Fixes #12361 and #12360 - Self XSS

Signed-off-by: Achilles-96 <raghuram.vadapalli@research.iiit.ac.in>
phpmyadmin · Jul 7, 2016 · 2e317e0 · 2e317e0
1 parent 6676433
commit 2e317e0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/libraries/server_privileges.lib.php b/libraries/server_privileges.lib.php
@@ -188,8 +188,15 @@ function PMA_extractPrivInfo($row = null, $enableHTML = false, $tablePrivs = fal
                 && is_array($GLOBALS[$current_grant[0]])
                 && empty($GLOBALS[$current_grant[0] . '_none'])
             ) {
+                if (isset($GLOBALS[$current_grant[0]]) && is_array($GLOBALS[$current_grant[0]])) {
+                    $GLOBALS[$current_grant[0]] = array_map(
+                        function($val)
+                        {
+                            return Util::backquote($val);
+                        }, $GLOBALS[$current_grant[0]]);
+                }
                 $privs[] = PMA_formatPrivilege($current_grant, $enableHTML)
-                    . ' (`' . join('`, `', $GLOBALS[$current_grant[0]]) . '`)';
+                    . ' (' . join('`, `', $GLOBALS[$current_grant[0]]) . ')';
             } else {
                 $allPrivileges = false;
             }
@@ -3979,10 +3986,11 @@ function PMA_updatePrivileges($username, $hostname, $tablename, $dbname, $itemTy
 
     // Should not do a GRANT USAGE for a table-specific privilege, it
     // causes problems later (cannot revoke it)
+    $private_info = PMA_extractPrivInfo();
     if (! (mb_strlen($tablename)
-        && 'USAGE' == implode('', PMA_extractPrivInfo()))
+        && 'USAGE' == implode('', $private_info))
     ) {
-        $sql_query2 = 'GRANT ' . join(', ', PMA_extractPrivInfo())
+        $sql_query2 = 'GRANT ' . join(', ', $private_info)
             . ' ON ' . $itemType . ' ' . $db_and_table
             . ' TO \'' . Util::sqlAddSlashes($username) . '\'@\''
             . Util::sqlAddSlashes($hostname) . '\'';

diff --git a/libraries/server_user_groups.lib.php b/libraries/server_user_groups.lib.php
@@ -352,7 +352,7 @@ function PMA_editUserGroup($userGroup, $new = false)
             }
             $tabName = $tabGroupName . '_' . $tab;
             $allowed = isset($_REQUEST[$tabName]) && $_REQUEST[$tabName] == 'Y';
-            $sql_query .= "('" . $userGroup . "', '" . $tabName . "', '"
+            $sql_query .= "('" . PMA\libraries\Util::sqlAddSlashes($userGroup) . "', '" . $tabName . "', '"
                 . ($allowed ? "Y" : "N") . "')";
             $first = false;
         }