Michal Čihař - Blog Archives for phpMyAdmin

Weekly phpMyAdmin contributions 2016-W33

Last week was finally a bit calmer on the security side, so I could look into other issues as well. I finally had time to review some of the pull requests and go through the newly opened issues, but there is still a lot of work to do.

The biggest change was that we've launched the new website. It was mostly finished some weeks ago, but now it is live. Hopefully it looks better and cleaner, as it was designed with all of the current page content in mind rather than by continuously adding new things along the way. It feels a bit strange for me to be doing design work when I'm not really good at it, but this is probably the fourth version of our website I've done...

One other thing worth mentioning is the reintroduction of $cfg['PmaAbsoluteUri'] in the upcoming 4.6.5 release. It turns out to be needed in some reverse proxy setups.

Handled issues:

Weekly phpMyAdmin contributions 2016-W32

Tonight phpMyAdmin 4.0.10.17, 4.4.15.8, and 4.6.4 were released, and as you can probably see, quite a few security issues were fixed. Most of them are not really exploitable unless your PHP and web server are poorly configured, but it's still a good idea to upgrade.

If you are running Debian unstable, using our phpMyAdmin PPA for Ubuntu, or using the phpMyAdmin Docker image, upgrading should be as simple as pulling the new version.

Besides fixing security issues, we're generally hardening our infrastructure. I'm really grateful that Emanuel Bronshtein (@e3amn2l) is doing a great review of all of our code and helping us in this area. This will really make our code and infrastructure much better.

Handled issues:

Weekly phpMyAdmin contributions 2016-W31

Getting back to a more or less normal work mode, last week was again more focused on bug handling and improvements.

I've focused on our website, mostly due to some feedback we got from security reviews. It no longer lists MD5 checksums, in favour of SHA1 and SHA256. The same change has been applied to themes as well. Besides that, I've worked on making the website layout responsive, so that it works reasonably on small screens as well. In the end I chose to use Bootstrap for that. This work has been submitted as a pull request for review. While working on the hashes, I realized that we could do more to tell users to verify the downloaded version, so that ended up in a second pull request, which adds a post-download popup showing how to verify the download (preferring PGP if the release has been signed). Both changes are still pending, but will most likely be merged and put online this week.
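As an added illustration of the verification step the popup asks users to perform (this is example code, not the website's or phpMyAdmin's own), the function below checks downloaded bytes against a checksum list in the `digest  filename` format produced by sha256sum/sha1sum and refuses to treat an MD5-only entry as verification. The file name and the b"abc" payload are constructed sample data; the digests are the well-known MD5/SHA1/SHA256 values of that payload.

```python
import hashlib
import re

# Digest length in hex characters -> algorithm. MD5 is recognised only so it can be rejected.
ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}
ACCEPTED = ("sha256", "sha1")   # strongest first; an MD5-only entry never verifies anything
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")   # sha256sum/sha1sum output format

class VerificationError(Exception):
    """The download could not be verified against the published checksums."""

def parse_checksums(text):
    """Map filename -> {algorithm: hex digest} from 'digest  filename' lines."""
    entries = {}
    for line in text.splitlines():
        match = CHECKSUM_LINE.match(line.strip())
        if not match:
            continue        # blank lines, comments or anything not in checksum format
        digest, name = match.group(1).lower(), match.group(2)
        algorithm = ALGORITHMS.get(len(digest))
        if algorithm:
            entries.setdefault(name, {})[algorithm] = digest
    return entries

def verify_bytes(data, checksum_text, filename):
    """Check data against every accepted digest published for filename.
    Returns the strongest algorithm that matched; raises on any mismatch or when
    only MD5 (or nothing) was published, so a weak entry cannot 'pass' a file."""
    published = parse_checksums(checksum_text).get(filename, {})
    matched = []
    for algorithm in ACCEPTED:
        if algorithm in published:
            actual = hashlib.new(algorithm, data).hexdigest()
            if actual != published[algorithm]:
                raise VerificationError("%s mismatch for %s" % (algorithm, filename))
            matched.append(algorithm)
    if not matched:
        raise VerificationError("no SHA1/SHA256 checksum published for %s" % filename)
    return matched[0]

# Constructed sample: the "download" is the bytes b"abc" and the checksum list mimics
# a per-release listing, including a legacy MD5 line that must be ignored.
SAMPLE_FILE = "phpMyAdmin-example.zip"
SAMPLE_DATA = b"abc"
SAMPLE_CHECKSUMS = """\
900150983cd24fb0d6963f7d28e17f72  phpMyAdmin-example.zip
a9993e364706816aba3e25717850c26c9cd0d89d  phpMyAdmin-example.zip
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  phpMyAdmin-example.zip
"""
```

For a real download, read the archive with open(path, "rb") and pass its contents and basename to verify_bytes; a PGP signature, where the release is signed, is still the stronger check and should be verified separately.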

Besides the website, I've mostly spent time reviewing pull requests; quite a few of them had been sitting in the tracker without any feedback. Many of them could be merged immediately, others received feedback on how to improve them to make them ready for merging.

Handled issues:

Weekly phpMyAdmin contributions 2016-W30

After a few weeks of silence, here is another weekly report. The silence was not caused by a lack of work being done, but by a lack of work that could be publicly announced. Things seem to be much calmer now, so regular bug fixing and improvements are on the table again.

The biggest improvement this week is a cleanup of connection parameter handling, which will allow specifying any additional configuration for the control user connection (e.g. SSL setup).

Handled issues:

PHP shapefile library

For quite a long time phpMyAdmin has embedded the bfShapeFiles library for importing geospatial data. Over time we had to apply fixes to it to stay compatible with newer PHP versions, but there was really no upstream development. That is unfortunate, as it seems to be the only usable PHP library that can read and write ESRI shapefiles.

With the recent switch of phpMyAdmin to dependency handling using Composer, I wondered if we should get rid of the last embedded PHP library, which was this one, bfShapeFiles. As I couldn't find a maintained library that would work well for us, I resisted that for quite a long time, until a pull request to improve it came in. At that point I realized that it's probably better to separate it out and improve it outside our codebase.

That's when phpmyadmin/shapefile was started. The code is based on bfShapeFiles, applies all the fixes that were used in phpMyAdmin, and adds the improvements from the pull request. On top of that it has a brand new test suite (the coverage is still much lower than I'd like), and while writing the tests several parsing issues were discovered and fixed. You can now get the source from GitHub or install it using Composer from Packagist.

PS: While fixing parser bugs I looked at other parsers as well to see how they handle some situations that are unclear in the spec, and I had to fix the Python pyshp library along the way as well :-).
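To show the kind of length and layout checks a shapefile parser needs before it is safe to feed user-uploaded geospatial data to an importer, here is an added example in Python; it is not code from phpmyadmin/shapefile, bfShapeFiles or pyshp. It handles only the main file (.shp) with Null and Point records, and build_point_shapefile is a constructed sample writer used to produce test input.

```python
import struct

FILE_CODE, VERSION = 9994, 1000          # fixed header values from the ESRI spec
SHAPE_NULL, SHAPE_POINT = 0, 1           # the only shape types handled here

class ShapefileError(ValueError):
    """Raised when the buffer violates the ESRI shapefile layout."""

def parse_shapefile(buf):
    """Parse a Point-only .shp buffer into {'shape_type', 'bbox', 'records'}.
    Header integers are big-endian, record contents little-endian; every length
    field is cross-checked against the buffer so a truncated or corrupted file
    fails loudly instead of yielding garbage coordinates."""
    if len(buf) < 100:
        raise ShapefileError("truncated header (%d bytes)" % len(buf))
    file_code, = struct.unpack(">i", buf[:4])
    length_words, = struct.unpack(">i", buf[24:28])   # file length in 16-bit words
    version, shape_type = struct.unpack("<ii", buf[28:36])
    if file_code != FILE_CODE or version != VERSION:
        raise ShapefileError("not a version %d ESRI shapefile" % VERSION)
    if length_words * 2 != len(buf):
        raise ShapefileError("header says %d bytes, buffer has %d" % (length_words * 2, len(buf)))
    records, off = [], 100
    while off < len(buf):
        if off + 8 > len(buf):
            raise ShapefileError("truncated record header at offset %d" % off)
        number, content_words = struct.unpack(">ii", buf[off:off + 8])
        start, end = off + 8, off + 8 + content_words * 2
        if number != len(records) + 1 or end > len(buf):
            raise ShapefileError("bad record header at offset %d" % off)
        rec_type, = struct.unpack("<i", buf[start:start + 4])
        if rec_type == SHAPE_NULL and content_words == 2:
            records.append((number, None))        # null shapes are legal placeholders
        elif rec_type == SHAPE_POINT and content_words == 10:
            records.append((number, struct.unpack("<2d", buf[start + 4:end])))
        else:
            raise ShapefileError("unsupported or malformed record %d" % number)
        off = end
    return {"shape_type": shape_type, "bbox": struct.unpack("<4d", buf[36:68]), "records": records}

def build_point_shapefile(points):
    """Constructed sample writer (not the library's code): a Point .shp from (x, y) pairs."""
    body = b"".join(struct.pack(">ii", i, 10) + struct.pack("<i2d", SHAPE_POINT, x, y)
                    for i, (x, y) in enumerate(points, 1))
    xs, ys = [x for x, _ in points], [y for _, y in points]
    header = (struct.pack(">7i", FILE_CODE, 0, 0, 0, 0, 0, (100 + len(body)) // 2)
              + struct.pack("<ii", VERSION, SHAPE_POINT)
              + struct.pack("<8d", min(xs), min(ys), max(xs), max(ys), 0, 0, 0, 0))
    return header + body
```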

Weekly phpMyAdmin contributions 2016-W25

As you could see from the release news, it has been quite a busy week in terms of fixing security issues. It actually started just after the announcement of the security audit funded by the Mozilla SOS Fund. It seems this is the best way to attract the attention of security reviewers, and we got a lot of it.

So most of the work in the last two weeks was dealing with incoming security reports. Fortunately there is still nothing critical if you are not using an ancient unpatched PHP version that is vulnerable to null byte termination of strings. This was quite hard work, as each time we started to think about releasing a version with the fixes, a new report came in, and the process repeated several times. Fortunately we managed to do three security releases (one for each supported branch), and it seems that we've not broken anything (at least there is no bug report indicating that).

Let's see what the next weeks bring and how much security work there will be, but we definitely should focus on doing reviews continuously rather than as one-off actions.

On the other hand, in terms of handled public issues this week was really low volume:

Weekly phpMyAdmin contributions 2016-W24

Last week was again focused on code cleanup. The biggest part was splitting the shapefile library out of our codebase. Its original upstream has not been active for years, and people started to use the library from our code instead, so separating it makes perfect sense.

While working on that, the library got some basic tests, but I'm still looking for more complex test cases to cover even situations we do not use in phpMyAdmin.

Besides this, there were some bug fixes in phpMyAdmin itself and its Docker container. Additionally there was quite a lot of security work after we published information about the security audit we passed, but that will be described later.

Handled issues:

Weekly phpMyAdmin contributions 2016-W23

Last week was a bit more focused on improving our Docker container. It's still not perfect, but it works way better than before. I'm also learning Docker along the way, so the progress is not as fast as it could be.

Speaking of learning, I've again learned something new about PHP: this time it was the fact that the debug_backtrace function returns a reference to the interpreter's actual backtrace, so if you change something there, you change the parameters of the code above you in the stack. It was quite hard to figure out, but fortunately easy to fix afterwards. Because of this, if your MySQL client library and PHP MySQL module did not match, you could not connect to the MySQL server with phpMyAdmin.

The rest of the work was regular bug screening and fixing, nothing really outstanding.

Handled issues:

Weekly phpMyAdmin contributions 2016-W22

Last week was a bit relaxed for me as I had a few days off, so the amount of work was also quite limited.

Quite a lot of time was spent investigating issue #12243, which in the end turned out to be a problem in Fedora packaging: it uses an outdated SQL parser library containing many bugs that have since been fixed. This is now reported in their bug tracker and will hopefully get fixed soon. So if you're running phpMyAdmin from Fedora / EPEL packages, you might be bitten by various bugs that are already fixed upstream.

Also, if you're looking for a free software job, you can join me in working on phpMyAdmin; we're looking for a second developer!

Handled issues: