Michal Čihař - Blog Archives for English

Last week was mostly focused on motranslator and removing it's usage of eval(). After introducing library to do the expression evaluation, I've learned that there is already existing library having all features we need - symfony/expression-language. There could be better way to learn this, but still lesson learned and I will evaluate existing libraries more carefully next time. Now the motranslator 2.0 is out without eval() and with dependency on symfony/expression-language.

Besides that there was some discussion about improving quality of our documentation translations by using automated checks. The set of such checks is already provided by Weblate, but it really doesn't cover RST markup and some improvements could be borrowed from the dennis tool.

Handled issues:

• #12617 Fatal error: Call to undefined function __() in /usr/share/phpmyadmin/libraries/core.lib.php on line 235
• #5 Remove use of eval()
• #2 Fix issues found using dennis
• #3 Added Indonesian translation

Hosted Weblate provides also free hosting for free software projects. I'm quite slow in processing the hosting requests, but when I do that, I process them in a batch and add several projects at once.

This time, the newly hosted projects include:

• JaMuz - Music management tool
• World-Weather - An Android app that uses the Open Weather Map API
• GNUSim8085 - A graphical simulator, assembler and debugger for the Intel 8085 microprocesso
• Commons Mobile App - Upload pictures from Android to Wikimedia Commons
• Debian Edu Documentation
• Duplicati - Store securely encrypted backups on cloud storage services

Yesterday, the motranslator 2.0 has been released. As the version change suggests there are some important changes under the hood.

Full list of changes:

• Consistently use camelCase in API
• No more relies on using eval()
• Depends on symfony/expression-language for calculations

As you can see, yesterday announced SimpleMath is not used in the end and I've moved to use existing library. Somehow I misunderstood library description and I thought that it works as PHP, what would be problem for us (or would bring need to add parenthesis around ternary operator as we did with eval()). But this is not the case and ternary operator behaves sane in ExpressionLanguage, so we're good too use it.

Anyway if you were using MoTranslator, it might be good idea to upgrade and check if API changes affect you.

For quite some time we've been relying on using eval() function in phpMyAdmin in two places. One of them is gettext library, where we have to evaluate plural forms and second of them is MySQL configuration advisor, which does it's suggestions based on text file (the original idea was to make this file shared with other tools, but it never really worked out).

Using eval() in PHP is something what is better to avoid, but we were using it on data we ship, so it was considered safe. On the other side, there are hostings which deny using eval() altogether (as many of exploits are using this function), so it's better to avoid that. I've been looking for options for replacing eval() in motranslator (library we use for handling Gettext MO files) for quite some time, but never found library which would support all operators needed in Gettext plural formulas.

Yesterday I finally came to conclusion that writing own library to do this is best approach. This way it can in future extended to work with Advisor as well. Also we can make it pretty lightweight without additional dependencies (what was problem in some existing libraries I've found).

To make the story short, this is how SimpleMath was born. As of now, it has grown to version 0.2 (you can use Packagist to install it). For now it's really simple and it can be probably confused by various strange inputs, but it seems for work pretty well for our case. Currently supported features:

• Supports basic arithmetic operations +, -, *, /, %
• Supports parenthesis
• Supports right associative ternary operator
• Supports comparison operators ==, !=, >, <, >=, <=
• Supports basic logical operations &&, ||
• Supports variables (either PHP style $a or simple n)

Maybe it will be usable for somebody else as well, but even if not, it's the way for us to get rid of using eval() in our codebase.

Update

It seems that Symfony ExpressionLanguage Component is doing pretty much same, but more flexible and faster, so SimpleMath will be probably dead soon and we will switch to using Symphony component.

Stardicter 0.10, the set of scripts to convert some freely available dictionaries to StarDict format, has been released today. There are mostly minor changes and it's time to push them out in official release.

There is one change worth mentioning though - the original site for English - Czech dictionary (http://slovnik.zcu.cz/) has stopped to work and has been moved to https://www.svobodneslovniky.cz/. Hopefully this new location will live at least as long as the original one and will bring back new contributors (honestly the original dictionary gained mostly spam entries in last months). The dictionary data are now hosted in Git repository on GitHub.

Last week was pretty short for me, only two days at computer, so amount of work done is limited as well. I've fixed few minor issues and reviewed pull requests. There was some security work as well, but that's something you will see in the future.

Handled issues:

• #12582 Use Response instead of Message's display method to print error
• #12615 any-character instead of dot in regex
• #12607 http link in https://keybase.io/phpmyadmin_sec
• #12596 Fix #12327: Show as PHP No longer works
• #12584 If multiple queries are submitted, save the commulative bookmark only once
• #12601 Fix #12455: Query history stores separate entry for every letter typed
• #12605 Old file
• #12606 Change setup link from master to STABLE
• #12595 Remove Util::pow
• #72 Adding PMA_VERBOSE and PMA_VERBOSES environment variables
• #90 Fix parsing of subquery in FROM clause
• #87 Implement parsing and building for Delete Statement
• #88 Add parsing of CASE Expressions

Last week was quite similar to previous weeks - most time has been spent on reviewing pull requests, improving documentation and improving Docker container.

