From 4951fd1c854d88e22935fd55d342fcb1670dc8e4 Mon Sep 17 00:00:00 2001
From: Marc Delisle <marc@infomarc.info>
Date: Tue, 17 Aug 2010 16:21:37 +0200
Subject: [PATCH 01/19] Fix XSS on delimiter in db_sql.php.

---
 db_sql.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/db_sql.php b/db_sql.php
index 6c582c3d3981..32d30e406cd4 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -36,7 +36,7 @@
 /**
  * Query box, bookmark, insert data from textfile
  */
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
 
 /**
  * Displays the footer

From 110c44a7a3117b94b065742606cc6f7bc05f8cd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Tue, 17 Aug 2010 16:23:09 +0200
Subject: [PATCH 02/19] Fix XSS on delimiter in tbl_sql.php.

---
 tbl_sql.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tbl_sql.php b/tbl_sql.php
index f27a3b9aaad7..f9c71d809185 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -37,7 +37,7 @@
 /**
  * Query box, bookmark, insert data from textfile
  */
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? $_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ? htmlspecialchars($_REQUEST['delimiter']) : ';');
 
 /**
  * Displays the footer

From 08e27b89077df26a0f7f0390322bbe80e0437aa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Tue, 17 Aug 2010 16:31:03 +0200
Subject: [PATCH 03/19] Secure handling of sort_by and sort_order in
 server_databases.php.

---
 server_databases.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server_databases.php b/server_databases.php
index b9b8898b0e43..2b3e0a5de6ce 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -287,11 +287,11 @@
     unset($column_order, $stat_name, $stat, $databases, $table_columns);
 
     if ($is_superuser || $cfg['AllowUserDropDatabase']) {
-        $common_url_query = PMA_generate_common_url() . '&amp;sort_by=' . $sort_by . '&amp;sort_order=' . $sort_order . '&amp;dbstats=' . $dbstats;
+        $common_url_query = PMA_generate_common_url(array('sort_by' => $sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
         echo '<img class="selectallarrow" src="' . $pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38" height="22" alt="' . $strWithChecked . '" />' . "\n"
-           . '<a href="./server_databases.php?' . $common_url_query . '&amp;checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
+           . '<a href="./server_databases.php' . $common_url_query . '&amp;checkall=1" onclick="if (markAllRows(\'tabledatabases\')) return false;">' . "\n"
            . '    ' . $strCheckAll . '</a> / ' . "\n"
-           . '<a href="./server_databases.php?' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
+           . '<a href="./server_databases.php' . $common_url_query . '" onclick="if (unMarkAllRows(\'tabledatabases\')) return false;">' . "\n"
            . '    ' . $strUncheckAll . '</a>' . "\n"
            . '<i>' . $strWithChecked . '</i>' . "\n";
         PMA_buttonOrImage('drop_selected_dbs', 'mult_submit', 'drop_selected_dbs', $strDrop, 'b_deltbl.png');

From c910f4c9ec9af876675d96df3fa65d7fc4551cc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Tue, 17 Aug 2010 16:33:30 +0200
Subject: [PATCH 04/19] Fix handling of unknown sort order.

---
 libraries/database_interface.lib.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index 9a40c554b136..b7d122ce4be5 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -208,6 +208,10 @@ function PMA_usort_comparison_callback($a, $b)
     } else {
         $sorter = 'strcasecmp';
     }
+    /* No sorting when key is not present */
+    if (!isset($a[$GLOBALS['callback_sort_by']]) || ! isset($b[$GLOBALS['callback_sort_by']])) {
+        return 0;
+    }
     // produces f.e.:
     // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
     return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);

From c69fca50ee81ff74cda860aad339d4185d32e194 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Tue, 17 Aug 2010 16:09:07 +0200
Subject: [PATCH 05/19] Add option to escape PMA_sanitize output.

This is required when it is used in form values.
---
 libraries/sanitizing.lib.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index 388ca1397526..abac19da906a 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -17,7 +17,7 @@
  *
  * @access  public
  */
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
 {
     $replace_pairs = array(
         '<'         => '&lt;',
@@ -65,6 +65,10 @@ function PMA_sanitize($message)
         $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
     }
 
+    if ($escape) {
+        $message = htmlspecialchars($message);
+    }
+
     return $message;
 }
 ?>

From a4a54da173440d4c5097aececef56c28c14dc52e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Tue, 17 Aug 2010 16:10:27 +0200
Subject: [PATCH 06/19] Escape html chars in form values.

