helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

phpmyadmin: fix for Security Advisory CVE-2014-7217

Browse Source 
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before
4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote
authenticated users to inject arbitrary web script or HTML via a crafted ENUM
value that is improperly handled during rendering of the (1) table search or (2)
table structure page, related to
libraries/TableSearch.class.php and libraries/Util.class.php.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7217

Signed-off-by: Roy Li <rongqing.li@windriver.com>
This commit is contained in:
Roy Li 2014-10-30 13:37:27 +08:00 committed by Paul Eggleton
parent 7edda3d926
commit 6b530d936f
2 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-Bug-4544-additional-fix-for-4.2.x.patch Normal file
View File

@ -0,0 +1,29 @@
From 304fb2b645b36a39e03b954fdbd567173ebe6448 Mon Sep 17 00:00:00 2001
From: Marc Delisle <marc@infomarc.info>
Date: Wed, 1 Oct 2014 08:09:12 -0400
Subject: [PATCH] Bug 4544: additional fix for 4.2.x
Upstream-Status: Backport
Signed-off-by: Marc Delisle <marc@infomarc.info>
---
libraries/TableSearch.class.php | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libraries/TableSearch.class.php b/libraries/TableSearch.class.php
index a0b3fa4..b7eb42f 100644
--- a/libraries/TableSearch.class.php
+++ b/libraries/TableSearch.class.php
@@ -992,7 +992,8 @@ EOT;
$html_output .= '<td>' . $properties['collation'] . '</td>';
$html_output .= '<td>' . $properties['func'] . '</td>';
// here, the data-type attribute is needed for a date/time picker
- $html_output .= '<td data-type="' . $properties['type'] . '"'
+ $html_output .= '<td data-type="'
+ . htmlspecialchars($properties['type']) . '"'
. '>' . $properties['value'] . '</td>';
$html_output .= '</tr>';
//Displays hidden fields
--
1.7.10.4

1
meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
View File

@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
file://0001-bug-4505-security-XSS-in-view-operations-page.patch \
file://0001-Bug-4544-additional-fix-for-4.2.x.patch \
file://apache.conf"
SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"