Michal Čihař - Blog Archives for phpMyAdmin

As you could see from the release news it has been quite busy week in terms of fixing security issues. It has actually started just after announcement of security audit funded by Mozilla SOS Fund. It seems this is best way to attract attention security reviewers and we got really a lot of it.

So most of work in last two weeks was to deal with incoming security reports. Fortunately there is still nothing critical if you are not using ancient unpatched PHP version which is vulnerable to null termination of strings. This was quite hard work as immediately once we started to think about releasing version with fixes, new report came in and the process repeated several times. Fortunately we've made it to do three security releases (one for each supported branch) and it seems that we've not broken anything (at least there is no bug report indicating that).

Let's see what next weeks bring and how much security work will be there, but we definitely should focus on doing some reviews continuously rather than doing such one off actions.

On the other side in terms of handled public issues this week was really low volume:

• #12337 Can't change the comment field of an index of a table
• #9 Scrutinizer Auto-Fixes
• #10 Scrutinizer Auto-Fixes

Last week was again focused on code cleanup. The biggest part is splitting up the shapefile library out of our codebase. It's original upstream is not active for years and people started to use the library from our code instead, so separating it makes perfect sense.

While working on that, the library got some basic tests, but I'm still looking for more complex testcases to cover even situation we do not use in phpMyAdmin.

Besides this, there were some bug fixes in phpMyAdmin itself and it's Docker container. Additionally here was quite some security work after we've published information about passed security audit, but that will be described later.

Handled issues:

• #12310 500 Error when accessing stored Proc.
• #12318 Fix #12277 ENUM editor adds blank values
• #12309 Shapefile.lib extension
• #12303 Wrong table status size reported
• #12319 Fix some CodeSniffer warnings and errors
• #12307 JSON export includes comments which are invalid in JSON
• #12311 Shift+scrolling left on desktop goes back a page
• #12313 Profiling user defined function
• #12317 Editing server variables doesn't work
• #30 Docker PHPmyadmin Access?
• #35 Alpine 3.4 is out, per note in Dockerfile, should use 'latest' or '3.4' instead of edge
• #36 Update base image to alpine:latest
• #7 Improve loading tests
• #6 Add 3D test data
• #4 Add OpenStreetMap test data
• #5 Scrutinizer Auto-Fixes
• #3 Add tests
• #2 Scrutinizer Auto-Fixes
• #1 Scrutinizer Auto-Fixes

Last week was a bit more focused on improving our Docker container. It's still not perfect, but it works way better than before. I'm also learning Docker on the way, so the progress is not as fast as it could be.

When speaking about learning I've again learned some new things about PHP - this time it was fact that the debug_backtrace function returns reference to actual interpreters backtrace, so if you change something there, you change the parameters in the code above in the stack. It was quite hard to figure out, but fortunately easy to fix afterwards. Anyway if you have not matching library and PHP MySQL module, you could not connect to MySQL server with phpMyAdmin because of this.

Rest of work was regular bug screening and fixing, nothing really outstanding.

Handled issues:

• #12304 JSON export mis-escapes single quotes
• #12293 MySQL SSL issues
• #11936 setcookie and getcookie wrapper function for JS #11688
• #12308 Show "Warning Division by zero"
• #12169 problem with favorites message "There are no favorite tables."
• #12235 Fixes #11983 pop out SQL window
• #12278 [solved]blowfish_secret
• #12279 Unrecognized keyword. (near "CHARACTER SET" at position 4)
• #12251 Logged out at random
• #33 Install zip & bz2
• #32 Frequently losing session

Last week was a bit relaxed for me as I had few days off, so the amount of work was also quite limited.

Quite a lot of time was spent on investigating issue #12243, which in the end turned out to be problem in Fedora packaging as it's using outdated SQL parser library, which contains many bugs which have been fixed meanwhile. This is now reported in their bug tracker and hopefully get fixed soon. Anyway if you're running phpMyAdmin from Fedora / EPEL packages, you might be bitten by various bugs which are already fixed upstream.

