Merge tag 'RELEASE_4_5_4' into STABLE

Released 4.5.4

.travis.yml

@@ -9,8 +9,6 @@ php:
   - "7.0"
   - "5.6"
   - "5.5"
-  - hhvm
-  - nightly
 
 sudo: false
 
@@ -52,20 +50,6 @@ after_script:
   - if [ -f vendor/bin/coveralls ] ; then php vendor/bin/coveralls -v || true ; fi
   - if [ -f php.log ] ; then cat php.log ; fi
 
-matrix:
-  allow_failures:
-    - php: 5.6
-      env: PHPUNIT_ARGS="--group selenium" SELENIUM="yes"
-    - php: hhvm
-      env: PHPUNIT_ARGS="--exclude-group selenium"
-    - php: nightly
-      env: PHPUNIT_ARGS="--exclude-group selenium"
-    - php: "7.0"
-      env: PHPUNIT_ARGS="--exclude-group selenium"
-  fast_finish: true
-  include:
-    - php: 5.6
-      env: PHPUNIT_ARGS="--group selenium" SELENIUM="yes"
 cache:
   directories:
     - $HOME/.composer/cache/

ChangeLog

@@ -1,6 +1,35 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.5.4.0 (not yet released)
+- issue #11724 live data edit of big sets is not working
+- issue        Table list not saved in db QBE bookmarked search
+- issue #11777 While 'changing a column', query fails with a syntax error after the 'CHARSET=' keyword
+- issue #11783 Avoid syntax error in javascript messages on invalid PHP setting for max_input_vars
+- issue #11784 Properly handle errors in upacking zip archive
+- issue #11785 Set PHP's internal encoding to UTF-8
+- issue #11786 Fixed Kanji encoding in some specific cases
+- issue #11787 Check whether iconv works before using it
+- issue #11788 Avoid conversion of MySQL error messages
+- issue #11792 Undefined index: parameters
+- issue #11802 Undefined index: field_name_orig
+- issue        Undefined index: host
+- issue #11810 'Add to central columns' (per column button) does nothing
+- issue #11727 SQL duplicate entry error trying to INSERT in designer_settings table
+- issue #11798 Fix handling of databases with dot in a name
+- issue #11820 Fix hiding of page content behind menu
+- issue #11780 FROM clause not generated after loading search bookmark
+- issue #11826 Fix creating/editing VIEW with DEFINER containing special chars
+- issue #11828 Do not invoke FLUSH PRIVILEGES when server in --skip-grant-tables
+- issue #11804 Misleading message for configuration storage
+- issue #11772 Table pagination does nothing when session expired
+- issue #11840 Index comments not working properly
+- issue #11791 Better handle local storage errors
+- issue #11752 Improve detection of privileges for privilege adjusting
+- issue #11854 Undefined property: stdClass::$releases at version check when disabled in config
+- issue #11814 SQL comment and variable stripped from bookmark on save
+- issue        Gracefully handle errors in regex based javascript search
+
 4.5.3.1 (2015-12-25)
 - issue #11774 Undefined offset 2
 - issue        [Security] Path disclosure, see PMASA-2015-6

README

@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 4.5.3.1
+Version 4.5.4
 
 A set of PHP-scripts to manage MySQL over the web.
 

db_create.php

@@ -17,6 +17,10 @@
 }
 require 'libraries/build_html_for_db.lib.php';
 
+if (! isset($_POST['new_db'])) {
+    PMA_Util::checkParameters(array('new_db'));
+}
+
 /**
  * Defines the url to return to in case of error in a sql statement
  */

db_designer.php

@@ -81,6 +81,8 @@
     return;
 }
 
+require 'libraries/db_common.inc.php';
+
 $script_display_field = PMA_getTablesInfo();
 $tab_column = PMA_getColumnsInfo();
 $script_tables = PMA_getScriptTabs();
@@ -126,8 +128,6 @@
 $scripts->addFile('pmd/iecanvas.js', true);
 $scripts->addFile('pmd/init.js');
 
