New release 4.6.5.2

Author: nuxwin

ChangeLog

@@ -1,6 +1,181 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.6.5.2 (2016-12-05)
+- issue #12765 Fixed SQL export with newlines
+
+4.6.5.1 (2016-11-25)
+- issue #12735 Incorrect parameters to escapeString in Node.php
+- issue #12734 Fix PHP error when mbstring is not installed
+- issue #12736 Don't force partition count to be specified when creating a new table
+
+4.6.5 (2016-11-24)
+- issue        Remove potentionally license problematic sRGB profile
+- issue #12459 Display read only fields as read only when editing
+- issue #12384 Fix expanding of navigation pane when clicking on database
+- issue #12430 Impove partitioning support
+- issue #12374 Reintroduced simplified PmaAbsoluteUri configuration directive
+- issue        Always use UTC time in HTTP headers
+- issue #12479 Simplified validation of external links
+- issue #12483 Fix browsing tables with built in transformations
+- issue #12485 Do not show warning about short blowfish_secret if none is set
+- issue #12251 Fixed random logouts due to wrong cookie path
+- issue #12480 Fixed editing of ENUM/SET/DECIMAL fields structure
+- issue #12497 Missing escaping of configuration used in SQL (hide_db and only_db)
+- issue #12476 Add error checking in reading advisory rules file
+- issue #12477 Add checking missing elements and confirming element types from json_decode
+- issue #12251 Automatically save SQL query in browser local storage rather than in cookie
+- issue #12292 Unable to edit transformations
+- issue #12502 Remove unused paramenter when connecting to MySQLi
+- issue #12303 Fix number formatting with different settings of precision in PHP
+- issue #12405 Use single quotes in PHP code
+- issue #12534 Option for the dropped column is not removed from 'after_field' select, after the column is dropped
+- issue #12531 Properly detect DROP DATABASE queries
+- issue #12470 Fix possible race condition in setting URL hash
+- issue #11924 Remove caching of server information
+- issue #11628 Proper parsing of INSERT ... ON DUPLICATE KEY queries
+- issue #12545 Proper parsing of CREATE TABLE ... PARTITION queries
+- issue #12473 Code can throw unhandled exception
+- issue #12550 Do not try to keep alive session even after expiry
+- issue #12512 Fixed rendering BBCode links in setup
+- issue #12518 Fixed copy of table with generated columns
+- issue #12221 Fixed export of table with generated columns
+- issue #12320 Copying a user does not copy usergroup
+- issue #12272 Adding a new row with default enum goes to no selection when you want to add more then 2 rows
+- issue #12487 Drag and drop import prevents file dropping to blob column file selector on the insert tab
+- issue #12554 Absence of scrolling makes it impossible to read longer text values in grid editing
+- issue #12530 "Edit routine" crashes when the current user is not the definer, even if privileges are adequate
+- issue #12300 Export selective tables by-default dumps Events also
+- issue #12298 Fixed export of view definitions
+- issue #12242 Edit routine detail dialog does not fill "Return length" field in mysql functions
+- issue #12575 New index Confirm adds whitespace around the field name
+- issue #12382 Bug in zoom search
+- issue #12321 Assign LIMIT clause only to syntactically correct queries
+- issue #12461 Can't Execute SQL With Sub-Query Due To "LIMIT 0,25" Inserted At Wrong Place
+- issue #12511 Clarify documentation on ArbitraryServerRegexp
+- issue #12508 Remove duplicate code in SQL escaping
+- issue #12475 Cleanup code for getting table information
+- issue #12579 phpMyAdmin's export of a Select statment without a FROM clause generates Wrong SQL
+- issue #12316 Correct export of complex SELECT statements
+- issue #12080 Fixed parsing of subselect queries
+- issue #11740 Fixed handling DELETE ... USING queries
+- issue #12100 Fixed handling of CASE operator
+- issue #12455 Query history stores separate entry for every letter typed
+- issue #12327 Create PHP code no longer works
+- issue #12179 Fixed bookmarking of query with multiple statements
+- issue #12419 Wrong description on GRANT OPTION
