diff -Nru phpmyadmin-4.6.6/debian/changelog phpmyadmin-4.6.6/debian/changelog
--- phpmyadmin-4.6.6/debian/changelog 2017-04-07 20:24:26.000000000 +0530
+++ phpmyadmin-4.6.6/debian/changelog 2020-03-22 21:37:57.000000000 +0530
@@ -1,3 +1,32 @@
+phpmyadmin (4:4.6.6-4+deb9u1) stretch-security; urgency=high
+
+ * Team upload
+ * Several security fixes
+ - Cross-site scripting (XSS) vulnerability in db_central_columns.php
+ (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
+ - Remove transformation plugin includes
+ (PMASA-2018-6, CVE-2018-19968)
+ - Fix Stored Cross-Site Scripting (XSS) in navigation tree
+ (PMASA-2018-8, CVE-2018-19970)
+ - Fix information leak (arbitrary file read) using SQL queries
+ (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
+ - a specially crafted username can be used to trigger a SQL injection attack
+ (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
+ - SQL injection in Designer feature
+ (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
+ - CSRF vulnerability in login form
+ (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
+ - SQL injection, escape username in the query
+ (PMASA-2020-1, CVE-2020-5504, Closes: #948718)
+ - Add a patch to escape some parameters when changing passwords
+ (PMASA-2020-2, CVE-2020-10804, Closes: #954667)
+ - Add a patch to escape database and table name
+ (PMASA-2020-3, CVE-2020-10802, Closes: #954665)
+ - Add a patch to secure sql_query parameter
+ (PMASA-2020-4, CVE-2020-10803, Closes: #954666)
+
+ -- William Desportes Sun, 22 Mar 2020 17:07:57 +0100
+
 phpmyadmin (4:4.6.6-4) unstable; urgency=medium * Build depend on locales-all to ensure en_US.UTF-8 is available (see
diff -Nru phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch
--- phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch 2020-03-22 21:37:57.000000000 +0530
@@ -0,0 +1,58 @@
+From: William Desportes
+Date: Sun, 22 Mar 2020 17:46:13 +0100
+Subject: Implement signSqlQuery and checkSqlQuerySignature for PMASA-2020-4
+
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/
+
+I imported both functions and kept the diff minimal
+
+Author: William Desportes
+
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/4bf8bfcaa16dd90d7b36c2c3f5e2d36c7b249bd2
+Origin: https://github.com/phpmyadmin/phpmyadmin/pull/15325
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/80a7f0a75c72ec2b92216647ac66890ff58002f8
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/0da6ad6ff47eef5449a25eea7cc09a14bd3dfce5
+---
+ libraries/Util.php | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/libraries/Util.php b/libraries/Util.php
+index 9b6eba4..b0ae104 100644
+--- a/libraries/Util.php
++++ b/libraries/Util.php
+@@ -4980,5 +4980,35 @@ class Util
+ }
+ return trim((string)$value);
+ }
++
++ /**
++ * Sign the sql query using hmac using the session token
++ *
++ * @param string $sqlQuery The sql query
++ * @return void
++ */
++ public static function signSqlQuery($sqlQuery)
++ {
++ /** @var array $cfg */
++ global $cfg;
++ $secret = isset($_SESSION[' HMAC_secret ']) ? $_SESSION[' HMAC_secret '] : '';
++ return hash_hmac('sha256', $sqlQuery, $secret . $cfg['blowfish_secret']);
++ }
++
++ /**
++ * Check that the sql query has a valid hmac signature
++ *
++ * @param string $sqlQuery The sql query
++ * @return void
++ */
++ public static function checkSqlQuerySignature($sqlQuery, $signature)
++ {
++ /** @var array $cfg */
++ global $cfg;
++ $secret = isset($_SESSION[' HMAC_secret ']) ? $_SESSION[' HMAC_secret '] : '';
++ $hmac = hash_hmac('sha256', $sqlQuery, $secret . $cfg['blowfish_secret']);
++ return hash_equals($hmac, $signature);
++ }
++
+ }
+
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch 2020-03-22 21:37:57.000000000 +0530
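Review bot: In add-functions-for-CVE-2020-10803.patch, both new docblocks in libraries/Util.php say `@return void`, yet `signSqlQuery()` returns the HMAC string from `hash_hmac()` and `checkSqlQuerySignature()` returns the boolean from `hash_equals()`; the second docblock also omits `$signature`. I would write `@return string` on the first, and `@param string $signature The signature to check` plus `@return bool` on the second. Separately, both functions fall back to `''` when `$_SESSION[' HMAC_secret ']` is unset, so the key is then only `$cfg['blowfish_secret']`, and an empty key if that is unset as well. A comment stating that the session secret is expected to exist, or failing closed when the combined key is empty, would make that assumption explicit.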
@@ -0,0 +1,239 @@
+Description: Remove transformation plugin includes
+ Tranformation plugins should be loaded by the autoloader.
+ Fixes CVE-2018-19968. This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732
+Author: Lucas Kanashiro , Matthias Blümel
+Last-Updated: 2019-05-31
+
+--- a/libraries/insert_edit.lib.php
++++ b/libraries/insert_edit.lib.php
+@@ -2188,20 +2188,22 @@
+ $transform_options['wrapper_link']
+ = PMA_URL_getCommon($_url_params);
+ $class_name = PMA_getTransformationClassName($include_file);
+- /** @var TransformationsPlugin $transformation_plugin */
+- $transformation_plugin = new $class_name();
++ if (class_exists($class_name)) {
++ /** @var TransformationsPlugin $transformation_plugin */
++ $transformation_plugin = new $class_name();
+
+- foreach ($edited_values as $cell_index => $curr_cell_edited_values) {
+- if (isset($curr_cell_edited_values[$column_name])) {
+- $edited_values[$cell_index][$column_name]
+- = $extra_data['transformations'][$cell_index]
++ foreach ($edited_values as $cell_index => $curr_cell_edited_values) {
++ if (isset($curr_cell_edited_values[$column_name])) {
++ $edited_values[$cell_index][$column_name]
++ = $extra_data['transformations'][$cell_index]
+ = $transformation_plugin->applyTransformation(
+- $curr_cell_edited_values[$column_name],
+- $transform_options,
+- ''
+- );
+- }
+- } // end of loop for each transformation cell
++ $curr_cell_edited_values[$column_name],
++ $transform_options,
++ ''
++ );
++ }
++ } // end of loop for each transformation cell
++ }
+ }
+ return $extra_data;
+ }
+@@ -2888,35 +2890,36 @@
+ $file = $column_mime['input_transformation'];
+ $include_file = 'libraries/plugins/transformations/' . $file;
+ if (is_file($include_file)) {
+- include_once $include_file;
+ $class_name = PMA_getTransformationClassName($include_file);
+- $transformation_plugin = new $class_name();
+- $transformation_options = PMA_Transformation_getOptions(
+- $column_mime['input_transformation_options']
+- );
+- $_url_params = array(
+- 'db' => $db,
+- 'table' => $table,
+- 'transform_key' => $column['Field'],
+- 'where_clause' => $where_clause
+- );
+- $transformation_options['wrapper_link']
+- = PMA_URL_getCommon($_url_params);
+- $current_value = '';
+- if (isset($current_row[$column['Field']])) {
+- $current_value = $current_row[$column['Field']];
+- }
+- if (method_exists($transformation_plugin, 'getInputHtml')) {
+- $transformed_html = $transformation_plugin->getInputHtml(
+- $column, $row_id, $column_name_appendix,
+- $transformation_options, $current_value, $text_dir,
+- $tabindex, $tabindex_for_value, $idindex
++ if (class_exists($class_name)) {
++ $transformation_plugin = new $class_name();
++ $transformation_options = PMA_Transformation_getOptions(
++ $column_mime['input_transformation_options']
+ );
+- }
+- if (method_exists($transformation_plugin, 'getScripts')) {
+- $GLOBALS['plugin_scripts'] = array_merge(
+- $GLOBALS['plugin_scripts'], $transformation_plugin->getScripts()
++ $_url_params = array(
++ 'db' => $db,
++ 'table' => $table,
++ 'transform_key' => $column['Field'],
++ 'where_clause' => $where_clause
+ );
++ $transformation_options['wrapper_link']
++ = PMA_URL_getCommon($_url_params);
++ $current_value = '';
++ if (isset($current_row[$column['Field']])) {
++ $current_value = $current_row[$column['Field']];
++ }
++ if (method_exists($transformation_plugin, 'getInputHtml')) {
++ $transformed_html = $transformation_plugin->getInputHtml(
++ $column, $row_id, $column_name_appendix,
++ $transformation_options, $current_value, $text_dir,
++ $tabindex, $tabindex_for_value, $idindex
++ );
++ }
++ if (method_exists($transformation_plugin, 'getScripts')) {
++ $GLOBALS['plugin_scripts'] = array_merge(
++ $GLOBALS['plugin_scripts'], $transformation_plugin->getScripts()
++ );
++ }
+ }
+ }
+ }
+--- a/libraries/transformations.lib.php
++++ b/libraries/transformations.lib.php
+@@ -179,9 +179,10 @@
+ $include_file = 'libraries/plugins/transformations/' . $file;
+ /* @var $class_name PMA\libraries\plugins\TransformationsInterface */
+ $class_name = PMA_getTransformationClassName($include_file);
+- // include and instantiate the class
+- include_once $include_file;
+- return $class_name::getInfo();
++ if (class_exists($class_name)) {
++ return $class_name::getInfo();
++ }
++ return '';
+ }
+
+ /**
+@@ -196,9 +197,10 @@
+ $include_file = 'libraries/plugins/transformations/' . $file;
+ /* @var $class_name PMA\libraries\plugins\TransformationsInterface */
+ $class_name = PMA_getTransformationClassName($include_file);
+- // include and instantiate the class
+- include_once $include_file;
+- return $class_name::getName();
++ if (class_exists($class_name)) {
++ return $class_name::getInfo();
++ }
++ return '';
+ }
+
+ /**
+--- a/libraries/DisplayResults.php
++++ b/libraries/DisplayResults.php
+@@ -3049,28 +3049,29 @@
+
+ if (file_exists($include_file)) {
+
+- include_once $include_file;
+ $class_name = PMA_getTransformationClassName($include_file);
+- // todo add $plugin_manager
+- $plugin_manager = null;
+- $transformation_plugin = new $class_name(
+- $plugin_manager
+- );
++ if (class_exists($class_name)) {
++ // todo add $plugin_manager
++ $plugin_manager = null;
++ $transformation_plugin = new $class_name(
++ $plugin_manager
++ );
+
+- $transform_options = PMA_Transformation_getOptions(
+- isset(
+- $mime_map[$orgFullColName]
++ $transform_options = PMA_Transformation_getOptions(
++ isset(
++ $mime_map[$orgFullColName]
++ ['transformation_options']
++ )
++ ? $mime_map[$orgFullColName]
+ ['transformation_options']
+- )
+- ? $mime_map[$orgFullColName]
+- ['transformation_options']
+- : ''
+- );
++ : ''
++ );
+
+- $meta->mimetype = str_replace(
+- '_', '/',
+- $mime_map[$orgFullColName]['mimetype']
+- );
++ $meta->mimetype = str_replace(
++ '_', '/',
++ $mime_map[$orgFullColName]['mimetype']
++ );
++ }
+
+ } // end if file_exists
+ } // end if transformation is set
+--- a/tbl_replace.php
++++ b/tbl_replace.php
+@@ -217,28 +217,29 @@
+ $filename = 'libraries/plugins/transformations/'
+ . $mime_map[$column_name]['input_transformation'];
+ if (is_file($filename)) {
+- include_once $filename;
+ $classname = PMA_getTransformationClassName($filename);
+- /** @var IOTransformationsPlugin $transformation_plugin */
+- $transformation_plugin = new $classname();
+- $transformation_options = PMA_Transformation_getOptions(
+- $mime_map[$column_name]['input_transformation_options']
+- );
+- $current_value = $transformation_plugin->applyTransformation(
+- $current_value, $transformation_options
+- );
+- // check if transformation was successful or not
+- // and accordingly set error messages & insert_fail
+- if (method_exists($transformation_plugin, 'isSuccess')
+- && !$transformation_plugin->isSuccess()
+- ) {
+- $insert_fail = true;
+- $row_skipped = true;
+- $insert_errors[] = sprintf(
+- __('Row: %1$s, Column: %2$s, Error: %3$s'),
+- $rownumber, $column_name,
+- $transformation_plugin->getError()
++ if (class_exists($classname)) {
++ /** @var IOTransformationsPlugin $transformation_plugin */
++ $transformation_plugin = new $classname();
++ $transformation_options = PMA_Transformation_getOptions(
++ $mime_map[$column_name]['input_transformation_options']
+ );
++ $current_value = $transformation_plugin->applyTransformation(
++ $current_value, $transformation_options
++ );
++ // check if transformation was successful or not
++ // and accordingly set error messages & insert_fail
++ if (method_exists($transformation_plugin, 'isSuccess')
++ && !$transformation_plugin->isSuccess()
++ ) {
++ $insert_fail = true;
++ $row_skipped = true;
++ $insert_errors[] = sprintf(
++ __('Row: %1$s, Column: %2$s, Error: %3$s'),
++ $rownumber, $column_name,
++ $transformation_plugin->getError()
++ );
++ }
+ }
+ }
+ }
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch 2020-03-22 21:37:57.000000000 +0530
@@ -0,0 +1,17 @@
+Description: Fix Stored Cross-Site Scripting (XSS) in navigation tree
+ Fixes CVE-2018-19970. This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
+Author: Lucas Kanashiro , Matthias Blümel
+Last-Updated: 2019-05-31
+
+--- a/libraries/navigation/NavigationTree.php
++++ b/libraries/navigation/NavigationTree.php
+@@ -761,7 +761,7 @@
+ }
+
+ $groups[$key] = new Node(
+- $key,
++ htmlspecialchars($key),
+ Node::CONTAINER,
+ true
+ );
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch 2020-03-22 21:37:57.000000000 +0530
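Review bot: In CVE-2018-19968.patch, the second libraries/transformations.lib.php hunk (`@@ -196,9 +197,10 @@`) replaces `return $class_name::getName();` with `return $class_name::getInfo();`, so the function that used to return a plugin's name now returns its info text instead. This looks like a copy of the preceding hunk; the guarded line should read `return $class_name::getName();`. The enclosing function's signature is outside the hunk, so its purpose is inferred from the removed line only.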
@@ -0,0 +1,20 @@ +Description: Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows + remote authenticated users to inject arbitrary web script or HTML via a crafted URL. + Fixes CVE-2019-7260. This patch is based on upstream patch: + https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3e8745e8845633ae8a0054b5ee4d8babd5 +Author: Matthias Blümel +Last-Updated: 2019-05-31 + +--- a/db_central_columns.php ++++ b/db_central_columns.php +@@ -87,7 +87,9 @@ + parse_str($_POST['col_name'], $col_name); + $tmp_msg = PMA_deleteColumnsFromList($col_name['selected_fld'], false); + } +-if (isset($_REQUEST['total_rows']) && $_REQUEST['total_rows']) { ++if (!empty($_REQUEST['total_rows']) ++ && PMA_isValid($_REQUEST['total_rows'], 'integer') ++) { + $total_rows = $_REQUEST['total_rows']; + } else { + $total_rows = PMA_getCentralColumnsCount($db); diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch --- phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch 1970-01-01 05:30:00.000000000 +0530 +++ phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch 2020-03-22 21:37:57.000000000 +0530 @@ -0,0 +1,21 @@ +Description: A vulnerability was reported where a specially crafted database name can be + used to trigger an SQL injection attack through the designer feature. + Fix CVE-2019-11768 + + This patch is based on upstream patches: + https://github.com/phpmyadmin/phpmyadmin/commit/c1ecafc38319e8f768c9259d4d580e42acd5ee86 + +Author: Matthias Blümel +Last-Updated: 2019-06-05 + +--- a/js/pmd/move.js ++++ b/js/pmd/move.js +@@ -735,7 +735,7 @@ + + var $form = $('
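Review bot: The Description header of CVE-2018-7260.patch says `Fixes CVE-2019-7260`, while the patch file name and the changelog entry both give CVE-2018-7260; the header should read `Fixes CVE-2018-7260.` so the patch can be found by its identifier. In the db_central_columns.php hunk, `$total_rows` is still assigned the raw request string after `PMA_isValid($_REQUEST['total_rows'], 'integer')` passes. `$total_rows = (int) $_REQUEST['total_rows'];` would keep a numeric type for whatever uses it further down, which is outside the hunk.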
') + .append('') +- .append('') ++ .append($('').val(db)) + .append('') + .append('') + .append('') diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch --- phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch 1970-01-01 05:30:00.000000000 +0530 +++ phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch 2020-03-22 21:37:57.000000000 +0530 
@@ -0,0 +1,46 @@
+Description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
+
+ This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec
+
+Author: Matthias Blümel
+Last-Updated: 2019-06-05
+
+--- a/libraries/plugins/auth/AuthenticationCookie.php
++++ b/libraries/plugins/auth/AuthenticationCookie.php
+@@ -295,7 +295,7 @@
+ $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
+ $GLOBALS['from_cookie'] = false;
+
+- if (! empty($_REQUEST['pma_username'])) {
++ if (! empty($_POST['pma_username'])) {
+
+ // Verify Captcha if it is required.
+ if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
+@@ -339,10 +339,10 @@
+ }
+
+ // The user just logged in
+- $GLOBALS['PHP_AUTH_USER'] = PMA_sanitizeMySQLUser($_REQUEST['pma_username']);
+- $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password'])
++ $GLOBALS['PHP_AUTH_USER'] = PMA_sanitizeMySQLUser($_POST['pma_username']);
++ $GLOBALS['PHP_AUTH_PW'] = empty($_POST['pma_password'])
+ ? ''
+- : $_REQUEST['pma_password'];
++ : $_POST['pma_password'];
+ if ($GLOBALS['cfg']['AllowArbitraryServer']
+ && isset($_REQUEST['pma_servername'])
+ ) {
+--- a/libraries/common.inc.php
++++ b/libraries/common.inc.php
+@@ -739,8 +739,8 @@
+ . ' ' . $cfg['Server']['auth_type']
+ );
+ }
+- if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) {
+- $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
++ if (isset($_POST['pma_password']) && strlen($_POST['pma_password']) > 256) {
++ $_POST['pma_password'] = substr($_POST['pma_password'], 0, 256);
+ }
+ $fqnAuthClass = 'PMA\libraries\plugins\auth\\' . $auth_class;
+ // todo: add plugin manager
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch 2020-03-22 21:37:57.000000000 +0530
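Review bot: In the `@@ -339,10 +339,10 @@` hunk of libraries/plugins/auth/AuthenticationCookie.php (CVE-2019-12616.patch), the user name and password now come from `$_POST` only, but the context line right below still reads `isset($_REQUEST['pma_servername'])`, so the target server can still be supplied through the query string when `AllowArbitraryServer` is on. If the login form posts that field, `&& isset($_POST['pma_servername'])` would keep all three login inputs on one source. The body of that `if` is outside the hunk and would need the same change.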
@@ -0,0 +1,35 @@
+Description: An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported
+ where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
+ Fix CVE-2019-6798
+ https://www.phpmyadmin.net/security/PMASA-2019-2/
+
+ This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/469934cf7d3bd19a839eb78670590f7511399435
+Author: Matthias Blümel
+Last-Updated: 2019-05-31
+
+--- a/libraries/db_designer.lib.php
++++ b/libraries/db_designer.lib.php
+@@ -193,7 +193,8 @@
+ . PMA\libraries\Util::backquote($cfgRelation['db']) . '.'
+ . PMA\libraries\Util::backquote($cfgRelation['designer_settings'])
+ . ' WHERE ' . PMA\libraries\Util::backquote('username') . ' = "'
+- . $GLOBALS['cfg']['Server']['user'] . '";';
++ . $GLOBALS['dbi']->escapeString($GLOBALS['cfg']['Server']['user'])
++ . '";';
+
+ $result = $GLOBALS['dbi']->fetchSingleRow($query);
+
+--- a/libraries/pmd_common.php
++++ b/libraries/pmd_common.php
+@@ -766,8 +766,8 @@
+ . PMA\libraries\Util::backquote($cfgDesigner['db'])
+ . "." . PMA\libraries\Util::backquote($cfgDesigner['table'])
+ . " (username, settings_data)"
+- . " VALUES('" . $cfgDesigner['user'] . "',"
+- . " '" . json_encode($save_data) . "');";
++ . " VALUES('" . $GLOBALS['dbi']->escapeString($cfgDesigner['user'])
++ . "', '" . json_encode($save_data) . "');";
+
+ $success = PMA_queryAsControlUser($query);
+ }
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch 2020-03-22 21:37:57.000000000 +0530
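Review bot: In the libraries/pmd_common.php hunk of CVE-2019-6798.patch, the rewritten VALUES line escapes `$cfgDesigner['user']` but still concatenates `json_encode($save_data)` unescaped into a single-quoted literal, and `json_encode()` leaves `'` untouched by default. If `$save_data` can carry user-controlled strings (its origin is outside the hunk), the second value should go through the same call: `. "', '" . $GLOBALS['dbi']->escapeString(json_encode($save_data)) . "');";`.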
@@ -0,0 +1,78 @@
+Description: Fix information leak (arbitrary file read) using SQL queries
+ Fix CVE-2019-6799
+ https://www.phpmyadmin.net/security/PMASA-2019-1/
+
+ This patch is based on upstream patches:
+ https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900
+ https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec
+ Avoid regression in 'Table > Import > Load CSV with LOAD DATA' by backporting:
+ https://github.com/phpmyadmin/phpmyadmin/commit/d02d61ada7c8e29753fd37440b511a1088efb060
+
+ Note: mitigated by /etc/phpmyadmin/apache.conf's open_basedir:
+ - php5-mysql: open_basedir fully disables LOAD DATA LOCAL INFILE;
+ - php5-mysqlnd: open_basedir is respected but some sensitive files
+ remain accessible, notably '/etc/phpmyadmin/config-db.php'.
+
+ Note: nothing to do with AllowArbitraryServer, works on local MySQL server as well.
+
+ Note: https://bugs.php.net/bug.php?id=77496 applies php5-mysqlnd but not php5-mysql.
+ Also phmymadmin 4.2.12 unconditionally enables LOCAL DATA LOCAL INFILE.
+
+Author: Sylvain Beucler , Matthias Blümel
+Last-Updated: 2019-05-31
+
+--- a/import.php
++++ b/import.php
+@@ -12,6 +12,11 @@
+ define('PMA_ENABLE_LDI', 1);
+ }
+
++/* Enable LOAD DATA LOCAL INFILE for LDI plugin */
++if (isset($_POST['format']) && $_POST['format'] == 'ldi') {
++ define('PMA_ENABLE_LDI', 1);
++}
++
+ /**
+ * Get the variables sent or posted to this script and a core script
+ */
+--- a/libraries/dbi/DBIMysql.php
++++ b/libraries/dbi/DBIMysql.php
+@@ -52,6 +52,10 @@
+ ) {
+ global $cfg;
+
++ if (ini_get('mysql.allow_local_infile')) {
++ PMA_fatalError(__('Please disable mysql.allow_local_infile in your PHP configuration or install the mysqli extension.'));
++ }
++
+ if (empty($client_flags)) {
+ if ($cfg['PersistentConnections'] || $persistent) {
+ $link = @mysql_pconnect($server, $user, $password);
+--- a/libraries/dbi/DBIMysqli.php
++++ b/libraries/dbi/DBIMysqli.php
+@@ -137,12 +137,6 @@
+
+ $link = mysqli_init();
+
+- if (defined('PMA_ENABLE_LDI')) {
+- mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
+- } else {
+- mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);
+- }
+-
+ $client_flags = 0;
+
+ /* Optionally compress connection */
+@@ -224,6 +218,12 @@
+ return false;
+ }
+
++ if (defined('PMA_ENABLE_LDI')) {
++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
++ } else {
++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);
++ }
++
+ return $link;
+ }
+
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch 2020-03-22 21:37:57.000000000 +0530
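Review bot: In the import.php hunk of CVE-2019-6799.patch, the added block calls `define('PMA_ENABLE_LDI', 1)` directly below a context block that already defines the same constant. The condition of that earlier block is outside the hunk, but whenever both apply the second `define()` raises a notice. Guarding it as `if (! defined('PMA_ENABLE_LDI') && isset($_POST['format']) && $_POST['format'] === 'ldi') {` avoids that and makes the comparison strict. A comment on the block saying that the constant is read later in DBIMysqli.php to switch `MYSQLI_OPT_LOCAL_INFILE` on, and that it is forced off otherwise, would help the next reader.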
@@ -0,0 +1,32 @@
+From: William Desportes
+Date: Sun, 22 Mar 2020 16:57:32 +0100
+Subject: Patch for PMASA-2020-3, CVE-2020-10802
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-10802
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-3/
+
+Author: Maurício Meneghini Fauth
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/a8acd7a42cf743186528b0453f90aaa32bfefabe
+Last-Update: 2020-03-22
+---
+ libraries/controllers/table/TableSearchController.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/controllers/table/TableSearchController.php b/libraries/controllers/table/TableSearchController.php
+index 2166585..46c35c5 100644
+--- a/libraries/controllers/table/TableSearchController.php
++++ b/libraries/controllers/table/TableSearchController.php
+@@ -481,8 +481,8 @@ class TableSearchController extends TableController
+ public function getDataRowAction()
+ {
+ $extra_data = array();
+- $row_info_query = 'SELECT * FROM `' . $_REQUEST['db'] . '`.`'
+- . $_REQUEST['table'] . '` WHERE ' . $_REQUEST['where_clause'];
++ $row_info_query = 'SELECT * FROM `' . Util::backquote($_REQUEST['db']) . '`.`'
++ . Util::backquote($_REQUEST['table']) . '` WHERE ' . $_REQUEST['where_clause'];
+ $result = $this->dbi->query(
+ $row_info_query . ";", null, DatabaseInterface::QUERY_STORE
+ );
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch 2020-03-22 21:37:57.000000000 +0530
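Review bot: The new `$row_info_query` lines in TableSearchController.php (CVE-2020-10802.patch) keep the literal backticks from the old code around the new `Util::backquote(...)` calls. Other hunks on this page call the helper with no surrounding backticks (for example `Util::backquote($cfgRelation['db']) . '.'`), which suggests it adds them itself; if so the identifiers end up wrapped twice and the statement is unlikely to parse. I would write `'SELECT * FROM ' . Util::backquote($_REQUEST['db']) . '.'` followed by `. Util::backquote($_REQUEST['table']) . ' WHERE ' . $_REQUEST['where_clause'];`. Note also that `$_REQUEST['where_clause']` is still appended as raw SQL in this action; the HMAC check that CVE-2020-10803.patch adds to tbl_get_field.php is not applied here.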
@@ -0,0 +1,50 @@
+From: William Desportes
+Date: Sun, 22 Mar 2020 17:41:53 +0100
+Subject: Patch for PMASA-2020-4, CVE-2020-10803
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-10803
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/
+
+Author: Maurício Meneghini Fauth
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/6b9b2601d8af916659cde8aefd3a6eaadd10284a
+Last-Update: 2020-03-22
+---
+ libraries/DisplayResults.php | 2 ++
+ tbl_get_field.php | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/libraries/DisplayResults.php b/libraries/DisplayResults.php
+index 1b8f27f..298219c 100644
+--- a/libraries/DisplayResults.php
++++ b/libraries/DisplayResults.php
+@@ -5316,6 +5316,8 @@ class DisplayResults
+ ) = $this->_getPartialText($result);
+ }
+
++ $url_params['where_clause_sign'] = Util::signSqlQuery($url_params['where_clause']);
++
+ /* Create link to download */
+
+ // in PHP < 5.5, empty() only checks variables
+diff --git a/tbl_get_field.php b/tbl_get_field.php
+index 95f8b67..9d3e918 100644
+--- a/tbl_get_field.php
++++ b/tbl_get_field.php
+@@ -33,6 +33,14 @@ if (!$GLOBALS['dbi']->getColumns($db, $table)) {
+ PMA\libraries\Util::mysqlDie(__('Invalid table name'));
+ }
+
++if (! isset($_GET['where_clause'])
++ || ! isset($_GET['where_clause_sign'])
++ || ! PMA\libraries\Util::checkSqlQuerySignature($_GET['where_clause'], $_GET['where_clause_sign'])
++) {
++ PMA_fatalError(__('There is an issue with your request.'));
++ exit;
++}
++
+ /* Grab data */
+ $sql = 'SELECT ' . PMA\libraries\Util::backquote($_GET['transform_key'])
+ . ' FROM ' . PMA\libraries\Util::backquote($table)
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch 2020-03-22 21:37:57.000000000 +0530
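Review bot: The added line in libraries/DisplayResults.php (CVE-2020-10803.patch) reads `$url_params['where_clause']` unconditionally; the companion test patch on this page has to add a `where_clause` key to its `$url_params` fixture, which suggests callers without that key exist and would now hit an undefined-index notice. `$url_params['where_clause_sign'] = Util::signSqlQuery(isset($url_params['where_clause']) ? $url_params['where_clause'] : '');` avoids it. In tbl_get_field.php the two `$_GET` values are only tested with `isset()`, so an array value reaches `hash_hmac()` and `hash_equals()`; adding `|| ! is_string($_GET['where_clause']) || ! is_string($_GET['where_clause_sign'])` before the signature check rejects that before the helper is called.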
@@ -0,0 +1,109 @@
+From: William Desportes
+Date: Sun, 22 Mar 2020 18:16:43 +0100
+Subject: Patch for PMASA-2020-2, CVE-2020-10804
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-10804
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-2/
+
+Author: Maurício Meneghini Fauth
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/89fbcd7c39e6b3979cdb2f64aa4cd5f4db27eaad
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/3258978c38bee8cb4b99f249dffac9c8aaea2d80
+
+Last-Update: 2020-03-22
+---
+ libraries/server_privileges.lib.php | 22 ++++++++++++++--------
+ user_password.php | 10 ++++++----
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/libraries/server_privileges.lib.php b/libraries/server_privileges.lib.php
+index 5ea083b..314d11c 100644
+--- a/libraries/server_privileges.lib.php
++++ b/libraries/server_privileges.lib.php
+@@ -1935,8 +1935,11 @@ function PMA_getCurrentAuthenticationPlugin(
+ && $mode == 'change'
+ ) {
+ $row = $GLOBALS['dbi']->fetchSingleRow(
+- 'SELECT `plugin` FROM `mysql`.`user` WHERE '
+- . '`User` = "' . $username . '" AND `Host` = "' . $hostname . '" LIMIT 1'
++ 'SELECT `plugin` FROM `mysql`.`user` WHERE `User` = "'
++ . $GLOBALS['dbi']->escapeString($username)
++ . '" AND `Host` = "'
++ . $GLOBALS['dbi']->escapeString($hostname)
++ . '" LIMIT 1'
+ );
+ // Table 'mysql'.'user' may not exist for some previous
+ // versions of MySQL - in that case consider fallback value
+@@ -1952,8 +1955,11 @@ function PMA_getCurrentAuthenticationPlugin(
+ }
+
+ $row = $GLOBALS['dbi']->fetchSingleRow(
+- 'SELECT `plugin` FROM `mysql`.`user` WHERE '
+- . '`User` = "' . $username . '" AND `Host` = "' . $hostname . '"'
++ 'SELECT `plugin` FROM `mysql`.`user` WHERE `User` = "'
++ . $GLOBALS['dbi']->escapeString($username)
++ . '" AND `Host` = "'
++ . $GLOBALS['dbi']->escapeString($hostname)
++ . '"'
+ );
+ if (isset($row) && $row && ! empty($row['plugin'])) {
+ $authentication_plugin = $row['plugin'];
+@@ -2083,8 +2089,8 @@ function PMA_updatePassword($err_url, $username, $hostname)
+ . " `authentication_string` = '" . $hashedPassword
+ . "', `Password` = '', "
+ . " `plugin` = '" . $authentication_plugin . "'"
+- . " WHERE `User` = '" . $username . "' AND Host = '"
+- . $hostname . "';";
++ . " WHERE `User` = '" . $GLOBALS['dbi']->escapeString($username)
++ . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) . "';";
+ } else {
+ // USE 'SET PASSWORD ...' syntax for rest of the versions
+ // Backup the old value, to be reset later
+@@ -2094,8 +2100,8 @@ function PMA_updatePassword($err_url, $username, $hostname)
+ $orig_value = $row['@@old_passwords'];
+ $update_plugin_query = "UPDATE `mysql`.`user` SET"
+ . " `plugin` = '" . $authentication_plugin . "'"
+- . " WHERE `User` = '" . $username . "' AND Host = '"
+- . $hostname . "';";
++ . " WHERE `User` = '" . $GLOBALS['dbi']->escapeString($username)
++ . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) . "';";
+
+ // Update the plugin for the user
+ if (!($GLOBALS['dbi']->tryQuery($update_plugin_query))) {
+diff --git a/user_password.php b/user_password.php
+index d2063e5..b879b96 100644
+--- a/user_password.php
++++ b/user_password.php
+@@ -165,7 +165,8 @@ function PMA_changePassword($password, $message, $change_password_message)
+ if ($serverType == 'MySQL'
+ && PMA_MYSQL_INT_VERSION >= 50706
+ ) {
+- $sql_query = 'ALTER USER \'' . $username . '\'@\'' . $hostname
++ $sql_query = 'ALTER USER \'' . $GLOBALS['dbi']->escapeString($username)
++ . '\'@\'' . $GLOBALS['dbi']->escapeString($hostname)
+ . '\' IDENTIFIED WITH ' . $orig_auth_plugin . ' BY '
+ . (($password == '') ? '\'\'' : '\'***\'');
+ } else if (($serverType == 'MySQL'
+@@ -232,7 +233,8 @@ function PMA_changePassUrlParamsAndSubmitQuery(
+ $serverType = PMA\libraries\Util::getServerType();
+
+ if ($serverType == 'MySQL' && PMA_MYSQL_INT_VERSION >= 50706) {
+- $local_query = 'ALTER USER \'' . $username . '\'@\'' . $hostname . '\''
++ $local_query = 'ALTER USER \'' . $GLOBALS['dbi']->escapeString($username)
++ . '\'@\'' . $GLOBALS['dbi']->escapeString($hostname) . '\''
+ . ' IDENTIFIED with ' . $orig_auth_plugin . ' BY '
+ . (($password == '')
+ ? '\'\''
+@@ -258,8 +260,8 @@ function PMA_changePassUrlParamsAndSubmitQuery(
+ . " `authentication_string` = '" . $hashedPassword
+ . "', `Password` = '', "
+ . " `plugin` = '" . $orig_auth_plugin . "'"
+- . " WHERE `User` = '" . $username . "' AND Host = '"
+- . $hostname . "';";
++ . " WHERE `User` = '" . $GLOBALS['dbi']->escapeString($username)
++ . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) . "';";
+ } else {
+ $local_query = 'SET password = ' . (($password == '')
+ ? '\'\''
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch 2020-03-22 21:37:57.000000000 +0530
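Review bot: The rewritten statements in libraries/server_privileges.lib.php and user_password.php (CVE-2020-10804.patch) escape `$username` and `$hostname` but leave `$authentication_plugin`, `$orig_auth_plugin` and `$hashedPassword` concatenated as before, and `$orig_auth_plugin` sits unquoted after `IDENTIFIED WITH`. Where those values are assigned is mostly outside these hunks (one visible source is `$row['plugin']` read back from `mysql.user`), so this is worth confirming. If any of them can be influenced by a request, pass the quoted ones through `$GLOBALS['dbi']->escapeString()` and check the plugin name against a fixed list before it is placed in the statement. All the touched functions start and end outside the hunks.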
@@ -0,0 +1,25 @@
+From: William Desportes
+Date: Sat, 11 Jan 2020 23:27:29 +0100
+Subject: Patch for PMASA-2020-1, CVE-2020-5504
+
+Fix CVE-2020-5504
+
+Author: William Desportes
+Origin: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b
+---
+ libraries/server_privileges.lib.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/server_privileges.lib.php b/libraries/server_privileges.lib.php
+index 48acff0..5ea083b 100644
+--- a/libraries/server_privileges.lib.php
++++ b/libraries/server_privileges.lib.php
+@@ -3144,7 +3144,7 @@ function PMA_getExtraDataForAjaxBehavior(
+
+ if (isset($_REQUEST['validate_username'])) {
+ $sql_query = "SELECT * FROM `mysql`.`user` WHERE `User` = '"
+- . $_REQUEST['username'] . "';";
++ . $GLOBALS['dbi']->escapeString($_REQUEST['username']) . "';";
+ $res = $GLOBALS['dbi']->query($sql_query);
+ $row = $GLOBALS['dbi']->fetchRow($res);
+ if (empty($row)) {
diff -Nru phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch
--- phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch 2020-03-22 21:37:57.000000000 +0530
@@ -0,0 +1,33 @@
+From: William Desportes
+Date: Sun, 22 Mar 2020 17:27:35 +0100
+Subject: Fix tests for CVE-2019-12616
+
+---
+ test/classes/plugin/auth/AuthenticationCookieTest.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/test/classes/plugin/auth/AuthenticationCookieTest.php b/test/classes/plugin/auth/AuthenticationCookieTest.php
+index b8f3fd4..b8af26b 100644
+--- a/test/classes/plugin/auth/AuthenticationCookieTest.php
++++ b/test/classes/plugin/auth/AuthenticationCookieTest.php
+@@ -414,7 +414,7 @@ class AuthenticationCookieTest extends PMATestCase
+ $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
+ $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
+ $_POST["g-recaptcha-response"] = '';
+- $_REQUEST['pma_username'] = 'testPMAUser';
++ $_POST['pma_username'] = 'testPMAUser';
+
+ $this->assertFalse(
+ $this->object->authCheck()
+@@ -522,9 +522,9 @@ class AuthenticationCookieTest extends PMATestCase
+ $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+ $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
+ $_REQUEST['old_usr'] = '';
+- $_REQUEST['pma_username'] = 'testPMAUser';
++ $_POST['pma_username'] = 'testPMAUser';
+ $_REQUEST['pma_servername'] = 'testPMAServer';
+- $_REQUEST['pma_password'] = 'testPMAPSWD';
++ $_POST['pma_password'] = 'testPMAPSWD';
+ $GLOBALS['cfg']['AllowArbitraryServer'] = true;
+
+ $this->assertTrue(
diff -Nru phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch
--- phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch 1970-01-01 05:30:00.000000000 +0530
+++ phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch 2020-03-22 21:37:57.000000000 +0530
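Review bot: Neither adjusted test pins the property the CVE-2019-12616 fix is about: both hunks only move the fixture credentials to `$_POST`, and nothing asserts that `authCheck()` ignores `pma_username` and `pma_password` when they arrive only through `$_REQUEST`. A companion case that sets `$_REQUEST['pma_username']` and `$_REQUEST['pma_password']`, leaves `$_POST` without them and asserts that no login is taken from those values would keep the fix from regressing silently. In the `@@ -522,9 +522,9 @@` hunk `old_usr` and `pma_servername` are still set on `$_REQUEST`; whether that matches what the patched `authCheck()` reads is not visible here and is worth confirming. Both test methods start and end outside the hunks.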
@@ -0,0 +1,111 @@ +From: William Desportes +Date: Sun, 22 Mar 2020 18:02:05 +0100 +Subject: Patch for PMASA-2020-4, CVE-2020-10803 +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Fix CVE-2020-10803 +Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/ + +Author: Maurício Meneghini Fauth +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5 +Last-Update: 2020-03-22 +--- + test/classes/DisplayResultsTest.php | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/test/classes/DisplayResultsTest.php b/test/classes/DisplayResultsTest.php +index 26a0184..3821826 100644 +--- a/test/classes/DisplayResultsTest.php ++++ b/test/classes/DisplayResultsTest.php +@@ -43,6 +43,7 @@ class DisplayResultsTest extends PMATestCase + $GLOBALS['PMA_Config']->enableBc(); + $GLOBALS['text_dir'] = 'ltr'; + $GLOBALS['collation_connection'] = 'utf-8'; ++ $_SESSION[' HMAC_secret '] = 'test'; + + $dbi = $this->getMockBuilder('PMA\libraries\DatabaseInterface') + ->disableOriginalConstructor() +@@ -1326,7 +1327,7 @@ class DisplayResultsTest extends PMATestCase + $meta = new StdClass(); + $meta->type = 'BLOB'; + $meta->orgtable = 'bar'; +- $url_params = array('db' => 'foo', 'table' => 'bar'); ++ $url_params = array('db' => 'foo', 'table' => 'bar', 'where_clause' => 'where_clause'); + + return array( + array( +@@ -1340,9 +1341,7 @@ class DisplayResultsTest extends PMATestCase + $meta, + $url_params, + null, +- '1001' ++ 'class="disableAjax">1001' + ), + array( + true, +@@ -1355,9 +1354,7 @@ class DisplayResultsTest extends PMATestCase + $meta, + $url_params, + null, +- '0x123456' ++ 'class="disableAjax">0x123456' + ), + array( + true, +@@ -1370,9 +1367,7 @@ class DisplayResultsTest extends PMATestCase + $meta, + $url_params, + null, +- '[BLOB - 4 B]' ++ 'class="disableAjax">[BLOB - 4 B]' + ), + array( + false, +@@ -1434,7 +1429,7 @@ class 
DisplayResultsTest extends PMATestCase + $_SESSION['tmpval']['display_binary'] = $display_binary; + $_SESSION['tmpval']['display_blob'] = $display_blob; + $GLOBALS['cfg']['LimitChars'] = 50; +- $this->assertEquals( ++ $this->assertContains( + $output, + $this->_callPrivateFunction( + '_handleNonPrintableContents', +@@ -1474,7 +1469,7 @@ class DisplayResultsTest extends PMATestCase + $meta2->decimals = 0; + $meta2->name = 'varchar'; + $meta2->orgname = 'varchar'; +- $url_params = array('db' => 'foo', 'table' => 'tbl'); ++ $url_params = array('db' => 'foo', 'table' => 'tbl', 'where_clause' => 'where_clause'); + + return array( + array( +@@ -1492,11 +1487,7 @@ class DisplayResultsTest extends PMATestCase + array(), + 0, + 'binary', +- '[BLOB - 4 B]' ++ 'class="disableAjax">[BLOB - 4 B]' + ), + array( + 'noblob', +@@ -1593,7 +1584,7 @@ class DisplayResultsTest extends PMATestCase + $_SESSION['tmpval']['relational_display'] = false; + $GLOBALS['cfg']['LimitChars'] = 50; + $GLOBALS['cfg']['ProtectBinary'] = $protectBinary; +- $this->assertEquals( ++ $this->assertContains( + $output, + $this->_callPrivateFunction( + '_getDataCellForNonNumericColumns', diff -Nru phpmyadmin-4.6.6/debian/patches/series phpmyadmin-4.6.6/debian/patches/series --- phpmyadmin-4.6.6/debian/patches/series 2017-04-07 20:03:36.000000000 +0530 +++ phpmyadmin-4.6.6/debian/patches/series 2020-03-22 21:37:57.000000000 +0530 @@ -1,2 +1,16 @@ Truncate-only-long-passwords.patch debian.patch +CVE-2018-7260.patch +CVE-2018-19968.patch +CVE-2018-19970.patch +CVE-2019-6798.patch +CVE-2019-6799.patch +CVE-2019-11768.patch +CVE-2019-12616.patch +CVE-2020-5504.patch +CVE-2020-10802.patch +fix-tests-for-CVE-2019-12616.patch +CVE-2020-10803.patch +add-functions-for-CVE-2020-10803.patch +fix-tests-for-CVE-2020-10803.patch +CVE-2020-10804.patch
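Review bot: The switch from `assertEquals` to `assertContains` at `@@ -1434,7 +1429,7 @@` and `@@ -1593,7 +1584,7 @@`, combined with expected values cut down to `class="disableAjax">…` in the data providers (`@@ -1340,9 +1341,7 @@`, `@@ -1355,9 +1354,7 @@`, `@@ -1370,9 +1367,7 @@`, `@@ -1492,11 +1487,7 @@`), leaves the generated link target unchecked. That target is presumably the part of the output the CVE-2020-10803 change touches, given the new `where_clause` entry in `$url_params` and the fixed `$_SESSION[' HMAC_secret '] = 'test';` in the first hunk. With a fixed secret the signed URL should be deterministic, so the providers could keep a full expected string, or each test could add a second `assertContains` on the signed query parameter. A one-line comment next to the `HMAC_secret` assignment saying that it exists to make the signature reproducible would also help the next reader. The test methods and providers start and end outside the hunks.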