Merge branch 'MAINT_4_0_10' into QA_4_0

Conflicts:
	ChangeLog

.travis.yml

@@ -2,5 +2,14 @@ language: php
 php:
   - "5.4"
   - "5.3"
-before_script: ./scripts/generate-mo --quiet
-script: phpunit --configuration phpunit.xml.nocoverage
+sudo: false
+before_script:
+  - export PATH=~/.composer/vendor/bin/:$PATH
+  - mysql -uroot -e "CREATE DATABASE test;"
+  - composer install --dev --no-interaction ;
+  - ./scripts/generate-mo --quiet
+script:
+  - ./vendor/bin/phpunit --configuration phpunit.xml.nocoverage
+cache:
+  directories:
+    - $HOME/.composer/cache/

ChangeLog

@@ -1,6 +1,38 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.0.10.7 (2014-12-03)
+- bug #4611 [security] DOS attack with long passwords
+
+4.0.10.6 (2014-11-20)
+- bug #4578 [security] XSS vulnerability in table print view
+- bug #4579 [security] XSS vulnerability in zoom search page
+- bug #4594 [security] Path traversal in file inclusion of GIS factory
+- bug #4598 [security] XSS in multi submit
+- bug #4597 [security] XSS through pma_fontsize cookie
+
+4.0.10.5 (2014-10-21)
+- bug #4562 [security] XSS in debug SQL output
+- bug #4563 [security] XSS in monitor query analyzer
+
+4.0.10.4 (2014-10-01)
+- bug #4544 [security] XSS vulnerabilities in table search and table structure pages
+
+4.0.10.3 (2014-09-13)
+- bug #4530 [security] DOM based XSS that results to a CSRF that creates a
+            ROOT account in certain conditions
+
+4.0.10.2 (2014-08-17)
+- bug #4501 [security] XSS in table browse page
+- bug #4502 [security] Self-XSS in enum value editor
+- bug #4503 [security] Self-XSSes in monitor
+- bug #4504 [security] Self-XSS in query charts
+- bug #4517 [security] XSS in relation view
+
+4.0.10.1 (2014-07-17)
+- bug #4488 [security] XSS injection due to unescaped table name (triggers)
+- bug #4492 [security] XSS in AJAX confirmation messages 
+
 4.0.10.0 (2013-12-04)
 - bug #4150 Clicking database name in query window opens a new tab
 - bug #4141 Wrong page is shown after editing; also, do not show a modal

README

@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 4.0.10-dev
+Version 4.0.10.7
 
 A set of PHP-scripts to manage MySQL over the web.
 
@@ -13,7 +13,7 @@ Copyright
 Copyright (C) 1998-2000
     Tobias Ratschiller <tobias_at_ratschiller.com>
 
-Copyright (C) 2001-2013
+Copyright (C) 2001-2014
     Marc Delisle <marc_at_infomarc.info>
     Olivier Müller <om_at_omnis.ch>
     Robin Johnson <robbat2_at_users.sourceforge.net>

composer.json

@@ -20,5 +20,10 @@
     },
     "require": {
         "php": ">=5.2.0"
+    },
+    "require-dev": {
+        "satooshi/php-coveralls": ">=0.6",
+        "phpunit/phpunit": "<4.2",
+        "phpunit/phpunit-selenium": ">=1.2"
     }
 }

doc/conf.py

@@ -49,7 +49,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = '4.0.10-dev'
+version = '4.0.10.7'
 # The full version, including alpha/beta/rc tags.
 release = version
 

js/ajax.js

@@ -714,9 +714,16 @@ AJAX.setUrlHash = (function (jQuery, window) {
     if (window.location.hash.substring(0, 8) == '#PMAURL-') {
         // We have a valid hash, let's redirect the user
         // to the page that it's pointing to
-        window.location = window.location.hash.substring(
-            window.location.hash.indexOf(':') + 1
-        );
+        var colon_position = window.location.hash.indexOf(':');
+        var questionmark_position = window.location.hash.indexOf('?');
+        if (colon_position != -1 && questionmark_position != -1 && colon_position < questionmark_position) {
+            var hash_url = window.location.hash.substring(colon_position + 1, questionmark_position);
+            if (PMA_gotoWhitelist.indexOf(hash_url) != -1) {
+                window.location = window.location.hash.substring(
+                    colon_position + 1
+                );
+            }
+        }
     } else {
         // We don't have a valid hash, so we'll set it up
         // when the page finishes loading

