Michal Čihař - Blog Archives for phpMyAdmin

Weekly phpMyAdmin contributions 2016-W37

Last week was heavily focused on reviewing incoming code, mostly on our SQL parser. Thanks to several contributions we have made it even better.

The SQL parser s releases now include list of changes, so you can easily see what has been changed. While touching the SQL parser code, I've added some missing bits in testsuite code coverage and we're now really close to 100%.

Another useful thing for our library users is API documentation which is now available at https://develdocs.phpmyadmin.net/. It covers all libraries we've recently released (motranslator, sql-parser and shapefile).

Handled issues:

Weekly phpMyAdmin contributions 2016-W36

Last week was a bit calmer on my phpMyAdmin contributions as I've spent more time on other free software projects (namely Gammu).

Anyway there was still some amount of reviewing pull requests and bug screening and I've added PHP 7.1 to the testsuite on Travis while fixing some bugs this has revealed (thanks Deven for helping in this as well). Most notable these were bugs in our testsuite feeding invalid mock data in some situations. Without type warnings in upcoming PHP 7.1 these would be further unnoticed.

Handled issues:

Weekly phpMyAdmin contributions 2016-W35

Last week had still major focus on our Docker container, which is now better than ever :-). There also was a motranslator release to push some of the bug fixes to users.

Other than that there was usual amount of bug screening and fixing which you can see from list of issues below.

Handled issues:

Weblate 2.8

Quite on schedule (just one day later), Weblate 2.7 is out today. This release brings Subversion support or improved zen mode.

Full list of changes:

  • Documentation improvements.
  • Translations.
  • Updated bundled javascript libraries.
  • Added list_translators management command.
  • Django 1.8 is no longer supported.
  • Fixed compatibility with Django 1.10.
  • Added Subversion support.
  • Separated XML validity check from XML mismatched tags.
  • Fixed API to honor HIDE_REPO_CREDENTIALS settings.
  • Show source change in zen mode.
  • Alt+PageUp/PageDown/Home/End now works in zen mode as well.
  • Add tooltip showing exact time of changes.
  • Add option to select filters and search from translation page.
  • Added UI for translation removal.
  • Improved behavior when inserting placeables.
  • Fixed auto locking issues in zen mode.

If you are upgrading from older version, please follow our upgrading instructions.

You can find more information about Weblate on https://weblate.org, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. You can login there with demo account using demo password or register your own user. Weblate is also being used on https://hosted.weblate.org/ as official translating service for phpMyAdmin, OsmAnd, Aptoide, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations, thanks to everybody who have helped so far! The roadmap for next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing bounty for them.

Weekly phpMyAdmin contributions 2016-W34

Last week was a bit calmer with bigger focus on bug fixing, so that phpMyAdmin 4.6.5 works better thatn 4.6.4, where we managed to screw up some functionality due to too strict hardening fixes.

This includes reporting of too short secret when one was autogenerated, broken browsing of mysql.user or mysql.db tables or breakage when editing ENUM fields. All these are now fixed in QA_4_6.

Another major topic last week was our Docker container, which got heavily improved. To name the most important thing it now uses proper web server (nginx) and PHP FPM instead of PHP built in server, which is not really suitable for production use.

Handled issues:

motranslator 1.1

Four months after 1.0 release, motranslator 1.1 is out. If you happen to use it for untrusted data, this might be as well called security release, though this is still not good idea until we remove usage of eval() used to evaluate plural formula.

Full list of changes:

  • Improved handling of corrupted mo files
  • Minor performance improvements
  • Stricter validation of plural expression

The motranslator is a translation library used in current phpMyAdmin master (upcoming 4.7.0) with focus on speed and memory usage. It uses Gettext MO files to load the translations. It also comes with testsuite (100% coverage) and basic documentation.

Recommended way to install it is using composer from Packagist repository:

composer require phpmyadmin/motranslator

The Debian package will be available probably at point phpMyAdmin 4.7.0 will be out, but if you see need to have it earlier, just let me know.

Improving phpMyAdmin Docker container

Since I've created the phpMyAdmin container for Docker I've always felt strange about using PHP's built in web server there. It really made it poor choice for any production setup and probably was causing lot of problems users saw with this container. During the weekend, I've changed it to use more complex setup with Supervisor, nginx and PHP FPM.

As building this container is one of my first experiences with Docker (together with Weblate container), it was not as straightforward as I'd hope for, but in the end is seems to be working just fine. While touching the code, I've also improved testing of the Docker container to tests all supported setups and to better report in case of test fails.

The nice side effect of this is that the PHP code is no longer being executed under root in the container, so that should make it more sane for production use as well (honestly I never liked this approach that almost everything is executed as root in Docker containers).

Weekly phpMyAdmin contributions 2016-W33

Last week was finally a bit calmer on security issues side so I could look into other issues as well. I finally had time to review some of the pull requests and go through the newly opened issues, but still there is lot of work to do.

The biggest change was that we've launched new website. This was mostly finished some weeks ago, but now it is alive. Hopefully it looks better and cleaner as it was created with all current page content in mind and not continuously adding new things on the way. Anyway it feels a bit strange for me doing designer work when I'm not really good at it. Anyway this is probably fourth version of our website I've done...

One other thing worth mentioning is reintroduction of $cfg['PmaAbsoluteUri'] in upcoming 4.6.5 release. It turns out to be needed in some reverse proxy setups.

Handled issues:

Weekly phpMyAdmin contributions 2016-W32

Tonight phpMyAdmin 4.0.10.17, 4.4.15.8, and 4.6.4 were released and you can probably see that there are quite some security issues fixed. Most of them are not really exploitable unless your PHP and webserver are poorly configured, but still it's good idea to upgrade.

If you are running Debian unstable, use our phpMyAdmin PPA for Ubuntu or use phpMyAdmin Docker image upgrading should be as simple as pulling new version.

Besides fixing security issues, we're generally hardening our infrastructure. I'm really grateful that Emanuel Bronshtein (@e3amn2l) is doing great review of all of our code and helps us in this area. This will really make our code and infrastructure much better.

Handled issues:

Weekly phpMyAdmin contributions 2016-W31

Going back to more or less normal work mode, last week was again more focused on bug handling and improvements.

I've focused on our website, mostly due to some feedback we got from security reviews. It no longer lists MD5 checksums in favor for SHA1 and SHA256. The same change has been applied to themes as well. Besides that I've worked on making the website layout responsive, so that it works reasonably on small screens as well. In the end I've chosen to use Bootstrap for that. This work has been submitted as pull request for review. While working on the hashes, I've realized that we could do more to tell users to verify the downloaded version, so that ended up in second pull request, which adds post download popup showing information how to verify the download (preferring PGP if the release has been signed). Both changes are still pending, but will most likely be merged and put online this week.

Besides website, I've mostly spent time on reviewing pull requests, where we got quite some amount of them and were sitting in the tracker without any feedback. Many of them could be immediately merged, others have received feedback on how to improve them to make them ready for merge.

Handled issues: