Merge branch 'QA_5_0' into STABLE

.gitattributes

@@ -4,7 +4,11 @@
 .travis.yml export-ignore
 .scrutinizer.yml export-ignore
 .jshintrc export-ignore
+.stylelintrc.json export-ignore
+.eslintrc.json export-ignore
+.eslintignore export-ignore
 .weblate export-ignore
-codeconv.yml export-ignore
-.php_cs export-ignore
+codecov.yml export-ignore
 build.xml export-ignore
+phpcs.xml.dist export-ignore
+phpstan.neon.dist export-ignore

.travis.yml

@@ -28,7 +28,6 @@ after_script:
   - if [ -f vendor/bin/codacycoverage ] ; then php vendor/bin/codacycoverage clover || true ; fi
   - if [ -f php.log ] ; then cat php.log ; fi
   - if [ -f nginx-error.log ] ; then cat nginx-error.log ; fi
-  - if [ -f build/logs/phpunit.json ] ; then ./scripts/phpunit-top-tests build/logs/phpunit.json ; fi
   - if [ -f config.inc.php ] ; then rm -rf config.inc.php; fi
   - if [ "$CI_MODE" = "selenium" ] ; then ~/browserstack/BrowserStackLocal --daemon stop; fi
 
@@ -53,6 +52,7 @@ jobs:
   include:
     - stage: "Lint and analyse code"
       name: "Lint files"
+      before_install: phpenv config-rm xdebug.ini
       before_script: skip
       after_script: skip
       after_success: skip
@@ -64,6 +64,7 @@ jobs:
 
     - stage: "Lint and analyse code"
       name: "Run phpstan"
+      before_install: phpenv config-rm xdebug.ini
       before_script: skip
       after_script: skip
       after_success: skip
@@ -129,7 +130,8 @@ jobs:
         - CI_MODE=test
         - YARN_GPG=no
       before_install:
-        - choco install php composer mariadb
+        - choco install php composer
+        - choco install mariadb --version=10.4.8
         - export PATH=/c/tools/php74:/c/ProgramData/ComposerSetup/bin:/c/"Program Files"/"MariaDB 10.4"/bin:$PATH
         - PHP_EXTENSIONS="mysqli curl bz2 gd2 pdo_mysql"
         - for php_ext in $PHP_EXTENSIONS ; do sed -i -e "s/^;extension=${php_ext}/extension=${php_ext}/" /c/tools/php74/php.ini ; done

