Accepting request 1123214 from server:php:applications
Update to 7.14.6, Fix for CVE-2023-40619, boo#1215551 (forwarded request 1123213 from computersalat) OBS-URL: https://build.opensuse.org/request/show/1123214 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/phpPgAdmin?expand=0&rev=31
This commit is contained in:
Ana Guerrero
Git OBS Bridge
commit
e07d7485d4
@ -2,9 +2,9 @@ Index: classes/Misc.php
|
||||
===================================================================
|
||||
--- classes/Misc.php.orig
|
||||
+++ classes/Misc.php
|
||||
@@ -1333,6 +1333,10 @@
|
||||
$server_info = $this->getServerInfo();
|
||||
$reqvars = $this->getRequestVars('table');
|
||||
@@ -1354,6 +1354,10 @@
|
||||
echo '<div class="alert-banner"><p><a href="https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite" target="_blank" rel="noopener noreferrer">', htmlspecialchars($lang['sessionsecuritywarning']), '</a></p></div>';
|
||||
}
|
||||
|
||||
+ if (!$conf['extra_session_security']) {
|
||||
+ echo '<div class="alert-banner"><p><a href="http://phppgadmin.sourceforge.net/doku.php?id=faq#other_questions" target="_blank" rel="noopener noreferrer">', htmlspecialchars($lang['sessionsecuritywarning']), '</a></p></div>';
|
||||
@ -17,9 +17,9 @@ Index: conf/config.inc.php-dist
|
||||
===================================================================
|
||||
--- conf/config.inc.php-dist.orig
|
||||
+++ conf/config.inc.php-dist
|
||||
@@ -89,6 +89,15 @@
|
||||
// your browser preference.
|
||||
$conf['default_lang'] = 'auto';
|
||||
@@ -98,6 +98,15 @@
|
||||
// to this feature and will be vulnerable to CSRF attacks.
|
||||
$conf['extra_session_security'] = true;
|
||||
|
||||
+ // If extra session security is true, then PHP's session cookies will have
|
||||
+ // SameSite cookie flags set to prevent CSRF attacks. If you're using
|
||||
@ -33,64 +33,6 @@ Index: conf/config.inc.php-dist
|
||||
// AutoComplete uses AJAX interaction to list foreign key values
|
||||
// on insert fields. It currently only works on single column
|
||||
// foreign keys. You can choose one of the following values:
|
||||
Index: lang/english.php
|
||||
===================================================================
|
||||
--- lang/english.php.orig
|
||||
+++ lang/english.php
|
||||
@@ -807,6 +807,7 @@
|
||||
$lang['strloading'] = 'Loading...';
|
||||
$lang['strerrorloading'] = 'Error Loading';
|
||||
$lang['strclicktoreload'] = 'Click to reload';
|
||||
+ $lang['sessionsecuritywarning'] = 'You are running phpPgAdmin without session security.';
|
||||
|
||||
// Autovacuum
|
||||
$lang['strautovacuum'] = 'Autovacuum';
|
||||
Index: libraries/lib.inc.php
|
||||
===================================================================
|
||||
--- libraries/lib.inc.php.orig
|
||||
+++ libraries/lib.inc.php
|
||||
@@ -50,11 +50,36 @@
|
||||
require_once('./classes/Misc.php');
|
||||
$misc = new Misc();
|
||||
|
||||
- // Start session (if not auto-started)
|
||||
- if (!ini_get('session.auto_start')) {
|
||||
- session_name('PPA_ID');
|
||||
- session_start();
|
||||
- }
|
||||
+ // Session start: if extra_session_security is on, make sure cookie_samesite
|
||||
+ // is on (exit if we fail); otherwise, just start the session
|
||||
+ $our_session_name = 'PPA_ID';
|
||||
+ if ($conf['extra_session_security']) {
|
||||
+ if (version_compare(phpversion(), '7.3', '<')) {
|
||||
+ exit('PHPPgAdmin cannot be fully secured while running under PHP versions before 7.3. Please upgrade PHP if possible. If you cannot upgrade, and you\'re willing to assume the risk of CSRF attacks, you can change the value of "extra_session_security" to false in your config.inc.php file.');
|
||||
+ }
|
||||
+ if (ini_get('session.auto_start')) {
|
||||
+ // If session.auto_start is on, and the session doesn't have
|
||||
+ // session.cookie_samesite set, destroy and re-create the session
|
||||
+ if (session_name() !== $our_session_name) {
|
||||
+ $setting = strtolower(ini_get('session.cookie_samesite'));
|
||||
+ if ($setting !== 'lax' && $setting !== 'strict') {
|
||||
+ session_destroy();
|
||||
+ session_name($our_session_name);
|
||||
+ ini_set('session.cookie_samesite', 'Strict');
|
||||
+ session_start();
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ session_name($our_session_name);
|
||||
+ ini_set('session.cookie_samesite', 'Strict');
|
||||
+ session_start();
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!ini_get('session.auto_start')) {
|
||||
+ session_name($our_session_name);
|
||||
+ session_start();
|
||||
+ }
|
||||
+ }
|
||||
|
||||
// Do basic PHP configuration checks
|
||||
if (ini_get('magic_quotes_gpc')) {
|
||||
Index: tests/manual/issue-94/README.md
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
@ -270,9 +212,9 @@ Index: themes/global.css
|
||||