---
 sql.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/sql.php b/sql.php
index 35bdab51d9bd..2a744c57c2f4 100644
--- a/sql.php
+++ b/sql.php
@@ -175,14 +175,14 @@
         .PMA_generate_common_hidden_inputs($db, $table);
     ?>
     <input type="hidden" name="sql_query" value="<?php echo htmlspecialchars($sql_query); ?>" />
-    <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+    <input type="hidden" name="zero_rows" value="<?php echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
     <input type="hidden" name="goto" value="<?php echo $goto; ?>" />
-    <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back) : ''; ?>" />
-    <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
-    <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
-    <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
-    <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
-    <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+    <input type="hidden" name="back" value="<?php echo isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+    <input type="hidden" name="reload" value="<?php echo isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+    <input type="hidden" name="purge" value="<?php echo isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+    <input type="hidden" name="cpurge" value="<?php echo isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+    <input type="hidden" name="purgekey" value="<?php echo isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+    <input type="hidden" name="show_query" value="<?php echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
     <?php
     echo '<fieldset class="confirmation">' . "\n"
         .'    <legend>' . $strDoYouReally . '</legend>'

From 0fe30236fac3c00ff123b9d48cc0b4b2ff6a7746 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 11:42:08 +0200
Subject: [PATCH 07/19] Document PMA_sanitize.

---
 libraries/sanitizing.lib.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index abac19da906a..3ba7224b90c6 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -7,11 +7,20 @@
 
 /**
  * Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true); ?>">bar</a>
  *
  * @uses    preg_replace()
  * @uses    strtr()
  * @param   string   the message
+ * @param   boolean  whether to escape html in result
  *
  * @return  string   the sanitized message
  *

From 8b8ce64792bb981cefc37a19f29f28f112df1c16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 12:22:19 +0200
Subject: [PATCH 08/19] Fix XSS on dbname.

---
 server_privileges.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server_privileges.php b/server_privileges.php
index 23d174b986d1..1e6d64edc1bc 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1595,7 +1595,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
             } else {
             echo '    - ' . $GLOBALS['strDatabase'];
             }
-            $url_dbname = urlencode(str_replace('\_', '_', $dbname));
+            $url_dbname = htmlspecialchars(urlencode(str_replace('\_', '_', $dbname)));
             echo ' <i><a href="' . $GLOBALS['cfg']['DefaultTabDatabase'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;reload=1">' . htmlspecialchars($dbname) . '</a></i>' . "\n";
             if (isset($tablename) && strlen($tablename)) {
                 echo '    - ' . $GLOBALS['strTable'] . ' <i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;table=' . urlencode($tablename) . '&amp;reload=1">' . htmlspecialchars($tablename) . '</a></i>' . "\n";
@@ -1841,14 +1841,14 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
                        . '    <td>';
                     printf($link_edit, urlencode($username),
                         urlencode($hostname),
-                        urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname),
+                        htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
                         urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
                     echo '</td>' . "\n"
                        . '    <td>';
                     if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
                         printf($link_revoke, urlencode($username),
                             urlencode($hostname),
-                            urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname),
+                            htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
                             urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
                     }
                     echo '</td>' . "\n"

From 1fe1aa6c0e2d85bed1343f4be21d672368e0a9c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 12:23:13 +0200
Subject: [PATCH 09/19] Fix XSS on tablename and pred_tablename.

---
 server_privileges.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server_privileges.php b/server_privileges.php
index 1e6d64edc1bc..da1c248f9ee6 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1598,7 +1598,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
             $url_dbname = htmlspecialchars(urlencode(str_replace('\_', '_', $dbname)));
             echo ' <i><a href="' . $GLOBALS['cfg']['DefaultTabDatabase'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;reload=1">' . htmlspecialchars($dbname) . '</a></i>' . "\n";
             if (isset($tablename) && strlen($tablename)) {
-                echo '    - ' . $GLOBALS['strTable'] . ' <i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;table=' . urlencode($tablename) . '&amp;reload=1">' . htmlspecialchars($tablename) . '</a></i>' . "\n";
+                echo '    - ' . $GLOBALS['strTable'] . ' <i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] . '?' . $GLOBALS['url_query'] . '&amp;db=' . $url_dbname . '&amp;table=' . htmlspecialchars(urlencode($tablename)) . '&amp;reload=1">' . htmlspecialchars($tablename) . '</a></i>' . "\n";
             }
             unset($url_dbname);
         }

From 8b7f07cd954221f276ab11e2c3d98f18deb2f551 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 12:25:35 +0200
Subject: [PATCH 10/19] Fix XSS on username.

