phpmyadmin: fix for Security Advisory CVE-2014-5274

Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5274 Signed-off-by: Roy Li <rongqing.li@windriver.com>
author: Roy Li <rongqing.li@windriver.com> 2014-10-30 13:37:26 +0800
committer: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-10-31 11:35:25 +0000
commit: 7edda3d9267cc3561151a5611a2d215848824423 (patch)
tree: 140920340e077d34cabfb1048816dc906d03fd47 /meta-webserver/recipes-php
parent: 780fb7c811b03ea5ae614cfa228f2f74d884f900 (diff)
download: meta-openembedded-7edda3d9267cc3561151a5611a2d215848824423.tar.gz
2 files changed, 44 insertions, 0 deletions
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch
new file mode 100644
index 000000000..164a072ef
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch
@@ -0,0 +1,43 @@
+From 0cd293f5e13aa245e4a57b8d373597cc0e421b6f Mon Sep 17 00:00:00 2001
+From: Madhura Jayaratne <madhura.cj@gmail.com>
+Date: Sun, 17 Aug 2014 08:41:57 -0400
+Subject: [PATCH] bug #4505 [security] XSS in view operations page
+Upstream-Status: Backport
+Signed-off-by: Marc Delisle <marc@infomarc.info>
+---
+ ChangeLog       |    3 +++
+ js/functions.js |    2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+diff --git a/ChangeLog b/ChangeLog
+index 7afac1a..cec9d77 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,6 +1,9 @@
+ phpMyAdmin - ChangeLog
+ ======================
+ 
+4.2.7.1 (2014-08-17)
+- bug #4505 [security] XSS in view operations page
+
+ 4.2.7.0 (2014-07-31)
+ - bug       Broken links on home page
+ - bug #4494 Overlap in navigation panel
+diff --git a/js/functions.js b/js/functions.js
+index 09bfeda..a970a81 100644
+--- a/js/functions.js
+++ b/js/functions.js
+@@ -3585,7 +3585,7 @@ AJAX.registerOnload('functions.js', function () {
+         var question = PMA_messages.strDropTableStrongWarning + ' ';
+         question += $.sprintf(
+             PMA_messages.strDoYouReally,
+-            'DROP VIEW ' + PMA_commonParams.get('table')
+            'DROP VIEW ' + escapeHtml(PMA_commonParams.get('table'))
+         );
+ 
+         $(this).PMA_confirm(question, $(this).attr('href'), function (url) {
+-- 
+1.7.10.4
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
index c267d8962..447b77884 100644
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
 SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
           file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
+           file://0001-bug-4505-security-XSS-in-view-operations-page.patch \
           file://apache.conf"
 SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"
author	Roy Li <rongqing.li@windriver.com>	2014-10-30 13:37:26 +0800
committer	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-10-31 11:35:25 +0000
commit	7edda3d9267cc3561151a5611a2d215848824423 (patch)
tree	140920340e077d34cabfb1048816dc906d03fd47 /meta-webserver/recipes-php
parent	780fb7c811b03ea5ae614cfa228f2f74d884f900 (diff)
download	meta-openembedded-7edda3d9267cc3561151a5611a2d215848824423.tar.gz

diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch new file mode 100644 index 000000000..164a072ef --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch
@@ -0,0 +1,43 @@
		1	From 0cd293f5e13aa245e4a57b8d373597cc0e421b6f Mon Sep 17 00:00:00 2001
		2	From: Madhura Jayaratne <madhura.cj@gmail.com>
		3	Date: Sun, 17 Aug 2014 08:41:57 -0400
		4	Subject: [PATCH] bug #4505 [security] XSS in view operations page
		5
		6	Upstream-Status: Backport
		7
		8	Signed-off-by: Marc Delisle <marc@infomarc.info>
		9	---
		10	ChangeLog \| 3 +++
		11	js/functions.js \| 2 +-
		12	2 files changed, 4 insertions(+), 1 deletion(-)
		13
		14	diff --git a/ChangeLog b/ChangeLog
		15	index 7afac1a..cec9d77 100644
		16	--- a/ChangeLog
		17	+++ b/ChangeLog
		18	@@ -1,6 +1,9 @@
		19	phpMyAdmin - ChangeLog
		20	======================
		21
		22	+4.2.7.1 (2014-08-17)
		23	+- bug #4505 [security] XSS in view operations page
		24	+
		25	4.2.7.0 (2014-07-31)
		26	- bug Broken links on home page
		27	- bug #4494 Overlap in navigation panel
		28	diff --git a/js/functions.js b/js/functions.js
		29	index 09bfeda..a970a81 100644
		30	--- a/js/functions.js
		31	+++ b/js/functions.js
		32	@@ -3585,7 +3585,7 @@ AJAX.registerOnload('functions.js', function () {
		33	var question = PMA_messages.strDropTableStrongWarning + ' ';
		34	question += $.sprintf(
		35	PMA_messages.strDoYouReally,
		36	- 'DROP VIEW ' + PMA_commonParams.get('table')
		37	+ 'DROP VIEW ' + escapeHtml(PMA_commonParams.get('table'))
		38	);
		39
		40	$(this).PMA_confirm(question, $(this).attr('href'), function (url) {
		41	--
		42	1.7.10.4
		43


diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb index c267d8962..447b77884 100644 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
7		7
8	SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \	8	SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
9	file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \	9	file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
		10	file://0001-bug-4505-security-XSS-in-view-operations-page.patch \
10	file://apache.conf"	11	file://apache.conf"
11		12
12	SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"	13	SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"