Merge branch 'master' of https://github.com/phpmyadmin/phpmyadmin int…

…o server_refactor2

ChangeLog

@@ -28,6 +28,7 @@ phpMyAdmin - ChangeLog
 + rfe #316 Configurable menus; allow user groups with customized menus per group
 - bug #4024 Editing field a record is selected by makes pma load forever
 - bug #4035 Query "inline" link disappears when turning off "Explain SQL" option
++ rfe #1385 Hide tables, functions, procedures, events and views in navigation tree
 
 4.0.5.0 (not yet released)
 - bug #3977 Not detected configuration storage
@@ -46,6 +47,17 @@ phpMyAdmin - ChangeLog
 - bug #3998 Non-permanent SQL history not working
 - bug #3578 Transformations for text/plain on a BLOB column
 
+4.0.4.2 (2013-07-28)
+- [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
+- [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+- [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
+- [security] Fix full path disclosure, see PMASA-2013-12
+- [security] Fix control user SQL injection in pmd_pdf.php, see PMASA-2013-15
+- [security] Fix control user SQL injection in schema_export.php, see PMASA-2013-15
+- [security] Fix self-XSS in schema export, see PMASA-2013-14
+- [security] Fix unencoded json object, see PMASA-2013-11
+- [security] Fix stored XSS in link transformation plugin, see PMASA-2013-13
+
 4.0.4.1 (2013-06-30)
 - [security] Global variables scope injection vulnerability (see PMASA-2013-7)
 
@@ -232,6 +244,20 @@ underscore
   (see PMASA-2013-5)
 - bug #3892 [export] SQL Export files are empty
 
+3.5.8.2 (2013-07-28)
+- [security] Fix self-XSS in "Showing rows", see PMASA-2013-8
+- [security] Fix self-XSS in Display chart, see PMASA-2013-9
+- [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
+- [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+- [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
++ [security] JSON content type header for version_check.php, see PMASA-2013-9
++ [security] Backport fix for jQuery issue #9521 from jQuery 1.6.3, see PMASA-2013-9
++ [security] Fix full path disclosure, see PMASA-2013-12
++ [security] Fix control user SQL injection in pmd_pdf.php, see PMASA-2013-15
++ [security] Fix control user SQL injection in schema_export.php, see PMASA-2013-15
+- [security] Fix self-XSS in schema export, see PMASA-2013-14
+- [security] Fix unencoded json object, see PMASA-2013-11
+
 3.5.8.1 (2013-04-24)
 - [security] Remote code execution (preg_replace), reported by Janek Vind
   (see PMASA-2013-2)

browse_foreigners.php

@@ -241,7 +241,7 @@ function formupdate(fieldmd5, key) {
 
         $val_ordered_current_row++;
 
-        if ($GLOBALS['PMA_String']::strlen($val_ordered_current_val) <= $cfg['LimitChars']) {
+        if ($GLOBALS['PMA_String']->strlen($val_ordered_current_val) <= $cfg['LimitChars']) {
             $val_ordered_current_val = htmlspecialchars(
                 $val_ordered_current_val
             );
@@ -251,11 +251,11 @@ function formupdate(fieldmd5, key) {
                 $val_ordered_current_val
             );
             $val_ordered_current_val = htmlspecialchars(
-                $GLOBALS['PMA_String']::substr($val_ordered_current_val, 0, $cfg['LimitChars'])
+                $GLOBALS['PMA_String']->substr($val_ordered_current_val, 0, $cfg['LimitChars'])
                 . '...'
             );
         }
-        if ($GLOBALS['PMA_String']::strlen($key_ordered_current_val) <= $cfg['LimitChars']) {
+        if ($GLOBALS['PMA_String']->strlen($key_ordered_current_val) <= $cfg['LimitChars']) {
             $key_ordered_current_val = htmlspecialchars(
                 $key_ordered_current_val
             );
@@ -265,7 +265,7 @@ function formupdate(fieldmd5, key) {
                 $key_ordered_current_val
             );
             $key_ordered_current_val = htmlspecialchars(
-                $GLOBALS['PMA_String']::substr(
+                $GLOBALS['PMA_String']->substr(
                     $key_ordered_current_val, 0, $cfg['LimitChars']
                 ) . '...'
             );