---
 server_privileges.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/server_privileges.php b/server_privileges.php
index da1c248f9ee6..188dfb77854b 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -602,7 +602,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
        . $spaces . '        <option value="userdefined"' . ((!isset($GLOBALS['pred_username']) || $GLOBALS['pred_username'] == 'userdefined') ? ' selected="selected"' : '') . '>' . $GLOBALS['strUseTextField'] . ':</option>' . "\n"
        . $spaces . '    </select>' . "\n"
        . $spaces . '</span>' . "\n"
-       . $spaces . '<input type="text" name="username" maxlength="' . $username_length . '" title="' . $GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username']) ? '' : ' value="' . (isset($GLOBALS['new_username']) ? $GLOBALS['new_username'] : $GLOBALS['username']) . '"') . ' onchange="pred_username.value = \'userdefined\';" />' . "\n"
+       . $spaces . '<input type="text" name="username" maxlength="' . $username_length . '" title="' . $GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username']) ? '' : ' value="' . htmlspecialchars(isset($GLOBALS['new_username']) ? $GLOBALS['new_username'] : $GLOBALS['username']) . '"') . ' onchange="pred_username.value = \'userdefined\';" />' . "\n"
        . $spaces . '</div>' . "\n"
        . $spaces . '<div class="item">' . "\n"
        . $spaces . '<label for="select_pred_hostname">' . "\n"
@@ -757,7 +757,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
 
     if (PMA_DBI_num_rows($res) == 1) {
         PMA_DBI_free_result($res);
-        $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . $username . '\'@\'' . $hostname . '\'[/i]');
+        $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'[/i]');
         $adduser = 1;
     } else {
         PMA_DBI_free_result($res);
@@ -1048,7 +1048,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
     $sql_query = (isset($sql_query0) ? $sql_query0 . ' ' : '')
                . (isset($sql_query1) ? $sql_query1 . ' ' : '')
                . $sql_query2;
-    $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . $username . '\'@\'' . $hostname . '\'');
+    $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
 }
 
 
@@ -1080,7 +1080,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
         unset($sql_query1);
     }
     $sql_query = $sql_query0 . (isset($sql_query1) ? ' ' . $sql_query1 : '');
-    $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . $username . '\'@\'' . $hostname . '\'');
+    $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
     if (! isset($tablename) || ! strlen($tablename)) {
         unset($dbname);
     } else {
@@ -1115,7 +1115,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
         $sql_query        = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
         $local_query      = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
         PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
-        $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . $username . '\'@\'' . $hostname . '\'');
+        $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
     }
 }
 
@@ -1588,7 +1588,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
 
         echo '<h2>' . "\n"
            . ($GLOBALS['cfg']['PropertiesIconic'] ? '<img class="icon" src="' . $pmaThemeImage . 'b_usredit.png" width="16" height="16" alt="" />' : '')
-           . $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&amp;username=' . urlencode($username) . '&amp;hostname=' . urlencode($hostname) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n";
+           . $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&amp;username=' . htmlspecialchars(urlencode($username)) . '&amp;hostname=' . urlencode($hostname) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n";
         if (isset($dbname) && strlen($dbname)) {
             if ($dbname_is_wildcard) {
             echo '    - ' . $GLOBALS['strDatabases'];
@@ -1839,14 +1839,14 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
                     }
                     echo '</td>' . "\n"
                        . '    <td>';
-                    printf($link_edit, urlencode($username),
+                    printf($link_edit, htmlspecialchars(urlencode($username)),
                         urlencode($hostname),
                         htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
                         urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
                     echo '</td>' . "\n"
                        . '    <td>';
                     if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
-                        printf($link_revoke, urlencode($username),
+                        printf($link_revoke, htmlspecialchars(urlencode($username)),
                             urlencode($hostname),
                             htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
                             urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));

From a7c004d8d4069ca3c7d1c221f37b9cab39e36aaf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
Date: Wed, 18 Aug 2010 12:27:37 +0200
Subject: [PATCH 11/19] Fix XSS on hostname.

