Whitelist relative URLs from built in transformatons

Fixes #12483 Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Aug 24, 2016 · ed6188d · ed6188d
1 parent 38cf234
commit ed6188d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -9,6 +9,7 @@ phpMyAdmin - ChangeLog
 - issue #12374 Reintroduced simplified PmaAbsoluteUri configuration directive
 - issue        Always use UTC time in HTTP headers
 - issue #12479 Simplified validation of external links
+- issue #12483 Fix browsing tables with built in transformations
 
 4.6.4 (2016-08-16)
 - issue        [security] Weaknesses with cookie encryption, see PMASA-2016-29

diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
@@ -22,6 +22,26 @@ function PMA_checkLink($url, $http=false, $other=false)
         'https://',
         './url.php?url=https%3a%2f%2f',
         './doc/html/',
+        # possible return values from Util::getScriptNameForOption
+        './index.php?',
+        './server_databases.php?',
+        './server_status.php?',
+        './server_variables.php?',
+        './server_privileges.php?',
+        './db_structure.php?',
+        './db_sql.php?',
+        './db_search.php?',
+        './db_operations.php?',
+        './tbl_structure.php?',
+        './tbl_sql.php?',
+        './tbl_select.php?',
+        './tbl_change.php?',
+        './sql.php?',
+        # Hardcoded options in libraries/special_schema_links.lib.php
+        './db_events.php?',
+        './db_routines.php?',
+        './server_privileges.php?',
+        './tbl_structure.php?',
     );
     if ($other) {
         $valid_starts[] = 'mailto:';