config.sample.inc.php

@@ -61,6 +61,7 @@
 // $cfg['Servers'][$i]['recent'] = 'pma__recent';
 // $cfg['Servers'][$i]['users'] = 'pma__users';
 // $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
+// $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
 /* Contrib / Swekey authentication */
 // $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
 

doc/config.rst

@@ -673,6 +673,20 @@ Server connection settings
       :config:option:`$cfg['Servers'][$i]['users']` (e.g. ``pma__users``) and
       :config:option:`$cfg['Servers'][$i]['usergroups']` (e.g. ``pma__usergroups``)
 
+.. _navigationhiding:
+.. config:option:: $cfg['Servers'][$i]['navigationhiding']
+
+    :type: string
+    :default: ``''``
+
+    Since release 4.1.0 you can hide/show items in the navigation tree.
+
+    To allow the usage of this functionality:
+
+    * set up :config:option:`$cfg['Servers'][$i]['pmadb']` and the phpMyAdmin configuration storage
+    * put the table name in :config:option:`$cfg['Servers'][$i]['navigationhiding']` (e.g.
+      ``pma__navigationhiding``)
+
 .. _tracking:
 .. config:option:: $cfg['Servers'][$i]['tracking']
 

examples/config.manyhosts.inc.php

@@ -47,4 +47,5 @@
     $cfg['Servers'][$i]['recent'] = 'pma__recent';
     $cfg['Servers'][$i]['users'] = 'pma__users';
     $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
+    $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
 }

examples/create_tables.sql

@@ -302,3 +302,20 @@ CREATE TABLE IF NOT EXISTS `pma__usergroups` (
 ) 
   COMMENT='User groups with configured menu items'
   DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `pma__navigationhiding`
+--
+
+CREATE TABLE IF NOT EXISTS `pma__navigationhiding` (
+  `username` varchar(64) NOT NULL,
+  `item_name` varchar(64) NOT NULL,
+  `item_type` varchar(64) NOT NULL,
+  `db_name` varchar(64) NOT NULL,
+  `table_name` varchar(64) NOT NULL,
+  PRIMARY KEY (`username`,`item_name`,`item_type`,`db_name`,`table_name`)
+) 
+  COMMENT='Hidden items of navigation tree'
+  DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;

examples/create_tables_drizzle.sql

@@ -288,3 +288,20 @@ CREATE TABLE IF NOT EXISTS `pma__usergroups` (
 ) 
   COMMENT='User groups with configured menu items'
   COLLATE utf8_bin;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `pma__navigationhiding`
+--
+
+CREATE TABLE IF NOT EXISTS `pma__navigationhiding` (
+  `username` varchar(64) NOT NULL,
+  `item_name` varchar(64) NOT NULL,
+  `item_type` varchar(64) NOT NULL,
+  `db_name` varchar(64) NOT NULL,
+  `table_name` varchar(64) NOT NULL,
+  PRIMARY KEY (`username`,`item_name`,`item_type`,`db_name`,`table_name`)
+) 
+  COMMENT='Hidden items of navigation tree'
+  COLLATE utf8_bin;

import.php

@@ -10,6 +10,8 @@
  * Get the variables sent or posted to this script and a core script
  */
 require_once 'libraries/common.inc.php';
+require_once 'libraries/sql.lib.php';
+require_once 'libraries/bookmark.lib.php';
 //require_once 'libraries/display_import_functions.lib.php';
 