+- issue #12615 Fixed regexp for matching browser versions
+- issue #12569 Avoid showing import errors twice
+- issue #12362 prefs_manage.php can leave an orphaned temporary file
+- issue #12619 Unable to export csv when using union select
+- issue #12625 Broken Edit links in query results of JOIN query
+- issue #12634 Drop DB error in import if DB doesn't exist
+- issue #12338 Designer reverts to first saved ER after EACH relation create or delete
+- issue #12639 'Show trace' in Console generates JS error for functions in query's trace called without any arguments
+- issue #12366 Fix user creation with certain MariaDB setups
+- issue #12616 Refuse to work with mbstring.func_overload enabled
+- issue #12472 Properly report connection without password in setup
+- issue #12365 Fix records count for large tables
+- issue #12533 Fix records count for complex queries
+- issue #12454 Query history not updated in console until page refresh
+- issue #12344 Fixed parsing of labels in loop
+- issue #12228 Fixed parsing of BEGIN labels
+- issue #12637 Fixed editing some timestamp values
+- issue #12622 Fixed javascript error in designer
+- issue #12334 Missing page indicator or VIEWs
+- issue #12610 Export of tables with Timestamp/Datetime/Time columns defined with ON UPDATE clause with precision fails
+- issue #12661 Error inserting into pma__history after timeout
+- issue #12195 Row_format = fixed not visible
+- issue #12665 Cannot add a foreign key - non-indexed fields not listed in InnoDB tables
+- issue #12674 Allow for proper MySQL-allowed strings as identifiers
+- issue #12651 Allow for partial dates on table insert page
+- issue #12681 Fixed designer with tables using special chars
+- issue #12652 Fixed visual query builder for foreign keys with more fields
+- issue #12257 Improved search page performance
+- issue #12322 Avoid selecting default function for foreign keys
+- issue #12453 Fixed escaping of SQL parts in some corner cases
+- issue #12542 Missing table name in account privileges editor
+- issue #12691 Remove ksort call on empty array in PMA_getPlugins function
+- issue #12443 Check parameter type before processing
+- issue #12299 Avoid generating too long URLs in search
+- issue #12361 Fix self SQL injection in table-specific privileges
+- issue #12698 Add link to release notes and download on new version notification
+- issue #12712 Error when trying to setup replication (fatal error in call to an old PMA_DBI_connect function)
+- issue        [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
+- issue        [security] phpMyAdmin's phpinfo functionality is removed, see PMASA-2016-59
+- issue        [security] AllowRoot and allow/deny rule bypass with specially-crafted username, see PMASA-2016-60
+- issue        [security] Username matching weaknesses with allow/deny rules, see PMASA-2016-61
+- issue        [security] Possible to bypass logout timeout, see PMASA-2016-62
+- issue        [security] Full path disclosure (FPD) weaknesses, see PMASA-2016-63
+- issue        [security] Multiple XSS weaknesses, see PMASA-2016-64
+- issue        [security] Multiple denial-of-service (DOS) vulnerabilities, see PMASA-2016-65
+- issue        [security] Possible to bypass white-list protection for URL redirection, see PMASA-2016-66
+- issue        [security] BBCode injection to login page, see PMASA-2016-67
+- issue        [security] Denial-of-service (DOS) vulnerability in table partitioning, see PMASA-2016-68
+- issue        [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
+- issue        [security] Incorrect serialized string parsing, see PMASA-2016-70
+- issue        [security] CSRF token not stripped from the URL, see PMASA-2016-71
+
+4.6.4 (2016-08-16)
+- issue        [security] Weaknesses with cookie encryption, see PMASA-2016-29
+- issue        [security] Improve session cookie code for openid.php and signon.php example files
+- issue        [security] Full path disclosure in openid.php and signon.php example files
+- issue        [security] Multiple XSS vulnerabilities, see PMASA-2016-30
+- issue        [security] Multiple XSS vulnerabilities, see PMASA-2016-31