Also if you're looking for free software job, you can join me in working on phpMyAdmin, we're looking for second developer!

Handled issues:

• #12284 FAQ 3.21 document issue unable to log in with characters such as á
• #12290 Invalid zipfile at export
• #12243 Invalid sql with export import

Last week I found time to dig into some ancient issues and managed to fix them. There was some security work as well as we've managed to issue 3 security announcements (nothing really important, but still worth of fixing).

There was usual amount of bug fixing as well, but I'd say there is nothing noteworthy in the bugs, just there was quite a lot of them :-).

What is still ongoing is migration of content from wiki to our documentation. I've again moved dozen of pages and deleted some outdated, so the User guide looks better and better.

Handled issues:

• #12273 Remove mcrypt mention in setup documentation
• #12274 fixed checking of user rights to make it look for database privileges
• #12275 Remove inline styles from elements with id='filterText' (partial fix …
• #12249 Cannot login using PMA 4.6.x with Microsoft Edge or IE 11
• #12248 Import and export tab empty
• #12229 Acces denied after upgrading to 4.6.1
• #5555 Export: catch MySQL error messages
• #6168 pma_lang and pma_collation_connection cookies timeout
• #6274 Export non-permanent settings to PHP (no pmadb)
• #6351 Improve caching
• #11565 No UI to relog when using auth_type = config
• #12148 false guessing on session timeout
• #12122 Security issue file permission check.
• #11898 After a session timeout, it won't accept my credentials
• #12082 Exporting with ARCHIVE engine - index problem
• #12145 The message "Current selection does not contain a unique column. Grid edit, checkbox, Edit, Copy and Delete features are not available." is shown even though i have a unique column
• #12174 Exporting new & existing templates default to 'Compression: zipped'
• #12192 Avoid storing full backtrace in error handler
• #12209 "let the user choose" going to error 500
• #12266 127.0.0.1:8888/phpmyadmin/ returns Unable to connect from browser
• #12231 Error message text "The mysqli|mysql extension is missing"
• #12219 Lock Table problem with phpmyadmin
• #31 Build on docker hub is failing

Another week is over and it's time to report contributions from it. Issue wise not much things were fixed, but quite a lot of time was spent on reviewing reported issues.

Another continued effort was migrating content from wiki to our documentation. Unfortunately this is also not yet completed as some of the documents have diverged quite a lot and integrating them back is not as straightforward as I'd like it to be.

Handled issues:

• #12260 after update phpMyAdmin, on error at language
• #12180 Opening PHPMyAdmin in a new tab takes MINUTES to load first time, then it works normally (in that databse)
• #12258 Set table vertical align to center
• #12250 Make ThemeManager a singleton instead of storing it in the session

wlc 0.3, a command line utility for Weblate, has been just released. This is probably first release which is worth using so it's probably also worth of bigger announcement.

It is built on API introduced in Weblate 2.6 and still being in development. Several commands from wlc will not work properly if executed against Weblate 2.6, first fully supported version will be 2.7 (current git is okay as well, it is now running on both demo and hosting servers).

How to use it? First you will probably want to store the credentials, so that your requests are authenticated (you can do unauthenticated requests as well, but obviously only read only and on public objects), so lets create ~/.config/weblate:

[weblate]
url = https://hosted.weblate.org/api/

[keys]
https://hosted.weblate.org/api/ = APIKEY

Now you can do basic commands:

$ wlc show weblate/master/cs
...
last_author: Michal Čihař
last_change: 2016-05-13T15:59:25
revision: 62f038bb0bfe360494fb8dee30fd9d34133a8663
share_url: https://hosted.weblate.org/engage/weblate/cs/
total: 1361
total_words: 6144
translate_url: https://hosted.weblate.org/translate/weblate/master/cs/
translated: 1361
translated_percent: 100.0
translated_words: 6144
url: https://hosted.weblate.org/api/translations/weblate/master/cs/
web_url: https://hosted.weblate.org/projects/weblate/master/cs/

You can find more examples in wlc documentation.