ChangeLog

@@ -1,6 +1,73 @@
 phpMyAdmin - ChangeLog
 ======================
 
+5.0.2 (2020-03-20)
+- issue        Fixed deprecation warning "implode(): Passing glue string after array is deprecated." function on export page
+- issue #15767 Fixed can not copy user account since 5.0 - "error #1133"
+- issue #15772 Fixed error code 500 during pagination of the tables in a database
+- issue #16009 Fix php error "Trying to access array offset on value of type null" on column distinct values feature
+- issue #15741 Fix fatal javascript error on clicking "Pick from Central Columns"
+- issue #15773 Fixed a view named "views" adds an expand button
+- issue #15432 Fixed names of the pages in the designer should be unique
+- issue #14310 Fixed column selector "See more" removes "Preview SQL" and "Save" area
+- issue        Fixed wrong jQuery function call in table search page
+- issue #15761 Fix uncaught TypeError when using "$cfg['ServerDefault'] = 0;"
+- issue #15780 Fixed unexpected UI of action links (text only mode)
+- issue #15674 Replace twig/extensions with phpmyadmin/twig-i18n-extension
+- issue #15799 Change location of profiling state documentation to fix column ordering
+- issue #15720 Fix designer adding all available tables to a designer page after adding a new relationship
+- issue #15791 Replace facebook/webdriver by php-webdriver/webdriver
+- issue #15802 Removed SET AUTOCOMMIT=0 from SQL export
+- issue #15818 Fix table borders missing on theme original since 5.0.0
+- issue #13864 Fix ENUM's radiobuttons reset on "Continue insertion with" changes
+- issue #15811 Fixed browse foreign values doesn't show a modal with grid edit
+- issue #15817 Fix "new table" layout issue on original theme
+- issue #15798 Fixed not needed prompt before abandoning changes on SQL tab after only changing a checkbox
+- issue #15833 Fix php TypeError when submitting unchanged data
+- issue        Fix php notice "Trying to access array offset on value of type bool" on Designer
+- issue #13326 Added integer validations on search page
+- issue #15200 Fixed server-side HTTPS detection misses support for Forwarded HTTP Extension (RFC 7239)
+- issue #15831 Fixed DB names starting with "b" being cut off in <option>, User account page
+- issue #15850 Fixed display content from "information_schema.PROCESSLIST"
+- issue #15836 Fixed "has no type" error on export and import pages for "Chinese traditional" users
+- issue #15863 Fixed designer move menu icon not changing directions and tables menu list resize button
+- issue #15854 Fixed black borders for full screen mode on Designer
+- issue #15899 Fix "Uncaught TypeError: mb_strtoupper()" on the relational view of a view
+- issue        Fixed some php uncaught errors and notices on user missing extension
+- issue #15926 Fixed PhpMyAdmin\Core::getRealSize('8000M') returns a float instead of an int
+- issue #15410 Fixed auto increment reset issue where the last value of AI was saved an could destroy the "good" value
+- issue #15187 Fixed editing a row and using 'insert as new row' uses primary key 0 instead of NULL
+- issue #15877 Fixed php error "preg_match() expects parameter 2 to be string, null given" on some specific tables
+- issue #15795 Fix broken link on "MySQL said" error message
+- issue #15781 Fix illegal string offset error on structure page of 'information_schema' database
+- issue #15745 Fix version 5.0.1 suggests 4.9.4 as latest stable version
+- issue #15958 Fix uncaught TypeError when sorting database tables by size or by rows
+- issue #15830 Fix strftime issue on windows for Japanese users on "Structure" tab
+- issue        Windows testsuite fixes
+- issue #15879 Added missing CSS class on "simulate query" button
+- issue #15401 Fixed php notice "Undefined index HMAC_secret" for users upgrading phpMyAdmin without a log-out
+- issue #15810 Fixed unexpected heading on add a new procedure, trigger, function, routine modals
+- issue #15970 Removed wrong html a tag on "Replication status" header
+- issue        Add missing css classes on some buttons
+- issue #15937 Make modals draggability/expand (down) work after a screen zoom change
+- issue        Fix php notice "Undefined index: on_delete" while creating a foreign key
+- issue #15876 Fixed select "IN (...)" is a simple select instead of a multiple select
+- issue        Fix maxlength for User and Host on replication add user form
+- issue #15282 Fixed MySQL 8.0 password syntax error when creating a replication user
+- issue #15986 Fixed php fatal error "Uncaught TypeError: array_flip() expects parameter 1 to be array, null given"
+- issue        Fixed php fatal error "Uncaught TypeError: htmlspecialchars() expects parameter 1 to be string, int given"
+- issue        Support phpunit 9.0
+- issue        Fix error in NavigationTree where $key might be sent as an int instead of a str to urlencode
+- issue #16022 Fix uncaught TypeError on browse foreigners
+- issue        Fix failure if relational display field value is NULL - "Display column for relationships"
+- issue #16033 Remove vendor bin files from non source version of phpMyAdmin
+- issue #15898 [security] Fix escape tbl_storage_engine argument used on tbl_create.php
+- issue #15224 Don't fire keyboard shortcuts while SQL query area is focused (on a mobile for example)
+- issue        [security] Fix SQL injection with certain usernames (PMASA-2020-2)
+- issue        [security] Fix SQL injection in particular search situations (PMASA-2020-3)
+- issue        [security] Fix SQL injection and XSS flaw (PMASA-2020-4)
+- issue        Deprecate "options" for the external transformation; options must now be hard-coded along with the program name directly in the file.
+
 5.0.1 (2020-01-07)
 - issue #15719 Fixed error 500 when browsing a table when $cfg['LimitChars'] used a string and not an int value
 - issue #14936 Fixed display NULL on numeric fields has showing empty string since 5.0.0
@@ -65,6 +132,12 @@ phpMyAdmin - ChangeLog
 - issue #15677 Fix show process-list triggers a php exception
 - issue #15697 Fix uncaught php error: "Call to a member function get() on null" in db_export.php when exporting a table from the list
 
+4.9.5 (2020-03-20)
+- issue        [security] Fix SQL injection with certain usernames (PMASA-2020-2)
+- issue        [security] Fix SQL injection in particular search situations (PMASA-2020-3)
+- issue        [security] Fix SQL injection and XSS flaw (PMASA-2020-4)
+- issue        Deprecate "options" for the external transformation; options must now be hard-coded along with the program name directly in the file.
+
 4.9.4 (2020-01-07)
 - issue #15724 Fix 2FA was disabled by a bug
 - issue        [security] Fix SQL injection vulnerability on the user accounts page (PMASA-2020-1)

README

@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 5.0.1
+Version 5.0.2
 
 A web interface for MySQL and MariaDB.
 