-require 'libraries/db_common.inc.php';
-
 list(
     $tables,
     $num_tables,

doc/conf.py

@@ -51,7 +51,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = '4.5.3.1'
+version = '4.5.4'
 # The full version, including alpha/beta/rc tags.
 release = version
 

export.php

@@ -43,6 +43,7 @@
     $post_params = array(
             'db',
             'table',
+            'what',
             'single_table',
             'export_type',
             'export_method',
@@ -163,11 +164,12 @@
     }
 
     $table = $GLOBALS['table'];
-    // sanitize this parameter which will be used below in a file inclusion
-    $what = PMA_securePath($_POST['what']);
 
     PMA_Util::checkParameters(array('what', 'export_type'));
 
+    // sanitize this parameter which will be used below in a file inclusion
+    $what = PMA_securePath($_POST['what']);
+
     // export class instance, not array of properties, as before
     /* @var $export_plugin ExportPlugin */
     $export_plugin = PMA_getPlugin(

gis_data_editor.php

@@ -23,6 +23,10 @@ function escape($variable)
 require_once 'libraries/gis/GIS_Factory.class.php';
 require_once 'libraries/gis/GIS_Visualization.class.php';
 
+if (! isset($_REQUEST['field'])) {
+    PMA_Util::checkParameters(array('field'));
+}
+
 // Get data if any posted
 $gis_data = array();
 if (PMA_isValid($_REQUEST['gis_data'], 'array')) {
@@ -185,6 +189,9 @@ function escape($variable)
 }
 
 for ($a = 0; $a < $geom_count; $a++) {
+    if (! isset($gis_data[$a])) {
+        continue;
+    }
 
     if ($geom_type == 'GEOMETRYCOLLECTION') {
         echo '<br/><br/>';

import.php

@@ -104,7 +104,9 @@
 if (! empty($sql_query)) {
 
     // apply values for parameters
-    if (! empty($_REQUEST['parameterized']) && is_array($_REQUEST['parameters'])) {
+    if (! empty($_REQUEST['parameterized'])
+        && ! empty($_REQUEST['parameters'])
+        && is_array($_REQUEST['parameters'])) {
         $parameters = $_REQUEST['parameters'];
         foreach ($parameters as $parameter => $replacement) {
             $quoted = preg_quote($parameter);
@@ -771,7 +773,7 @@
             $db, // db
             $table, // table
             null, // find_real_end
-            $sql_query, // sql_query_for_bookmark
+            $_REQUEST['sql_query'], // sql_query_for_bookmark
             null, // extra_data
             null, // message_to_show
             null, // message

import_status.php

@@ -75,12 +75,12 @@
 }
  */
 
-// AJAX requests can't be cached!
-PMA_noCacheHeader();
-
 // $_GET["message"] is used for asking for an import message
 if (isset($_GET["message"]) && $_GET["message"]) {
 
+    // AJAX requests can't be cached!
+    PMA_noCacheHeader();
+
     header('Content-type: text/html');
 
     // wait 0.3 sec before we check for $_SESSION variable,

js/ajax.js

@@ -488,19 +488,7 @@ var AJAX = {
             PMA_ajaxShowMessage(data.error, false);
             AJAX.active = false;
             AJAX.xhr = null;
-            if (parseInt(data.redirect_flag) == 1) {
-                // add one more GET param to display session expiry msg
-                if (window.location.href.indexOf('?') === -1) {
-                    window.location.href += '?session_expired=1';
-                } else {
-                    window.location.href += '&session_expired=1';
-                }
-                window.location.reload();
-            } else if (parseInt(data.reload_flag) == 1) {
-                // remove the token param and reload
-                window.location.href = window.location.href.replace(/&?token=[^&#]*/g, "");
-                window.location.reload();
-            }
+            PMA_handleRedirectAndReload(data);
             if (data.fieldWithError) {
                 $(':input.error').removeClass("error");
                 $('#'+data.fieldWithError).addClass("error");

js/codemirror/addon/lint/sql-lint.js

@@ -6,9 +6,7 @@ CodeMirror.sqlLint = function(text, updateLinting, options, cm) {
         return;
     }
 