On the Docker container, I've enabled open_basedir restrictions, so the attack surface is a bit lower. However there are still lot of hardening suggestions open in the issue tracker.

Handled issues:

• #12597 localized_docs build steps create dirty diff on Fedora 24
• #12598 Indonesian translations under language code 'in'
• #12594 Incorrect Regex: (192a168b0c1111 will pass)
• #12475 Double Assigning to $GLOBALS['showtable']
• #12508 Code Duplication
• #12505 Missing function PMA_sanitizeFilename
• #12511 Bypassing some regex used in ArbitraryServerRegexp
• #12297 featurerequest: add config parameter for logging errors to a file or syslog server
• #12332 Slowness issue with many tables
• #12367 Menu Expanding & Running Queries issues in LB setup
• #12484 Suggestion: Put most significant location information first in the title tag
• #12456 Setup and all other script fails to load when upgrading (from 2.11)
• #12499 Force index fails
• #12585 only_db was unexpectedly written to pma_userconfig
• #12590 Adding ENUM column in 4.6.4 don't works
• #89 Cleanup comment metadata

Last week was again mostly spent on reviewing pull requests and screening issues. This little housecleaning work is sometimes surprisingly time consuming :-).

Besides that I've again reviewed potential security weaknesses in our process reported by Emanuel Bronshtein. This lead to various hardenings in our Docker container, Debian packages or our website. There are still places to improve, but we're getting better with every commit.

Additionally there was release for motranslator and SQL parser, both of these are now properly listed on GitHub releases page.

Handled issues:

• #12578 Fix error in adcaf7c
• #12580 Assign LIMIT clause only to syntactically correct queries
• #12574 SELECT * FROM INFORMATION_SCHEMA.SCHEMATA error
• #12568 Remove token from links and icon links in Navigation bar
• #12556 Fix #12300 : Uncheck the Add CREATE PROCEDURE / FUNCTION etc. checkbox for a selective export
• #12544 Fix #12530: Show enabled links for Edit and Execute after proper priv checks
• #12555 Allow vertical scrolling to read longer text values in grid editing
• #12557 Don't use PMA_DROP_IMPORT on Table insert if it has Blob field
• #12565 German Translation under Replication is wrong
• #54 allow to describe host with description
• #52 Is it necessary to run it as root?
• #53 Start PHP-FPM as nobody
• #31 Project's birthday is September 9
• #86 incorrect "Latest release" in sql-parser
• #83 XSS in the highlighter
• #84 Escape sequence injection in Formatting SQL query (cli fromat)
• #85 Fix parsing of user@host without backquotes

wlc 0.6, a command line utility for Weblate, has been just released. There have been some minor fixes, but the most important news is that Windows and OS X are now supported platforms as well.

Full list of changes:

• Fixed error when invoked without command.
• Tested on Windows and OS X (in addition to Linux).

wlc is built on API introduced in Weblate 2.6 and still being in development. Several commands from wlc will not work properly if executed against Weblate 2.6, first fully supported version is 2.7 (it is now running on both demo and hosting servers). You can usage examples in the wlc documentation.

Last week was heavily focused on reviewing incoming code, mostly on our SQL parser. Thanks to several contributions we have made it even better.

The SQL parser s releases now include list of changes, so you can easily see what has been changed. While touching the SQL parser code, I've added some missing bits in testsuite code coverage and we're now really close to 100%.

Another useful thing for our library users is API documentation which is now available at https://develdocs.phpmyadmin.net/. It covers all libraries we've recently released (motranslator, sql-parser and shapefile).

Handled issues:

• #12560 Avoid encoding release username in tarballs
• #12547 prevent direct calls of include files
• #12553 Fix #12320 : Copying a user does not copy usergroup
• #12548 Fix Export and Copy of Tables with Generated/Virtual columns
• #12397 Review mb_strlen uses
• #12510 Add https://keybase.io/phpmyadmin_sec to security page
• #12444 Comment command does not work correctly
• #12282 whitespaces before and after the column names
• #12512 BBCode not transfered to HTML
• #12550 idle requests every 2 seconds
• #11628 INSERT ... ON DUPLICATE KEY
• #28 Add DebConf16 team photo and short description to Team page
• #42 Example usage and wiki
• #81 Please provide a Changelog
• #82 fix default options in Formater constructor
• #80 Add support for PHP 5.3 [WIP]
• #77 Fix parsing of REPLACE INTO ... Statements
• #79 Stop SelectStatement parsing and revert back in case of ON DUPLICATE KEY …
• #76 Fix parsing of INSERT...SELECT and INSERT...SET syntax
• #70 Fix #59: Non-reserved keywords should be allowed as a field name
• #75 Add correct parsing of SET CHARACTER SET, CHARSET , NAMES statements
• #71 Fix #55 : Add support for spatial datatypes