Michal Čihař - Blog Archives for phpMyAdmin

Weekly phpMyAdmin contributions 2016-W47

Last week we've finally managed to release phpMyAdmin 4.6.5 (and quickly followed by hotfix 4.6.5.1). This included several security fixes (see my comment on our security status yesterday and lot of bugfixes as we've really failed to release quickly this time. Next release should follow two month release schedule, so let's see how we will manage that.

There was some work on the code and libraries as well. The ShapeFile library has reached 1.0 milestone after several fixes and testsuite improvements, so if you are looking for PHP library to handle ESRI Shape Files, this is the best choice right now.

Handled issues:

phpMyAdmin security issues

You might wonder why there is so high number of phpMyAdmin security announcements this year. This situations has two main reasons and I will comment a bit on those.

First of all we've got quite a lot of attention of people doing security reviews this year. It has all started with Mozilla SOS Fund funded audit. It has discovered few minor issues which were fixed in the 4.6.2 release. However this was really just the beginning of the story and the announcement has attracted quite some attention to us. In upcoming weeks the security@phpmyadmin.net mailbox was full of reports and we really struggled to handle such amount. Handling that amount actually lead to creating more formalized approach to handling them as we clearly were no longer able to deal with them based on email only. Anyway most work here was done by Emanuel Bronshtein, who is really looking at every piece of our code and giving useful tips to harden our code base and infrastructure.

Second thing which got changed is that we release security announcements for security hardening even when there might not be any practical attack possible. Typical example here might be PMASA-2016-61, where using hash_equals is definitely safer, but even if the timing attack would be doable here, the practical result of figuring out admin configured allow/deny rules is usually not critical. Many of the issues also cover quite rare setups (or server misconfigurations, which we've silently fixed in past) like PMASA-2016-54 being possibly caused by server executing shell scripts shipped together with phpMyAdmin.

Overall phpMyAdmin indeed got safer this year. I don't think that there was any bug that would be really critical, on the other side we've made quite a lot of hardenings and we use current best practices when dealing with sensitive data. On the other side, I'm pretty sure our code was not in worse shape than any similarly sized projects with 18 years of history, we just become more visible thanks to security audit and people looked deeper into our code base.

Besides security announcements this all lead to generic hardening of our code and infrastructure, what might be not that visible, but are important as well:

  • All our websites are server by https only
  • All our releases are PGP signed
  • We actively encourage users to verify the downloaded files
  • All new Git tags are PGP signed as well

Weekly phpMyAdmin contributions 2016-W46

Last week was mostly focused on our libraries. I got merged several patches to our SQL parser from Deven and I've spent quite some time on ShapeFile library, which got several improvements.

It all started with one issue being reported and it actually pushed me to fix older issue - lack of tests. Few commits later the coverage went up to 92% and several bugs were fixed on the way, as some parts of the code were simply broken and nobody has used them so far.

Handled issues:

Weekly phpMyAdmin contributions 2016-W45

After week of silence (and sickness) I again did some work on phpMyAdmin. Again it was mostly focused on cleaning up piled issues and pull requests and it worked quite well.

Several of them needed minor changes before they can be safely merged and they were waiting for these for several weeks. In the end I've processed most of them and merged them with needed cleanups or polishing.

Handled issues:

Weblate 2.9

Slightly behind schedule (it should have been released in October), Weblate 2.9 is out today. This release brings Subversion support or improved zen mode.

Full list of changes:

  • Extended parameters for createadmin management command.
  • Extended import_json to be able to handle with existing components.
  • Added support for YAML files.
  • Project owners can now configure translation component and project details.
  • Use "Watched" instead of "Subscribed" projects.
  • Projects can be watched directly from project page.
  • Added multi language status widget.
  • Highlight secondary language if not showing source.
  • Record suggestion deletion in history.
  • Improved intuitivity of languages selection in profile.
  • Fixed showing whiteboard messages for component.
  • Keep preferences tab selected after saving.
  • Show source string comment more prominently.
  • Automatically install Gettext PO merge driver for Git repositories.
  • Added search and replace feature.
  • Added support for uploading visual context (screnshots) for translations.

If you are upgrading from older version, please follow our upgrading instructions.

You can find more information about Weblate on https://weblate.org, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. You can login there with demo account using demo password or register your own user. Weblate is also being used on https://hosted.weblate.org/ as official translating service for phpMyAdmin, OsmAnd, Aptoide, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations, thanks to everybody who have helped so far! The roadmap for next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing bounty for them.

Weekly phpMyAdmin contributions 2016-W43

Last week was a bit calmer and was really focused mostly on the bug screening and merging pull requests than on actual work. I've however managed to release new version of SQL parser with several fixes contributed by Deven.

Handled issues:

New features on Hosted Weblate

Today, new version has been deployed on Hosted Weblate. It brings many long requested features and enhancements.

Adding project to watched got way simpler, you can now do it on the project page using watch button:

Watch project

Another feature which will be liked by project admins is that they can now change project metadata without contacting me. This works for both project and component level:

Project settings

And adding some fancy things, there is new badge showing status of translations into all languages. This is how it looks for Weblate itself:

Translation status

As you can see it can get pretty big for projects with many translations, but you get complete picture of the translation status in it.

You can find all these features in upcoming Weblate 2.9 which should be released next week. Complete list of changes in Weblate 2.9 is described in our documentation.

Weekly phpMyAdmin contributions 2016-W42

Last week got again more focus on bug fixing. Mostly those were again hardenings on our infrastructure and Docker image, but there were some fixes as well. Overall the phpMyAdmin docker image got much better and it will be be even better with upcoming 4.6.5 release which adds some improvements to the main codebase.

Handled issues:

Weekly phpMyAdmin contributions 2016-W41

Last week was mostly focused on motranslator and removing it's usage of eval(). After introducing library to do the expression evaluation, I've learned that there is already existing library having all features we need - symfony/expression-language. There could be better way to learn this, but still lesson learned and I will evaluate existing libraries more carefully next time. Now the motranslator 2.0 is out without eval() and with dependency on symfony/expression-language.

Besides that there was some discussion about improving quality of our documentation translations by using automated checks. The set of such checks is already provided by Weblate, but it really doesn't cover RST markup and some improvements could be borrowed from the dennis tool.

Handled issues:

motranslator 2.0

Yesterday, the motranslator 2.0 has been released. As the version change suggests there are some important changes under the hood.

Full list of changes:

  • Consistently use camelCase in API
  • No more relies on using eval()
  • Depends on symfony/expression-language for calculations

As you can see, yesterday announced SimpleMath is not used in the end and I've moved to use existing library. Somehow I misunderstood library description and I thought that it works as PHP, what would be problem for us (or would bring need to add parenthesis around ternary operator as we did with eval()). But this is not the case and ternary operator behaves sane in ExpressionLanguage, so we're good too use it.

Anyway if you were using MoTranslator, it might be good idea to upgrade and check if API changes affect you.