Michal Čihař - Blog Archives for phpMyAdmin

Quite on schedule (just one day later), Weblate 2.7 is out today. This release brings Subversion support or improved zen mode.

Full list of changes:

• Documentation improvements.
• Translations.
• Updated bundled javascript libraries.
• Added list_translators management command.
• Django 1.8 is no longer supported.
• Fixed compatibility with Django 1.10.
• Added Subversion support.
• Separated XML validity check from XML mismatched tags.
• Fixed API to honor HIDE_REPO_CREDENTIALS settings.
• Show source change in zen mode.
• Alt+PageUp/PageDown/Home/End now works in zen mode as well.
• Add tooltip showing exact time of changes.
• Add option to select filters and search from translation page.
• Added UI for translation removal.
• Improved behavior when inserting placeables.
• Fixed auto locking issues in zen mode.

If you are upgrading from older version, please follow our upgrading instructions.

You can find more information about Weblate on https://weblate.org, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. You can login there with demo account using demo password or register your own user. Weblate is also being used on https://hosted.weblate.org/ as official translating service for phpMyAdmin, OsmAnd, Aptoide, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations, thanks to everybody who have helped so far! The roadmap for next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing bounty for them.

Last week was a bit calmer with bigger focus on bug fixing, so that phpMyAdmin 4.6.5 works better thatn 4.6.4, where we managed to screw up some functionality due to too strict hardening fixes.

This includes reporting of too short secret when one was autogenerated, broken browsing of mysql.user or mysql.db tables or breakage when editing ENUM fields. All these are now fixed in QA_4_6.

Another major topic last week was our Docker container, which got heavily improved. To name the most important thing it now uses proper web server (nginx) and PHP FPM instead of PHP built in server, which is not really suitable for production use.

Handled issues:

• #12493 Allow CSP headers to be disabled
• #12480 Tablecolumns Length/Values can't be changed
• #12496 Trying to create enum field gives error and enum is 'enum(0)'
• #12251 Logged out at random
• #12485 Error: The secret passphrase in configuration (blowfish_secret) is too short.
• #12479 Share code for URL validation
• #12483 mysql.user and mysql.db show code instead of usernames

Four months after 1.0 release, motranslator 1.1 is out. If you happen to use it for untrusted data, this might be as well called security release, though this is still not good idea until we remove usage of eval() used to evaluate plural formula.

Full list of changes:

• Improved handling of corrupted mo files
• Minor performance improvements
• Stricter validation of plural expression

The motranslator is a translation library used in current phpMyAdmin master (upcoming 4.7.0) with focus on speed and memory usage. It uses Gettext MO files to load the translations. It also comes with testsuite (100% coverage) and basic documentation.

Recommended way to install it is using composer from Packagist repository:

composer require phpmyadmin/motranslator

The Debian package will be available probably at point phpMyAdmin 4.7.0 will be out, but if you see need to have it earlier, just let me know.

Since I've created the phpMyAdmin container for Docker I've always felt strange about using PHP's built in web server there. It really made it poor choice for any production setup and probably was causing lot of problems users saw with this container. During the weekend, I've changed it to use more complex setup with Supervisor, nginx and PHP FPM.

As building this container is one of my first experiences with Docker (together with Weblate container), it was not as straightforward as I'd hope for, but in the end is seems to be working just fine. While touching the code, I've also improved testing of the Docker container to tests all supported setups and to better report in case of test fails.

The nice side effect of this is that the PHP code is no longer being executed under root in the container, so that should make it more sane for production use as well (honestly I never liked this approach that almost everything is executed as root in Docker containers).

Last week was finally a bit calmer on security issues side so I could look into other issues as well. I finally had time to review some of the pull requests and go through the newly opened issues, but still there is lot of work to do.

The biggest change was that we've launched new website. This was mostly finished some weeks ago, but now it is alive. Hopefully it looks better and cleaner as it was created with all current page content in mind and not continuously adding new things on the way. Anyway it feels a bit strange for me doing designer work when I'm not really good at it. Anyway this is probably fourth version of our website I've done...

One other thing worth mentioning is reintroduction of $cfg['PmaAbsoluteUri'] in upcoming 4.6.5 release. It turns out to be needed in some reverse proxy setups.

Handled issues:

• #12471 use of != for checking if password equal to repeated password
• #12374 Reverse Proxy without PmaAbsoluteUri?
• #12457 Fixes #12380 Refactored http requests into one function "httpRequest" in Util.php
• #12333 Fixes #12330 - Shortcut for closing console
• #12430 Partitions editor: Allow to edit partition names; Add 'COLUMNS Partitioning' support.
• #12458 Translation improvements
• #12459 When editing table records, display readonly inputs for fields without write access.
• #12462 Reload Navigation if no previous entry stored
• #12384 Left panel not expanding when opening PMA DB by direct link
• #12429 git pull origin STABLE - reduce traffic
• #12460 Revert #12274
• #40 PMA_ABSOLUTE_URI not working anymore
• #47 Unable to nagivate
• #19 Upgrade embedded libraries
• #26 Download popup
• #17 Suggesting a donation on download
• #22 Bootstrap version of website

Tonight phpMyAdmin 4.0.10.17, 4.4.15.8, and 4.6.4 were released and you can probably see that there are quite some security issues fixed. Most of them are not really exploitable unless your PHP and webserver are poorly configured, but still it's good idea to upgrade.

