[security] XSS with malicious ENUM values

Signed-off-by: Marc Delisle <marc@infomarc.info>
phpmyadmin · Sep 28, 2014 · c6c7758 · c6c7758
1 parent ceb7d7e
commit c6c7758
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/libraries/TableSearch.class.php b/libraries/TableSearch.class.php
@@ -307,6 +307,7 @@ private function _getForeignKeyInputBox($foreignData, $column_name,
     private function _getEnumSetInputBox($column_index, $criteriaValues,
         $column_type, $column_id, $in_zoom_search_edit = false
     ) {
+        $column_type = htmlspecialchars($column_type);
         $html_output = '';
         $value = explode(
             ', ',
@@ -932,7 +933,9 @@ private function _getRowsNormal()
             $html_output .= '<th>'
                 . htmlspecialchars($this->_columnNames[$column_index]) . '</th>';
             $properties = $this->getColumnProperties($column_index, $column_index);
-            $html_output .= '<td>' . $properties['type'] . '</td>';
+            $html_output .= '<td>'
+                . htmlspecialchars($properties['type'])
+                . '</td>';
             $html_output .= '<td>' . $properties['collation'] . '</td>';
             $html_output .= '<td>' . $properties['func'] . '</td>';
             $html_output .= '<td>' . $properties['value'] . '</td>';
@@ -941,11 +944,13 @@ private function _getRowsNormal()
             $html_output .= '<tr><td>';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnNames[' . $column_index . ']"'
-                . ' value="' . htmlspecialchars($this->_columnNames[$column_index])
+                . ' value="'
+                . htmlspecialchars($this->_columnNames[$column_index])
                 . '" />';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnTypes[' . $column_index . ']"'
-                . ' value="' . $this->_columnTypes[$column_index] . '" />';
+                . ' value="'
+                . htmlspecialchars($this->_columnTypes[$column_index]) . '" />';
             $html_output .= '<input type="hidden"'
                 . ' name="criteriaColumnCollations[' . $column_index . ']"'
                 . ' value="' . $this->_columnCollations[$column_index] . '" />';

diff --git a/libraries/Util.class.php b/libraries/Util.class.php
@@ -3150,8 +3150,11 @@ public static function extractColumnSpec($columnspec)
         // for the case ENUM('&#8211;','&ldquo;')
         $displayed_type = htmlspecialchars($printtype);
         if (strlen($printtype) > $GLOBALS['cfg']['LimitChars']) {
-            $displayed_type  = '<abbr title="' . $printtype . '">';
-            $displayed_type .= substr($printtype, 0, $GLOBALS['cfg']['LimitChars']);
+            $displayed_type  = '<abbr title="'
+                . htmlspecialchars($printtype) . '">';
+            $displayed_type .= htmlspecialchars(
+                substr($printtype, 0, $GLOBALS['cfg']['LimitChars'])
+            );
             $displayed_type .= '</abbr>';
         }