Hello community, here is the log from the commit of package adminer for openSUSE:Factory checked in at 2019-10-23 15:51:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/adminer (Old) and /work/SRC/openSUSE:Factory/.adminer.new.2352 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "adminer" Wed Oct 23 15:51:09 2019 rev:21 rq:741894 version:4.7.4 Changes: --------
--- /work/SRC/openSUSE:Factory/adminer/adminer.changes 2019-08-29 17:29:20.467250877 +0200
+++ /work/SRC/openSUSE:Factory/.adminer.new.2352/adminer.changes 2019-10-23 15:51:14.382719859 +0200
@@ -1,0 +2,13 @@
+Tue Oct 22 13:32:40 UTC 2019 - ji...@boombatower.com
+
+- Update to version 4.7.4:
+ * Release 4.7.4
+ * Fix XSS if Adminer is accessible at URL /data:
+ * Do not put unused doc links to single driver compiled version
+ * Fix PostgreSQL doc root
+ * Save bytes
+ * add links to oracle docs
+ * add links to postgres docs
+ * Bump version
+
+-------------------------------------------------------------------
Old: ---- adminer-4.7.3.tar.xz New: ---- adminer-4.7.4.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ adminer.spec ++++++
--- /var/tmp/diff_new_pack.iZIkpT/_old 2019-10-23 15:51:15.842721437 +0200
+++ /var/tmp/diff_new_pack.iZIkpT/_new 2019-10-23 15:51:15.846721441 +0200
@@ -22,7 +22,7 @@
 %bcond_with mongodb
 %bcond_with mssql
 Name: adminer
-Version: 4.7.3
+Version: 4.7.4
 Release: 0
 Summary: Database management in a single PHP file
 License: GPL-2.0-only OR Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.iZIkpT/_old 2019-10-23 15:51:15.886721485 +0200
+++ /var/tmp/diff_new_pack.iZIkpT/_new 2019-10-23 15:51:15.886721485 +0200
@@ -2,7 +2,7 @@
 <service name="tar_scm" mode="disabled">
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">v(.*)</param>
- <param name="revision">refs/tags/v4.7.3</param>
+ <param name="revision">refs/tags/v4.7.4</param>
 <param name="url">https://github.com/vrana/adminer.git</param>
 <param name="scm">git</param>
 <param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.iZIkpT/_old 2019-10-23 15:51:15.902721502 +0200
+++ /var/tmp/diff_new_pack.iZIkpT/_new 2019-10-23 15:51:15.902721502 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/vrana/adminer.git</param>
- <param name="changesrevision">32955f780271467572024b1dc91728d959efc1b6</param>
+ <param name="changesrevision">b9594d13d6af838760936634a9a234e3d7c70e18</param>
 </service>
 </servicedata>
++++++ adminer-4.7.3.tar.xz -> adminer-4.7.4.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/adminer/db.inc.php new/adminer-4.7.4/adminer/db.inc.php
--- old/adminer-4.7.3/adminer/db.inc.php 2019-08-27 17:58:21.000000000 +0200
+++ new/adminer-4.7.4/adminer/db.inc.php 2019-10-22 08:33:20.000000000 +0200
@@ -65,7 +65,6 @@
 search_tables();
 }
 }
- $doc_link = doc_link(array('sql' => 'show-table-status.html'));
 echo "<div class='scrollable'>\n";
 echo "<table cellspacing='0' class='nowrap checkable'>\n";
 echo script("mixin(qsl('table'), {onclick: tableClick, ondblclick: partialArg(tableClick, true)});");
@@ -74,12 +73,12 @@ echo '<th>' . lang('Table'); echo '<td>' . lang('Engine') . doc_link(array('sql' => 'storage-engines.html')); echo '<td>' . lang('Collation') . doc_link(array('sql' => 'charset-charsets.html', 'mariadb' => 'supported-character-sets-and-collations/')); - echo '<td>' . lang('Data Length') . $doc_link; - echo '<td>' . lang('Index Length') . $doc_link; - echo '<td>' . lang('Data Free') . $doc_link; + echo '<td>' . lang('Data Length') . doc_link(array('sql' => 'show-table-status.html', 'pgsql' => 'functions-admin.html#FUNCTIONS-ADMIN-DBOBJECT', 'oracle' => 'REFRN20286')); + echo '<td>' . lang('Index Length') . doc_link(array('sql' => 'show-table-status.html', 'pgsql' => 'functions-admin.html#FUNCTIONS-ADMIN-DBOBJECT')); + echo '<td>' . lang('Data Free') . doc_link(array('sql' => 'show-table-status.html')); echo '<td>' . lang('Auto Increment') . doc_link(array('sql' => 'example-auto-increment.html', 'mariadb' => 'auto_increment/')); - echo '<td>' . lang('Rows') . $doc_link; - echo (support("comment") ? '<td>' . lang('Comment') . $doc_link : ''); + echo '<td>' . lang('Rows') . doc_link(array('sql' => 'show-table-status.html', 'pgsql' => 'catalog-pg-class.html#CATALOG-PG-CLASS', 'oracle' => 'REFRN20286')); + echo (support("comment") ? '<td>' . lang('Comment') . doc_link(array('sql' => 'show-table-status.html', 'pgsql' => 'functions-info.html#FUNCTIONS-INFO-COMMENT-TABLE')) : ''); echo "</thead>\n"; $tables = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/adminer/foreign.inc.php new/adminer-4.7.4/adminer/foreign.inc.php --- old/adminer-4.7.3/adminer/foreign.inc.php 2019-08-27 17:58:21.000000000 +0200 +++ new/adminer-4.7.4/adminer/foreign.inc.php 2019-10-22 08:33:20.000000000 +0200 
@@ -97,7 +97,7 @@ 'mariadb' => "foreign-keys/", 'pgsql' => "sql-createtable.html#SQL-CREATETABLE-REFERENCES", 'mssql' => "ms174979.aspx", - 'oracle' => "clauses002.htm#sthref2903", + 'oracle' => "https://docs.oracle.com/cd/B19306_01/server.102/b14200/clauses002.htm#sthref2903", )); ?> <p> <input type="submit" value="<?php echo lang('Save'); ?>"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/adminer/include/bootstrap.inc.php new/adminer-4.7.4/adminer/include/bootstrap.inc.php --- old/adminer-4.7.3/adminer/include/bootstrap.inc.php 2019-08-27 17:58:21.000000000 +0200 +++ new/adminer-4.7.4/adminer/include/bootstrap.inc.php 2019-10-22 08:33:20.000000000 +0200 @@ -84,7 +84,7 @@ define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost define("DB", $_GET["db"]); // for the sake of speed and size -define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"]) . '?' +define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?' . (sid() ? SID . '&' : '') . (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '') . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/adminer/include/editing.inc.php new/adminer-4.7.4/adminer/include/editing.inc.php --- old/adminer-4.7.3/adminer/include/editing.inc.php 2019-08-27 17:58:21.000000000 +0200 +++ new/adminer-4.7.4/adminer/include/editing.inc.php 2019-10-22 08:33:20.000000000 +0200 
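Review bot: The new `'oracle'` value in the `foreign.inc.php` hunk is a full `https://docs.oracle.com/...` URL, while every other entry in the same array is a path appended to a per-driver base. The same update changes the Oracle base in `editing.inc.php` to a prefix ending in `&id=`. If `doc_link()` simply concatenates base and path (its body is not shown here), this link would become a lookup URL carrying a second URL in `id=`. Either use a lookup id here, as `processlist.inc.php` now does with `REFRN30223`, or have `doc_link()` pass through values that already start with a scheme. The `doc_link(array(` call opens before the hunk.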
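Review bot: Only `:` is encoded in the path segment that seeds `ME` in the `bootstrap.inc.php` hunk; everything else `preg_replace` extracts from `$_SERVER["REQUEST_URI"]` is still concatenated as received, so the constant stays safe only where each consumer escapes it for its output context (those call sites are not visible here). The changelog ties the fix to Adminer being reachable at `/data:`, so the intent appears to be keeping a relative link built from `ME` from being parsed as a scheme-qualified URL. That reasoning is worth recording beside the call, e.g. `// encode ":" so a script name such as "data:" cannot make links built from ME resolve as a URL scheme`. The `define("ME", ...)` expression continues past the end of the hunk.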
@@ -531,9 +531,9 @@
 $urls = array(
 'sql' => "https://dev.mysql.com/doc/refman/$version/en/",
 'sqlite' => "https://www.sqlite.org/",
- 'pgsql' => "https://www.postgresql.org/docs/$version/static/",
+ 'pgsql' => "https://www.postgresql.org/docs/$version/",
 'mssql' => "https://msdn.microsoft.com/library/",
- 'oracle' => "https://download.oracle.com/docs/cd/B19306_01/server.102/b14200/",
+ 'oracle' => "https://www.oracle.com/pls/topic/lookup?ctx=db" . preg_replace('~^.* (\d+)\.(\d+)\.\d+\.\d+\.\d+.*~s', '\1\2', $server_info) . "&id=",
 );
 if (preg_match('~MariaDB~', $server_info)) {
 $urls['sql'] = "https://mariadb.com/kb/en/library/";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/adminer/include/version.inc.php new/adminer-4.7.4/adminer/include/version.inc.php
--- old/adminer-4.7.3/adminer/include/version.inc.php 2019-08-27 17:58:21.000000000 +0200
+++ new/adminer-4.7.4/adminer/include/version.inc.php 2019-10-22 08:33:20.000000000 +0200
@@ -1,2 +1,2 @@
 <?php
-$VERSION = "4.7.3";
+$VERSION = "4.7.4";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/adminer/processlist.inc.php new/adminer-4.7.4/adminer/processlist.inc.php
--- old/adminer-4.7.3/adminer/processlist.inc.php 2019-08-27 17:58:21.000000000 +0200
+++ new/adminer-4.7.4/adminer/processlist.inc.php 2019-10-22 08:33:20.000000000 +0200
@@ -27,7 +27,7 @@
 echo "<th>$key" . doc_link(array(
 'sql' => "show-processlist.html#processlist_" . strtolower($key),
 'pgsql' => "monitoring-stats.html#PG-STAT-ACTIVITY-VIEW",
- 'oracle' => "../b14237/dynviews_2088.htm",
+ 'oracle' => "REFRN30223",
 ));
 }
 echo "</thead>\n";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/changes.txt new/adminer-4.7.4/changes.txt
--- old/adminer-4.7.3/changes.txt 2019-08-27 17:58:21.000000000 +0200
+++ new/adminer-4.7.4/changes.txt 2019-10-22 08:33:20.000000000 +0200
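Review bot: In the new `'oracle'` base URL of the `editing.inc.php` hunk, `preg_replace` returns `$server_info` unchanged when the five-part version pattern does not match, so the whole server banner is spliced into the query string instead of a two-digit release. Because the `$urls` array literal is evaluated for every driver, this also runs on non-Oracle banners, although presumably only the current driver's entry is used afterwards. Extracting the digits with `preg_match('~ (\d+)\.(\d+)\.\d+\.\d+\.\d+~', $server_info, $m)` and appending `($m ? $m[1] . $m[2] : "")` keeps the URL well-formed on unexpected input. The enclosing function begins and ends outside the hunk.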
@@ -1,3 +1,6 @@
+Adminer 4.7.4 (released 2019-10-22):
+Fix XSS if Adminer is accessible at URL /data:
+
 Adminer 4.7.3 (released 2019-08-27):
 Allow editing foreign keys pointing to tables in other database/schema (bug #694)
 Fix blocking of concurrent instances in PHP >7.2 (bug #703)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/adminer-4.7.3/compile.php new/adminer-4.7.4/compile.php
--- old/adminer-4.7.3/compile.php 2019-08-27 17:58:21.000000000 +0200
+++ new/adminer-4.7.4/compile.php 2019-10-22 08:33:20.000000000 +0200
@@ -403,6 +403,12 @@
 $file = str_replace('<?php echo html_select("auth[driver]", $drivers, DRIVER) . "\n"; ?>', "<input type='hidden' name='auth[driver]' value='" . ($driver == "mysql" ? "server" : $driver) . "'>" . reset($drivers), $file);
 }
 $file = preg_replace('(;../externals/jush/modules/jush-(?!textarea\.|txt\.|js\.|' . preg_quote($driver == "mysql" ? "sql" : $driver) . '\.)[^.]+.js)', '', $file);
+ $file = preg_replace_callback('~doc_link\(array\((.*)\)\)~sU', function ($match) use ($driver) {
+ list(, $links) = $match;
+ $links = preg_replace("~'(?!(" . ($driver == "mysql" ? "sql|mariadb" : $driver) . ")')[^']*' => [^,]*,?~", '', $links);
+ return (trim($links) ? "doc_link(array($links))" : "''");
+ }, $file);
+ //! strip doc_link() definition
 }
 if ($project == "editor") {
 $file = preg_replace('~;.\.\/externals/jush/jush\.css~', '', $file);
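Review bot: The value part of the stripping pattern in the `compile.php` hunk, `[^,]*,?`, treats the first comma as the end of an array entry, so a `doc_link` value containing a comma (inside a string, or a call with two arguments) would be cut mid-expression and leave broken PHP in the compiled file. The ungreedy `(.*)\)\)` likewise stops at the first `))`. A comment stating that assumption would help, e.g. `// assumes doc_link() values contain no comma and no nested "))"`. `$driver` is also interpolated into the pattern unquoted, unlike the `preg_replace` on the line above; `($driver == "mysql" ? "sql|mariadb" : preg_quote($driver, "~"))` would match it. The enclosing `if` block opens before the hunk.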