---
 server_privileges.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/server_privileges.php b/server_privileges.php
index 188dfb77854b..a030c5641cf0 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -650,7 +650,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
        . $spaces . '        <option value="userdefined"' . ((isset($GLOBALS['pred_hostname']) && $GLOBALS['pred_hostname'] == 'userdefined') ? ' selected="selected"' : '') . '>' . $GLOBALS['strUseTextField'] . ':</option>' . "\n"
        . $spaces . '    </select>' . "\n"
        . $spaces . '</span>' . "\n"
-       . $spaces . '<input type="text" name="hostname" maxlength="' . $hostname_length . '" value="' . (isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '') . '" title="' . $GLOBALS['strHost'] . '" onchange="pred_hostname.value = \'userdefined\';" />' . "\n"
+       . $spaces . '<input type="text" name="hostname" maxlength="' . $hostname_length . '" value="' . htmlspecialchars(isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '') . '" title="' . $GLOBALS['strHost'] . '" onchange="pred_hostname.value = \'userdefined\';" />' . "\n"
        . $spaces . '</div>' . "\n"
        . $spaces . '<div class="item">' . "\n"
        . $spaces . '<label for="select_pred_password">' . "\n"
@@ -757,14 +757,14 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
 
     if (PMA_DBI_num_rows($res) == 1) {
         PMA_DBI_free_result($res);
-        $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'[/i]');
+        $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'[/i]');
         $adduser = 1;
     } else {
         PMA_DBI_free_result($res);
 
         if (50002 <= PMA_MYSQL_INT_VERSION) {
             // MySQL 5 requires CREATE USER before any GRANT on this user can done
-            $create_user_real = 'CREATE USER \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\'';
+            $create_user_real = 'CREATE USER \'' . PMA_sqlAddslashes($username) . '\'@\'' . htmlspecialchars($hostname) . '\'';
         }
 
         $real_sql_query =
@@ -1048,7 +1048,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
     $sql_query = (isset($sql_query0) ? $sql_query0 . ' ' : '')
                . (isset($sql_query1) ? $sql_query1 . ' ' : '')
                . $sql_query2;
-    $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
+    $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
 }
 
 
@@ -1080,7 +1080,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
         unset($sql_query1);
     }
     $sql_query = $sql_query0 . (isset($sql_query1) ? ' ' . $sql_query1 : '');
-    $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
+    $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
     if (! isset($tablename) || ! strlen($tablename)) {
         unset($dbname);
     } else {
@@ -1115,7 +1115,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
         $sql_query        = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
         $local_query      = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
         PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
-        $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . htmlspecialchars($username) . '\'@\'' . $hostname . '\'');
+        $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'');
     }
 }
 
@@ -1588,7 +1588,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
 
         echo '<h2>' . "\n"
            . ($GLOBALS['cfg']['PropertiesIconic'] ? '<img class="icon" src="' . $pmaThemeImage . 'b_usredit.png" width="16" height="16" alt="" />' : '')
-           . $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&amp;username=' . htmlspecialchars(urlencode($username)) . '&amp;hostname=' . urlencode($hostname) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n";
+           . $GLOBALS['strUser'] . ' <i><a href="server_privileges.php?' . $GLOBALS['url_query'] . '&amp;username=' . htmlspecialchars(urlencode($username)) . '&amp;hostname=' . htmlspecialchars(urlencode($hostname)) . '">\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\'</a></i>' . "\n";
         if (isset($dbname) && strlen($dbname)) {
             if ($dbname_is_wildcard) {
             echo '    - ' . $GLOBALS['strDatabases'];
@@ -1840,14 +1840,14 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) {
                     echo '</td>' . "\n"
                        . '    <td>';
                     printf($link_edit, htmlspecialchars(urlencode($username)),
-                        urlencode($hostname),
+                        htmlspecialchars(urlencode($hostname)),
                         htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
                         urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
                     echo '</td>' . "\n"
                        . '    <td>';
                     if (! empty($row['can_delete']) || isset($row['Table_name']) && strlen($row['Table_name'])) {
                         printf($link_revoke, htmlspecialchars(urlencode($username)),
-                            urlencode($hostname),
+                            htmlspecialchars(urlencode($hostname)),
                             htmlspecialchars(urlencode((! isset($dbname) || ! strlen($dbname)) ? $row['Db'] : $dbname)),
                             urlencode((! isset($dbname) || ! strlen($dbname)) ? '' : $row['Table_name']));
                     }

From 30c83acddb58d3bbf940b5f9ec28abf5b235f4d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Thu, 19 Aug 2010 09:55:25 +0200
Subject: [PATCH 12/19] Properly escape key name when generating config file.

