sanitizeMySQLUser($name)
+{
+    $position = strpos($name, chr(0));
+    if ($position !== false) {
+        return substr($name, 0, $position);
+    }
+    return $name;
+}
+
 /**
  * Safe unserializer wrapper
  *
@@ -1062,7 +1088,7 @@ function PMA_safeUnserialize($data)
             case 's':
                 /* string */
                 // parse sting length
-                $strlen = intval($data[$i + 2]);
+                $strlen = intval(substr($data, $i + 2));
                 // string start
                 $i = strpos($data, ':', $i + 2);
                 if ($i === false) {

libraries/export.lib.php

@@ -18,12 +18,10 @@
  */
 function PMA_shutdownDuringExport()
 {
-    $a = error_get_last();
-    if ($a != null && mb_strpos($a['message'], "execution time")) {
-        //write in partially downloaded file for future reference of user
-        print_r($a);
+    $error = error_get_last();
+    if ($error != null && mb_strpos($error['message'], "execution time")) {
         //set session variable to check if there was error while exporting
-        $_SESSION['pma_export_error'] = $a['message'];
+        $_SESSION['pma_export_error'] = $error['message'];
     }
 }
 

libraries/ip_allow_deny.lib.php

@@ -194,7 +194,7 @@ function PMA_ipv6MaskTest($test_range, $ip_to_test)
 
     if ($is_single) {
         $range_hex = bin2hex(inet_pton($test_range));
-        $result = $ip_hex === $range_hex;
+        $result = hash_equals($ip_hex, $range_hex);
         return $result;
     }
 
@@ -321,7 +321,7 @@ function PMA_allowDeny($type)
 
         // check for username
         if (($rule_data[1] != '%') //wildcarded first
-            && ($rule_data[1] != $username)
+            && (! hash_equals($rule_data[1], $username))
         ) {
             continue;
         }