composer.json

@@ -49,14 +49,14 @@
         "phpmyadmin/motranslator": "^4.0",
         "phpmyadmin/shapefile": "^2.0",
         "phpmyadmin/sql-parser": "^5.0",
+        "phpmyadmin/twig-i18n-extension": "^2.0",
         "phpseclib/phpseclib": "^2.0",
         "symfony/config": "^4.2.8",
         "symfony/dependency-injection": "^4.2.8",
         "symfony/expression-language": "^4.2",
         "symfony/polyfill-ctype": "^1.8",
         "symfony/polyfill-mbstring": "^1.3",
         "symfony/yaml": "^4.2.8",
-        "twig/extensions": "~1.5.1",
         "twig/twig": "^2.4",
         "williamdes/mariadb-mysql-kbs": "^1.2"
     },
@@ -82,10 +82,10 @@
     },
     "require-dev": {
         "codacy/coverage": "^1.3.0",
-        "facebook/webdriver": "^1.7.1",
+        "php-webdriver/webdriver": "^1.7.1",
         "phpmyadmin/coding-standard": "^1.0",
         "phpstan/phpstan": "^0.11.5",
-        "phpunit/phpunit": "^7.5 || ^8.0",
+        "phpunit/phpunit": "^7.5 || ^8.0 || ^9.0",
         "pragmarx/google2fa-qrcode": "^1.0.1",
         "samyoul/u2f-php-server": "^1.1",
         "squizlabs/php_codesniffer": "^3.0",

db_central_columns.php

@@ -65,7 +65,7 @@
     exit;
 }
 if (isset($_POST['getColumnList'])) {
-    $response->addJSON($controller->getColumnList([
+    $response->addJSON('message', $controller->getColumnList([
         'cur_table' => $_POST['cur_table'] ?? null,
     ]));
     exit;

db_designer.php

@@ -76,8 +76,23 @@
         if ($_POST['save_page'] == 'same') {
             $page = $_POST['selected_page'];
         } else { // new
-            $page = $designerCommon->createNewPage($_POST['selected_value'], $_POST['db']);
-            $response->addJSON('id', $page);
+            if ($designerCommon->getPageExists($_POST['selected_value'])) {
+                $response->addJSON(
+                    'message',
+                    /* l10n: The user tries to save a page with an existing name in Designer */
+                    __(
+                        sprintf(
+                            "There already exists a page named \"%s\" please rename it to something else.",
+                            htmlspecialchars($_POST['selected_value'])
+                        )
+                    )
+                );
+                $response->setRequestStatus(false);
+                return;
+            } else {
+                $page = $designerCommon->createNewPage($_POST['selected_value'], $_POST['db']);
+                $response->addJSON('id', $page);
+            }
         }
         $success = $designerCommon->saveTablePositions($page);
         $response->setRequestStatus($success);

doc/conf.py

@@ -51,7 +51,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = '5.0.1'
+version = '5.0.2'
 # The full version, including alpha/beta/rc tags.
 release = version
 

doc/config.rst

@@ -9,7 +9,7 @@ All configurable data is placed in :file:`config.inc.php` in phpMyAdmin's
 toplevel directory.  If this file does not exist, please refer to the
 :ref:`setup` section to create one. This file only needs to contain the
 parameters you want to change from their corresponding default value in
-:file:`libraries/config.default.php` (this file is not inteded for changes).
+:file:`libraries/config.default.php` (this file is not intended for changes).
 
 .. seealso::
 

doc/setup.rst

@@ -96,7 +96,7 @@ In order to install from Git, you'll need a few supporting applications:
 * `Git <https://git-scm.com/downloads>`_ to download the source, or you can download the most recent source directly from `Github <https://codeload.github.com/phpmyadmin/phpmyadmin/zip/master>`_
 * `Composer <https://getcomposer.org/download/>`__
 * `Node.js <https://nodejs.org/en/download/>`_ (version 8 or higher)
-* `Yarn <https://yarnpkg.com/lang/en/docs/install>`_
+* `Yarn <https://legacy.yarnpkg.com/en/docs/install>`_
 
 You can clone current phpMyAdmin source from
 ``https://github.com/phpmyadmin/phpmyadmin.git``:

export.php

@@ -285,7 +285,11 @@
     $response->disable();
     //Disable all active buffers (see: ob_get_status(true) at this point)
     do {
-        $hasBuffer = @ob_end_clean();
+        if (ob_get_length() > 0) {
+            $hasBuffer = ob_end_clean();
+        } else {
+            $hasBuffer = false;
+        }
     } while ($hasBuffer);
 }
 

js/ajax.js

@@ -152,6 +152,13 @@ var AJAX = {
      * @return void
      */
     lockPageHandler: function (event) {
+        // don't consider checkbox event
+        if (typeof event.target !== 'undefined') {
+            if (event.target.type === 'checkbox') {
+                return;
+            }
+        }
+
         var newHash = null;
         var oldHash = null;
         var lockId;