 if (isset($_REQUEST['show_as_php'])) {
@@ -601,17 +603,15 @@
     }
 }
 
-// we want to see the results of the last query that returned at least a row
-if (! empty($last_query_with_results)) {
-    // but we want to show intermediate results too
-    $disp_query = $sql_query;
-    $disp_message = __('Your SQL query has been executed successfully');
-    $sql_query = $last_query_with_results;
-    $go_sql = true;
-}
-
 if ($go_sql) {
-    include 'sql.php';
+    // parse sql query
+    require_once 'libraries/parse_analyze.inc.php';
+
+    PMA_executeQueryAndSendQueryResponse(
+        $analyzed_sql_results, false, $db, $table, null, null, null, false, null,
+        null, null, null, $goto, $pmaThemeImage, null, null, null, $sql_query,
+        null, null
+    );
 } else {
     $active_page = $goto;
     include '' . $goto;

js/messages.php

@@ -366,6 +366,7 @@
 /* navigation panel */
 $js_messages['strShowPanel'] = __('Show Panel');
 $js_messages['strHidePanel'] = __('Hide Panel');
+$js_messages['strUnhideNavItem'] = __('Show hidden navigation tree items');
 
 /* microhistory */
 $js_messages['strInvalidPage'] = __('The requested page was not found in the history, it may have expired.');

js/navigation.js

@@ -180,7 +180,10 @@ $(function () {
     });
 
     /** Export Routines, Triggers and Events */
-    $('li.procedure a.ajax img, li.function a.ajax img, li.trigger a.ajax img, li.event a.ajax img').live('click', function (event) {
+    $('li.procedure div:eq(1) a.ajax img,'
+        + ' li.function div:eq(1) a.ajax img,'
+        + ' li.trigger div:eq(1) a.ajax img,'
+        + ' li.event div:eq(1) a.ajax img').live('click', function (event) {
         event.preventDefault();
         var dialog = new RTE.object();
         dialog.exportDialog($(this).parent());
@@ -211,6 +214,70 @@ $(function () {
         event.preventDefault();
         PMA_createViewDialog($(this));
     });
+
+    /** Hide navigation tree item */
+    $('a.hideNavItem.ajax').live('click', function (event) {
+        event.preventDefault();
+        $.ajax({
+            url: $(this).attr('href') + '&ajax_request=true',
+            success: function(data) {
+                if (data.success === true) {
+                    PMA_reloadNavigation();
+                } else {
+                    PMA_ajaxShowMessage(data.error);
+                }
+            }
+        });
+    });
+
+    /** Display a dialog to choose hidden navigation items to show */
+    $('a.showUnhide.ajax').live('click', function (event) {
+        event.preventDefault();
+        var $msg = PMA_ajaxShowMessage();
+        $.get($(this).attr('href') + '&ajax_request=1', function (data) {
+            if (data.success === true) {
+                PMA_ajaxRemoveMessage($msg);
+                var buttonOptions = {};
+                buttonOptions[PMA_messages.strClose] = function () {
+                    $(this).dialog("close");
+                };
+                var $dialog = $('<div/>')
+                    .attr('id', 'unhideNavItemDialog')
+                    .append(data.message)
+                    .dialog({
+                        width: 400,
+                        minWidth: 200,
+                        modal: true,
+                        buttons: buttonOptions,
+                        title: PMA_messages.strUnhideNavItem,
+                        close: function () {
+                            $(this).remove();
+                        }
+                    });
+            } else {
+                PMA_ajaxShowMessage(data.error);
+            }
+        });
+    });
+
+    /** Show a hidden navigation tree item */
+    $('a.unhideNavItem.ajax').live('click', function (event) {
+        event.preventDefault();
+        var $tr = $(this).parents('tr');
+        var $msg = PMA_ajaxShowMessage();
+        $.ajax({
+            url: $(this).attr('href') + '&ajax_request=true',
+            success: function(data) {
+                PMA_ajaxRemoveMessage($msg);
+                if (data.success === true) {
+                    $tr.remove();
+                    PMA_reloadNavigation();
+                } else {
+                    PMA_ajaxShowMessage(data.error);
+                }
+            }
+        });
+    });
 });
 
 /**

libraries/Config.class.php

@@ -5,6 +5,7 @@
  *
  * @package PhpMyAdmin
  */
+
 if (! defined('PHPMYADMIN')) {
     exit;
 }