
Commit c1a3f85

author
Marc Delisle
committed
[security] XSS with malicious ENUM values
Signed-off-by: Marc Delisle <marc@infomarc.info> Conflicts: libraries/Util.class.php
1 parent 7dc42d9 commit c1a3f85


2 files changed

+14
-6
lines changed


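--- a/libraries/TableSearch.class.php
+++ b/libraries/TableSearch.class.php
@@ -316,6 +316,7 @@ private function _getForeignKeyInputBox($foreignData, $column_name,
 private function _getEnumSetInputBox($column_index, $criteriaValues,
 $column_type, $column_id, $in_zoom_search_edit = false
 ) {
+$column_type = htmlspecialchars($column_type);
 $html_output = '';
 $value = explode(
 ', ',
@@ -985,7 +986,9 @@ private function _getRowsNormal()
 $html_output .= '<th>'
 . htmlspecialchars($this->_columnNames[$column_index]) . '</th>';
 $properties = $this->getColumnProperties($column_index, $column_index);
-$html_output .= '<td>' . $properties['type'] . '</td>';
+$html_output .= '<td>'
+. htmlspecialchars($properties['type'])
+. '</td>';
 $html_output .= '<td>' . $properties['collation'] . '</td>';
 $html_output .= '<td>' . $properties['func'] . '</td>';
 // here, the data-type attribute is needed for a date/time picker
@@ -996,11 +999,13 @@ private function _getRowsNormal()
 $html_output .= '<tr><td>';
 $html_output .= '<input type="hidden"'
 . ' name="criteriaColumnNames[' . $column_index . ']"'
-. ' value="' . htmlspecialchars($this->_columnNames[$column_index])
+. ' value="'
+. htmlspecialchars($this->_columnNames[$column_index])
 . '" />';
 $html_output .= '<input type="hidden"'
 . ' name="criteriaColumnTypes[' . $column_index . ']"'
-. ' value="' . $this->_columnTypes[$column_index] . '" />';
+. ' value="'
+. htmlspecialchars($this->_columnTypes[$column_index]) . '" />';
 $html_output .= '<input type="hidden"'
 . ' name="criteriaColumnCollations[' . $column_index . ']"'
 . ' value="' . $this->_columnCollations[$column_index] . '" />';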
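Review bot: In the first hunk, `$column_type = htmlspecialchars($column_type);` overwrites the parameter at the top of `_getEnumSetInputBox`, so the `explode()` that follows, and everything after it, works on HTML-encoded text rather than on the raw ENUM/SET definition. That covers the output, but values containing `&`, `<` or `"` are then no longer byte-equal to their raw form, which matters if the rest of the function (outside this hunk) compares them with `$criteriaValues` or escapes them a second time. Escaping each value at the point where it is written into the markup would keep parsing and encoding separate; if the early escape stays, a comment such as `// $column_type is HTML-encoded from here on; never compare with raw values or escape again` would record the contract.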

Diff for: libraries/Util.class.php

+6-3
Original file line numberDiff line numberDiff line change
@@ -3029,9 +3029,12 @@ public static function extractColumnSpec($columnspec)
30293029
// for the case ENUM('&#8211;','&ldquo;')
30303030
$displayed_type = htmlspecialchars($printtype);
30313031
if (strlen($printtype) > $GLOBALS['cfg']['LimitChars']) {
3032-
$displayed_type = '<abbr title="' . $printtype . '">';
3033-
$displayed_type .= $GLOBALS['PMA_String']->substr(
3034-
$printtype, 0, $GLOBALS['cfg']['LimitChars']
3032+
$displayed_type = '<abbr title="'
3033+
. htmlspecialchars($printtype) . '">';
3034+
$displayed_type .= htmlspecialchars(
3035+
$GLOBALS['PMA_String']->substr(
3036+
$printtype, 0, $GLOBALS['cfg']['LimitChars']
3037+
)
30353038
);
30363039
$displayed_type .= '</abbr>';
30373040
}
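Review bot: The two new `htmlspecialchars()` calls in the `<abbr>` branch rely on the default flags and charset, which differ between PHP versions, so what is encoded inside `title="…"` depends on the runtime rather than on this code. Passing them explicitly, e.g. `htmlspecialchars($printtype, ENT_QUOTES, 'UTF-8')`, would pin the behaviour for both the double-quoted attribute and the element text. The second call escapes the result of `$GLOBALS['PMA_String']->substr()`; if that helper can cut through a multibyte character (not visible here), `htmlspecialchars()` with a UTF-8 charset returns an empty string for the invalid sequence unless `ENT_SUBSTITUTE` or `ENT_IGNORE` is set, so the truncated label would silently disappear. `extractColumnSpec` starts and ends outside this hunk, so how `$displayed_type` is returned and used by callers should be checked against the same assumption that it is already HTML.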
