Escape : also in remove_from_param
parent
ac40be998d
commit
4e2a448e28
|
@ -84,7 +84,7 @@ include "../adminer/drivers/mysql.inc.php"; // must be included as last driver
|
|||
|
||||
define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
|
||||
define("DB", $_GET["db"]); // for the sake of speed and size
|
||||
define("ME", str_replace(":", "%3a", preg_replace('~\?.*~', '', relative_uri())) . '?'
|
||||
define("ME", preg_replace('~\?.*~', '', relative_uri()) . '?'
|
||||
. (sid() ? SID . '&' : '')
|
||||
. (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
|
||||
. (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
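Review bot: With `str_replace(":", "%3a", ...)` gone from the `define("ME", ...)` line, nothing at this call site shows that ME is still colon-escaped; it now depends entirely on relative_uri() doing it. A short comment on that line, such as `// relative_uri() already escapes ":" so ME is never parsed as an absolute URL`, would keep a later edit from dropping what looks like part of the open-redirect hardening listed for 4.7.7. The define statement continues past the end of this hunk. The page has lost its +/- markers, so reading the second ME line as the new side is inferred from the commit title.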
|
||||
|
|
|
@ -725,7 +725,7 @@ function format_time($start) {
|
|||
* @return string
|
||||
*/
|
||||
function relative_uri() {
|
||||
return preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]);
|
||||
return str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]));
|
||||
}
|
||||
|
||||
/** Remove parameter from query string
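Review bot: relative_uri() now rewrites ":" across its whole return value, query string included, because the regex strips only the directory part and keeps everything after "?"; the docblock should say so (it begins above the hunk, and only `* @return string` is visible). Something like `* @return string file name and query string, with ":" escaped as %3a so the result cannot be read as an absolute URL` would state the contract callers now rely on. `$_SERVER["REQUEST_URI"]` is client-controlled and the escape is a single-character denylist, so a regression test with a colon in the path segment and in a parameter value would pin the behaviour for ME and, per the commit title, remove_from_param. This assumes the second `return` line is the new side, since the +/- markers are lost.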
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
<?php
|
||||
$VERSION = "4.7.7";
|
||||
$VERSION = "4.7.8-dev";
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
Adminer 4.7.8-dev:
|
||||
|
||||
Adminer 4.7.7 (released 2020-05-11):
|
||||
Fix open redirect if Adminer is accessible at //adminer.php%2F@
|
||||
|
||||
|
|