Merge pull request #285 from phpmyadmin/security/284
Escape Git information on the index page
ibennetch authored Nov 21, 2019
2 parents 81af472 + 1119de6 commit 16959bf
Showing 2 changed files with 14 additions and 9 deletions.
15 changes: 10 additions & 5 deletions libraries/classes/Display/GitRevision.php
@@ -43,27 +43,32 @@ public static function display()
);
$commit_hash = '<strong title="'
. htmlspecialchars($GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_MESSAGE'))
. '">' . $commit_hash . '</strong>';
. '">' . htmlspecialchars($commit_hash) . '</strong>';
if ($GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_ISREMOTECOMMIT')) {
$commit_hash = '<a href="'
. Core::linkURL(
'https://github.com/phpmyadmin/phpmyadmin/commit/'
. $GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_COMMITHASH')
. htmlspecialchars($GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_COMMITHASH'))
)
. '" rel="noopener noreferrer" target="_blank">' . $commit_hash . '</a>';
}

$branch = $GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_BRANCH');
if ($GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_ISREMOTEBRANCH')) {
$isRemoteBranch = $GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_ISREMOTEBRANCH');
if ($isRemoteBranch) {
$branch = '<a href="'
. Core::linkURL(
'https://github.com/phpmyadmin/phpmyadmin/tree/'
. $GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_BRANCH')
)
. '" rel="noopener noreferrer" target="_blank">' . $branch . '</a>';
. '" rel="noopener noreferrer" target="_blank">' . htmlspecialchars($branch) . '</a>';
}
if ($branch !== false) {
$branch = sprintf(__('%1$s from %2$s branch'), $commit_hash, $branch);
$branch = sprintf(
__('%1$s from %2$s branch'),
$commit_hash,
$isRemoteBranch ? $branch : htmlspecialchars($branch)
);
} else {
$branch = $commit_hash . ' (' . __('no branch') . ')';
}
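Review bot: The branch anchor's href, `Core::linkURL('https://github.com/phpmyadmin/phpmyadmin/tree/' . $GLOBALS['PMA_Config']->get('PMA_VERSION_GIT_BRANCH'))`, is left as it was while the commit anchor now wraps the hash in htmlspecialchars before handing it to Core::linkURL, so the two links in this hunk are escaped inconsistently. Escaping the value before it is embedded in the URL is also the wrong layer: an HTML-entity-encoded value changes the target URL itself (harmless for a hex hash, but the same pattern applied to a branch name containing `&` would corrupt the link), whereas the string that needs attribute escaping is the URL linkURL returns. I would escape at output in both places, e.g. `. htmlspecialchars(Core::linkURL('https://github.com/phpmyadmin/phpmyadmin/tree/' . $branch))`, and drop the htmlspecialchars inside the commit URL — assuming linkURL does not already HTML-escape its result, which is not visible here. The `$isRemoteBranch ? $branch : htmlspecialchars($branch)` ternary would read more safely as a separate escaped label computed once, so that `$branch` is never an already-escaped-or-not value depending on a flag. display() starts and ends outside this hunk.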
8 changes: 4 additions & 4 deletions libraries/classes/Footer.php
@@ -83,10 +83,10 @@ private function _getDemoMessage()
include './revision-info.php';
$message .= sprintf(
__('Currently running Git revision %1$s from the %2$s branch.'),
'<a target="_blank" rel="noopener noreferrer" href="' . $repobase . $fullrevision . '">'
. $revision . '</a>',
'<a target="_blank" rel="noopener noreferrer" href="' . $repobranchbase . $branch . '">'
. $branch . '</a>'
'<a target="_blank" rel="noopener noreferrer" href="' . htmlspecialchars($repobase . $fullrevision) . '">'
. htmlspecialchars($revision) . '</a>',
'<a target="_blank" rel="noopener noreferrer" href="' . htmlspecialchars($repobranchbase . $branch) . '">'
. htmlspecialchars($branch) . '</a>'
);
} else {
$message .= __('Git information missing!');
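Review bot: The four new htmlspecialchars calls stop `$repobase . $fullrevision` and `$repobranchbase . $branch` from breaking out of the double-quoted href and the link text, but they rely on the function's default flags, which on PHP versions before 8.1 return an empty string for invalid UTF-8 input and would silently blank the link rather than fail visibly. I would pass the flags explicitly on each call, `htmlspecialchars($revision, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, matching the attribute context the values land in. Note that attribute escaping does not constrain the URL scheme of `$repobase`/`$repobranchbase`; those come from `include './revision-info.php'`, and if that file is generated from repository metadata at package time (not visible here) the remaining exposure is limited to whoever can write it, which is worth a one-line comment above the include. _getDemoMessage() starts and ends outside this hunk.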
