phpmyadmin: fix for Security Advisory CVE-2014-5273

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5273 Signed-off-by: Roy Li <rongqing.li@windriver.com>
author: Roy Li <rongqing.li@windriver.com> 2014-10-30 13:37:25 +0800
committer: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-10-31 11:35:25 +0000
commit: 780fb7c811b03ea5ae614cfa228f2f74d884f900 (patch)
tree: 42e6c6ec4686852f3d837f5904420babb7b1eb9a /meta-webserver/recipes-php
parent: a4fd0b34103f3fc6365eb154ea5277485ed01a5c (diff)
download: meta-openembedded-780fb7c811b03ea5ae614cfa228f2f74d884f900.tar.gz
2 files changed, 30 insertions, 0 deletions
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
new file mode 100644
index 000000000..27eac7762
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
@@ -0,0 +1,29 @@
+From 90ddeecf60fc029608b972e490b735f3a65ed0cb Mon Sep 17 00:00:00 2001
+From: Madhura Jayaratne <madhura.cj@gmail.com>
+Date: Sun, 17 Aug 2014 08:52:05 -0400
+Subject: [PATCH] bug #4504 [security] Self-XSS in query charts
+Upstream-status: Backport
+Signed-off-by: Marc Delisle <marc@infomarc.info>
+---
+ js/tbl_chart.js |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ 4.2.7.0 (2014-07-31)
+diff --git a/js/tbl_chart.js b/js/tbl_chart.js
+index 943d4ae..04c9c40 100644
+--- a/js/tbl_chart.js
+++ b/js/tbl_chart.js
+@@ -47,7 +47,7 @@ function PMA_queryChart(data, columnNames, settings) {
+         },
+         axes : {
+             xaxis : {
+-                label : settings.xaxisLabel
+                label : escapeHtml(settings.xaxisLabel)
+             },
+             yaxis : {
+                 label : settings.yaxisLabel
+-- 
+1.7.10.4
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
index 0de3f6d43..c267d8962 100644
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
                    file://libraries/tcpdf/LICENSE.TXT;md5=5c87b66a5358ebcc495b03e0afcd342c"
 SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
+           file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
           file://apache.conf"
 SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"
author	Roy Li <rongqing.li@windriver.com>	2014-10-30 13:37:25 +0800
committer	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-10-31 11:35:25 +0000
commit	780fb7c811b03ea5ae614cfa228f2f74d884f900 (patch)
tree	42e6c6ec4686852f3d837f5904420babb7b1eb9a /meta-webserver/recipes-php
parent	a4fd0b34103f3fc6365eb154ea5277485ed01a5c (diff)
download	meta-openembedded-780fb7c811b03ea5ae614cfa228f2f74d884f900.tar.gz

diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch new file mode 100644 index 000000000..27eac7762 --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
@@ -0,0 +1,29 @@
		1	From 90ddeecf60fc029608b972e490b735f3a65ed0cb Mon Sep 17 00:00:00 2001
		2	From: Madhura Jayaratne <madhura.cj@gmail.com>
		3	Date: Sun, 17 Aug 2014 08:52:05 -0400
		4	Subject: [PATCH] bug #4504 [security] Self-XSS in query charts
		5
		6	Upstream-status: Backport
		7
		8	Signed-off-by: Marc Delisle <marc@infomarc.info>
		9	---
		10	js/tbl_chart.js \| 2 +-
		11	2 files changed, 2 insertions(+), 1 deletion(-)
		12
		13	4.2.7.0 (2014-07-31)
		14	diff --git a/js/tbl_chart.js b/js/tbl_chart.js
		15	index 943d4ae..04c9c40 100644
		16	--- a/js/tbl_chart.js
		17	+++ b/js/tbl_chart.js
		18	@@ -47,7 +47,7 @@ function PMA_queryChart(data, columnNames, settings) {
		19	},
		20	axes : {
		21	xaxis : {
		22	- label : settings.xaxisLabel
		23	+ label : escapeHtml(settings.xaxisLabel)
		24	},
		25	yaxis : {
		26	label : settings.yaxisLabel
		27	--
		28	1.7.10.4
		29


diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb index 0de3f6d43..c267d8962 100644 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
6	file://libraries/tcpdf/LICENSE.TXT;md5=5c87b66a5358ebcc495b03e0afcd342c"	6	file://libraries/tcpdf/LICENSE.TXT;md5=5c87b66a5358ebcc495b03e0afcd342c"
7		7
8	SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \	8	SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
		9	file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
9	file://apache.conf"	10	file://apache.conf"
10		11
11	SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"	12	SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"