phpMyAdmin/phpMyAdmin-config.patch
Eric Schirra fdcead68a0 Accepting request 398442 from home:ecsos:server
update to 4.6.2
Also include:
- Security fixes:
+  * PMASA-2016-14 (CVE-2016-5097, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2016-14/
+    - User SQL queries can be revealed through URL GET parameters,
+      see PMASA-2016-14
+  * PMASA-2016-16 (CVE-2016-5099, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2016-16/
+    - Self XSS vulneratbility, see PMASA-2016-16

OBS-URL: https://build.opensuse.org/request/show/398442
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=258
2016-05-28 09:01:58 +00:00

286 lines
12 KiB
Diff

diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin-4.6.2-all-languages/config.sample.inc.php
--- phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php 2016-05-25 19:07:44.000000000 +0200
+++ phpMyAdmin-4.6.2-all-languages/config.sample.inc.php 2016-05-28 10:30:30.138092225 +0200
@@ -11,13 +11,56 @@
*/
/**
+ * Disable the default warning that is displayed on the DB Details Structure
+ * page if any of the required Tables for the relationfeatures could not be
+ * found
+ *
+ * Default: false
+ */
+/* $cfg['PmaNoRelation_DisableWarning'] = true;
+
+/**
+ * Zero Configuration mode.
+ *
+ * Enables Zero Configuration mode in which the user will be offered a choice
+ * to create phpMyAdmin configuration storage in the current database or use
+ * the existing one, if already present.
+ *
+ * Note: If there is no central configuration storage defined then you may end
+ * up with different set of phpMyAdmin configuration storage tables for
+ * different databases.
+ *
+ * Default: true
+ */
+$cfg['ZeroConf'] = false;
+
+/**
+ * Disable the default warning that is displayed if Suhosin is detected
+ *
+ * Default: false
+ */
+/* $cfg['SuhosinDisableWarning'] = true;
+
+/**
+ * Default language to use, if not browser-defined or user-defined
+ *
+ * Default: en
+ */
+/* $cfg['DefaultLang'] = 'de';
+
+/**
* This is needed for cookie based authentication to encrypt password in
* cookie
+ *
+ * YOU MUST FILL IN THIS FOR COOKIE AUTH!
*/
-$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
+$cfg['blowfish_secret'] = '';
/**
* Servers configuration
+ *
+ * for more info/explanation about these VARS have look at
+ * libraries/config.default.php
*/
$i = 0;
@@ -25,47 +68,155 @@ $i = 0;
* First server
*/
$i++;
-/* Authentication type */
-$cfg['Servers'][$i]['auth_type'] = 'cookie';
-/* Server parameters */
-$cfg['Servers'][$i]['host'] = 'localhost';
-$cfg['Servers'][$i]['connect_type'] = 'tcp';
-$cfg['Servers'][$i]['compress'] = false;
-$cfg['Servers'][$i]['AllowNoPassword'] = false;
+
+$cfg['Servers'][$i]['host'] = 'localhost';
+$cfg['Servers'][$i]['port'] = '';
+$cfg['Servers'][$i]['socket'] = '';
+$cfg['Servers'][$i]['ssl'] = false;
+$cfg['Servers'][$i]['connect_type'] = 'socket';
+$cfg['Servers'][$i]['extension'] = 'mysqli';
+$cfg['Servers'][$i]['compress'] = false;
+$cfg['Servers'][$i]['auth_type'] = 'cookie';
+$cfg['Servers'][$i]['user'] = 'root';
+$cfg['Servers'][$i]['password'] = '';
+$cfg['Servers'][$i]['AllowNoPassword'] = false;
+$cfg['Servers'][$i]['AllowRoot'] = true;
+$cfg['Servers'][$i]['SignonSession'] = '';
+$cfg['Servers'][$i]['SignonURL'] = '';
+$cfg['Servers'][$i]['LogoutURL'] = '';
+$cfg['Servers'][$i]['only_db'] = '';
+$cfg['Servers'][$i]['verbose'] = '';
+$cfg['Servers'][$i]['verbose_check'] = true;
+$cfg['Servers'][$i]['AllowDeny']['order'] = '';
+$cfg['Servers'][$i]['AllowDeny']['rules'] = array();
/**
* phpMyAdmin configuration storage settings.
+ *
+ * for more info/explanation about these VARS have look at
+ * libraries/config.default.php
*/
/* User used to manipulate with storage */
-// $cfg['Servers'][$i]['controlhost'] = '';
-// $cfg['Servers'][$i]['controlport'] = '';
-// $cfg['Servers'][$i]['controluser'] = 'pma';
-// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
+$cfg['Servers'][$i]['controlhost'] = 'localhost';
+$cfg['Servers'][$i]['controlport'] = '';
+/*
+$cfg['Servers'][$i]['controluser'] = 'pma';
+$cfg['Servers'][$i]['controlpass'] = 'pmapass';
-/* Storage database and tables */
-// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
-// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
-// $cfg['Servers'][$i]['relation'] = 'pma__relation';
-// $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
-// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
-// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
-// $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
-// $cfg['Servers'][$i]['history'] = 'pma__history';
-// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
-// $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
-// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
-// $cfg['Servers'][$i]['recent'] = 'pma__recent';
-// $cfg['Servers'][$i]['favorite'] = 'pma__favorite';
-// $cfg['Servers'][$i]['users'] = 'pma__users';
-// $cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
-// $cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
-// $cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
-// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
-// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
-// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
-/* Contrib / Swekey authentication */
-// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
+/**
+ * The name of the database containing the phpMyAdmin configuration storage.
+ *
+ * For a whole set of additional features (bookmarks, comments, SQL-history,
+ * tracking mechanism, PDF-generation, column contents transformation, etc.)