-    function handleResponse(json) {
-        response = JSON.parse(json);
-
+    function handleResponse(response) {
         var found = [];
         for (var idx in response) {
             found.push({
@@ -29,6 +27,7 @@ CodeMirror.sqlLint = function(text, updateLinting, options, cm) {
     $.ajax({
         method: "POST",
         url: "lint.php",
+        dataType: 'json',
         data: {
             sql_query: text,
             token: PMA_commonParams.get('token'),

js/config.js

@@ -711,7 +711,7 @@ AJAX.registerOnload('config.js', function () {
         });
 
     // detect localStorage state
-    var ls_supported = window.localStorage || false;
+    var ls_supported = isStorageSupported('localStorage');
     var ls_exists = ls_supported ? (window.localStorage.config || false) : false;
     $('div.localStorage-' + (ls_supported ? 'un' : '') + 'supported').hide();
     $('div.localStorage-' + (ls_exists ? 'empty' : 'exists')).hide();
@@ -811,7 +811,7 @@ function updatePrefsDate()
  */
 function offerPrefsAutoimport()
 {
-    var has_config = (window.localStorage || false) && (window.localStorage.config || false);
+    var has_config = (isStorageSupported('localStorage')) && (window.localStorage.config || false);
     var $cnt = $('#prefs_autoload');
     if (!$cnt.length || !has_config) {
         return;

js/cross_framing_protection.js

@@ -4,7 +4,11 @@
  */
 if (self == top) {
     var style_element = document.getElementById("cfs-style");
-    style_element.parentNode.removeChild(style_element);
+    // check if style_element has already been removed
+    // to avoid frequently reported js error
+    if (typeof(style_element) != 'undefined' && style_element != null) {
+        style_element.parentNode.removeChild(style_element);
+    }
 } else {
     top.location = self.location;
 }

js/functions.js

@@ -92,6 +92,27 @@ $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
     }
 });
 
+/**
+ * Hanle redirect and reload flags send as part of AJAX requests
+ *
+ * @param data ajax response data
+ */
+function PMA_handleRedirectAndReload(data) {
+    if (parseInt(data.redirect_flag) == 1) {
+        // add one more GET param to display session expiry msg
+        if (window.location.href.indexOf('?') === -1) {
+            window.location.href += '?session_expired=1';
+        } else {
+            window.location.href += '&session_expired=1';
+        }
+        window.location.reload();
+    } else if (parseInt(data.reload_flag) == 1) {
+        // remove the token param and reload
+        window.location.href = window.location.href.replace(/&?token=[^&#]*/g, "");
+        window.location.reload();
+    }
+}
+
 /**
  * Creates an SQL editor which supports auto completing etc.
  *
@@ -298,14 +319,31 @@ function suggestPassword(passwd_form)
     // restrict the password to just letters and numbers to avoid problems:
     // "editors and viewers regard the password as multiple words and
     // things like double click no longer work"
-    var pwchars = "abcdefhjmnpqrstuvwxyz23456789ABCDEFGHJKLMNPQRSTUVWYXZ";
+    var pwchars = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWYXZ";
     var passwordlength = 16;    // do we want that to be dynamic?  no, keep it simple :)
     var passwd = passwd_form.generated_pw;
+    var randomWords = new Int32Array(passwordlength);
+
     passwd.value = '';
 
