Hello community, here is the log from the commit of package phpMyAdmin checked in at Thu Apr 13 17:30:10 CEST 2006.
--------
--- phpMyAdmin/phpMyAdmin.changes 2006-01-25 21:47:24.000000000 +0100
+++ NOARCH/phpMyAdmin/phpMyAdmin.changes 2006-04-13 16:05:41.000000000 +0200
@@ -1,0 +2,11 @@
+Thu Apr 13 14:08:32 CEST 2006 - mmarek@suse.cz
+
+- updated to 2.8.0.3
+ * fixes some XSS vulnerabilities
+ * improves php-5.1.2 compatibility
+ [#165772]
+- moved $cfg['blowfish_secret'] to separate file, so that config.inc.php
+ isn't edited during install
+ (blowfish_secret.patch)
+
+-------------------------------------------------------------------
Old: ---- phpMyAdmin-2.7.0-pl2.tar.bz2 New: ---- phpMyAdmin-2.8.0.3.tar.bz2 phpMyAdmin-blowfish_secret.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ phpMyAdmin.spec ++++++
--- /var/tmp/diff_new_pack.NyAqVS/_old 2006-04-13 17:29:46.000000000 +0200
+++ /var/tmp/diff_new_pack.NyAqVS/_new 2006-04-13 17:29:46.000000000 +0200
@@ -1,11 +1,11 @@
 #
-# spec file for package phpMyAdmin (Version 2.7.0pl2)
+# spec file for package phpMyAdmin (Version 2.8.0.3)
 #
 # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
-# Please submit bugfixes or comments via http://bugs.opensuse.org
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 # norootforbuild
@@ -16,10 +16,11 @@
 Group: Productivity/Networking/Web/Frontends
 Requires: mod_php_any php-mysql php-bz2 php-gd php-zlib php-iconv php-mcrypt php-session
 Autoreqprov: on
-Version: 2.7.0pl2
-Release: 3
-%define tarversion 2.7.0-pl2
+Version: 2.8.0.3
+Release: 1
+%define tarversion %{version}
 Source0: %{name}-%{tarversion}.tar.bz2
+Patch1: %{name}-blowfish_secret.patch
 URL: http://www.phpMyAdmin.net
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Summary: Administration of MySQL over the web
@@ -62,6 +63,7 @@
 %prep
 %setup -q -n %{name}-%{tarversion}
+%patch1
 find . -type d -exec chmod 755 {} \;
 find . -type f -exec chmod 644 {} \;
 find . -type f -name '*.orig' -exec rm {} \;
@@ -71,8 +73,8 @@
 %install
 install -m 755 -d $RPM_BUILD_ROOT%{serverroot}%{name}
-cp config.default.php config.inc.php
-cp -dR docs.css *.php *.html themes lang libraries css \
+cp libraries/config.default.php libraries/config.inc.php
+cp -dR docs.css *.php *.html themes lang libraries css js \
 $RPM_BUILD_ROOT%{serverroot}%{name}
 # generate file list
@@ -83,9 +85,35 @@
 rm -rf $RPM_BUILD_ROOT
 %post
-if grep -q "\\\$cfg\['blowfish_secret'\] = ''" %{serverroot}%{name}/config.inc.php ; then
+old_config="%{serverroot}%{name}/config.inc.php"
+new_config="%{serverroot}%{name}/libraries/config.inc.php"
+blowfish_secret="%{serverroot}%{name}/libraries/blowfish_secret.inc.php"
+# handle upgrade from a version that had /config.inc.php (<=10.0)
+# now it's /libraries/config.inc.php (>=10.1)
+if test -f "$old_config"; then
+ echo "phpMyAdmin's config file location has changed from " >&2
+ echo "$old_config to" >&2
+ echo "$new_config" >&2
+ echo "it will be automatically moved" >&2
+ # emulate rpm behaviour when upgrading a %%config(noreplace) file
+ mv -f "$new_config" "$new_config.rpmnew"
+ mv -f "$old_config" "$new_config"
+fi
+# generate blowfish secret
+# in <=10.0, this used to be directly in config.inc.php,
+# which made it hard to detect whether the file was changed by the user or not
+if grep -q "\\\$cfg\['blowfish_secret'\]" "$new_config" ; then
+ # if this is an upgrade from <=10.0, move the secret
+ # to blowfish_secret.inc.php
+ # this is hopefully the last time we change this config file in %%post
+ (echo "<?php"
+ grep "\\\$cfg\['blowfish_secret'\]" "$new_config"
+ echo "?>") >"$blowfish_secret"
+ sed -i "s/.*\\\$cfg\['blowfish_secret'\].*/include_once 'blowfish_secret.inc.php';/" "$new_config"
+fi
+if grep -q "\\\$cfg\['blowfish_secret'\] = ''" "$blowfish_secret" ; then
 echo "Generating blowfish secret for phpMyAdmin..."
- sed -i "s/\\\$cfg\['blowfish_secret'\] = ''/\$cfg['blowfish_secret'] = '`pwgen -s -1 46`'/" %{serverroot}%{name}/config.inc.php
+ sed -i "s/\\\$cfg\['blowfish_secret'\] = ''/\$cfg['blowfish_secret'] = '`pwgen -s -1 46`'/" "$blowfish_secret"
 fi
 %files -f FILELIST
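Review bot: The migration branch in %post selects lines with an unanchored `grep "\\\$cfg\['blowfish_secret'\]" "$new_config"`, so any line of the user's config that merely mentions the variable (a commented-out assignment, a comment) is copied into blowfish_secret.inc.php and then overwritten by the `sed` with an `include_once` line. Anchoring the match to an assignment, e.g. `grep "^[[:space:]]*\\\$cfg\['blowfish_secret'\][[:space:]]*="` with the same prefix in the `sed` expression, would confine the rewrite to the real setting. None of the `mv`, redirect or `sed -i` steps is checked, so a failure partway can leave config.inc.php including a secret file that is empty or lacks the assignment, in which case cookie authentication presumably runs without a usable secret; a warning on stderr when a step fails would make that visible. The generation step also prints its message even when `pwgen` produces nothing, and the visible `Requires:` line does not list pwgen, though it may be declared outside the hunks shown.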
@@ -94,9 +122,18 @@
 %doc LICENSE README RELEASE-DATE* TODO translators.html
 %doc scripts/*.sql
 %dir %{serverroot}%{name}
-%config(noreplace) %{serverroot}%{name}/config.inc.php
+%config(noreplace) %{serverroot}%{name}/libraries/config.inc.php
+%verify(not md5 size mtime) %config(noreplace) %{serverroot}%{name}/libraries/blowfish_secret.inc.php
 %changelog -n phpMyAdmin
+* Thu Apr 13 2006 - mmarek@suse.cz
+- updated to 2.8.0.3
+ * fixes some XSS vulnerabilities
+ * improves php-5.1.2 compatibility
+ [#165772]
+- moved $cfg['blowfish_secret'] to separate file, so that config.inc.php
+ isn't edited during install
+ (blowfish_secret.patch)
 * Wed Jan 25 2006 - mls@suse.de
 - converted neededforbuild to BuildRequires
 * Tue Jan 17 2006 - postadal@suse.cz
++++++ phpMyAdmin-2.7.0-pl2.tar.bz2 -> phpMyAdmin-2.8.0.3.tar.bz2 ++++++
++++ 89244 lines of diff (skipped)
++++++ phpMyAdmin-blowfish_secret.patch ++++++
--- libraries/config.default.php
+++ libraries/config.default.php
@@ -42,7 +42,7 @@
 * passphrase that will be used by blowfish. The maximum length seems to be 46
 * characters.
 */
-$cfg['blowfish_secret'] = '';
+include_once 'blowfish_secret.inc.php';
 /**
 * Server(s) configuration
--- /dev/null
+++ libraries/blowfish_secret.inc.php
@@ -0,0 +1,3 @@
+<?php
+$cfg['blowfish_secret'] = '';
+?>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
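Review bot: The new `blowfish_secret.inc.php` entry in %files carries no `%attr`, so the file that now holds only the cookie-encryption secret is presumably packaged with the 644 mode that %prep applies to every file (`find . -type f -exec chmod 644 {} \;`, visible in an earlier hunk) and is readable by any local account. Now that the secret has a file of its own, it could be limited to root and the web server's group, e.g. `%attr(0640,root,<web-server-group>) %verify(not md5 size mtime) %config(noreplace) %{serverroot}%{name}/libraries/blowfish_secret.inc.php`, where the group name is a placeholder for whatever account this distribution runs PHP under. The `>"$blowfish_secret"` redirect in %post rewrites the file in place and `sed -i` normally copies the mode, so the packaged permissions should carry over, but that is worth confirming on an upgrade.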
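Review bot: `include_once 'blowfish_secret.inc.php';` in libraries/config.default.php uses a bare relative name, so PHP looks it up through include_path before falling back to the including script's directory; a same-named file earlier on the path would be loaded instead, and a missing file only raises a warning and leaves `$cfg['blowfish_secret']` unset. Anchoring the path to the file's own directory, `include_once dirname(__FILE__) . '/blowfish_secret.inc.php';`, removes the dependence on include_path. The %post script in the spec writes the same bare `include_once` line into migrated configs and would need the matching change, with the slash escaped in the `sed` expression. Only part of config.default.php is visible in this hunk.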