Merge branch 'QA_5_1'

Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>

ChangeLog

@@ -128,6 +128,7 @@ phpMyAdmin - ChangeLog
 - issue #16906 Use the control connection to create the storage database and tables and not the user connection
 - issue #16693 Fix can't see SQL after adding a new column
 - issue #12753 Show table structure after adding a new column
+- issue        Fix a PHP notice when logging out
 
 5.1.1 (2021-06-04)
 - issue #13325 Fixed created procedure shows up in triggers and events and vice-versa

composer.json

@@ -91,7 +91,7 @@
         "php-webdriver/webdriver": "^1.11",
         "phpmyadmin/coding-standard": "^3.0.0",
         "phpstan/extension-installer": "^1.1",
-        "phpstan/phpstan": "^0.12.98",
+        "phpstan/phpstan": "^0.12.99",
         "phpstan/phpstan-phpunit": "^0.12.17",
         "phpstan/phpstan-webmozart-assert": "^0.12.12",
         "phpunit/phpunit": "^8.5 || ^9.5",

libraries/classes/Url.php

@@ -118,7 +118,7 @@ public static function getHiddenFields(array $values, $pre = '', $is_token = fal
         $fields = '';
 
         /* Always include token in plain forms */
-        if ($is_token === false) {
+        if ($is_token === false && isset($_SESSION[' PMA_token '])) {
             $values['token'] = $_SESSION[' PMA_token '];
         }
 

test/classes/UrlTest.php

@@ -168,4 +168,16 @@ public function testGetFromRouteMaliciousScript(): void
             $generatedUrl
         );
     }
+
+    public function testGetHiddenFields(): void
+    {
+        $_SESSION = [];
+        $this->assertSame('', Url::getHiddenFields([]));
+
+        $_SESSION = [' PMA_token ' => '<b>token</b>'];
+        $this->assertSame(
+            '<input type="hidden" name="token" value="&lt;b&gt;token&lt;/b&gt;">',
+            Url::getHiddenFields([])
+        );
+    }
 }