Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package phpPgAdmin for openSUSE:Factory 
checked in at 2023-11-03 22:21:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/phpPgAdmin (Old)
 and      /work/SRC/openSUSE:Factory/.phpPgAdmin.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "phpPgAdmin"

Fri Nov  3 22:21:00 2023 rev:31 rq:1123214 version:7.14.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/phpPgAdmin/phpPgAdmin.changes    2023-04-13 
14:10:58.724376225 +0200
+++ /work/SRC/openSUSE:Factory/.phpPgAdmin.new.17445/phpPgAdmin.changes 
2023-11-03 22:21:47.203673176 +0100
@@ -1,0 +2,13 @@
+Fri Nov  3 10:58:05 UTC 2023 - [email protected]
+
+- Update to 7.14.6
+  * fix for CVE-2023-40619 (boo#1215551)
+  * no real ChangeLog available
+- Changed to fork 'ReimuHakurei'
+- rebased patches
+  * csrf-samesite-fix.patch
+  * phpPgAdmin_config.inc.patch
+- rename phpPgAdmin-config.inc.patch to phpPgAdmin_config.inc.patch
+- add phpPgAdmin_appVersion.patch (remove suffix '-mod')
+
+-------------------------------------------------------------------

Old:
----
  phpPgAdmin-7.13.0.tar.bz2
  phpPgAdmin-config.inc.patch

New:
----
  phpPgAdmin-7.14.6-mod.tar.gz
  phpPgAdmin_appVersion.patch
  phpPgAdmin_config.inc.patch

BETA DEBUG BEGIN:
  Old:  * phpPgAdmin_config.inc.patch
- rename phpPgAdmin-config.inc.patch to phpPgAdmin_config.inc.patch
- add phpPgAdmin_appVersion.patch (remove suffix '-mod')
BETA DEBUG END:

BETA DEBUG BEGIN:
  New:- rename phpPgAdmin-config.inc.patch to phpPgAdmin_config.inc.patch
- add phpPgAdmin_appVersion.patch (remove suffix '-mod')
  New:  * csrf-samesite-fix.patch
  * phpPgAdmin_config.inc.patch
- rename phpPgAdmin-config.inc.patch to phpPgAdmin_config.inc.patch
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ phpPgAdmin.spec ++++++
--- /var/tmp/diff_new_pack.YOIH7F/_old  2023-11-03 22:21:47.839696572 +0100
+++ /var/tmp/diff_new_pack.YOIH7F/_new  2023-11-03 22:21:47.843696719 +0100
@@ -18,6 +18,7 @@
 
 Name:           phpPgAdmin
 
+%define lc_prj  ReimuHakurei
 %define lc_name phppgadmin
 %define ap_docroot_old %{apache_serverroot}/htdocs
 %define ap_docroot %{_datadir}
@@ -26,14 +27,17 @@
 Summary:        Administration of PostgreSQL over the web
 License:        GPL-2.0-or-later
 Group:          Productivity/Databases/Tools
-Version:        7.13.0
+Version:        7.14.6
 Release:        0
-%define rel_version REL_7-13-0
-URL:            http://phppgadmin.sourceforge.net
-Source0:        
https://github.com/%{lc_name}/%{lc_name}/releases/download/%{rel_version}/%{name}-%{version}.tar.bz2
+%define rel_version REL_7-14-6
+#URL:            https://github.com/phppgadmin/phppgadmin
+#Source0:        
https://github.com/%{lc_name}/%{lc_name}/releases/download/%{rel_version}/%{name}-%{version}.tar.bz2
+URL:            https://github.com/ReimuHakurei/phpPgAdmin
+Source0:        %{name}-%{version}-mod.tar.gz
 Source1:        %{name}.http
 Source2:        %{name}.http.inc
-Patch0:         %{name}-config.inc.patch
+Patch0:         %{name}_config.inc.patch
+Patch10:        %{name}_appVersion.patch
 Patch100:       csrf-samesite-fix.patch
 BuildArch:      noarch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
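Review bot: `Source0` is now a bare local file name (`%{name}-%{version}-mod.tar.gz`) and the old download URL survives only as a comment, so nothing in the spec ties the tarball to a specific tag or commit of the fork. The changelog entry says this update carries the fix for CVE-2023-40619 and that no real ChangeLog is available, so a reviewer has no way to check the archive against what the fork published. Either give `Source0` a full URL to the fork's release or tag archive, or add a comment above it such as `# Source0: repacked from https://github.com/ReimuHakurei/phpPgAdmin at <TAG_OR_COMMIT>` and drop the two commented-out upstream lines. The `%define lc_prj ReimuHakurei` added in the first hunk is not used by the `URL:` line here, which hard-codes the name instead.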
@@ -49,7 +53,7 @@
 Features
 
 * Administer multiple servers
-* Support for PostgreSQL 9.x.x, 10.x, 11.x, 12.x
+* Support for PostgreSQL 9.x.x, 10.x, 11.x, 12.x, 14.x
 * Manage all aspects of:
        o Users & groups
        o Databases
@@ -83,8 +87,9 @@
 This subpackage contains the Apache configuration files
 
 %prep
-%setup -q
+%setup -q -n %{name}-%{version}-mod
 %patch0
+%patch10
 %patch100
 
 ### remove not needed files

++++++ csrf-samesite-fix.patch ++++++
--- /var/tmp/diff_new_pack.YOIH7F/_old  2023-11-03 22:21:47.863697454 +0100
+++ /var/tmp/diff_new_pack.YOIH7F/_new  2023-11-03 22:21:47.867697602 +0100
@@ -2,9 +2,9 @@
 ===================================================================
 --- classes/Misc.php.orig
 +++ classes/Misc.php
-@@ -1333,6 +1333,10 @@
-                       $server_info = $this->getServerInfo();
-                       $reqvars = $this->getRequestVars('table');
+@@ -1354,6 +1354,10 @@
+                               echo '<div class="alert-banner"><p><a 
href="https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite";
 target="_blank" rel="noopener noreferrer">', 
htmlspecialchars($lang['sessionsecuritywarning']), '</a></p></div>';
+                       }
  
 +                      if (!$conf['extra_session_security']) {
 +                              echo '<div class="alert-banner"><p><a 
href="http://phppgadmin.sourceforge.net/doku.php?id=faq#other_questions"; 
target="_blank" rel="noopener noreferrer">', 
htmlspecialchars($lang['sessionsecuritywarning']), '</a></p></div>';
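Review bot: After the rebase, the context of this `classes/Misc.php` hunk already contains an `alert-banner` echo of `$lang['sessionsecuritywarning']`, and the patch then adds a second one guarded by `!$conf['extra_session_security']`, so the fork appears to ship this warning itself and the page would likely show it twice. The added copy links to `http://phppgadmin.sourceforge.net/...` over plain HTTP, while the context line points at the php.net SameSite documentation over HTTPS. The `conf/config.inc.php-dist` hunk that follows shows the same pattern, with `$conf['extra_session_security'] = true;` now context rather than an added line. The `lang/english.php` and `libraries/lib.inc.php` parts were dropped, presumably because the fork already carries them, so it is worth checking whether these two remaining parts can be dropped too.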
@@ -17,9 +17,9 @@
 ===================================================================
 --- conf/config.inc.php-dist.orig
 +++ conf/config.inc.php-dist
-@@ -89,6 +89,15 @@
-       // your browser preference.
-       $conf['default_lang'] = 'auto';
+@@ -98,6 +98,15 @@
+       // to this feature and will be vulnerable to CSRF attacks.
+       $conf['extra_session_security'] = true;
  
 +    // If extra session security is true, then PHP's session cookies will have
 +    // SameSite cookie flags set to prevent CSRF attacks.  If you're using
@@ -33,64 +33,6 @@
        // AutoComplete uses AJAX interaction to list foreign key values
        // on insert fields. It currently only works on single column
        // foreign keys. You can choose one of the following values:
-Index: lang/english.php
-===================================================================
---- lang/english.php.orig
-+++ lang/english.php
-@@ -807,6 +807,7 @@
-       $lang['strloading'] = 'Loading...';
-       $lang['strerrorloading'] = 'Error Loading';
-       $lang['strclicktoreload'] = 'Click to reload';
-+      $lang['sessionsecuritywarning'] = 'You are running phpPgAdmin without 
session security.';
- 
-       // Autovacuum
-       $lang['strautovacuum'] = 'Autovacuum';
-Index: libraries/lib.inc.php
-===================================================================
---- libraries/lib.inc.php.orig
-+++ libraries/lib.inc.php
-@@ -50,11 +50,36 @@
-       require_once('./classes/Misc.php');
-       $misc = new Misc();
- 
--      // Start session (if not auto-started)
--      if (!ini_get('session.auto_start')) {
--              session_name('PPA_ID');
--              session_start();
--      }
-+    // Session start: if extra_session_security is on, make sure 
cookie_samesite
-+    // is on (exit if we fail); otherwise, just start the session
-+    $our_session_name = 'PPA_ID';
-+    if ($conf['extra_session_security']) {
-+        if (version_compare(phpversion(), '7.3', '<')) {
-+            exit('PHPPgAdmin cannot be fully secured while running under PHP 
versions before 7.3.  Please upgrade PHP if possible.  If you cannot upgrade, 
and you\'re willing to assume the risk of CSRF attacks, you can change the 
value of "extra_session_security" to false in your config.inc.php file.');
-+        }
-+        if (ini_get('session.auto_start')) {
-+            // If session.auto_start is on, and the session doesn't have
-+            // session.cookie_samesite set, destroy and re-create the session
-+            if (session_name() !== $our_session_name) {
-+                $setting = strtolower(ini_get('session.cookie_samesite'));
-+                if ($setting !== 'lax' && $setting !== 'strict') {
-+                    session_destroy();
-+                    session_name($our_session_name);
-+                    ini_set('session.cookie_samesite', 'Strict');
-+                    session_start();
-+                }
-+            }
-+        } else {
-+            session_name($our_session_name);
-+            ini_set('session.cookie_samesite', 'Strict');
-+            session_start();
-+        }
-+    } else {
-+        if (!ini_get('session.auto_start')) {
-+            session_name($our_session_name);
-+            session_start();
-+        }
-+    }
- 
-       // Do basic PHP configuration checks
-       if (ini_get('magic_quotes_gpc')) {
 Index: tests/manual/issue-94/README.md
 ===================================================================
 --- /dev/null
@@ -270,9 +212,9 @@
 ===================================================================
 --- themes/global.css.orig
 +++ themes/global.css
-@@ -72,6 +72,26 @@ body.browser {
+@@ -92,6 +92,26 @@ body.browser {
+       color: #9F6000;
  }
- .ac_values {width:100%}
  
 +/** alert banner **/
 +.alert-banner {
@@ -297,16 +239,4 @@
  /** bottom link back to top **/
  .bottom_link {
        position: fixed; 
-Index: themes/gotar/global.css
-===================================================================
---- themes/gotar/global.css.orig
-+++ themes/gotar/global.css
-@@ -136,6 +136,7 @@ td.opbutton1 a, td.opbutton2 a {
-       padding-left:6px;
-       padding-right:6px;
- }
-+.alert-banner { margin-top: 0 }
- .topbar { border: 0 }
- .topbar, .topbar *, .trail, .tab, .crumb {
-       border: 0;
 

++++++ phpPgAdmin_appVersion.patch ++++++
Index: libraries/lib.inc.php
===================================================================
--- libraries/lib.inc.php.orig
+++ libraries/lib.inc.php
@@ -16,7 +16,7 @@
        $appName = 'phpPgAdmin';
 
        // Application version
-       $appVersion = '7.14.6-mod';
+       $appVersion = '7.14.6';
 
        // PostgreSQL and PHP minimum version
        global $postgresqlMinVer;
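Review bot: Stripping `-mod` makes the installed application report plain `7.14.6`, which hides that the code comes from the ReimuHakurei fork rather than from the original upstream project. Anyone matching the displayed version against advisories or upstream release notes may end up comparing against the wrong code base, which matters because the changelog ties this update to CVE-2023-40619. If the suffix has to go, record the origin in the comment line the hunk already shows, e.g. `// Application version (ReimuHakurei fork; the fork's own string is '7.14.6-mod', suffix removed by packaging)`.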

++++++ phpPgAdmin_config.inc.patch ++++++
Index: libraries/lib.inc.php
===================================================================
--- libraries/lib.inc.php.orig
+++ libraries/lib.inc.php
@@ -28,12 +28,12 @@
                exit(sprintf('Version of PHP not supported. Please upgrade to 
version %s or later.', $phpMinVer));
 
        // Check to see if the configuration file exists, if not, explain
-       if (file_exists('conf/config.inc.php')) {
+       if (file_exists('/etc/phpPgAdmin/config.inc.php')) {
                $conf = array();
-               include('./conf/config.inc.php');
+               include('/etc/phpPgAdmin/config.inc.php');
        }
        else {
-               echo 'Configuration error: Copy conf/config.inc.php-dist to 
conf/config.inc.php and edit appropriately.';
+               echo 'Configuration error: Can not include config 
/etc/phpPgAdmin/config.inc.php.';
                exit;
        }
 
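Review bot: The guard `file_exists('/etc/phpPgAdmin/config.inc.php')` followed by `include(...)` lets the request continue with the empty `$conf = array()` when the file exists but the web server user cannot read it, because a failed `include` only raises a warning. With the config now under `/etc`, where restrictive ownership and modes are common, that case is more likely than with the in-tree `conf/` path, and settings such as `extra_session_security` would then be unset rather than enforced. Prefer `if (is_readable('/etc/phpPgAdmin/config.inc.php')) {` and `require('/etc/phpPgAdmin/config.inc.php');` so an unreadable config ends in the existing error branch. The message could also read `Cannot read config /etc/phpPgAdmin/config.inc.php.`; the enclosing code of `libraries/lib.inc.php` continues outside the hunk.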