---
 scripts/setup.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/setup.php b/scripts/setup.php
index 2f3d09d45ff2..49dd67bd18c3 100644
--- a/scripts/setup.php
+++ b/scripts/setup.php
@@ -518,6 +518,7 @@ function get_cfg_val($name, $val) {
                 }
             }
             if ($type == 'string') {
+                $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
                 $ret .= get_cfg_val($name . "['$k']", $v);
             } elseif ($type == 'int') {
                 $ret .= '    ' . PMA_var_export($v) . ',' . $crlf;

From 4a50055d52cb1d6ba125b743b0eb422d5549b9c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Fri, 20 Aug 2010 10:38:32 +0200
Subject: [PATCH 13/19] Fix XSS with $cfg['SQP']['fmtType'] = 'text'.

---
 libraries/sqlparser.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 488cde211bab..753f94cb6f73 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2425,7 +2425,7 @@ function PMA_SQP_formatHtml($arr, $mode='color', $start_token=0,
             }
             $after                 .= "\n";
 */
-            $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+            $str .= $before . ($mode=='color' ? PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])). $after;
         } // end for
         if ($mode=='color') {
             $str .= '</span>';

From 0fd0512c9b7344abad60ab9effb7b7537b2b5d08 Mon Sep 17 00:00:00 2001
From: Herman van Rink <rink@initfour.nl>
Date: Fri, 20 Aug 2010 10:42:03 +0200
Subject: [PATCH 14/19] Fix XSS on error with very long query.

---
 libraries/common.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 626bbe386ed0..6c81663e49f6 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -473,7 +473,7 @@ function PMA_mysqlDie($error_message = '', $the_query = '',
         $formatted_sql = '';
     } else {
         if (strlen($the_query) > $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
-            $formatted_sql = substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+            $formatted_sql = htmlspecialchars(substr($the_query, 0, $GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
         } else {
             $formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
         }

From 2051a861f8a968dafc297650036cc7e640a18887 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Fri, 20 Aug 2010 11:19:28 +0200
Subject: [PATCH 15/19] Fix possible XSS on IIS redirect page.

---
 libraries/common.lib.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 6c81663e49f6..716af94d219f 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -622,22 +622,23 @@ function PMA_convert_using($string, $mode='unquoted', $force_utf8 = false)
 function PMA_sendHeaderLocation($uri)
 {
     if (PMA_IS_IIS && strlen($uri) > 600) {
+        require_once './libraries/js_escape.lib.php';
 
         echo '<html><head><title>- - -</title>' . "\n";
         echo '<meta http-equiv="expires" content="0">' . "\n";
         echo '<meta http-equiv="Pragma" content="no-cache">' . "\n";
         echo '<meta http-equiv="Cache-Control" content="no-cache">' . "\n";
-        echo '<meta http-equiv="Refresh" content="0;url=' .$uri . '">' . "\n";
+        echo '<meta http-equiv="Refresh" content="0;url=' .  htmlspecialchars($uri) . '">' . "\n";
         echo '<script type="text/javascript">' . "\n";
         echo '//<![CDATA[' . "\n";
-        echo 'setTimeout("window.location = unescape(\'"' . $uri . '"\')", 2000);' . "\n";
+        echo 'setTimeout("window.location = unescape(\'"' . PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
         echo '//]]>' . "\n";
         echo '</script>' . "\n";
         echo '</head>' . "\n";
         echo '<body>' . "\n";
         echo '<script type="text/javascript">' . "\n";
         echo '//<![CDATA[' . "\n";
-        echo 'document.write(\'<p><a href="' . $uri . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
+        echo 'document.write(\'<p><a href="' . htmlspecialchars($uri) . '">' . $GLOBALS['strGo'] . '</a></p>\');' . "\n";
         echo '//]]>' . "\n";
         echo '</script></body></html>' . "\n";
 

From e7d10a6d53582abcf20455ad0051048a991023af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Fri, 20 Aug 2010 11:31:11 +0200
Subject: [PATCH 16/19] Avoid information disclossure on error.

---
 error.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/error.php b/error.php
index e0abb44574d9..750ac60e3ad1 100644
--- a/error.php
+++ b/error.php
@@ -73,10 +73,14 @@
 <body>
 <h1>phpMyAdmin - <?php echo $type; ?></h1>
 <p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
-    echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+        echo PMA_sanitize(stripslashes($_REQUEST['error']));
+    } else {
+        echo PMA_sanitize($_REQUEST['error']);
+    }
 } else {
-    echo PMA_sanitize($_REQUEST['error']);
+    echo 'No error message!';
 }
 ?></p>
 </body>

From a88dbaf305a44107ffb557e9d93512792744af84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Fri, 20 Aug 2010 11:35:42 +0200
Subject: [PATCH 17/19] Escape error message coming from MySQL to avoid XSS on
 bad parameters.