js/functions.js

@@ -2550,7 +2550,7 @@ AJAX.registerOnload('functions.js', function() {
         } else {
             var title = PMA_messages['enum_columnVals'].replace(
                 /%s/,
-                '"' + decodeURIComponent(colname) + '"'
+                '"' + escapeHtml(decodeURIComponent(colname)) + '"'
             );
         }
         // Get the values as a string
@@ -3368,7 +3368,7 @@ AJAX.registerOnload('functions.js', function() {
         var question = PMA_messages.strDropTableStrongWarning + ' ';
         question += $.sprintf(
             PMA_messages.strDoYouReally,
-            'DROP TABLE ' + PMA_commonParams.get('table')
+            'DROP TABLE ' + escapeHtml(PMA_commonParams.get('table'))
         );
 
         $(this).PMA_confirm(question, $(this).attr('href'), function(url) {
@@ -3401,7 +3401,7 @@ AJAX.registerOnload('functions.js', function() {
         var question = PMA_messages.strTruncateTableStrongWarning + ' ';
         question += $.sprintf(
             PMA_messages.strDoYouReally,
-            'TRUNCATE ' + PMA_commonParams.get('table')
+            'TRUNCATE ' + escapeHtml(PMA_commonParams.get('table'))
         );
         $(this).PMA_confirm(question, $(this).attr('href'), function(url) {
             PMA_ajaxShowMessage(PMA_messages['strProcessingRequest']);

js/server_status_monitor.js

@@ -996,7 +996,7 @@ AJAX.registerOnload('server_status_monitor.js', function() {
             label: $('#variableInput').val().replace(/_/g, " ")
         };
         newChart.series.push(newSeries);
-        $('#seriesPreview').append('- ' + newSeries.label + str + '<br/>');
+        $('#seriesPreview').append('- ' + escapeHtml(newSeries.label + str) + '<br/>');
         newChart.nodes.push(serie);
         $('#variableInput').val('');
         $('input[name="differentialValue"]').prop('checked', true);
@@ -1991,7 +1991,7 @@ AJAX.registerOnload('server_status_monitor.js', function() {
                 case 'user_host':
                     return value.replace(/(\[.*?\])+/g, '');
             }
-            return value;
+            return escapeHtml(value);
         };
 
         for (var i = 0, l = rows.length; i < l; i++) {
@@ -2144,7 +2144,7 @@ AJAX.registerOnload('server_status_monitor.js', function() {
             for (var i = 0, l = data.explain.length; i < l; i++) {
                 explain += '<div class="explain-' + i + '"' + (i>0? 'style="display:none;"' : '' ) + '>';
                 $.each(data.explain[i], function(key, value) {
-                    value = (value == null)?'null':value;
+                    value = (value == null)?'null': escapeHtml(value);
 
                     if (key == 'type' && value.toLowerCase() == 'all') {
                         value = '<span class="attention">' + value + '</span>';

js/sql.js

@@ -103,7 +103,7 @@ AJAX.registerOnload('sql.js', function() {
     // Delete row from SQL results
     $('a.delete_row.ajax').click(function (e) {
         e.preventDefault();
-        var question = $.sprintf(PMA_messages['strDoYouReally'], $(this).closest('td').find('div').text());
+        var question = $.sprintf(PMA_messages['strDoYouReally'], escapeHtml($(this).closest('td').find('div').text()));
         var $link = $(this);
         $link.PMA_confirm(question, $link.attr('href'), function (url) {
             $msgbox = PMA_ajaxShowMessage();

js/tbl_chart.js

@@ -260,7 +260,7 @@ function PMA_queryChart(data, columnNames, settings) {
         },
         axes : {
             xaxis : {
-                label : settings.xaxisLabel
+                label : escapeHtml(settings.xaxisLabel)
             },
             yaxis : {
                 label : settings.yaxisLabel