+ * you need to create a set of special tables. Those tables can be located in
+ * your own database, or in a central database for a multi-user installation
+ * (this database would then be accessed by the controluser, so no other user
+ * should have rights to it).
+ *
+ * Default: ''
+ *
+ */
+/* $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
+
+/* Other Storage tables */
+
+$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
+$cfg['Servers'][$i]['relation'] = 'pma__relation';
+$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
+$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
+$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
+$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
+$cfg['Servers'][$i]['history'] = 'pma__history';
+$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
+$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
+$cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
+$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
+$cfg['Servers'][$i]['recent'] = 'pma__recent';
+$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
+$cfg['Servers'][$i]['users'] = 'pma__users';
+$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
+$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
+$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
+$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
+$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
+$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
+/* $cfg['Servers'][$i]['auth_swekey_config'] = '';
+
+
+
+/**
+ * Second Server
+ */
+
+/*
+$i++;
+$cfg['Servers'][$i]['host'] = 'localhost';
+$cfg['Servers'][$i]['port'] = '';
+$cfg['Servers'][$i]['socket'] = '';
+$cfg['Servers'][$i]['ssl'] = false;
+$cfg['Servers'][$i]['connect_type'] = 'socket';
+$cfg['Servers'][$i]['extension'] = 'mysqli';
+$cfg['Servers'][$i]['compress'] = false;
+$cfg['Servers'][$i]['auth_type'] = 'cookie';
+$cfg['Servers'][$i]['user'] = 'root';
+$cfg['Servers'][$i]['password'] = '';
+$cfg['Servers'][$i]['AllowNoPassword'] = false;
+$cfg['Servers'][$i]['AllowRoot'] = true;
+$cfg['Servers'][$i]['SignonSession'] = '';
+$cfg['Servers'][$i]['SignonURL'] = '';
+$cfg['Servers'][$i]['LogoutURL'] = '';
+$cfg['Servers'][$i]['only_db'] = '';
+$cfg['Servers'][$i]['verbose'] = '';
+$cfg['Servers'][$i]['verbose_check'] = true;
+$cfg['Servers'][$i]['AllowDeny']['order'] = '';
+$cfg['Servers'][$i]['AllowDeny']['rules'] = array();
+*/
+
+/*
+ * phpMyAdmin configuration storage settings.
+ */
+
+/*
+$cfg['Servers'][$i]['controlhost'] = 'localhost';
+$cfg['Servers'][$i]['controlport'] = '';
+$cfg['Servers'][$i]['controluser'] = 'pma';
+$cfg['Servers'][$i]['controlpass'] = 'pmapass';
+$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
+$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
+$cfg['Servers'][$i]['relation'] = 'pma__relation';
+$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
+$cfg['Servers'][$i]['table_coords'] = 'pma__table_cords';
+$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
+$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
+$cfg['Servers'][$i]['history'] = 'pma__history';
+$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
+$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
+$cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
+$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
+$cfg['Servers'][$i]['recent'] = 'pma__recent';
+$cfg['Servers'][$i]['users'] = 'pma__users';
+$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
+$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
+$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
+$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
+$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
+$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
+$cfg['Servers'][$i]['auth_swekey_config'] = '';
+*/
+
+/**
+ * If you have more than one server configured, you can set $cfg['ServerDefault']
+ * to any one of them to autoconnect to that server when phpMyAdmin is started,
+ * or set it to 0 to be given a list of servers without logging in
+ * If you have only one server configured, $cfg['ServerDefault'] *MUST* be
+ * set to that server.
+ *
+ * Default server (0 = no default server)
+ */
+$cfg['ServerDefault'] = 1;
+$cfg['Server'] = '0';
+unset($cfg['Servers'][0]);
/**
* End of servers configuration
diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php
--- phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php 2016-05-25 19:07:44.000000000 +0200
+++ phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php 2016-05-28 10:33:10.089295600 +0200
@@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) {
* Path to changelog file, can be gzip compressed. Useful when you want to
* have documentation somewhere else, eg. /usr/share/doc.
*/
-define('CHANGELOG_FILE', './ChangeLog');
+define('CHANGELOG_FILE', '@docdir@/ChangeLog');
/**
* Path to license file. Useful when you want to have documentation somewhere
* else, eg. /usr/share/doc.
*/
-define('LICENSE_FILE', './LICENSE');
+define('LICENSE_FILE', '@docdir@/LICENSE');
/**
* Path to config file generated using setup script.
*/
-define('SETUP_CONFIG_FILE', './config/config.inc.php');
+define('SETUP_CONFIG_FILE', '@sysconfdir@/config.inc.php');
/**
* Whether setup requires writable directory where config
@@ -46,7 +46,7 @@ define('SQL_DIR', './sql/');
* It is not used directly in code, just a convenient
* define used further in this file.
*/
-define('CONFIG_DIR', '');
+define('CONFIG_DIR', '@sysconfdir@/');
/**
* Filename of a configuration file.