[security] XSS with malicious ENUM values

Signed-off-by: Marc Delisle <marc@infomarc.info>
phpmyadmin · Oct 1, 2014 · 71ccbbc · 71ccbbc
1 parent 247ebb6
commit 71ccbbc
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 6 deletions.
diff --git a/libraries/TableSearch.class.php b/libraries/TableSearch.class.php
@@ -316,6 +316,7 @@ private function _getForeignKeyInputBox($foreignData, $column_name,
     private function _getEnumSetInputBox($column_index, $criteriaValues,
         $column_type, $column_id, $in_zoom_search_edit = false
     ) {
+        $column_type = htmlspecialchars($column_type);
         $html_output = '';
         $value = explode(
             ', ',
@@ -984,7 +985,9 @@ private function _getRowsNormal()
             $html_output .= '<th>'
                 . htmlspecialchars($this->_columnNames[$column_index]) . '</th>';
             $properties = $this->getColumnProperties($column_index, $column_index);
-            $html_output .= '<td>' . $properties['type'] . '</td>';
+            $html_output .= '<td>'
+                . htmlspecialchars($properties['type'])
+                . '</td>';
             $html_output .= '<td>' . $properties['collation'] . '</td>';
             $html_output .= '<td>' . $properties['func'] . '</td>';
             $html_output .= '<td>' . $properties['value'] . '</td>';
@@ -993,11 +996,13 @@ private function _getRowsNormal()
             $html_output .= '<tr><td>';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnNames[' . $column_index . ']"'
-                . ' value="' . htmlspecialchars($this->_columnNames[$column_index])
+                . ' value="'
+                . htmlspecialchars($this->_columnNames[$column_index])
                 . '" />';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnTypes[' . $column_index . ']"'
-                . ' value="' . $this->_columnTypes[$column_index] . '" />';
+                . ' value="'
+                . htmlspecialchars($this->_columnTypes[$column_index]) . '" />';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnCollations[' . $column_index . ']"'
                 . ' value="' . $this->_columnCollations[$column_index] . '" />';

diff --git a/libraries/Util.class.php b/libraries/Util.class.php
@@ -3062,8 +3062,11 @@ public static function extractColumnSpec($columnspec)
         // for the case ENUM('&#8211;','&ldquo;')
         $displayed_type = htmlspecialchars($printtype);
         if (strlen($printtype) > $GLOBALS['cfg']['LimitChars']) {
-            $displayed_type  = '<abbr title="' . $printtype . '">';
-            $displayed_type .= substr($printtype, 0, $GLOBALS['cfg']['LimitChars']);
+            $displayed_type  = '<abbr title="'
+                . htmlspecialchars($printtype) . '">';
+            $displayed_type .= htmlspecialchars(
+                substr($printtype, 0, $GLOBALS['cfg']['LimitChars'])
+            );
             $displayed_type .= '</abbr>';
         }
 
@@ -4363,4 +4366,4 @@ public static function addMicroseconds($value)
     }
 }
 
-?>
+?>