Hi,
We are sorry to report that the release of 2.6.1-pl1 introduced an
instability, producing various problems. This has been fixed, and here
is 2.6.1-pl2.
See http://www.phpmyadmin.net.
Marc Delisle, for the team
Hi,
there is a problem with the new grab_globals.lib.php
as released in 2.6.1-pl1. For example, the Search
page no longer works.
I'm looking at this right now.
Marc
Hi,
Patch level 1 of phpMyAdmin 2.6.1 fixes some security problems,
along with a few other bugs.
A more formal security alert will be posted when ready.
Meanwhile, the phpMyAdmin development team strongly advises an
upgrade to phpMyAdmin 2.6.1-pl1, and to also apply the following
security measures on your PHP installation (if feasible) by modifying
your php.ini configuration file (or virtual host settings):
- set register_globals to Off
- set display_errors to Off
- set log_errors to On
- define the path to your error log with the error_log directive
Both settings are recommended in the PHP documentation on a server
running in production. For example:
http://www.php.net/manual/en/security.errors.php
However, we suggest you review the impact of those changes before
applying them.
Meanwhile, work continues on the development version 2.6.2.
Marc Delisle, for the team.
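The four php.ini settings recommended in the announcement above can be checked mechanically. The following is an added example, not part of the original message or of phpMyAdmin: a small Python audit of php.ini text, where the sample files, paths and function names are constructed for illustration. It reads php.ini only, so per-virtual-host overrides are not covered.

```python
import re

# Directives named in the advisory above. True/False = required boolean state;
# None = must simply be set to a non-empty value (error_log needs a path).
RECOMMENDED = {"register_globals": False, "display_errors": False,
               "log_errors": True, "error_log": None}
ON = {"1", "on", "true", "yes"}
OFF = {"0", "off", "false", "no", "none", ""}
LINE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|([^;]*))')

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":      # blank, comment, section header
            continue
        m = LINE.match(line)
        if m:
            quoted, bare = m.group(2), m.group(3)
            settings[m.group(1)] = quoted if quoted is not None else bare.strip()
    return settings

def audit(text):
    """Return [(directive, problem)] for every recommendation not met."""
    seen = parse_php_ini(text)
    findings = []
    for name, want in RECOMMENDED.items():
        if name not in seen:
            findings.append((name, "not set explicitly"))
            continue
        value = seen[name]
        if want is None:
            ok = value != ""
        else:
            # Unrecognised values (e.g. display_errors = stderr) never pass.
            ok = value.lower() in (ON if want else OFF)
        if not ok:
            findings.append((name, "is %r" % value))
    return findings

# Constructed sample files (not taken from any real server).
SAMPLE = """[PHP]
register_globals = On
display_errors = Off
display_errors = stderr   ; this later line overrides the one above
log_errors = On
;error_log = /var/log/php_errors.log
"""
HARDENED = 'register_globals = Off\ndisplay_errors = 0\nlog_errors = On\nerror_log = "/var/log/php_errors.log"\n'

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(name, problem)
```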
Hi devels,
I suggest to roll 2.6.1-pl1 because of bugs #1149381, #1149383, #1117907
and #1111855. 2.6.2 is not stable enough, imho, so a -pl1 release looks
like the best idea to me.
The first two bugs are security related and should be considered to be
serious (as discussed on the private mailing list). I'm still awaiting
an answer from the original reporter of bug #1149383, but as far as I
can tell, my hotfix should do the job for now.
Bug #1117907 affects our php 4.1.x compatibility and bug #1111855 makes
phpMyAdmin unusable to our Japanese friends. A quick fix for those two
bugs shouldn't be a bad idea, either. :-)
Fixes against all four bugs are already merged from HEAD into QA_2_6_1.
Marc, your fix against #1149373 looks rather trivial. Should we merge it
into QA_2_6_1?
Regards,
AMT
Armel FAUVEAU wrote:
>>Ok I found this:
>>http://www.w3.org/TR/REC-html40/interact/scripts.html
>
>
> Yes mate :)
>
> Of course, phpMyAdmin works very well without all of that. But it will be a
> good idea to check (and validate) HTML (and CSS) code more systematically.
> Look at the HTML validator extension (under Moz) based on Tidy. It's really
> efficient and can help us to clean the code.
>
> And it will be possible, after, to say that PMA is valid HTML / XHTML / CSS
> and so on. It is not currently the case, AFAIK :)
>
> Armel.
>
>
Thanks, I merged the two patches. Let's hope someone finds time
to continue the cleaning.
Marc
Hi list,
Currently, we only open a second connection to the MySQL server, if we
have a controluser.
In order to fight the last collation conflicts on pmadb queries, I'd
like to always open a second connection for those queries. This should
be cleaner anyway, as we often have to switch between the currently
selected db and the pmadb for retrieving the necessary metadata.
Regards,
AMT
Armel FAUVEAU wrote:
> Hi Marc,
>
>
>>good to have news from you again.
>
>
> Thank you :)
>
>
>>About those patches, I made a little research and found
>>http://www.pageresource.com/jscript/jprompt.htm
>>which explains why you want us to escape the forward slashes
>>with backslashes.
>
>
> Yeah, it's very simple :) For example,
>
> BAD : document.write('</h1>');
> GOOD : document.write('<\/h1>');
>
>
>>However, looking at the generated HTML source from
>>phpMyAdmin, I don't see the problem that it's supposed to fix.
>>[snip]
>>Or am I missing something? Would this problem occur on older browsers?
>
>
> It's just more W3C compliant.
>
> Regards,
>
> Armel.
>
Armel,
to which W3C standard are you referring to? DOM?
I did not know that W3C is in the business of setting JavaScript standards.
Marc
Armel FAUVEAU wrote:
> Hi all,
>
> I try to clean HTML code (warning and errors), especially in
> queryframe.php.
> Btw, there is a good HTML validator extension (under Moz) based on Tidy.
> It's very useful to control HTML code.
>
> So, here is a link : http://users.skynet.be/mgueury/mozilla/
>
> Dunno what is the project planning roadmap, but it will be a good idea
> to fix all HTML errors and warnings in PMA. That could increase the
> quality of this famous project :)
>
> HTH,
>
> Armel.
Hi Armel,
good to have news from you again.
About those patches, I made a little research and found
http://www.pageresource.com/jscript/jprompt.htm
which explains why you want us to escape the forward slashes
with backslashes. However, looking at the generated HTML source from
phpMyAdmin, I don't see the problem that it's supposed to fix.
For example, about your patch
67c67
< document.write('</style>');
---
> document.write('<\/style>');
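Review bot: the escaped slash on line 67 carries no explanation, and '<\/style>' yields exactly the same string as '</style>' when the script runs, so a later reader is likely to treat it as noise and revert it. Suggest a one-line comment beside it saying the escape only keeps the literal "</" sequence out of the inline script source for the benefit of HTML validation, and using the same form in every other document.write() call that emits a closing tag so the file stays consistent.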
the js code generated by header.inc.php, as seen in Firefox 1.0, is IMO
correct:
document.write('<style type="text/css">');
document.write('img.lightbulb { cursor: pointer; }');
document.write('</style>');
Or am I missing something? Would this problem occur on older browsers?
Marc