If you are running Debian unstable, use our phpMyAdmin PPA for Ubuntu or use phpMyAdmin Docker image upgrading should be as simple as pulling new version.

Besides fixing security issues, we're generally hardening our infrastructure. I'm really grateful that Emanuel Bronshtein (@e3amn2l) is doing great review of all of our code and helps us in this area. This will really make our code and infrastructure much better.

Handled issues:

• #12448 Avoid using Short-Keys in GPG
• #12446 Not listing 4th column in table 'dos'
• #43 Verify downloaded sources
• #46 Specify version in variable
• #38 Cannot change configuration options
• #41 PMA DB/Configuration Storage Missing from Docker Container Capability
• #45 Verify downloaded tarball using PGP
• #42 config.userdef.inc.php hook to allow user configured settings.
• #44 User configurattion

Going back to more or less normal work mode, last week was again more focused on bug handling and improvements.

I've focused on our website, mostly due to some feedback we got from security reviews. It no longer lists MD5 checksums in favor for SHA1 and SHA256. The same change has been applied to themes as well. Besides that I've worked on making the website layout responsive, so that it works reasonably on small screens as well. In the end I've chosen to use Bootstrap for that. This work has been submitted as pull request for review. While working on the hashes, I've realized that we could do more to tell users to verify the downloaded version, so that ended up in second pull request, which adds post download popup showing information how to verify the download (preferring PGP if the release has been signed). Both changes are still pending, but will most likely be merged and put online this week.

Besides website, I've mostly spent time on reviewing pull requests, where we got quite some amount of them and were sitting in the tracker without any feedback. Many of them could be immediately merged, others have received feedback on how to improve them to make them ready for merge.

Handled issues:

• #12432 tbl_structure.php does not load the page header when editing a field
• #12423 Fix replication status output in database tables list.
• #12395 Error 200 when trying to create a new table
• #12408 Store composer.lock in git for releases
• #12417 credits.rst - Finnish language (missing surname)
• #12422 Improved indents, alignment and rtl in Original theme
• #12421 Translation improvements
• #12420 Fix advisory rule 'Slow launch time'
• #12339 Undefined index: port on 4.6.3
• #12424 Index page change password function fail
• #12383 WD PR4100 phpMyAdmin MySQL server error.
• #12426 Please add php session blocking into the FAQ
• #23 Document all milestone releases
• #25 Replace MD5 CheckSum with SHA1/SHA256
• #24 Missing Verification Details

After few weeks of silence, here is another weekly report. The silence was not caused by lack of work being done, but lack of work which could be publicly announced. Things seem to be much calmer now, so regular bug fixing or improvements are on the table now as well.

The biggest improvements this week is cleanup in connection parameters handling, which will allow to specify any additional configuration for control user connection (eg. SSL setup).

Handled issues:

• #12303 Wrong table status size reported
• #11993 Implement gettext expression evaluator
• #5726 Tighter control over user interface
• #12218 SSL config for controluser
• #12288 Connect to control server via socket
• #12283 Add support for SSL connection for controluser, issue 12218
• #12389 Fixes #12378 - Support for IPv6 proxies
• #12378 Support IPv6 proxies
• #12413 Drop users AJAX response is incorrect in localized (non-English) setup
• #12416 Fix replication status output in Server > Databases
• #12414 'Original' theme has some display issues (4.6.3).
• #12409 Restore Overhead column in Server > Databases > Enable Statistics.
• #12407 Setup SSL for planet.phpmyadmin.net
• #12405 Create PHP code in Insert Tab
• #12387 "Commands out of sync" on JSON column
• #12402 Can not browse table with JSON field
• #12364 "command out of sync" error on tables with json data type column

I'm reporting two weeks at once as I had several days of and there was not that much of work done. Pretty much everything was bug screening, relaxing after previous security fixes and starting with new round of them.

Handled issues:

• #37 Add Themes
• #39 MySQL connection error in 4.6.2-3

Since quite a long time phpMyAdmin had embedded the bfShapeFiles library for import of geospatial data. Over the time we had to apply fixes to it to stay compatible with newer PHP versions, but there was really no development. Unfortunately, as it seems to be only usable PHP library which can read and write ESRI shapefiles.

With recent switch of phpMyAdmin to dependency handling using Composer I wondered if we should get rid of the last embedded PHP library, which was this one - bfShapeFiles. As I couldn't find alive library which would work well for us, I resisted that for quite long, until pull request to improve it came in. At that point I've realized that it's probably better to separate it and start to improve it outside our codebase.

That's when phpmyadmin/shapefile was started. The code is based on bfShapeFiles, applies all fixes which were used in phpMyAdmin and adds improvements from the pull request. On top of that it has brand new testsuite (the coverage is still much lower than I'd like to have) and while writing the tests several parsing issues have been discovered and fixed. Anyway you can now get the source from GitHub or install using Composer from Packagist.

PS: While fixing parser bugs I've looked at other parsers as well to see how they handle some situations unclear in the specs and I had to fix Python pyshp on the way as well :-).