Thursday, November 27, 2014

phpMyAdmin work during the seventh week

This week was quite busy with a lot of security fixes. At the beginning of the week 5 security vulnerabilities were reported and I spent most of Monday and Tuesday doing fixes, porting them to other branches, preparing security advisories and communicating with the reporter, the security team and the CVE team.

Following is the list of security vulnerabilities fixed.

Security fixes
#4594 Path Traversal in File Inclusion of GIS Factory
#4595 Path Traversal can lead to leakage of line count
#4596 XSS through exception stack
#4597 XSS through pma_fontsize cookie
#4598 XSS in multi submit

During the week I was also engaged in the usual bug fixing, and the following bug fixes are now ready to be released with the next release.

Bug fixes
#4057 db/table query string parameters no longer work
#4444 No insert statement produced in SQL export for queries with alias
#4591 Spinner in navigation running forever
#4599 Input field is erased after keyboard language switch
#4602 Exporting selected rows export all rows of the query
#4603 Field disabled when internal relations used

Additionally, I also attended to the following bugs.

Bugs attended
#4254 Unable to log in after timeout had been exceeded (cookie)
#4008 Unable to log back in after session expired
#3773 No tables shown because of privileges of views
#4367 Import status infinite loop
#4295 Problem when session expires while importing file

Towards the end of the week, I had a look at the token mismatch issue that was reported to us several times. I will update you on the progress of this in the next post.

Tuesday, November 18, 2014

phpMyAdmin work during the sixth week

During the week I mostly attended to bugs. Please find below the list of bugs fixed and attended during the week.

Bug fixes
#4582 Debug SQL works only for the first page
#4581 Some links in query_result doesn't work
#4404 Recordset return from procedure display nothing
#4584 Edit dialog for routines is too long for smaller displays
#4585 Multi query results not shown
#4588 Moving, renaming, dropping actions in table operations page results in token mismatch
#4589 Can not add new procedures

Bugs attended
#3588 X-WebKit-CSP Header breaks Safari
#3940 Content Security Policy errors with Safari 5.1
#4061 No error message when calling an insert stored procedure with too few parameters
#4590 "Browse Foreign Values" not working

In addition to the above I was occupied with upgrading the result display for multiple queries. Earlier it was at a very primitive level: all the rows were shown without any limit and no additional browsing features were present. I refactored the result display mechanism to reuse it for multiple queries. However, it was decided that the changes might make the upcoming 4.3 release unstable, so it is now targeted for version 4.4. Here is the pull request:

https://github.com/phpmyadmin/phpmyadmin/pull/1397

The following feature requests were also implemented during the week.

Feature requests
#1556 Disabling Show all
#1553 InnoDB presently supports one FULLTEXT index creation at a time

Tuesday, November 11, 2014

phpMyAdmin work during the fifth week

I am back from the holiday, during which I attended the GSoC Reunion and did some wonderful sightseeing in the USA. During the fifth week of work (first week of November) I attended to a mix of performance improvements as well as a couple of bug fixes.

I got access to the test server prepared by Ann + J.M. and could test the performance improvements done for environments with thousands of databases. Even though I could achieve reasonable performance for privileged users, unprivileged users were still seeing long delays. Even 'SHOW DATABASES' queries were as slow as queries on information_schema. The only fast query to access the database list was 'SHOW DATABASES LIKE' with a database name pattern. So the navigation was updated to parse the GRANTS for the user to identify the databases he/she has access to, and those names were used with 'SHOW DATABASES LIKE' queries to get the list of databases.
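The grant-driven database listing described above, as an added illustration (this is not phpMyAdmin's own navigation code): parse SHOW GRANTS output into database-name patterns, turn each into a SHOW DATABASES LIKE query, and simulate the server's LIKE matching offline so the resulting list can be checked without a server. Database names in GRANT statements use the same % and _ wildcards (and \% and \_ escapes) as LIKE, so they can be passed through verbatim. The grant lines, database names and function names are constructed for this example.

```python
import re

# Constructed sample output of SHOW GRANTS FOR CURRENT_USER() (not captured from a real server).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'app'@'localhost'",
    "GRANT ALL PRIVILEGES ON `report\\_%`.* TO 'app'@'localhost'",
    "GRANT SELECT ON `shop`.`orders` TO 'app'@'localhost'",
]
# Captures the privilege list and the database part of "ON db.obj" (`quoted`, * or bare).
_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<db>`(?:[^`]|``)*`|\*|[^\s.`]+)\.", re.IGNORECASE)

def db_patterns_from_grants(grants):
    # Database name patterns the user holds any privilege on; None means a non-USAGE
    # global grant (ON *.*) makes every database visible, so nothing needs enumerating.
    patterns = []
    for grant in grants:
        m = _GRANT_RE.match(grant.strip())
        if not m:
            continue
        db = m.group("db")
        if db.startswith("`"):  # strip backticks, un-double embedded ones
            db = db[1:-1].replace("``", "`")
        if db == "*":
            if m.group("privs").strip().upper() != "USAGE":
                return None
            continue  # USAGE ON *.* grants no database access by itself
        patterns.append(db)
    return list(dict.fromkeys(patterns))  # de-duplicate, keep order

def show_databases_queries(patterns):
    # One cheap SHOW DATABASES LIKE query per pattern (single quotes doubled for the literal).
    return ["SHOW DATABASES LIKE '%s'" % p.replace("'", "''") for p in patterns]

def like_to_regex(pattern):
    # Anchored regex equivalent of a LIKE pattern, to simulate the server's matching offline.
    out, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out += re.escape(pattern[i + 1]); i += 2
        else:
            out += {"%": ".*", "_": "."}.get(pattern[i], re.escape(pattern[i])); i += 1
    return re.compile("^" + out + "$")

def visible_databases(grants, all_databases):
    # Databases the navigation would list for this user (offline simulation of the LIKE queries).
    patterns = db_patterns_from_grants(grants)
    if patterns is None:
        return sorted(all_databases)
    return sorted(db for db in all_databases if any(like_to_regex(p).match(db) for p in patterns))
```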

In addition to the above I attended to the following fixes during the week.

Bug fixes
#4577 Multi row actions causes full page reloads
#3481 Designer relations in IE 8 - partial fix
#4582 Debug SQL works only for the first page

Bugs attended
#3046 Tracking + MySQL interactive_timeout yields error
#3554 copy paste with middle mouseclick in colored sqlbox
#3073 auth_type signon - odd behaviour at ex- and importing

Security fixes
#4578 Undisclosed vulnerability
#4579 Undisclosed vulnerability

Refactoring
Refactoring Node class of the navigation

P.S.: I was on leave on Friday due to personal reasons.

Tuesday, November 4, 2014

phpMyAdmin work during the third week

This blog post was due for some time. However, I couldn't write it since I was busy attending the GSoC Reunion and doing some sightseeing in the USA afterwards.

During the third week of work I continued to focus on stabilizing the code for the upcoming version 4.3 release. I was mainly attending to performance improvements related to the usage of information_schema. Following are the bugs addressed by the performance improvements.

#3869 Count(*) on information_scheme.INNODB_BUFFER_PAGE with a huge bufferpool
#4243 Super slow page rendering with tens of thousands of DBs
#4513 phpmyadmin run very slow (information_schema)

Additionally, the hide_db and only_db directives were fixed as part of the performance improvements, addressing the following bug.

#3820 hide_db, only_db not working in left panel

Further, the following bugs were also fixed.

#4259 reCaptcha sound session expired problem
#4560 PHP error on master branch
#4564 Designer: spaces in table name with edit table link generates bad links
#4557 PHP fatal error
#4568 Date displayed incorrectly when charting a timeline
#4561 PHP error in transformations
#4431 Wiki page on charts is out of date

Two security issues were also identified and fixed during the third week.

#4562 XSS in debug SQL output
#4563 XSS in monitor query analyzer