From b434320eff8ca9c2fc1b043c1804f868341af9a7 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Thu, 30 Jun 2011 20:26:08 +0200 Subject: [PATCH] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 --- ChangeLog | 13 +++++++------ libraries/display_tbl.lib.php | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index e3db9229c3..ae6147c27e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ phpMyAdmin - ChangeLog - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 - [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 +- [security] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize @@ -94,7 +95,7 @@ phpMyAdmin - ChangeLog + patch #2974341 [structure] Clicking on table name in db Structure should Browse the table if possible, thanks to bhdouglass - dougboybhd + patch #2975533 [search] New search operators, thanks to - Martynas Mickevičius + Martynas Mickevičius + patch #2967320 [designer] Colored relations based on the primary key, thanks to GreenRover - greenrover - [core] Provide way for vendors to easily change paths to config files. @@ -248,7 +249,7 @@ phpMyAdmin - ChangeLog 3.3.7.0 (2010-09-07) - patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after - a page size increase, thanks to Martin Schönberger - mad05 + a page size increase, thanks to Martin Schönberger - mad05 3.3.6.0 (2010-08-28) - bug #3033063 [core] Navi gets wrong db name @@ -269,7 +270,7 @@ phpMyAdmin - ChangeLog 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of - databases, thanks to Stéphane Pontier - shadow_walker + databases, thanks to Stéphane Pontier - shadow_walker - bug #3022705 [import] Import button does not work in Catalan when there is no progress bar possible - bug [replication] Do not offer information_schema in the list of databases @@ -309,9 +310,9 @@ phpMyAdmin - ChangeLog - patch #2984893 [engines] InnoDB storage page emits a warning, thanks to Madhura Jayaratne - madhuracj - bug #2974687, bug #2974692 [compatibility] PHPExcel : IBM AIX iconv() does not work, - thanks to Björn Wiberg - bwiberg + thanks to Björn Wiberg - bwiberg - bug #2983066 [interface] Flush table on table operations shows the query twice, - thanks to Martynas Mickevičius - BlinK_ + thanks to Martynas Mickevičius - BlinK_ - bug #2983060, patch #2987900 [interface] Fix initial state of tables in designer, thanks to Sutharshan Balachandren. - bug #2983062, patch #2989408 [engines] Fix warnings when changing table @@ -390,7 +391,7 @@ phpMyAdmin - ChangeLog + rfe #2839504 [engines] Support InnoDB plugin's new row formats + [core] Added ability for synchronizing databases among servers. + [lang] #2843101 Dutch update, thanks to scavenger2008 -+ [lang] Galician update, thanks to Xosé Calvo - xosecalvo ++ [lang] Galician update, thanks to Xosé Calvo - xosecalvo + [export] Added MediaWiki export module, thanks to Derek Schaefer - drummingds1 + [lang] Turkish update, thanks to Burak Yavuz diff --git a/libraries/display_tbl.lib.php b/libraries/display_tbl.lib.php index 64a0383cdd..c7d74ef44b 100644 --- a/libraries/display_tbl.lib.php +++ b/libraries/display_tbl.lib.php @@ -1308,7 +1308,7 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) { if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) { if (isset($GLOBALS['mime_map'][$meta->name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation']) && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) { - $include_file = $GLOBALS['mime_map'][$meta->name]['transformation']; + $include_file = PMA_securePath($GLOBALS['mime_map'][$meta->name]['transformation']); if (file_exists('./libraries/transformations/' . $include_file)) { $transformfunction_name = str_replace('.inc.php', '', $GLOBALS['mime_map'][$meta->name]['transformation']); -- 2.11.4.GIT