+- issue        [security] Unsafe generation of BlowfishSecret (when not supplied by the user)
+- issue        [security] Referrer leak when phpinfo is enabled
+- issue        [security] PHP code injection, see PMASA-2016-32
+- issue        [security] Full path disclosure, see PMASA-2016-33
+- issue        [security] SQL injection attack, see PMASA-2016-34
+- issue        [security] Local file exposure through LOAD DATA LOCAL INFILE, see PMASA-2016-35
+- issue        [security] Local file exposure through symlinks with UploadDir, see PMASA-2016-36
+- issue        [security] Path traversal with SaveDir and UploadDir, see PMASA-2016-37
+- issue        [security] Multiple XSS vulnerabilities, see PMASA-2016-38
+- issue        [security] SQL injection vulnerability as control user, see PMASA-2016-39
+- issue        [security] SQL injection vulnerability, see PMASA-2016-40
+- issue        [security] Denial-of-service attack through transformation feature, see PMASA-2016-41
+- issue        [security] SQL injection vulnerability as control user, see PMASA-2016-42
+- issue        [security] Verify data before unserializing, see PMASA-2016-43
+- issue        [security] Use HTTPS for wiki links
+- issue        Remove Swekey support
+- issue        [security] SSRF in setup script, see PMASA-2016-44
+- issue        [security] Denial-of-service attack with $cfg['AllowArbitraryServer'] = true and persistent connections, see PMASA-2016-45
+- issue        [security] Improve SSL certificate handling
+- issue        [security] Fix full path disclosure in debugging code
+- issue        [security] Possible circumvention of IP-based allow/deny rules with IPv6 and proxy server, see PMASA-2016-47
+- issue        [security] Detect if user is logged in, see PMASA-2016-48
+- issue        [security] Bypass URL redirection protection, see PMASA-2016-49
+- issue        [security] Referrer leak, see PMASA-2016-50
+- issue        [security] Reflected File Download, see PMASA-2016-51
+- issue        [security] ArbitraryServerRegexp bypass, see PMASA-2016-52
+- issue        [security] Denial-of-service attack by entering long password, see PMASA-2016-53
+- issue        [security] Remote code execution vulnerability when running as CGI, see PMASA-2016-054
+- issue        [security] Administrators could trigger SQL injection attack against users
+- issue        [security] Denial-of-service attack when PHP uses dbase extension, see PMASA-2016-55
+- issue        [security] Remove tode execution vulnerability when PHP uses dbase extension, see PMASA-2016-56
+- issue        [security] Denial-of-service attack by using for loops, see PMASA-2016-46
+- issue        Include X-Robots-Tag header in responses
+- issue        Enforce numeric field length when creating table
+- issue        Fixed invalid Content-Length in some HTTP responses
+- issue #12394 Create view should require a view name
+- issue #12391 Message with 'Change password successfully' displayed, but does not take effect
+- issue        Tighten control on PHP sessions and session cookies
+- issue #12409 Re-enable overhead on server databases view
+- issue #12414 Fixed rendering of Original theme
+- issue #12413 Fixed deleting users in non English locales
+- issue #12416 Fixed replication status output in Databases listing
+- issue #12303 Avoid typecasting to float when not needed
+- issue #12425 Duplicate message variable names in messages.inc.php
+- issue #12399 Adding index to table shows wrong top navigation
+- issue #12424 Fixed password change on MariaDB without auth plugin
+- issue #12339 Do not error on unset server port
+- issue #12422 Improvements to the original theme
+- issue #12395 Do not try to load old transformation plugins
+- issue #12423 Fixed replication status in database listing
+- issue #12433 Copy table with prefix does not copy the indexes
+- issue #12375 Search in database: Window content is not scrolling down when clicking first time on Browse link
+- issue #12346 SQL Editor textareas can have their size increased from the top, distorting the page view
+
 4.6.3 (2016-06-23)
 - issue #12249 Fixed cookie path on Windows
 - issue #12279 Fixed error reporting on connect problems

