Michal Čihař - Blog Archives for phpMyAdmin

Last week got again more focus on bug fixing. Mostly those were again hardenings on our infrastructure and Docker image, but there were some fixes as well. Overall the phpMyAdmin docker image got much better and it will be be even better with upcoming 4.6.5 release which adds some improvements to the main codebase.

Handled issues:

• #12640 Missing SPF
• #12643 Missing SSL support in mail.phpmyadmin.net
• #12645 Add documentaton checks to be executed in Travis CI
• #12628 AJAX request for exporting SQL results causes 403 Forbidden error
• #12647 Use justBrowsing only if outputting the results from a single table
• #12646 Incorrect protocol number at 500 header
• #12631 Fix order of testing DBConnection with different parameters in Config method
• #12616 Refuse to work with mbstring.func_overload enabled
• #12632 Use IDENTIFIED BY 'auth_string' if password check plugin is active
• #64 Missing white-list of allowed HTTP methods (in nginx.conf)
• #63 increased attack surface by internal redirect in try_files option
• #67 Deny access to all hidden files
• #77 Improve nginx setup
• #73 User configuration not taken into account
• #74 Fix user configuration and add tests for it
• #76 Avoid encoding PHP version in socket or log name
• #68 Incorrect PHP log/socket name
• #71 Performance Improvements to Test
• #75 Optimize PHP opcache settings
• #69 not needed sections in php.ini
• #70 Missing optional dependencies:
• #33 Missing HSTS header
• #32 Missing Redirect to HTTPS from HTTP
• #34 HTTPS to HTTP Redirect
• #38 Exposed old (not latest) PMA interface with setup
• #6 Update id.po
• #4 Update id.po
• #5 Update id.po

Last week was mostly focused on motranslator and removing it's usage of eval(). After introducing library to do the expression evaluation, I've learned that there is already existing library having all features we need - symfony/expression-language. There could be better way to learn this, but still lesson learned and I will evaluate existing libraries more carefully next time. Now the motranslator 2.0 is out without eval() and with dependency on symfony/expression-language.

Besides that there was some discussion about improving quality of our documentation translations by using automated checks. The set of such checks is already provided by Weblate, but it really doesn't cover RST markup and some improvements could be borrowed from the dennis tool.

Handled issues:

• #12617 Fatal error: Call to undefined function __() in /usr/share/phpmyadmin/libraries/core.lib.php on line 235
• #5 Remove use of eval()
• #2 Fix issues found using dennis
• #3 Added Indonesian translation

Yesterday, the motranslator 2.0 has been released. As the version change suggests there are some important changes under the hood.

Full list of changes:

• Consistently use camelCase in API
• No more relies on using eval()
• Depends on symfony/expression-language for calculations

As you can see, yesterday announced SimpleMath is not used in the end and I've moved to use existing library. Somehow I misunderstood library description and I thought that it works as PHP, what would be problem for us (or would bring need to add parenthesis around ternary operator as we did with eval()). But this is not the case and ternary operator behaves sane in ExpressionLanguage, so we're good too use it.

Anyway if you were using MoTranslator, it might be good idea to upgrade and check if API changes affect you.

For quite some time we've been relying on using eval() function in phpMyAdmin in two places. One of them is gettext library, where we have to evaluate plural forms and second of them is MySQL configuration advisor, which does it's suggestions based on text file (the original idea was to make this file shared with other tools, but it never really worked out).

Using eval() in PHP is something what is better to avoid, but we were using it on data we ship, so it was considered safe. On the other side, there are hostings which deny using eval() altogether (as many of exploits are using this function), so it's better to avoid that. I've been looking for options for replacing eval() in motranslator (library we use for handling Gettext MO files) for quite some time, but never found library which would support all operators needed in Gettext plural formulas.

Yesterday I finally came to conclusion that writing own library to do this is best approach. This way it can in future extended to work with Advisor as well. Also we can make it pretty lightweight without additional dependencies (what was problem in some existing libraries I've found).

To make the story short, this is how SimpleMath was born. As of now, it has grown to version 0.2 (you can use Packagist to install it). For now it's really simple and it can be probably confused by various strange inputs, but it seems for work pretty well for our case. Currently supported features:

• Supports basic arithmetic operations +, -, *, /, %
• Supports parenthesis
• Supports right associative ternary operator
• Supports comparison operators ==, !=, >, <, >=, <=
• Supports basic logical operations &&, ||
• Supports variables (either PHP style $a or simple n)

Maybe it will be usable for somebody else as well, but even if not, it's the way for us to get rid of using eval() in our codebase.

