Escape : also in remove_from_param

2020-05-11 12:35:19 +02:00 · 2020-05-11 12:35:19 +02:00 · 4e2a448e28
parent ac40be998d
commit 4e2a448e28
4 changed files with 5 additions and 3 deletions
--- a/adminer/include/bootstrap.inc.php
+++ b/adminer/include/bootstrap.inc.php
@ -84,7 +84,7 @@ include "../adminer/drivers/mysql.inc.php"; // must be included as last driver

 define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
 define("DB", $_GET["db"]); // for the sake of speed and size
-define("ME", str_replace(":", "%3a", preg_replace('~\?.*~', '', relative_uri())) . '?'
+define("ME", preg_replace('~\?.*~', '', relative_uri()) . '?'
 	. (sid() ? SID . '&' : '')
 	. (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
 	. (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@ -725,7 +725,7 @@ function format_time($start) {
 * @return string
 */
 function relative_uri() {
-	return preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]);
+	return str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]));
 }

 /** Remove parameter from query string
--- a/adminer/include/version.inc.php
+++ b/adminer/include/version.inc.php
@ -1,2 +1,2 @@
 <?php
-$VERSION = "4.7.7";
+$VERSION = "4.7.8-dev";
--- a/changes.txt
+++ b/changes.txt
@ -1,3 +1,5 @@
+Adminer 4.7.8-dev:
+
 Adminer 4.7.7 (released 2020-05-11):
 Fix open redirect if Adminer is accessible at //adminer.php%2F@