Fix XSS in login form (bug #436)

vrana · Feb 7, 2015 · c990de3 · c990de3
1 parent 411d198
commit c990de3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
@@ -114,8 +114,13 @@ function unset_permanent() {
 	cookie("adminer_permanent", implode(" ", $permanent));
 }
 
+/** Renders an error message and a login form
+* @param string plain text
+* @return null exits
+*/
 function auth_error($error) {
 	global $adminer, $has_token;
+	$error = h($error);
 	$session_name = session_name();
 	if (isset($_GET["username"])) {
 		header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header

diff --git a/changes.txt b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.2.0-dev:
+Fix XSS in login form (bug #436)
 Allow limiting number of displayed rows in SQL command
 Fix reading routine column collations
 Unlock session in alter database