diff options
Diffstat (limited to 'meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch')
-rw-r--r-- | meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch new file mode 100644 index 0000000000..707334a517 --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch @@ -0,0 +1,37 @@ +From 0842f11158699a979437125756b26eeabedab9ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@fauth.dev> +Date: Fri, 5 Aug 2022 20:18:16 -0300 +Subject: [PATCH] Fix not escaped title when using drag and drop upload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: MaurĂcio Meneghini Fauth <mauricio@fauth.dev> + +Upstream-Status: Backport +CVE: CVE-2023-25727 + +Reference to upstream patch: +https://github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e + +Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com> +--- + js/src/drag_drop_import.js | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/js/src/drag_drop_import.js b/js/src/drag_drop_import.js +index 55250c2..9b8710e 100644 +--- a/js/src/drag_drop_import.js ++++ b/js/src/drag_drop_import.js +@@ -130,7 +130,7 @@ var DragDropImport = { + var filename = $this.parent('span').attr('data-filename'); + $('body').append('<div class="pma_drop_result"><h2>' + + Messages.dropImportImportResultHeader + ' - ' + +- filename + '<span class="close">x</span></h2>' + value.message + '</div>'); ++ Functions.escapeHtml(filename) + '<span class="close">x</span></h2>' + value.message + '</div>'); + $('.pma_drop_result').draggable(); // to make this dialog draggable + } + }); +-- +2.39.1 + |