---
 libraries/dbi/mysql.dbi.lib.php  | 2 ++
 libraries/dbi/mysqli.dbi.lib.php | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 3ae84b803ab5..b0275b11ef67 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -300,6 +300,8 @@ function PMA_DBI_getError($link = null)
         $error_message = PMA_DBI_convert_message($error_message);
     }
 
+    $error_message = htmlspecialchars($error_message);
+
     // Some errors messages cannot be obtained by mysql_error()
     if ($error_number == 2002) {
         $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index 705477ebf240..13b3eaf8838e 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -417,6 +417,8 @@ function PMA_DBI_getError($link = null)
         $error_message = PMA_DBI_convert_message($error_message);
     }
 
+    $error_message = htmlspecialchars($error_message);
+
     if ($error_number == 2002) {
         $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
     } elseif (defined('PMA_MYSQL_INT_VERSION') && PMA_MYSQL_INT_VERSION >= 40100) {

From 437e00ef2eec5fbc743f652c93d90b3853dcf825 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Fri, 20 Aug 2010 13:24:46 +0200
Subject: [PATCH 18/19] Changelog.

---
 ChangeLog | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 8c3a59aee838..e20be30e1009 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,11 @@ phpMyAdmin - ChangeLog
 $Id$
 $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
 
+2.11.10.1 (2010-08-20)
+- [setup] Fixed output sanitizing in setup script, see PMASA-2010-4 for
+  more details.
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
 2.11.10.0 (2009-12-07)
 - [core] safer handling of temporary files with open_basedir (thanks to Thijs
   Kinkhorst)

From b1cb5590eefd2977bdb3a6e45796d5a4189e95ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mcihar@novell.com>
Date: Fri, 20 Aug 2010 13:26:54 +0200
Subject: [PATCH 19/19] Set version to 2.11.10.1.

---
 Documentation.html         | 4 ++--
 README                     | 4 ++--
 libraries/Config.class.php | 2 +-
 translators.html           | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/Documentation.html b/Documentation.html
index 8998b08fddb9..85b6715cee62 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -11,7 +11,7 @@
     <link rel="icon" href="./favicon.ico" type="image/x-icon" />
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-    <title>phpMyAdmin 2.11.10 - Documentation</title>
+    <title>phpMyAdmin 2.11.10.1 - Documentation</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 
@@ -33,7 +33,7 @@
     <li><a href="#glossary">Glossary</a></li>
 </ul>
 
-<h1>phpMyAdmin 2.11.10 Documentation</h1>
+<h1>phpMyAdmin 2.11.10.1 Documentation</h1>
 
 <ul><li><a href="http://www.phpmyadmin.net/">
             phpMyAdmin homepage</a></li>
diff --git a/README b/README
index a6b34c83fb72..9480f6a9bf08 100644
--- a/README
+++ b/README
@@ -5,8 +5,8 @@ phpMyAdmin - Readme
 
   A set of PHP-scripts to manage MySQL over the web.
 
-  Version 2.11.10
-  ---------------
+  Version 2.11.10.1
+  -----------------
   http://www.phpmyadmin.net/
 
     Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com>
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index 05bd2e1fed5f..6029a030d9b2 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -85,7 +85,7 @@ function __construct($source = null)
      */
     function checkSystem()
     {
-        $this->set('PMA_VERSION', '2.11.10');
+        $this->set('PMA_VERSION', '2.11.10.1');
         /**
          * @deprecated
          */
diff --git a/translators.html b/translators.html
index 2fb69de42417..b271c13cb533 100644
--- a/translators.html
+++ b/translators.html
@@ -8,7 +8,7 @@
     <link rel="icon" href="./favicon.ico" type="image/x-icon" />
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-    <title>phpMyAdmin 2.11.10 - Official translators</title>
+    <title>phpMyAdmin 2.11.10.1 - Official translators</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 
@@ -31,7 +31,7 @@
     <li><a href="Documentation.html#glossary">Glossary</a></li>
 </ul>
 
-<h1>phpMyAdmin 2.11.10 official translators list</h1>
+<h1>phpMyAdmin 2.11.10.1 official translators list</h1>
 
 <p> Here is the list of the &quot;official translators&quot; of
     phpMyAdmin.</p>