Update

It seems that Symfony ExpressionLanguage Component is doing pretty much same, but more flexible and faster, so SimpleMath will be probably dead soon and we will switch to using Symphony component.

Last week was pretty short for me, only two days at computer, so amount of work done is limited as well. I've fixed few minor issues and reviewed pull requests. There was some security work as well, but that's something you will see in the future.

Handled issues:

• #12582 Use Response instead of Message's display method to print error
• #12615 any-character instead of dot in regex
• #12607 http link in https://keybase.io/phpmyadmin_sec
• #12596 Fix #12327: Show as PHP No longer works
• #12584 If multiple queries are submitted, save the commulative bookmark only once
• #12601 Fix #12455: Query history stores separate entry for every letter typed
• #12605 Old file
• #12606 Change setup link from master to STABLE
• #12595 Remove Util::pow
• #72 Adding PMA_VERBOSE and PMA_VERBOSES environment variables
• #90 Fix parsing of subquery in FROM clause
• #87 Implement parsing and building for Delete Statement
• #88 Add parsing of CASE Expressions

Last week was quite similar to previous weeks - most time has been spent on reviewing pull requests, improving documentation and improving Docker container.

On the Docker container, I've enabled open_basedir restrictions, so the attack surface is a bit lower. However there are still lot of hardening suggestions open in the issue tracker.

Handled issues:

• #12597 localized_docs build steps create dirty diff on Fedora 24
• #12598 Indonesian translations under language code 'in'
• #12594 Incorrect Regex: (192a168b0c1111 will pass)
• #12475 Double Assigning to $GLOBALS['showtable']
• #12508 Code Duplication
• #12505 Missing function PMA_sanitizeFilename
• #12511 Bypassing some regex used in ArbitraryServerRegexp
• #12297 featurerequest: add config parameter for logging errors to a file or syslog server
• #12332 Slowness issue with many tables
• #12367 Menu Expanding & Running Queries issues in LB setup
• #12484 Suggestion: Put most significant location information first in the title tag
• #12456 Setup and all other script fails to load when upgrading (from 2.11)
• #12499 Force index fails
• #12585 only_db was unexpectedly written to pma_userconfig
• #12590 Adding ENUM column in 4.6.4 don't works
• #89 Cleanup comment metadata

Last week was again mostly spent on reviewing pull requests and screening issues. This little housecleaning work is sometimes surprisingly time consuming :-).

Besides that I've again reviewed potential security weaknesses in our process reported by Emanuel Bronshtein. This lead to various hardenings in our Docker container, Debian packages or our website. There are still places to improve, but we're getting better with every commit.

Additionally there was release for motranslator and SQL parser, both of these are now properly listed on GitHub releases page.

Handled issues:

• #12578 Fix error in adcaf7c
• #12580 Assign LIMIT clause only to syntactically correct queries
• #12574 SELECT * FROM INFORMATION_SCHEMA.SCHEMATA error
• #12568 Remove token from links and icon links in Navigation bar
• #12556 Fix #12300 : Uncheck the Add CREATE PROCEDURE / FUNCTION etc. checkbox for a selective export
• #12544 Fix #12530: Show enabled links for Edit and Execute after proper priv checks
• #12555 Allow vertical scrolling to read longer text values in grid editing
• #12557 Don't use PMA_DROP_IMPORT on Table insert if it has Blob field
• #12565 German Translation under Replication is wrong
• #54 allow to describe host with description
• #52 Is it necessary to run it as root?
• #53 Start PHP-FPM as nobody
• #31 Project's birthday is September 9
• #86 incorrect "Latest release" in sql-parser
• #83 XSS in the highlighter
• #84 Escape sequence injection in Formatting SQL query (cli fromat)
• #85 Fix parsing of user@host without backquotes

Last week was heavily focused on reviewing incoming code, mostly on our SQL parser. Thanks to several contributions we have made it even better.

The SQL parser s releases now include list of changes, so you can easily see what has been changed. While touching the SQL parser code, I've added some missing bits in testsuite code coverage and we're now really close to 100%.

