Fix XSS in login form (bug #436)

author Jakub Vrana <jakub@vrana.cz>

Sat, 7 Feb 2015 18:40:51 +0000 (10:40 -0800)

committer Jakub Vrana <jakub@vrana.cz>

Sat, 7 Feb 2015 18:40:51 +0000 (10:40 -0800)
author Jakub Vrana <jakub@vrana.cz>
Sat, 7 Feb 2015 18:40:51 +0000 (10:40 -0800)
committer Jakub Vrana <jakub@vrana.cz>
Sat, 7 Feb 2015 18:40:51 +0000 (10:40 -0800)
diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php

index 28fed00629c303b1cc6b0932eebe495e05487f9f..05bd14189837fa88d7ce4e18fe454b14fe89da08 100644 (file)
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -114,8 +114,13 @@ function unset_permanent() {
         cookie("adminer_permanent", implode(" ", $permanent));
  }
  
+/** Renders an error message and a login form
+* @param string plain text
+* @return null exits
+*/
  function auth_error($error) {
         global $adminer, $has_token;
+       $error = h($error);
         $session_name = session_name();
         if (isset($_GET["username"])) {
                 header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header
diff --git a/changes.txt b/changes.txt

index 764e530ab66b46e6f5ae085547e87e91c5b5fe07..7032f6f8ad1ed92be6add37c68d1115dca755307 100644 (file)
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
  Adminer 4.2.0-dev:
+Fix XSS in login form (bug #436)
  Allow limiting number of displayed rows in SQL command
  Fix reading routine column collations
  Unlock session in alter database
author	Jakub Vrana <jakub@vrana.cz>
	Sat, 7 Feb 2015 18:40:51 +0000 (10:40 -0800)
committer	Jakub Vrana <jakub@vrana.cz>
	Sat, 7 Feb 2015 18:40:51 +0000 (10:40 -0800)
adminer/include/auth.inc.php		patch \| blob \| history
changes.txt		patch \| blob \| history