js/tbl_structure.js

@@ -144,6 +144,7 @@ AJAX.registerOnload('tbl_structure.js', function() {
          * @var curr_column_name    String containing name of the field referred to by {@link curr_row}
          */
         var curr_column_name = $curr_row.children('th').children('label').text();
+        curr_column_name = escapeHtml(curr_column_name);
         /**
          * @var $after_field_item    Corresponding entry in the 'After' field.
          */

js/whitelist.php

@@ -0,0 +1,31 @@
+<?php
+/* vim: set expandtab sw=4 ts=4 sts=4: */
+/**
+ * Exporting of $goto_whitelist from PHP to Javascript
+ *
+ * @package PhpMyAdmin
+ */
+
+chdir('..');
+
+// Send correct type:
+header('Content-Type: text/javascript; charset=UTF-8');
+
+// Cache output in client - the nocache query parameter makes sure that this
+// file is reloaded when config changes
+header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 3600) . ' GMT');
+
+// Avoid loading the full common.inc.php because this would add many
+// non-js-compatible stuff like DOCTYPE
+define('PMA_MINIMUM_COMMON', true);
+require_once './libraries/common.inc.php';
+// Close session early as we won't write anything there
+session_write_close();
+
+echo "var PMA_gotoWhitelist = new Array();\n";
+$i = -1;
+foreach ($GLOBALS['goto_whitelist'] as $one_whitelist) {
+    $i++;
+    echo 'PMA_gotoWhitelist[' . $i . ']="' . $one_whitelist . '";' . "\n";
+}
+?>

libraries/Config.class.php

@@ -102,7 +102,7 @@ function __construct($source = null)
      */
     function checkSystem()
     {
-        $this->set('PMA_VERSION', '4.0.10-dev');
+        $this->set('PMA_VERSION', '4.0.10.7');
         /**
          * @deprecated
          */
@@ -1717,7 +1717,7 @@ static protected function getFontsizeSelection()
         // for the case when there is no config file (this is supported)
         if (empty($current_size)) {
             if (isset($_COOKIE['pma_fontsize'])) {
-                $current_size = $_COOKIE['pma_fontsize'];
+                $current_size = htmlspecialchars($_COOKIE['pma_fontsize']);
             } else {
                 $current_size = '82%';
             }

libraries/Header.class.php

@@ -146,7 +146,16 @@ public function __construct()
      */
     private function _addDefaultScripts()
     {
+        // Localised strings
+        $params = array('lang' => $GLOBALS['lang']);
+        if (isset($GLOBALS['db'])) {
+            $params['db'] = $GLOBALS['db'];
+        }
+
         $this->_scripts->addFile('jquery/jquery-1.8.3.min.js');
+        $this->_scripts->addFile(
+            'whitelist.php' . PMA_generate_common_url($params), false, true
+        );
         $this->_scripts->addFile('ajax.js');
         $this->_scripts->addFile('keyhandler.js');
         $this->_scripts->addFile('jquery/jquery-ui-1.9.2.custom.min.js');
@@ -169,11 +178,6 @@ private function _addDefaultScripts()
         // Here would not be a good place to add CodeMirror because
         // the user preferences have not been merged at this point
 
-        // Localised strings
-        $params = array('lang' => $GLOBALS['lang']);
-        if (isset($GLOBALS['db'])) {
-            $params['db'] = $GLOBALS['db'];
-        }
         $this->_scripts->addFile('messages.php' . PMA_generate_common_url($params));
         // Append the theme id to this url to invalidate
         // the cache on a theme change. Though this might be

libraries/Scripts.class.php

@@ -50,6 +50,7 @@ class PMA_Scripts
      */
     private function _includeFiles($files)
     {
+        $first_dynamic_scripts = "";
         $dynamic_scripts = "";
         $params = array();
         foreach ($files as $value) {
@@ -68,14 +69,18 @@ private function _includeFiles($files)
                     $params[] = "scripts[]=" . $value['filename'];
                 }
             } else {
-                $dynamic_scripts .= "<script type='text/javascript' src='js/" . $value['filename'] . "'></script>";
+                if ($value['before_statics'] === true) {
+                    $first_dynamic_scripts .= "<script type='text/javascript' src='js/" . $value['filename'] . "'></script>";
+                } else {
+                    $dynamic_scripts .= "<script type='text/javascript' src='js/" . $value['filename'] . "'></script>";
+                }
             }
         }
         $static_scripts = sprintf(
             "<script type='text/javascript' src='js/get_scripts.js.php?%s'></script>",
             implode("&", $params)
         );
-        return $static_scripts . $dynamic_scripts;
+        return $first_dynamic_scripts . $static_scripts . $dynamic_scripts;
     }
 