After week of vacation I got back to work. There was lot of bug screening this week, it seems that people are finally migrating to 4.6 and discovering new problems there. Fortunately 4.6.1 has been released fixing most annoying issues.

Several issues were quite tricky to debug issue happening solely on Windows servers and looked quite tricky from beginning (breaking utf-8 chars). It turned out to be caused by preg_replace calls on the content, which could break utf-8 chars in some cases.

Handled issues:

• #12246 phpmyadmin with Mysql 5.7 - Empty value for 'port' specified
• #12252 Login failure Ubuntu 16.04 PHP7. Follow up to #12227
• #11705 Error code: 200 when loading table's structure (Windows 10)
• #12227 login page failure to load, php7.0
• #12249 Cannot login using PMA 4.6.x with Microsoft Edge or IE 11
• #12118 Chinese language currently do not work in version 4.6.0
• #12245 mbstring extension is missing
• #12239 Export tab isempty
• #12244 Too long URL with js/get_scripts.php
• #12240 Error with adding new fields to the table
• #12234 Designer Export Schema 414
• #11553 SQL Error upon login
• #12225 Make documentation accessible by HTTPS
• #12230 Error message "pma__tracking was not locked with LOCK TABLES"

Today it's fifteen years from my first contribution to free software. I've changed several jobs since that time, all of them involved quite a lot of free software and now I'm fully working on free software.

The first contribution happened to be on phpMyAdmin and did consist of Czech translation:

Subject: Updated Czech translation of phpMyAdmin
From: Michal Cihar <cihar@email.cz>
To: swix@users.sourceforge.net
Date: Mon, 14 May 2001 11:23:36 +0200
X-Mailer: KMail [version 1.2]

Hi

I've updated (translated few added messages) Czech translation of phpMyAdmin. 
I send it to you in two encodings, because I thing that in distribution 
should be included version in ISO-8859-2 which is more standard than Windows 
1250.

Regards
    Michal Cihar

Many other contributions came afterwards, several projects died on the way, but it has been a great ride so far. To see some of these you can look at my software page which contains both current and past projects and also includes later opensourced tools I've created earlier (mostly for Windows).

These days you can find me being active on phpMyAdmin, Gammu, python-gammu and Wammu, Debian and Weblate.

Last week was quite split into many smaller tasks - working on our libraries (both SQL parser and motranslator got new releases with bug fixes), fixing bugs for upcoming 4.6.1 and working on documentation.

From the libraries side, probably most visible is release of motranslator 1.0, just to claim it's now stable enough. Let's see if somebody else will pick it up as well or it will stay only for our use.

Most time was however spent on our documentation. We've agreed to move wiki from our server to GitHub wiki and reduce content available on the wiki. So far it's really mixture of user documentation, notes and developer documentation. The final shape should be that wiki will contain only developer documentation and all end user documentation will go to our documentation. So far I've gone through about half of user docs pages, deleted duplicated ones and moved content to our documentation. It is most visible on the user guide which now contains way more information and hopefully it will get more complete in near future.

Handled issues:

• #12208 Get fatal javascript error version 4.6
• #12223 ALTER TABLE statements are not saved in history
• #11966 Rewrite Tracker to use SQL parser
• #12039 Refactored Tracker to use SqlParser, Issue #11966
• #12171 Issue with request for Edit view using web interface
• #12144 SQL parser shows errors when using MySQL function name as table alias
• #12205 Unrecognized keyword FULL and OUTER
• #12217 ReferenceError: pred_password is not defined
• #12215 Error: unrecognized expression
• #12212 Call to undefined function __() in libraries/sanitizing.lib.php on line 135
• #12214 fata error
• #12123 Error during upgrade from 4.5.5.1 to 4.6.0
• #29 Lock Table problem with phpmyadmin