authorschnoebe <schnoebe>2014-02-24 16:31:03 +0000
committerschnoebe <schnoebe>2014-02-24 16:31:03 +0000
commitfc7187fcd4bfad0b5a826d765fcc0957dfaef45a (patch)
treec89ed71e9c886a4dfa658f69ee47c4d8f6e1aa5c
parent1cd34bf7f07d2fffbccf68d0c16eef2308d754c4 (diff)
downloadpkgsrc-fc7187fcd4bfad0b5a826d765fcc0957dfaef45a.tar.gz
Resolve the vulnerability reported in PMASA-2014-1.
Based on GIT commit https://github.com/phpmyadmin/phpmyadmin/commit/968d5d5f486820bfa30af046f063b9f23304e14a RT ticket 4333.
-rw-r--r--databases/phpmyadmin/Makefile3
-rw-r--r--databases/phpmyadmin/distinfo3
-rw-r--r--databases/phpmyadmin/patches/patch-import.php33
3 files changed, 37 insertions, 2 deletions
diff --git a/databases/phpmyadmin/Makefile b/databases/phpmyadmin/Makefile
index 8cc00d857df..c9cbb85fb78 100644
--- a/databases/phpmyadmin/Makefile
+++ b/databases/phpmyadmin/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.122 2013/12/06 18:34:54 tron Exp $
+# $NetBSD: Makefile,v 1.122.2.1 2014/02/24 16:31:03 schnoebe Exp $
DISTNAME= phpMyAdmin-${DIST_VERSION}-all-languages
+PKGREVISION= 1
PKGNAME= phpmyadmin-${DIST_VERSION:S/-//}
CATEGORIES= databases www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=phpmyadmin/}
diff --git a/databases/phpmyadmin/distinfo b/databases/phpmyadmin/distinfo
index 96a3a228c37..0637f8f07bc 100644
--- a/databases/phpmyadmin/distinfo
+++ b/databases/phpmyadmin/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.79 2013/12/06 18:34:54 tron Exp $
+$NetBSD: distinfo,v 1.79.2.1 2014/02/24 16:31:03 schnoebe Exp $
SHA1 (phpMyAdmin-4.0.10-all-languages.tar.xz) = 2002e954471b3c76eddd5ffc14c224089bc08d26
RMD160 (phpMyAdmin-4.0.10-all-languages.tar.xz) = c78ea8b17fd01472df3eb7d25a8a0ef6a94eb6d0
Size (phpMyAdmin-4.0.10-all-languages.tar.xz) = 4774280 bytes
+SHA1 (patch-import.php) = 134dd0d6364c4903012b7d3b826b463706f9d71a
SHA1 (patch-libraries_vendor_config.php) = af587496e999bf1e92d6c5a9ab8053fe6e92a0f2
diff --git a/databases/phpmyadmin/patches/patch-import.php b/databases/phpmyadmin/patches/patch-import.php
new file mode 100644
index 00000000000..83c885dd187
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-import.php
@@ -0,0 +1,33 @@
+$NetBSD: patch-import.php,v 1.1.2.1 2014/02/24 16:31:03 schnoebe Exp $
+
+Fix "security vulnerablity" reported in PMASA-2014-1. Patch based on
+the following GIT commit:
+
+https://github.com/phpmyadmin/phpmyadmin/commit/968d5d5f486820bfa30af046f063b9f23304e14a
+
+--- import.php.orig 2013-12-04 17:44:44.000000000 +0000
++++ import.php 2014-02-22 11:21:37.000000000 +0000
+@@ -549,9 +549,9 @@
+
+ $message->addString($import_notice);
+ if (isset($local_import_file)) {
+- $message->addString('(' . $local_import_file . ')');
++ $message->addString('(' . htmlspecialchars($local_import_file) . ')');
+ } else {
+- $message->addString('(' . $_FILES['import_file']['name'] . ')');
++ $message->addString('(' . htmlspecialchars($_FILES['import_file']['name']) . ')');
+ }
+ } else {
+ $message = PMA_Message::success(
+@@ -559,9 +559,9 @@
+ );
+ $message->addParam($executed_queries);
+ if (isset($local_import_file)) {
+- $message->addString('(' . $local_import_file . ')');
++ $message->addString('(' . htmlspecialchars($local_import_file) . ')');
+ } else {
+- $message->addString('(' . $_FILES['import_file']['name'] . ')');
++ $message->addString('(' . htmlspecialchars($_FILES['import_file']['name']) . ')');
+ }
+ }
+ }
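Review bot: The four added `htmlspecialchars()` calls in the embedded import.php hunks rely on PHP's default flags and charset, which on PHP releases before 8.1 leave single quotes unencoded. That is sufficient only if the string passed to `$message->addString()` ends up in element content rather than inside a quoted attribute, which is not visible from here; passing the flags explicitly, e.g. `htmlspecialchars($local_import_file, ENT_QUOTES, 'UTF-8')`, would remove that dependency, at the cost of diverging from the upstream commit. Separately, the patch header says only `Fix "security vulnerablity"`; a description such as `Escape the import file name before adding it to the result message (HTML injection, PMASA-2014-1).` would tell the next maintainer what the patch protects and when it can be dropped. The enclosing import.php block starts and ends outside both embedded hunks.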