DCO

@@ -27,7 +27,7 @@ By making a contribution to this project, I certify that:
 (e) I am granting this work to this project under the terms of the
     GPLv2-or-later.
 
-    http://www.gnu.org/licenses/gpl-2.0.html
+    https://www.gnu.org/licenses/gpl-2.0.html
 
 ***
 ***

README

@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 4.6.3
+Version 4.6.5.2
 
 A web interface for MySQL and MariaDB.
 
@@ -37,7 +37,7 @@ FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 details.
 
 You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 Licensing of current contributions
 ----------------------------------

RELEASE-DATE-4.6.3

@@ -0,0 +1 @@
+Mon Dec  5 22:35:53 UTC 2016

RELEASE-DATE-4.6.5.2

@@ -47,7 +47,8 @@
     isset($_REQUEST['foreign_filter'])
     ? $_REQUEST['foreign_filter']
     : '',
-    isset($foreign_limit) ? $foreign_limit : null
+    isset($foreign_limit) ? $foreign_limit : null,
+    true // for getting value in $foreignData['the_total']
 );
 
 // HTML output

browse_foreigners.php

@@ -55,7 +55,7 @@
    <arg line="${source_comma_sep}
               xml
               codesize,design,naming,unusedcode
-              --exclude test,build,tcpdf,php-gettext,bfShapeFiles,phpseclib,recaptchalib.php,swekey.php,vendor,sql-parser
+              --exclude test,build,tcpdf,php-gettext,bfShapeFiles,phpseclib,recaptchalib.php,vendor,sql-parser
               --reportfile '${basedir}/build/logs/pmd.xml'" />
   </exec>
  </target>
@@ -71,7 +71,6 @@
               --exclude libraries/bfShapeFiles
               --exclude libraries/phpseclib
               --exclude libraries/plugins/auth/recaptcha/recaptchalib.php
-              --exclude libraries/plugins/auth/swekey/swekey.php
               --exclude libraries/sql-parser
               ${source}" />
   </exec>
@@ -88,7 +87,6 @@
               --exclude libraries/bfShapeFiles
               --exclude libraries/phpseclib
               --exclude libraries/plugins/auth/recaptcha/recaptchalib.php
-              --exclude libraries/plugins/auth/swekey/swekey.php
               --exclude libraries/sql-parser
               ${source}" />
   </exec>
@@ -103,7 +101,7 @@
  <target name="phpcs" description="Generate checkstyle.xml using PHP_CodeSniffer excluding third party libraries" depends="phpcs-config">
   <exec executable="phpcs">
    <arg line="
-              --ignore=*/php-gettext/*,*/vendor/*,*/tcpdf/*,*/canvg/*,*/codemirror/*,*/openlayers/*,*/jquery/*,*/jqplot/*,*/build/*,*/bfShapeFiles/*,*/phpseclib/*,*/recaptcha/*,*/swekey/*,*/sql-parser/*
+              --ignore=*/php-gettext/*,*/vendor/*,*/tcpdf/*,*/canvg/*,*/codemirror/*,*/openlayers/*,*/jquery/*,*/jqplot/*,*/build/*,*/bfShapeFiles/*,*/phpseclib/*,*/recaptcha/*,*/sql-parser/*
               --report=checkstyle
               --extensions=php
               --report-file='${basedir}/build/logs/checkstyle.xml'

build.xml

@@ -13,6 +13,7 @@
 
 $response = PMA\libraries\Response::getInstance();
 $response->disable();
+$response->getHeader()->sendHttpHeaders();
 
 $filename = CHANGELOG_FILE;
 
@@ -154,6 +155,7 @@
 var links = document.getElementsByTagName("a");
 for(var i = 0; i < links.length; i++) {
     links[i].target = "_blank";
+    links[i].rel = "noopener noreferrer";
 }
 </script>
 </body>

changelog.php

@@ -1,7 +1,7 @@
 {
     "name": "imscp/phpmyadmin",
     "description": "iMSCP tools - PhpMyadmin - MySQL administration tool",
-    "version": "4.6.3.0",
+    "version": "4.6.5.2",
     "authors": [
         {
             "name": "The phpMyAdmin Team",

composer.json

@@ -12,7 +12,7 @@
 
 /**
  * This is needed for cookie based authentication to encrypt password in
- * cookie
+ * cookie. Needs to be 32 chars long.
  */
 $cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
 
@@ -64,8 +64,6 @@
 // $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
 // $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
 // $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
-/* Contrib / Swekey authentication */
-// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
 
 /**
  * End of servers configuration