File: 030_CVE-2007-2245.patch

--- phpMyAdmin-2.10.0.2-all-languages-utf-8-only/browse_foreigners.php	2007-08-28 22:32:53.000000000 +0200
+++ phpMyAdmin-2.10.1-all-languages-utf-8-only/browse_foreigners.php	2007-08-28 22:33:37.000000000 +0200
@@ -108,7 +108,7 @@
             var element_name = field + '[]';
             <?php } ?>
 
-            <?php if ( isset( $fieldkey ) ) { ?>
+            <?php if ( isset( $fieldkey ) && is_numeric($fieldkey)) { ?>
             var element_name_alt = field + '[<?php echo $fieldkey; ?>]';
             <?php } else { ?>
             var element_name_alt = field + '[0]';
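Review bot: is_numeric() on the changed line accepts more than an array index — floats, exponent notation, leading whitespace and, on the PHP 5 releases this package targets, hex strings such as `0x1A` — so a non-integer key still reaches the JavaScript string on the following line unmodified. Since the else branch falls back to `[0]`, emitting an integer cast is both tighter and simpler: `var element_name_alt = field + '[<?php echo (int) $fieldkey; ?>]';`. Note that the hidden-input hunk at `@@ -140` re-emits the same value escaped rather than validated, so the two sites do not agree on what a valid fieldkey is. The enclosing script block starts and ends outside this hunk.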
@@ -140,7 +140,7 @@
 <?php echo PMA_generate_common_hidden_inputs( $db, $table ); ?>
 <input type="hidden" name="field" value="<?php echo urlencode($field); ?>" />
 <input type="hidden" name="fieldkey"
-    value="<?php echo isset($fieldkey) ? $fieldkey : ''; ?>" />
+    value="<?php echo isset($fieldkey) ? htmlspecialchars($fieldkey) : ''; ?>" />
 <?php if ( isset( $pk ) ) { ?>
 <input type="hidden" name="pk" value="<?php echo urlencode($pk); ?>" />
 <?php } ?>
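Review bot: htmlspecialchars() on the new value line is called with default flags, which on this PHP generation is ENT_COMPAT, so single quotes are left unescaped. That is safe here only because the attribute is double-quoted; `htmlspecialchars($fieldkey, ENT_QUOTES)` removes that dependency and is the usual convention for attribute values. The surrounding form markup continues outside the hunk.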
--- phpMyAdmin-2.10.0.2-all-languages-utf-8-only/libraries/sanitizing.lib.php.orig	2006-11-19 01:28:45.000000000 +0100
+++ phpMyAdmin-2.10.1-all-languages-utf-8-only/libraries/sanitizing.lib.php	2007-05-07 10:57:29.000000000 +0200
@@ -34,7 +34,32 @@
         '[br]'      => '<br />',
         '[/a]'      => '</a>',
     );
-    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
+
+    $message = strtr($message, $replace_pairs);
+
+    $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
+
+    if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
+        $valid_links = array(
+            'http',  // default http:// links (and https://)
+            './Do',  // ./Documentation
+        );
+
+        foreach ($founds as $found) {
+            // only http... and ./Do... allowed
+            if (! in_array(substr($found[1], 0, 4), $valid_links)) {
+                return $message;
+            }
+            // a-z and _ allowed in target
+            if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
+                return $message;
+            }
+        }
+
+        $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
+    }
+
+    return $message;
 }
 
 ?>
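Review bot: The allow-list check `if (! in_array(substr($found[1], 0, 4), $valid_links)) {` compares only the first four characters, so any href beginning with the letters `http` passes, not just `http://` and `https://` as the comment `'http',  // default http:// links (and https://)` states; the same holds for `./Do`. Expressing the intent directly is one line: `if (! preg_match('#^(https?://|\./Documentation)#', $found[1])) {`. Separately, `$found[1]` is still written into `href="\1"` without htmlspecialchars(); the pattern's `[^"@]*` is what keeps the double-quoted attribute closed, so a comment such as `// href is unescaped: the pattern excludes " and @, which is what holds the attribute boundary` would make that dependency explicit. PMA_sanitize's signature and the start of `$replace_pairs` lie before this hunk.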