Fix the Bug#4237 [ https://sourceforge.net/p/phpmyadmin/bugs/4237/ ] #893
Closed
JayNakrani wants to merge 1 commit into phpmyadmin:master from JayNakrani:bugs#4237
Conversation
Contributor

Thanks for the pull request, however I find a security problem: since there is no domain whitelist, an attacker can trick someone into clicking on a link like http://example.com/phpmyadmin/url.php?http://badsite.com.
Contributor (Author)

Okay, I'll implement the domain whitelist and create a new pull request.
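The reviewer's objection is that a redirector which forwards to any URL it is handed is an open redirect. As an added example (not code from this pull request or phpMyAdmin's own url.php), here is a minimal outbound-link redirector that only forwards to hosts on an explicit allow-list; the host names and the `url` query parameter are assumptions for illustration.

```php
<?php
// Added example, not phpMyAdmin's url.php: an outbound-link redirector that
// refuses anything not on an explicit host allow-list, so a request such as
// url.php?url=http://badsite.com cannot be used as an open redirect.
declare(strict_types=1);

// Assumed allow-list of link targets the application actually uses.
const ALLOWED_HOSTS = [
    'www.phpmyadmin.net',
    'docs.phpmyadmin.net',
    'dev.mysql.com',
];

/**
 * Return the URL to redirect to, or null if the target is not permitted.
 * Accepts only http/https, only exact hosts from the allow-list, and no
 * credentials in the authority ("https://docs.phpmyadmin.net@evil.example/").
 */
function allowedRedirectTarget(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, schemeless or unparsable input
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // refuse javascript:, data:, file: and similar schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo is never needed for documentation links
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null; // exact match only: no suffix or substring comparison
    }
    return $url;
}

// Assumed parameter name; the target is taken from ?url=...
$target = allowedRedirectTarget($_GET['url'] ?? '');
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Refusing to redirect outside the allowed hosts.\n";
    exit;
}
// Keep the token-bearing referring page out of the Referer header.
header('Referrer-Policy: no-referrer');
header('Location: ' . $target, true, 302);
exit;
```

With this in place the link from the review comment is answered with a 400 instead of a redirect, while links to the allow-listed hosts still work and no longer carry the referring page's query string.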
Closed

nijel added a commit that referenced this pull request on Mar 3, 2014:
Changes:
6.0.062 (2014-03-02)
- The method startLayer() now accepts the NULL value for the $print parameter to not set the print layer option.
6.0.061 (2014-02-18)
- Bug #893 "Parsing error on streamed xref for secured pdf" was fixed.
6.0.060 (2014-02-16)
- Bug #891 "Error on parsing hexa fields" was fixed.
- Bug #892 "Parsing pdf with trailing space at start" was fixed.
6.0.059 (2014-02-03)
- SVG 'use' support was improved.
6.0.058 (2014-01-31)
- Bug #886 "Bugs with SVG using <defs> and <use>" was fixed.
6.0.057 (2014-01-26)
- Bug #883 "Parsing error" was fixed.
6.0.056 (2014-01-25)
- The automatic cache folder selection now works also with some restricted hosting environments.
- CSS text-transform property is now supported (requires the multibyte string library for php) - see example n. 061 (Thanks to Walter Ferraz).
- Bug #884 "Parsing error prev tag looking for" was fixed.
Signed-off-by: Michal Čihař <michal@cihar.com>
Now, with these changes, sensitive information like the token and others does not go along with outgoing HTTP requests.
Also, the bug report only mentioned URLs associated with SQL queries, but as I found out, the token was present in almost all outgoing links (like Wiki, Documentation, etc.). That problem is also solved in these changes.
The Travis-CI build fails because it is comparing the new results with some old result which has the token in all its outgoing URLs, and so the string comparisons fail on those URLs. See the build log.