author | Michal Čihař <michal@cihar.com> | 2016-09-02 16:04:55 +0300 |
---|---|---|
committer | Michal Čihař <michal@cihar.com> | 2016-09-02 16:04:55 +0300 |
commit | 5ee95b3615e2224eddb3cc24c77b00fddb06a4b8 (patch) | |
tree | b9a08f266194844eb2c6db560ad61a8ea374dd9a | |
parent | 3ba11212a3558f112d82d42d6cf305db6ef6912f (diff) | |
parent | 9f0c4c37f3067abcaa7a40b9ef907e343ee62de4 (diff) |
Merge branch 'QA_4_6-security' into master-security
-rw-r--r-- | index.php | 2 | ||||
-rw-r--r-- | libraries/core.lib.php | 14 | ||||
-rw-r--r-- | test/classes/MessageTest.php | 3 | ||||
-rw-r--r-- | test/libraries/core/PMA_isAllowedDomain_test.php | 3 |
4 files changed, 18 insertions, 4 deletions
@@ -393,7 +393,7 @@ PMA_printListItem(
 PMA_printListItem(
     __('Official Homepage'),
     'li_pma_homepage',
-    PMA_linkURL('https://www.phpMyAdmin.net/'),
+    PMA_linkURL('https://www.phpmyadmin.net/'),
     null,
     '_blank'
 );
diff --git a/libraries/core.lib.php b/libraries/core.lib.php
index c50166e01f..870422ad13 100644
--- a/libraries/core.lib.php
+++ b/libraries/core.lib.php
@@ -730,10 +730,17 @@ function PMA_linkURL($url)
 function PMA_isAllowedDomain($url)
 {
     $arr = parse_url($url);
-    // Avoid URLs without hostname or with credentials
-    if (empty($arr['host']) || ! empty($arr['user']) || ! empty($arr['pass'])) {
+    // We need host to be set
+    if (! isset($arr['host']) || strlen($arr['host']) == 0) {
         return false;
     }
+    // We do not want these to be present
+    $blocked = array('user', 'pass', 'port');
+    foreach ($blocked as $part) {
+        if (isset($arr[$part]) && strlen($arr[$part]) != 0) {
+            return false;
+        }
+    }
     $domain = $arr["host"];
     $domainWhiteList = array(
         /* Include current domain */
@@ -742,6 +749,7 @@ function PMA_isAllowedDomain($url)
         'wiki.phpmyadmin.net', 'www.phpmyadmin.net', 'phpmyadmin.net', 'demo.phpmyadmin.net', 'docs.phpmyadmin.net',
+        'demo.phpmyadmin.net',
         /* mysql.com domains */
         'dev.mysql.com','bugs.mysql.com',
         /* mariadb domains */
@@ -757,7 +765,7 @@ function PMA_isAllowedDomain($url)
         /* Following are doubtful ones. */
         'mysqldatabaseadministration.blogspot.com',
     );
-    if (in_array(mb_strtolower($domain), $domainWhiteList)) {
+    if (in_array($domain, $domainWhiteList)) {
         return true;
     }
diff --git a/test/classes/MessageTest.php b/test/classes/MessageTest.php
index a7f2d55356..4dea48e370 100644
--- a/test/classes/MessageTest.php
+++ b/test/classes/MessageTest.php
@@ -107,6 +107,7 @@ class MessageTest extends PMATestCase
     {
         $this->object = new PMA\libraries\Message('', PMA\libraries\Message::ERROR);
         $this->object->setMessage('test<&>');
+        $this->object->setBBCode(false);
         $this->assertEquals($this->object, PMA\libraries\Message::rawError('test<&>'));
     }
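Review bot: The new guard at the top of PMA_isAllowedDomain rejects missing hosts, credentials and an explicit port, but it never looks at `$arr['scheme']`, so a URL with any scheme (e.g. `ftp://www.phpmyadmin.net/`) reaches the host allowlist and passes as long as the host matches. If callers use this function to gate outbound links or redirects, which this hunk alone does not show, an explicit scheme check before the lookup would be cheap: `if (! isset($arr['scheme']) || ! in_array(strtolower($arr['scheme']), array('http', 'https'), true)) { return false; }`. The new port rejection also deserves a why-comment, since a later reader may think it is overly strict: `// An explicit port can point an "allowed" host at a different service`. The function body continues in the following hunks and past the end of this one.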
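Review bot: The added `'demo.phpmyadmin.net',` duplicates the entry already present on the context line directly above it, so this hunk changes nothing in the allowlist's behaviour. Drop the added line or, if it came from the 4.6 branch's list during the merge, resolve the conflict so each host appears once. Duplicate entries are harmless to in_array but make a security allowlist harder to audit.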
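Review bot: Replacing `mb_strtolower($domain)` with the raw host makes the allowlist lookup case-sensitive, so `https://WWW.PHPMYADMIN.NET/` is now rejected even though DNS host names are case-insensitive. If the motivation was that multibyte case folding can map non-ASCII characters onto ASCII allowlist entries (presumably, though the hunk gives no reason), a byte-wise fold that only touches ASCII letters keeps the intended leniency without that hazard, and the lookup should also be strict: `if (in_array(strtolower($domain), $domainWhiteList, true)) {`. Either way, add a comment so the next maintainer does not reintroduce mb_strtolower, e.g. `// Byte-wise compare on purpose: multibyte case folding can map foreign characters onto allowlisted hosts`. Note that before PHP 8.2 strtolower is locale-dependent, so this assumes the default C locale. The function begins in an earlier hunk.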
@@ -120,6 +121,7 @@ class MessageTest extends PMATestCase
     {
         $this->object = new PMA\libraries\Message('', PMA\libraries\Message::NOTICE);
         $this->object->setMessage('test<&>');
+        $this->object->setBBCode(false);
         $this->assertEquals($this->object, PMA\libraries\Message::rawNotice('test<&>'));
     }
@@ -133,6 +135,7 @@ class MessageTest extends PMATestCase
     {
         $this->object = new PMA\libraries\Message('', PMA\libraries\Message::SUCCESS);
         $this->object->setMessage('test<&>');
+        $this->object->setBBCode(false);
         $this->assertEquals($this->object, PMA\libraries\Message::rawSuccess('test<&>'));
     }
diff --git a/test/libraries/core/PMA_isAllowedDomain_test.php b/test/libraries/core/PMA_isAllowedDomain_test.php
index 586e6bcfb3..9f544c0d9c 100644
--- a/test/libraries/core/PMA_isAllowedDomain_test.php
+++ b/test/libraries/core/PMA_isAllowedDomain_test.php
@@ -43,6 +43,9 @@ class PMA_isAllowedDomain_test extends PHPUnit_Framework_TestCase
             array('https://www.phpmyadmin.net/', true),
             array('http://duckduckgo.com\\@github.com', false),
             array('https://github.com/', true),
+            array('https://github.com:123/', false),
+            array('https://user:pass@github.com:123/', false),
+            array('https://user:pass@github.com/', false),
             array('https://server.local/', true),
             array('./relative/', false),
         ); |
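Review bot: The three new cases in the PMA_isAllowedDomain_test provider pin the port and credential rejections, but nothing pins the other behaviour change in this commit, the switch from `mb_strtolower($domain)` to a case-sensitive host comparison. Add a case such as `array('https://WWW.PHPMYADMIN.NET/', false),` (or `true`, whichever is intended) so that decision is explicit and a later edit cannot silently flip it. A case with a non-ASCII host whose multibyte lowercase form equals an allowlisted name would also document why the case folding was dropped. The provider method's closing brace is outside the hunk.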