===================================================================
|
||||
--- themes/global.css.orig
|
||||
+++ themes/global.css
|
||||
@@ -72,6 +72,26 @@ body.browser {
|
||||
@@ -92,6 +92,26 @@ body.browser {
|
||||
color: #9F6000;
|
||||
}
|
||||
.ac_values {width:100%}
|
||||
|
||||
+/** alert banner **/
|
||||
+.alert-banner {
|
||||
@ -297,15 +239,3 @@ Index: themes/global.css
|
||||
/** bottom link back to top **/
|
||||
.bottom_link {
|
||||
position: fixed;
|
||||
Index: themes/gotar/global.css
|
||||
===================================================================
|
||||
--- themes/gotar/global.css.orig
|
||||
+++ themes/gotar/global.css
|
||||
@@ -136,6 +136,7 @@ td.opbutton1 a, td.opbutton2 a {
|
||||
padding-left:6px;
|
||||
padding-right:6px;
|
||||
}
|
||||
+.alert-banner { margin-top: 0 }
|
||||
.topbar { border: 0 }
|
||||
.topbar, .topbar *, .trail, .tab, .crumb {
|
||||
border: 0;
|
||||
|
||||
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:dc9a5d74c49330af65664b3fd145df2b76c63f946e0de86e306b308ad104939c
|
||||
size 620530
|
||||
3
phpPgAdmin-7.14.6-mod.tar.gz
Normal file
3
phpPgAdmin-7.14.6-mod.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:b33282d8c36873dff30a0a56039d31067fcdb2d3274701ec1d79c2d01b5e6e64
|
||||
size 1153991
|
||||
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 3 10:58:05 UTC 2023 - chris@computersalat.de
|
||||
|
||||
- Update to 7.14.6
|
||||
* fix for CVE-2023-40619 (boo#1215551)
|
||||
* no real ChangeLog available
|
||||
- Changed to fork 'ReimuHakurei'
|
||||
- rebased patches
|
||||
* csrf-samesite-fix.patch
|
||||
* phpPgAdmin_config.inc.patch
|
||||
- rename phpPgAdmin-config.inc.patch to phpPgAdmin_config.inc.patch
|
||||
- add phpPgAdmin_appVersion.patch (remove suffix '-mod')
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 13 10:55:19 UTC 2023 - ecsos <ecsos@opensuse.org>
|
||||
|
||||
|
||||
@ -18,6 +18,7 @@
|
||||
|
||||
Name: phpPgAdmin
|
||||
|
||||
%define lc_prj ReimuHakurei
|
||||
%define lc_name phppgadmin
|
||||
%define ap_docroot_old %{apache_serverroot}/htdocs
|
||||
%define ap_docroot %{_datadir}
|
||||
@ -26,14 +27,17 @@ Name: phpPgAdmin
|
||||
Summary: Administration of PostgreSQL over the web
|
||||
License: GPL-2.0-or-later
|
||||
Group: Productivity/Databases/Tools
|
||||
Version: 7.13.0
|
||||
Version: 7.14.6
|
||||
Release: 0
|
||||
%define rel_version REL_7-13-0
|
||||
URL: http://phppgadmin.sourceforge.net
|
||||
Source0: https://github.com/%{lc_name}/%{lc_name}/releases/download/%{rel_version}/%{name}-%{version}.tar.bz2
|
||||
%define rel_version REL_7-14-6
|
||||
#URL: https://github.com/phppgadmin/phppgadmin
|
||||
#Source0: https://github.com/%{lc_name}/%{lc_name}/releases/download/%{rel_version}/%{name}-%{version}.tar.bz2
|
||||
URL: https://github.com/ReimuHakurei/phpPgAdmin
|
||||
Source0: %{name}-%{version}-mod.tar.gz
|
||||
Source1: %{name}.http
|
||||
Source2: %{name}.http.inc
|
||||
Patch0: %{name}-config.inc.patch
|
||||
Patch0: %{name}_config.inc.patch
|
||||
Patch10: %{name}_appVersion.patch
|
||||
Patch100: csrf-samesite-fix.patch
|
||||
BuildArch: noarch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -49,7 +53,7 @@ perfect for PostgreSQL DBAs, newbies and hosting services.
|
||||
Features
|
||||
|
||||
* Administer multiple servers
|
||||
* Support for PostgreSQL 9.x.x, 10.x, 11.x, 12.x
|
||||
* Support for PostgreSQL 9.x.x, 10.x, 11.x, 12.x, 14.x
|
||||
* Manage all aspects of:
|
||||
o Users & groups
|
||||
o Databases
|
||||
@ -83,8 +87,9 @@ Supplements: packageand(apache2:%name)
|
||||
This subpackage contains the Apache configuration files
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -n %{name}-%{version}-mod
|
||||
%patch0
|
||||
%patch10
|
||||
%patch100
|
||||
|
||||
### remove not needed files
|
||||
|
||||
13
phpPgAdmin_appVersion.patch
Normal file
13
phpPgAdmin_appVersion.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: libraries/lib.inc.php
|
||||
===================================================================
|
||||
--- libraries/lib.inc.php.orig
|
||||
+++ libraries/lib.inc.php
|
||||
@@ -16,7 +16,7 @@
|
||||
$appName = 'phpPgAdmin';
|
||||
|
||||
// Application version
|
||||
- $appVersion = '7.14.6-mod';
|
||||
+ $appVersion = '7.14.6';
|
||||
|
||||
// PostgreSQL and PHP minimum version
|
||||
global $postgresqlMinVer;
|
||||
@ -2,7 +2,7 @@ Index: libraries/lib.inc.php
|
||||
===================================================================
|
||||
--- libraries/lib.inc.php.orig
|
||||
+++ libraries/lib.inc.php
|
||||
@@ -27,12 +27,12 @@
|
||||
@@ -28,12 +28,12 @@
|
||||
exit(sprintf('Version of PHP not supported. Please upgrade to version %s or later.', $phpMinVer));
|
||||
|
||||
// Check to see if the configuration file exists, if not, explain
|
||||
Loading…
Reference in New Issue
Block a user