     /**
@@ -97,18 +102,21 @@ public function __construct()
      * @param string $filename       The name of the file to include
      * @param bool   $conditional_ie Whether to wrap the script tag in
      *                               conditional comments for IE
+     * @param bool   $before_statics Whether this dynamic script should be
+     *                               include before the static ones
      *
      * @return void
      */
-    public function addFile($filename, $conditional_ie = false)
+    public function addFile($filename, $conditional_ie = false, $before_statics = false)
     {
         $hash = md5($filename);
         if (empty($this->_files[$hash])) {
             $has_onload = $this->_eventBlacklist($filename);
             $this->_files[$hash] = array(
                 'has_onload' => $has_onload,
                 'filename' => $filename,
-                'conditional_ie' => $conditional_ie
+                'conditional_ie' => $conditional_ie,
+                'before_statics' => $before_statics
             );
         }
     }

libraries/TableSearch.class.php

@@ -307,6 +307,7 @@ private function _getForeignKeyInputBox($foreignData, $column_name,
     private function _getEnumSetInputBox($column_index, $criteriaValues,
         $column_type, $column_id, $in_zoom_search_edit = false
     ) {
+        $column_type = htmlspecialchars($column_type);
         $html_output = '';
         $value = explode(
             ', ',
@@ -932,7 +933,9 @@ private function _getRowsNormal()
             $html_output .= '<th>'
                 . htmlspecialchars($this->_columnNames[$column_index]) . '</th>';
             $properties = $this->getColumnProperties($column_index, $column_index);
-            $html_output .= '<td>' . $properties['type'] . '</td>';
+            $html_output .= '<td>'
+                . htmlspecialchars($properties['type'])
+                . '</td>';
             $html_output .= '<td>' . $properties['collation'] . '</td>';
             $html_output .= '<td>' . $properties['func'] . '</td>';
             $html_output .= '<td>' . $properties['value'] . '</td>';
@@ -941,11 +944,13 @@ private function _getRowsNormal()
             $html_output .= '<tr><td>';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnNames[' . $column_index . ']"'
-                . ' value="' . htmlspecialchars($this->_columnNames[$column_index])
+                . ' value="'
+                . htmlspecialchars($this->_columnNames[$column_index])
                 . '" />';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnTypes[' . $column_index . ']"'
-                . ' value="' . $this->_columnTypes[$column_index] . '" />';
+                . ' value="'
+                . htmlspecialchars($this->_columnTypes[$column_index]) . '" />';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnCollations[' . $column_index . ']"'
                 . ' value="' . $this->_columnCollations[$column_index] . '" />';

libraries/Theme.class.php

@@ -491,7 +491,7 @@ function getFontSize()
             return $fs;
         }
         if (isset($_COOKIE['pma_fontsize'])) {
-            return $_COOKIE['pma_fontsize'];
+            return htmlspecialchars($_COOKIE['pma_fontsize']);
         }
         return '82%';
     }

libraries/Util.class.php

@@ -3150,8 +3150,11 @@ public static function extractColumnSpec($columnspec)
         // for the case ENUM('–','“')
         $displayed_type = htmlspecialchars($printtype);
         if (strlen($printtype) > $GLOBALS['cfg']['LimitChars']) {
-            $displayed_type  = '<abbr title="' . $printtype . '">';
-            $displayed_type .= substr($printtype, 0, $GLOBALS['cfg']['LimitChars']);
+            $displayed_type  = '<abbr title="'
+                . htmlspecialchars($printtype) . '">';
+            $displayed_type .= htmlspecialchars(
+                substr($printtype, 0, $GLOBALS['cfg']['LimitChars'])
+            );
             $displayed_type .= '</abbr>';
         }