Hi,

> Thanks. Can you attach the debdiff between the current version in
> buster and the proposed one to this bug?
Here it is. Alex
diff -Nru adminer-4.7.1/debian/adminer.apache2 adminer-4.7.1/debian/adminer.apache2
--- adminer-4.7.1/debian/adminer.apache2 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/adminer.apache2 2021-03-08 13:31:21.000000000 +0100
@@ -0,0 +1 @@
+conf debian/adminer.conf
diff -Nru adminer-4.7.1/debian/adminer.conf adminer-4.7.1/debian/adminer.conf
--- adminer-4.7.1/debian/adminer.conf 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/adminer.conf 2021-03-08 13:31:21.000000000 +0100
@@ -0,0 +1,6 @@
+Alias /adminer /etc/adminer
+
+<Directory /etc/adminer>
+ Require all granted
+ DirectoryIndex conf.php
+</Directory>
diff -Nru adminer-4.7.1/debian/changelog adminer-4.7.1/debian/changelog
--- adminer-4.7.1/debian/changelog 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/changelog 2021-05-26 09:06:37.000000000 +0200
@@ -1,3 +1,17 @@
+adminer (4.7.1-1+deb10u1) buster; urgency=medium
+
+ * provide a compiled version and configuration files (Closes: #952755)
+ * privacy: default to disable check for new version
+ * Backport security patch series from upstream:
+ - Fix open redirect if Adminer is accessible at //adminer.php%2F@
+ - Fix XSS if Adminer is accessible at URL /data
+ - CVE-2020-35572: Fix XSS in browsers which don't encode URL parameters
+ - CVE-2021-21311: Elasticsearch: Do not print response if HTTP code is
+ not 200
+ - CVE-2021-29625: XSS in doc_link
+
+ -- Alexandre Rossi <alexandre.ro...@gmail.com> Wed, 26 May 2021 09:06:37 +0200
+
 adminer (4.7.1-1) unstable; urgency=medium
 * New upstream release.
diff -Nru adminer-4.7.1/debian/conf.php adminer-4.7.1/debian/conf.php
--- adminer-4.7.1/debian/conf.php 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/conf.php 2021-03-08 13:31:21.000000000 +0100
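Review bot: `Require all granted` inside the new `<Directory /etc/adminer>` block opens the Adminer login form to every client as soon as `a2enconf adminer` is run, and since Adminer brokers database logins an internet-facing host gets a credential-guessing surface with no further opt-in. A more defensive shipped default is `Require local` (or an explicit `Require ip` list) with a comment above it such as `# Widen this deliberately; Adminer forwards database credentials for any client allowed here.` so the admin widens access knowingly. The `<Location /adminer>` example in README.Debian in this same debdiff grants the same unrestricted access and could carry the same remark. `dh_apache2 --noenable` in debian/rules at least keeps the conf off until enabled.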
@@ -0,0 +1,33 @@
+<?php
+
+define('ADMINER_DIR', '/usr/share/adminer');
+
+function adminer_object() {
+ // required to run any plugin
+ include_once ADMINER_DIR . "/plugins/plugin.php";
+
+ // autoloader
+ foreach (glob(ADMINER_DIR . "/plugins/*.php") as $filename) {
+ include_once $filename;
+ }
+
+ $plugins = array(
+ // specify enabled plugins here
+ new AdminerVersionNoverify(), // disable phoning home
+ //new AdminerLoginServers([
+ // 'my' => ['server' => 'localhost', 'driver' => 'server'], // mysql
+ // 'pg' => ['server' => 'localhost', 'driver' => 'pgsql'],
+ //]),
+ );
+
+ /* It is possible to combine customization and plugins:
+ class AdminerCustomization extends AdminerPlugin {
+ }
+ return new AdminerCustomization($plugins);
+ */
+
+ return new AdminerPlugin($plugins);
+}
+
+include ADMINER_DIR . "/adminer.php";
+?>
diff -Nru adminer-4.7.1/debian/control adminer-4.7.1/debian/control
--- adminer-4.7.1/debian/control 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/control 2021-05-26 09:06:37.000000000 +0200
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Chris Lamb <la...@debian.org>
 Build-Depends:
- debhelper-compat (= 11),
+ debhelper-compat (= 11), php-cli, dh-apache2
 Standards-Version: 4.3.0
 Homepage: https://www.adminer.org/
 Vcs-Git: https://salsa.debian.org/lamby/pkg-adminer.git
@@ -20,6 +20,7 @@
 php-mysql,
 php-pgsql,
 php-sqlite3,
+ ${misc:Recommends},
 Suggests:
 default-mysql-server | virtual-mysql-server | postgresql | sqlite3,
 Description: Web-based database administration tool
diff -Nru adminer-4.7.1/debian/install adminer-4.7.1/debian/install
--- adminer-4.7.1/debian/install 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/install 2021-03-08 13:31:21.000000000 +0100
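Review bot: The plugin autoloader in `adminer_object()` iterates `glob()`'s result directly, and `glob()` returns `false` on failure, which turns into a `foreach` warning instead of a clean skip; `foreach ((glob(ADMINER_DIR . "/plugins/*.php") ?: []) as $filename) {` keeps the loop quiet in that case. The closing `?>` on the last line of conf.php is unnecessary in a PHP-only file, and any byte that ends up after it is emitted before adminer.php can send its headers, so dropping it is the safer form. Because this is the file where `AdminerLoginServers` entries with server details would be filled in, a header comment along the lines of `// Anything you put here (e.g. AdminerLoginServers entries) is readable by whoever can read /etc/adminer/conf.php.` would make the exposure explicit to the admin editing it.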
@@ -4,3 +4,4 @@
 editor usr/share/adminer
 externals usr/share/adminer
 plugins usr/share/adminer
+debian/conf.php etc/adminer/
diff -Nru adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch
--- adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,44 @@
+From 6a2de873e194cf4bf3f2edb489ba98580a17a632 Mon Sep 17 00:00:00 2001
+From: Jakub Vrana <ja...@vrana.cz>
+Date: Mon, 11 May 2020 11:49:46 +0200
+Subject: [PATCH] Fix open redirect if Adminer is accessible at
+ //adminer.php%2F@ (thanks to Prakash Sharma)
+
+diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
+index 00baf919..621ec465 100644
+--- a/adminer/include/bootstrap.inc.php
++++ b/adminer/include/bootstrap.inc.php
+@@ -84,7 +84,7 @@
+
+ define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
+ define("DB", $_GET["db"]); // for the sake of speed and size
+-define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?'
++define("ME", str_replace(":", "%3a", preg_replace('~\?.*~', '', relative_uri())) . '?'
+ . (sid() ? SID . '&' : '')
+ . (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
+ . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
+diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
+index 787ab79b..adcf1fbd 100644
+--- a/adminer/include/functions.inc.php
++++ b/adminer/include/functions.inc.php
+@@ -721,12 +721,19 @@ function format_time($start) {
+ return lang('%.3f s', max(0, microtime(true) - $start));
+ }
+
++/** Get relative REQUEST_URI
++* @return string
++*/
++function relative_uri() {
++ return preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]);
++}
++
+ /** Remove parameter from query string
+ * @param string
+ * @return string
+ */
+ function remove_from_uri($param = "") {
+- return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', "$_SERVER[REQUEST_URI]&"), 0, -1);
++ return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', relative_uri() . 
"&"), 0, -1); + } + + /** Generate page number for pagination diff -Nru adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch --- adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch 1970-01-01 01:00:00.000000000 +0100 +++ adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch 2021-05-26 09:06:37.000000000 +0200 @@ -0,0 +1,18 @@ +From 789ebc07bdac01ab8b99ad831eba872849eaa7fe Mon Sep 17 00:00:00 2001 +From: Jakub Vrana <ja...@vrana.cz> +Date: Tue, 22 Oct 2019 08:30:32 +0200 +Subject: [PATCH] Fix XSS if Adminer is accessible at URL /data: + +diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php +index 9f09b326..00baf919 100644 +--- a/adminer/include/bootstrap.inc.php ++++ b/adminer/include/bootstrap.inc.php +@@ -84,7 +84,7 @@ + + define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost + define("DB", $_GET["db"]); // for the sake of speed and size +-define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"]) . '?' ++define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?' + . (sid() ? SID . '&' : '') + . (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '') + . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '') diff -Nru adminer-4.7.1/debian/patches/CVE-2020-35572.patch adminer-4.7.1/debian/patches/CVE-2020-35572.patch --- adminer-4.7.1/debian/patches/CVE-2020-35572.patch 1970-01-01 01:00:00.000000000 +0100 +++ adminer-4.7.1/debian/patches/CVE-2020-35572.patch 2021-05-26 09:06:37.000000000 +0200 
@@ -0,0 +1,17 @@
+From 5c395afc098e501be3417017c6421968aac477bd Mon Sep 17 00:00:00 2001
+From: Jakub Vrana <ja...@vrana.cz>
+Date: Sat, 6 Feb 2021 19:04:15 +0100
+Subject: [PATCH] Fix XSS in browsers which don't encode URL parameters (bug
+ #775)
+
+--- a/adminer/sql.inc.php
++++ b/adminer/sql.inc.php
+@@ -222,7 +222,7 @@
+ }
+ echo "<p>";
+ textarea("query", $q, 20);
+- echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . remove_from_uri("sql|limit|error_stops|only_errors") . "');");
++ echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . js_escape(remove_from_uri("sql|limit|error_stops|only_errors|history")) . "');");
+ echo "<p>$execute\n";
+ echo lang('Limit rows') . ": <input type='number' name='limit' class='size' value='" . h($_POST ? $_POST["limit"] : $_GET["limit"]) . "'>\n";
+
diff -Nru adminer-4.7.1/debian/patches/CVE-2021-21311.patch adminer-4.7.1/debian/patches/CVE-2021-21311.patch
--- adminer-4.7.1/debian/patches/CVE-2021-21311.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/CVE-2021-21311.patch 2021-05-26 09:06:37.000000000 +0200
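Review bot: The replacement line wraps the URI in `js_escape()` and at the same time extends the stripped parameter list with `history`; the patch itself defines neither, so before this lands in buster it is worth confirming that `js_escape()` already exists in the 4.7.1 copy of adminer/include/functions.inc.php (the upstream commit targets a later tree) and that `remove_from_uri()` here is the one patched by 6a2de873 to use `relative_uri()`, which is what series order currently provides. The `|history` addition is unrelated to the XSS fix and deserves a sentence in the patch header, e.g. `The upstream hunk also strips the history parameter; kept for identical context.`, so a later rebase does not drop it by accident. The enclosing function starts and ends outside the hunk.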
@@ -0,0 +1,17 @@
+From ccd2374b0b12bd547417bf0dacdf153826c83351 Mon Sep 17 00:00:00 2001
+From: Jakub Vrana <ja...@vrana.cz>
+Date: Fri, 5 Feb 2021 16:16:23 +0100
+Subject: [PATCH] Elasticsearch: Do not print response if HTTP code is not 200
+ Thanks to Adam Crosser and Brian Sizemore
+
+--- a/adminer/drivers/elastic.inc.php
++++ b/adminer/drivers/elastic.inc.php
+@@ -27,7 +27,7 @@
+ return $file;
+ }
+ if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
+- $this->error = $file;
++ $this->error = lang('Invalid credentials.') . " $http_response_header[0]";
+ return false;
+ }
+ $return = json_decode($file, true);
diff -Nru adminer-4.7.1/debian/patches/CVE-2021-29625.patch adminer-4.7.1/debian/patches/CVE-2021-29625.patch
--- adminer-4.7.1/debian/patches/CVE-2021-29625.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/CVE-2021-29625.patch 2021-05-26 09:06:37.000000000 +0200
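Review bot: The new assignment `$this->error = lang('Invalid credentials.') . " $http_response_header[0]";` still embeds the remote status line, which is bytes chosen by whatever host the driver was pointed at, so the defence only holds if every place that prints `$this->error` for this driver passes it through `h()`; that is worth checking in the 4.7.1 tree since the display sites are outside this hunk. The fixed wording also labels any non-2xx answer, including a 404 or 500, as "Invalid credentials.", which can send an operator down the wrong path; a patch-header sentence such as `Only the status line is surfaced; the body is dropped regardless of status.` would record the trade-off for whoever triages reports. The enclosing method starts and ends outside the hunk.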
@@ -0,0 +1,18 @@
+From: 4043092ec2c0de2258d60a99d0c5958637d051a7
+Author: Jakub Vrana <ja...@vrana.cz>
+Date: Fri May 14 06:39:01 2021 +0200
+Subject: Escape link in doc_link (bug #797)
+
+diff --git a/adminer/include/editing.inc.php b/adminer/include/editing.inc.php
+index 88d66d44..5556b014 100644
+--- a/adminer/include/editing.inc.php
++++ b/adminer/include/editing.inc.php
+@@ -542,7 +542,7 @@ function doc_link($paths, $text = "<sup>?</sup>") {
+ $urls['sql'] = "https://mariadb.com/kb/en/library/";
+ $paths['sql'] = (isset($paths['mariadb']) ? $paths['mariadb'] : str_replace(".html", "/", $paths['sql']));
+ }
+- return ($paths[$jush] ? "<a href='$urls[$jush]$paths[$jush]'" . target_blank() . ">$text</a>" : "");
++ return ($paths[$jush] ? "<a href='" . h($urls[$jush] . $paths[$jush]) . "'" . target_blank() . ">$text</a>" : "");
+ }
+
+ /** Wrap gzencode() for usage in ob_start()
diff -Nru adminer-4.7.1/debian/patches/plugin-version-noverify-fix adminer-4.7.1/debian/patches/plugin-version-noverify-fix
--- adminer-4.7.1/debian/patches/plugin-version-noverify-fix 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/plugin-version-noverify-fix 2021-05-26 09:06:37.000000000 +0200
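Review bot: The header line `From: 4043092ec2c0de2258d60a99d0c5958637d051a7` puts a commit id in the `From:` field, which DEP-3 treats as an alias of `Author:`, so tooling reads the hash as the author and the following `Author:` line as a duplicate. Use `Origin: upstream, 4043092ec2c0de2258d60a99d0c5958637d051a7` for the commit reference and keep the `Author:` line, and since the changelog ties this patch to CVE-2021-29625 a `Bug:`/`Bug-Debian:` line pointing at the tracking report would make the provenance self-describing. The code change itself, escaping the concatenated URL with `h()` before it is placed in the `href` attribute, is the right fix for that context.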
@@ -0,0 +1,17 @@
+Author: Alexandre Rossi <alexandre.ro...@gmail.com>
+Description: Fix VersionNoverify plugin
+Forwarded: https://sourceforge.net/p/adminer/bugs-and-features/705/
+
+Index: adminer.git/plugins/version-noverify.php
+===================================================================
+--- adminer.git.orig/plugins/version-noverify.php 2019-09-06 10:10:29.544811633 +0200
++++ adminer.git/plugins/version-noverify.php 2019-09-06 10:11:18.181666258 +0200
+@@ -8,7 +8,7 @@
+ */
+ class AdminerVersionNoverify {
+
+- function navigation($missing) {
++ function head() {
+ echo script("verifyVersion = function () {};");
+ }
+
diff -Nru adminer-4.7.1/debian/patches/series adminer-4.7.1/debian/patches/series
--- adminer-4.7.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/series 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,6 @@
+CVE-2021-29625.patch
+plugin-version-noverify-fix
+789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch
+6a2de873e194cf4bf3f2edb489ba98580a17a632.patch
+CVE-2020-35572.patch
+CVE-2021-21311.patch
diff -Nru adminer-4.7.1/debian/README.Debian adminer-4.7.1/debian/README.Debian
--- adminer-4.7.1/debian/README.Debian 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/README.Debian 2021-03-08 13:31:21.000000000 +0100
@@ -0,0 +1,59 @@
+# Setup overview
+
+The compiled version of adminer is located at /usr/share/adminer/adminer.php
+
+The recommended ways to deploy adminer are:
+- symlinking adminer.php into your directory of choice viewable by a
+ php-enabled webserver.
+- if you want to enable plugins, pointing your webserver configuration to
+ /etc/adminer with conf.php a directory index. Editing conf.php lets you
+ enable plugins.
+
+The compiled version for the editor is located at /usr/share/adminer/editor.php
+
+# Setup for standalone workstation
+
+The simplest way to run adminer consists in the following:
+$ cd /usr/share/adminer
+$ php -S localhost:8000
+
+and you'll find adminer at http://localhost:8000/adminer/ .
+
+# Setup with apache
+
+Enabling the adminer configuration should make adminer available at
+http://server/adminer work provided you have libapache2-mod-php enabled.
+
+$ sudo a2enconf adminer
+
+# Setup with apache+uwsgi
+
+uwsgi configuration file:
+
+ [uwsgi]
+ master = True
+ cheap = True
+
+ plugins = 0:php
+
+ project_dir = /etc/adminer
+ chdir = %(project_dir)
+ php-docroot = %(project_dir)
+ php-index = conf.php
+
+ plugins = router_rewrite
+ route = ^/adminer/(.*) rewrite:/conf.php
+
+ buffer-size = 8192
+
+ # PHP sessions storage
+ cache2 = name=dbadmsessions,items=200,store=/var/lib/www/adminer/uwsgi.cache,expires=3600
+ php-set = session.save_handler=uwsgi
+ php-set = session.save_path=dbadmsessions
+
+apache:
+
+ ProxyPassMatch "^/adminer/(.*)?$" "unix:/var/run/uwsgi/adminer.socket|uwsgi://uwsgi-uds-adminer/"
+ <Location /adminer>
+ Require all granted
+ </Location>
diff -Nru adminer-4.7.1/debian/rules adminer-4.7.1/debian/rules
--- adminer-4.7.1/debian/rules 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/rules 2021-03-08 13:31:21.000000000 +0100
@@ -3,7 +3,7 @@
 SHARE := $(CURDIR)/debian/$(shell dh_listpackages)/usr/share
 %:
- dh $@
+ dh $@ --with apache2
 override_dh_installchangelogs:
 dh_installchangelogs changes.txt
@@ -15,3 +15,17 @@
 set -e; for X in designs plugins; do \
 mv -v $(SHARE)/adminer/$$X/readme.txt $(SHARE)/doc/adminer/readme-$$X.txt; \
 done
+
+override_dh_auto_build:
+ dh_auto_build
+ php compile.php
+ mv adminer-*.php adminer.php
+ php compile.php editor
+ mv editor-*.php editor.php
+
+override_dh_apache2:
+ dh_apache2 --noenable
+
+override_dh_auto_clean:
+ rm -f adminer*.php editor*.php
+ dh_auto_clean