+    // First we're going to try to use a built-in CSPRNG
+    if (window.crypto && window.crypto.getRandomValues) {
+        window.crypto.getRandomValues(randomWords);
+    }
+    // Because of course IE calls it msCrypto instead of being standard
+    else if (window.msCrypto && window.msCrypto.getRandomValues) {
+        window.msCrypto.getRandomValues(randomWords);
+    } else {
+        // Fallback to Math.random
+        for (var i = 0; i < passwordlength; i++) {
+            randomWords[i] = Math.floor(Math.random() * pwchars.length);
+        }
+    }
+
     for (var i = 0; i < passwordlength; i++) {
-        passwd.value += pwchars.charAt(Math.floor(Math.random() * pwchars.length));
+        passwd.value += pwchars.charAt(Math.abs(randomWords[i]) % pwchars.length);
     }
+
     passwd_form.text_pma_pw.value = passwd.value;
     passwd_form.text_pma_pw2.value = passwd.value;
     return true;
@@ -465,6 +503,9 @@ function PMA_addDatepicker($this_element, type, options)
         onClose: function (dateText, dp_inst) {
             // The value is no more from the date picker
             $this_element.data('comes_from', '');
+            if (typeof $this_element.data('datepicker') !== 'undefined') {
+                $this_element.data('datepicker').inline = false;
+            }
         }
     };
     if (type == "datetime" || type == "timestamp") {
@@ -4292,7 +4333,10 @@ function PMA_getCellValue(td) {
     var $td = $(td);
     if ($td.is('.null')) {
         return '';
-    } else if (! $td.is('.to_be_saved') && $td.data('original_data')) {
+    } else if ((! $td.is('.to_be_saved')
+        || $td.is('.set'))
+        && $td.data('original_data')
+    ) {
         return $td.data('original_data');
     } else {
         return $td.text();

js/makegrid.js

@@ -795,7 +795,7 @@ function PMA_makegrid(t, enableResize, enableReorder, enableVisib, enableGridEdi
                     }
 
                     // if the select/editor is changed un-check the 'checkbox_null_<field_name>_<row_index>'.
-                    if ($td.is('.enum, .set:not(.truncated)')) {
+                    if ($td.is('.enum, .set')) {
                         $editArea.on('change', 'select', function (e) {
                             $checkbox.prop('checked', false);
                         });
@@ -925,7 +925,7 @@ function PMA_makegrid(t, enableResize, enableReorder, enableVisib, enableGridEdi
                         $(g.cEdit).find('.edit_box').val($(this).val());
                     });
                 }
-                else if ($td.is('.set:not(.truncated)')) {
+                else if ($td.is('.set')) {
                     //handle set fields
                     $editArea.addClass('edit_area_loading');
 
@@ -943,10 +943,17 @@ function PMA_makegrid(t, enableResize, enableReorder, enableVisib, enableGridEdi
                         'curr_value' : curr_value
                     };
 
+                    // if the data is truncated, get the full data
+                    if ($td.is('.truncated')) {
+                        post_params.get_full_values = true;
+                        post_params.where_clause = PMA_urldecode(where_clause);
+                    }
+
                     g.lastXHR = $.post('sql.php', post_params, function (data) {
                         g.lastXHR = null;
                         $editArea.removeClass('edit_area_loading');
                         $editArea.append(data.select);
+                        $td.data('original_data', $(data.select).val().join());
                         $editArea.append('<div class="cell_edit_hint">' + g.cellEditHint + '</div>');
                     }); // end $.post()
 
@@ -1411,7 +1418,7 @@ function PMA_makegrid(t, enableResize, enableReorder, enableVisib, enableGridEdi
             } else {
                 if ($this_field.is('.bit')) {
                     this_field_params[field_name] = $(g.cEdit).find('.edit_box').val();
-                } else if ($this_field.is('.set:not(.truncated)')) {
+                } else if ($this_field.is('.set')) {
                     $test_element = $(g.cEdit).find('select');
                     this_field_params[field_name] = $test_element.map(function () {
                         return $(this).val();