authorNatanael Copa <ncopa@alpinelinux.org>2014-03-05 10:42:44 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-03-05 10:43:13 +0000
commit3e6173a5d5cb637e4eaf0b4ed7ed7a4b475096c8 (patch)
tree408e0c51b52a0e49315829563ab81cf492d598ab
parent4bac042f438038d28cfeec08b87ed83b44c4be04 (diff)
main/phpmyadmin: security fix for CVE-2014-1879
-rw-r--r--main/phpmyadmin/APKBUILD6
-rw-r--r--main/phpmyadmin/CVE-2014-1879.patch16
2 files changed, 20 insertions, 2 deletions
diff --git a/main/phpmyadmin/APKBUILD b/main/phpmyadmin/APKBUILD
index ca79253451..0eb79f3bcb 100644
--- a/main/phpmyadmin/APKBUILD
+++ b/main/phpmyadmin/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Matt Smith <mcs@darkregion.net>
pkgname=phpmyadmin
pkgver=3.4.11.1
-pkgrel=0
+pkgrel=1
pkgdesc="A Web-based PHP tool for administering MySQL"
url="http://www.phpmyadmin.net/"
arch="noarch"
@@ -15,6 +15,7 @@ subpackages="$pkgname-doc"
_fullpkgname=phpMyAdmin-$pkgver-all-languages
source="http://downloads.sourceforge.net/$pkgname/$_fullpkgname.tar.gz
$pkgname.apache2.conf
+ CVE-2014-1879.patch
"
_builddir="$srcdir"/$_fullpkgname
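Review bot: Nothing in the visible hunks shows `CVE-2014-1879.patch` actually being applied; this hunk only lists it in `source`, and the APKBUILD's `prepare()` (if it has one) lies outside the diff. Please confirm that the build applies every `*.patch` in `$source` from `$_builddir`, otherwise the fix is downloaded and checksummed but never reaches `import.php`. The patch uses `./import.php` paths, so it would need `-p1` relative to `$_builddir`. A short comment beside the entry naming the upstream advisory or commit the backport was taken from would also make it auditable later.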
@@ -85,4 +86,5 @@ doc() {
}
md5sums="e54cedac04ef1743eae381c9affd2fc1 phpMyAdmin-3.4.11.1-all-languages.tar.gz
-2d144825122042b4a2536ad789d66e8e phpmyadmin.apache2.conf"
+2d144825122042b4a2536ad789d66e8e phpmyadmin.apache2.conf
+656da7eed80951a99de50d2f343e6fe8 CVE-2014-1879.patch"
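Review bot: The new patch is pinned only by an MD5 digest in `md5sums`, and the upstream tarball listed in `source` (earlier hunk) is fetched over plain `http://`, so the integrity of everything that goes into this security update rests on MD5 alone. If the abuild version in use accepts them, add a `sha256sums` or `sha512sums` block covering the same three files next to `md5sums`. That is a wider packaging question than this commit, but a security-fix release is a natural place to start.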
diff --git a/main/phpmyadmin/CVE-2014-1879.patch b/main/phpmyadmin/CVE-2014-1879.patch
new file mode 100644
index 0000000000..beb12d7542
--- /dev/null
+++ b/main/phpmyadmin/CVE-2014-1879.patch
@@ -0,0 +1,16 @@
+--- ./import.php.orig
++++ ./import.php
+@@ -409,11 +409,11 @@
+ $message->addParam($executed_queries);
+
+ $message->addString($import_notice);
+- $message->addString('(' . $_FILES['import_file']['name'] . ')');
++ $message->addString('(' . htmlspecialchars($_FILES['import_file']['name']) . ')');
+ } else {
+ $message = PMA_Message::success(__('Import has been successfully finished, %d queries executed.'));
+ $message->addParam($executed_queries);
+- $message->addString('(' . $_FILES['import_file']['name'] . ')');
++ $message->addString('(' . htmlspecialchars($_FILES['import_file']['name']) . ')');
+ }
+ }
+ }
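Review bot: Both added `htmlspecialchars($_FILES['import_file']['name'])` calls rely on the default flags and charset, and the default flag on PHP releases of this era is `ENT_COMPAT`, which leaves single quotes unescaped. That is sufficient if the message is only ever rendered as element text, but how `PMA_Message` emits the string is not visible here, so I would make the intent explicit with `htmlspecialchars($_FILES['import_file']['name'], ENT_QUOTES, 'UTF-8')` (assuming the page is served as UTF-8). The same expression is duplicated in both branches; if the surrounding code allows it, escaping once into a local before the `if` would keep the two from drifting apart. It is also worth checking whether the client-supplied file name is echoed elsewhere in `import.php`, since the enclosing block starts and ends outside this hunk.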