From 789ebc07bdac01ab8b99ad831eba872849eaa7fe Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Tue, 22 Oct 2019 08:30:32 +0200
Subject: [PATCH] Fix XSS if Adminer is accessible at URL /data:
---
 adminer/include/bootstrap.inc.php | 2 +-
 changes.txt | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
index 9f09b326..00baf919 100644
--- a/adminer/include/bootstrap.inc.php
+++ b/adminer/include/bootstrap.inc.php
@@ -84,7 +84,7 @@ include "../adminer/drivers/mysql.inc.php"; // must be included as last driver
 define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
 define("DB", $_GET["db"]); // for the sake of speed and size
-define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"]) . '?'
+define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?'
 . (sid() ? SID . '&' : '')
 . (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
 . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
diff --git a/changes.txt b/changes.txt
index 6d9f3a53..c07a8df0 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.7.4-dev:
+Fix XSS if Adminer is accessible at URL /data:
 Adminer 4.7.3 (released 2019-08-27):
 Allow editing foreign keys pointing to tables in other database/schema (bug #694)
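Review bot: The new `str_replace(":", "%3a", …)` wrapped around the `preg_replace` on the `define("ME", …)` line carries no explanation of why only the colon is encoded, so the link to the commit message is lost for the next maintainer; a comment such as `// encode ':' so a script name like 'data:' cannot be read as a URL scheme when ME is emitted as a relative link` would preserve it. The basename is taken from `$_SERVER["REQUEST_URI"]`, which is request-controlled, and apart from the colon it is still emitted as-is, so the fix presumably relies on every output site HTML-escaping ME — that is not visible in this hunk and is worth confirming. The `define("ME", …)` expression continues past the end of the hunk; its closing line is not shown.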