Another useful thing for our library users is API documentation which is now available at https://develdocs.phpmyadmin.net/. It covers all libraries we've recently released (motranslator, sql-parser and shapefile).

Handled issues:

• #12560 Avoid encoding release username in tarballs
• #12547 prevent direct calls of include files
• #12553 Fix #12320 : Copying a user does not copy usergroup
• #12548 Fix Export and Copy of Tables with Generated/Virtual columns
• #12397 Review mb_strlen uses
• #12510 Add https://keybase.io/phpmyadmin_sec to security page
• #12444 Comment command does not work correctly
• #12282 whitespaces before and after the column names
• #12512 BBCode not transfered to HTML
• #12550 idle requests every 2 seconds
• #11628 INSERT ... ON DUPLICATE KEY
• #28 Add DebConf16 team photo and short description to Team page
• #42 Example usage and wiki
• #81 Please provide a Changelog
• #82 fix default options in Formater constructor
• #80 Add support for PHP 5.3 [WIP]
• #77 Fix parsing of REPLACE INTO ... Statements
• #79 Stop SelectStatement parsing and revert back in case of ON DUPLICATE KEY …
• #76 Fix parsing of INSERT...SELECT and INSERT...SET syntax
• #70 Fix #59: Non-reserved keywords should be allowed as a field name
• #75 Add correct parsing of SET CHARACTER SET, CHARSET , NAMES statements
• #71 Fix #55 : Add support for spatial datatypes

Last week was a bit calmer on my phpMyAdmin contributions as I've spent more time on other free software projects (namely Gammu).

Anyway there was still some amount of reviewing pull requests and bug screening and I've added PHP 7.1 to the testsuite on Travis while fixing some bugs this has revealed (thanks Deven for helping in this as well). Most notable these were bugs in our testsuite feeding invalid mock data in some situations. Without type warnings in upcoming PHP 7.1 these would be further unnoticed.

Handled issues:

• #12302 Use number_format parameters instead of Util::localizeNumber
• #12537 Using number_format parameters instead of Util::localizeNumber
• #12507 Documentation Update after PMASA-2016-54 fix
• #12528 Documentation Update after PMASA-2016-54 fix #12507
• #12470 Store 'tab_' + tab_id into a variable
• #12541 Fixes #12470 Stores tab_id hash into a variable instead of location.hash
• #12540 Fixes #12470 Stores tab_id hash into a variable instead of location.hash
• #12532 Fix #12531 : Properly flag queries as DROP DATABASE
• #12539 Fix numeric errors in PHP7.1
• #51 [enhancement] Version only php-fpm, without nginx and supervisord
• #68 Fix #49: Add Support for 'CREATE TABLE table_copy LIKE table;'
• #67 Fix #53: Allow parsing of COMMENT operation in ALTER statement
• #69 Fix spaces after expression in PartitionDefinition's build
• #66 Fix #10: Add a check if we find a new start to new statement before delimiter

Last week had still major focus on our Docker container, which is now better than ever :-). There also was a motranslator release to push some of the bug fixes to users.

Other than that there was usual amount of bug screening and fixing which you can see from list of issues below.

Handled issues:

• #12405 Create PHP code in Insert Tab
• #12522 Fixes #12509 Removes unused function PMA_addJSVar
• #12509 Dead code
• #12524 Check for token mismatches only if it's a POST request
• #12520 phpmyadmin bot comment has links redirecting to a 404
• #12521 no functions possible in 4.0.x at all?
• #12303 Wrong table status size reported
• #12517 An error in Linter.php has been fixed.
• #12513 Invalid IFRAME tag
• #12516 Missing intval
• #12515 Add entries to .gitignore
• #12380 One code to handle HTTP requests
• #12465 Fixes #12380 Refactored http requests into one function "httpRequest" in Util.php
• #12502 Proper type support for mysqli_real_connect() parameters
• #32 Frequently losing session
• #49 PMA_ARBITRARY seems to be ignored in the latest image build (but its ok with the phpmyadmin/phpmyadmin:4.6.4-1 image)
• #20 Image does not shutdown gracefully
• #26 Change STOPSIGNAL: SIGINT
• #48 Use supervisor + nginx + php-fpm
• #63 fixup of example in documentation