Michal Čihař - Archive for Jan. 1, 2016

Weekly phpMyAdmin contributions 2016-W51

The week before Christmas was pretty productive, with a dozen fixed issues, merged pull requests and various code and infrastructure improvements.

There was nothing extraordinary in bug fixing. One thing worth mentioning is that we were again hit by another PHP weirdness, this time in the openssl library, which emits warnings as errors and stores them internally while the function works just fine and returns the expected result. We didn't realize that not picking up the warnings would lead to a MySQL connection failure when using SSL.
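The failure mode described above, as an added example that is not phpMyAdmin's own code: a PHP openssl_* call that fails legitimately (here, decrypting with the wrong key) leaves messages in the OpenSSL error queue, and OpenSSL's documentation for SSL_get_error() states that the thread's error queue must be empty before a TLS I/O operation or the result is unreliable, which is how an unrelated earlier call can break a later SSL connection in the same process. The cipher choice, the function names and the demo inputs are assumptions made for the example; the only library calls used are openssl_encrypt, openssl_decrypt and openssl_error_string.

```php
<?php
// Added example, not phpMyAdmin code. Assumes the pattern the post describes:
// a failed openssl_* call queues OpenSSL error messages that, left in place,
// can confuse a later TLS user in the same process (e.g. an SSL MySQL
// connection). Draining the queue after every call removes that coupling.

declare(strict_types=1);

/** Pops and returns every pending OpenSSL error message, emptying the queue. */
function drain_openssl_errors(): array
{
    $messages = [];
    while (($msg = openssl_error_string()) !== false) {
        $messages[] = $msg;
    }
    return $messages;
}

/**
 * Decrypts AES-256-CBC ciphertext and guarantees that the OpenSSL error
 * queue is empty when it returns, whether or not decryption succeeded.
 * Returns null on failure (wrong key, corrupted or truncated data).
 */
function decrypt_and_clean(string $ciphertext, string $key, string $iv): ?string
{
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);

    // Always drain, even on success: a partial failure inside OpenSSL may
    // have queued something while the call still returned a result.
    $queued = drain_openssl_errors();

    if ($plain === false) {
        // The messages (typically "bad decrypt") are not useful to the end
        // user, but they are worth keeping for server-side diagnostics.
        error_log('openssl_decrypt failed: ' . implode('; ', $queued));
        return null;
    }
    return $plain;
}

// Constructed demo data: encrypt under one key, then try the wrong one.
$goodKey  = random_bytes(32);
$wrongKey = random_bytes(32);
$iv       = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
$cipher   = openssl_encrypt('session token', 'aes-256-cbc', $goodKey, OPENSSL_RAW_DATA, $iv);

// Wrong key: result is null (barring a rare padding collision, which is why
// an authenticated mode such as GCM is preferable for real cookie data),
// and the queue is empty afterwards, so a following TLS handshake starts
// from a clean state.
$first = decrypt_and_clean($cipher, $wrongKey, $iv);
$queueEmpty = openssl_error_string() === false;

// Right key: plaintext comes back, queue still empty.
$second = decrypt_and_clean($cipher, $goodKey, $iv);

var_dump($first, $queueEmpty, $second);
```

The point of the wrapper is the unconditional drain: callers that only check the return value never see the queue, so without it the first component to notice the stale entries is whichever OpenSSL user runs next.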

On the infrastructure side, I've automated updates to the localized documentation, so it now automatically follows master (on a daily basis) and it will no longer happen that it is forgotten for a few months. As you can see, there is quite a big amount of strings to translate there, so any help is welcome.

Also, the SQL parser finally got its translations; you are welcome to contribute there as well (it mostly covers syntax error messages).

This is the last report for 2016; I'm spending this week with family and without a computer :-).

Handled issues:

Weekly phpMyAdmin contributions 2016-W50

Last week was more focused on bug fixing in phpMyAdmin itself, though some of the libraries (like motranslator) got some attention as well. I've also finally looked at forgotten pull requests with new themes.

Especially OS X users will love the fix for a long outstanding bug with MySQL running in lower_case_table_names=2 mode. The MySQL server in this case returns the table name in lower case in some situations, and thus it didn't compare correctly with the mixed case one. Hopefully this is fixed for now, and I'm looking forward to another MySQL weirdness.

Another important fix is that future 4.6 releases will be compatible with PHP 7.1. We had the fixes ready in the master branch, but 4.7.0 will be released in about three months, so it's better to push the fixes for the new PHP version earlier (note that most of the errors were just in the testsuite; most of the code will work just fine).

Handled issues:

wlc 0.7

wlc 0.7, a command line utility for Weblate, has just been released. There are several new commands, like translation file download or statistics fetching.

Full list of changes:

  • Added reset operation.
  • Added statistics for project.
  • Added changes listing.
  • Added file downloads.

wlc is built on the API introduced in Weblate 2.6, which is still being developed; you need Weblate 2.10 for some features (already available on our hosting offering). You can find usage examples in the wlc documentation.

Weblate 2.10

Quite on schedule, Weblate 2.10 is out today. This release brings the Git exporter module, improves support for machine translation services and adds various CSV exports and API interfaces.

Full list of changes:

  • Added quality check to check whether plurals are translated differently.
  • Fixed GitHub hooks for repositories with authentication.
  • Added optional Git exporter module.
  • Support for Microsoft Cognitive Services Translator API.
  • Simplified project and component user interface.
  • Added automatic fix to remove control chars.
  • Added per language overview to project.
  • Added support for CSV export.
  • Added CSV download for stats.
  • Added matrix view for quick overview of all translations.
  • Added basic API for changes and units.
  • Added support for Apertium APy server for machine translations.

If you are upgrading from an older version, please follow our upgrading instructions.

You can find more information about Weblate on https://weblate.org; the code is hosted on GitHub. If you are curious how it looks, you can try it out on the demo server. You can log in there with the demo account using the demo password or register your own user. Weblate is also being used on https://hosted.weblate.org/ as the official translating service for phpMyAdmin, OsmAnd, Aptoide, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations; thanks to everybody who has helped so far! The roadmap for the next release is just being prepared, and you can influence it by expressing support for individual issues, either by comments or by providing a bounty for them.

Weekly phpMyAdmin contributions 2016-W49

My last week was about the usual amount of bug screening and fixing. Overall it was quite calm, bringing small progress in many areas, and it's hard to highlight anything in particular.

There were also a dozen improvements to our Docker image, the most important being a change to the tags we provide: latest is now the latest released version, while edge gets changes from the master branch (of the docker repository; it still contains released phpMyAdmin).

Handled issues:

Gammu 1.38.0

Today Gammu 1.38.0 has been released. The changes in the last two testing releases have been stabilized and this is the outcome. You can expect changes in the API or SMSD tables as well as some additional features.

Also, this is the first stable release in several years which comes with Windows binaries. These are built using AppVeyor and will help bring Windows users back to the latest versions.

Full list of changes and new features can be found on Gammu 1.38.0 release page.

Would you like to see more features in Gammu? You can support further Gammu development at Bountysource salt or by direct donation.

New location for Weblate

Today, Weblate got a new home. The difference is not that big: it has been moved from my personal GitHub account to the WeblateOrg organization.

The main motivation is to have all Weblate related repositories in one location (all the others, including wlc, Docker or the website, are already there). The move will also allow the project to be managed better in future, as having it in separate repositories provides fewer management options on GitHub than using an organization.

In case you have cloned the git repository, please update your remote:

git remote set-url origin https://github.com/WeblateOrg/weblate.git

Of course, all issue tracker locations have changed as well (I believe the redirect on GitHub will stay as long as I don't fork the repository, so expect it to work for at least a month). See the GitHub documentation on repository moving.

I'm sorry for all the trouble, but I think this is a really necessary move.

Weekly phpMyAdmin contributions 2016-W48

Last week was heavily focused on cleaning up our issue trackers. As you can see from the huge list of issues I've closed, there are always a lot of things to handle. Many of those were not fixed though; it was just housekeeping of old questions where the submitter didn't come back after we'd asked for clarification. On the code side there were some pull request merges, including those which needed non-trivial fixes that the authors didn't find time to implement.

Other improvements were made to the Docker image, where several cleanups were done (more to follow this week).

Handled issues:

Weekly phpMyAdmin contributions 2016-W47

Last week we finally managed to release phpMyAdmin 4.6.5 (quickly followed by the hotfix 4.6.5.1). This included several security fixes (see my comment on our security status yesterday) and a lot of bugfixes, as we really failed to release quickly this time. The next release should follow the two month release schedule, so let's see how we manage that.

There was some work on the code and libraries as well. The ShapeFile library has reached the 1.0 milestone after several fixes and testsuite improvements, so if you are looking for a PHP library to handle ESRI Shape Files, this is the best choice right now.

Handled issues:

phpMyAdmin security issues

You might wonder why there is such a high number of phpMyAdmin security announcements this year. This situation has two main reasons and I will comment a bit on those.

First of all, we've got quite a lot of attention from people doing security reviews this year. It all started with the Mozilla SOS Fund funded audit. It discovered a few minor issues which were fixed in the 4.6.2 release. However, this was really just the beginning of the story, and the announcement attracted quite some attention to us. In the following weeks the security@phpmyadmin.net mailbox was full of reports and we really struggled to handle such an amount. Handling that amount actually led to creating a more formalized approach to handling them, as we clearly were no longer able to deal with them based on email only. Anyway, most work here was done by Emanuel Bronshtein, who is really looking at every piece of our code and giving useful tips to harden our code base and infrastructure.

The second thing which changed is that we release security announcements for security hardening even when there might not be any practical attack possible. A typical example here might be PMASA-2016-61, where using hash_equals is definitely safer, but even if the timing attack were doable here, the practical result of figuring out admin-configured allow/deny rules is usually not critical. Many of the issues also cover quite rare setups (or server misconfigurations, which we've silently fixed in the past), like PMASA-2016-54, possibly caused by a server executing shell scripts shipped together with phpMyAdmin.
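The hash_equals hardening mentioned above, as an added example that is not phpMyAdmin's code and does not reproduce the allow/deny rule handling of PMASA-2016-61: it compares a generic secret with == beside the hash_equals form, and goes one step beyond the timing point by showing PHP's numeric-string juggling, which makes == accept two different "0e..." digests as equal regardless of timing. The function names and the sample digests are constructed for the example; the compat fallback is a hand-written constant-time loop for PHP versions without hash_equals, not a library routine.

```php
<?php
// Added example, not phpMyAdmin code. Shows why == is the wrong tool for
// comparing secrets (tokens, digests, signatures) and what to use instead.

declare(strict_types=1);

/**
 * Weak form: == returns at the first differing byte (timing leak) and,
 * worse, applies numeric-string juggling, so two distinct hex digests that
 * both look like "0e<digits>" compare as equal (both are read as 0.0).
 */
function token_matches_weak(string $expected, string $given): bool
{
    return $expected == $given;
}

/** Hardened form: constant time in the length of $expected, byte-wise, no juggling. */
function token_matches(string $expected, string $given): bool
{
    return hash_equals($expected, $given);
}

/**
 * Same contract for PHP < 5.6, where hash_equals does not exist.
 * Like hash_equals, it returns early only on a length mismatch (the length
 * of the secret is not considered sensitive); otherwise the loop always
 * walks every byte and accumulates differences with XOR/OR.
 */
function token_matches_compat(string $expected, string $given): bool
{
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $given);
    }
    if (strlen($expected) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Constructed inputs: two different MD5-shaped digests of the "0e..." form.
$stored    = '0e462097431906509019562988736854';
$submitted = '0e830400451993494058024219903391';

var_dump(
    token_matches_weak($stored, $submitted),   // == treats both as 0, so they "match"
    token_matches($stored, $submitted),        // byte comparison rejects the forgery
    token_matches_compat($stored, $submitted)  // same result without hash_equals
);
```

Both hardened forms take strings only; pass anything else (a missing cookie yields null) through an explicit check first rather than relying on the comparison to reject it.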

Overall, phpMyAdmin indeed got safer this year. I don't think that there was any bug that would be really critical; on the other hand, we've made quite a lot of hardenings and we use current best practices when dealing with sensitive data. I'm also pretty sure our code was not in worse shape than any similarly sized project with 18 years of history; we just became more visible thanks to the security audit and people looked deeper into our code base.

Besides the security announcements, this all led to generic hardening of our code and infrastructure, which might not be that visible but is important as well:

  • All our websites are served by https only
  • All our releases are PGP signed
  • We actively encourage users to verify the downloaded files
  • All new Git tags are PGP signed as well