[Phpmyadmin-devel] Proposed changes to demo server and GSOC guidelines

Piotr Przybylski piotr.prz at gmail.com
Thu Aug 4 14:46:17 CEST 2011


Hi,

I would like to propose some changes to demo server configuration
which would testing of edge cases a bit easier. Lately I've seen a few
bugs related to data escaping which would manifest only in some edge
cases and two issues with AJAX that could be discovered earlier if
demo server's configuration would be changed a bit. Some of them were
really old, some relatively new.

1. Data escaping.
Everyone seems to remember about  PMA_backquote() and escaping
database data, but htmlspecialchars() for database and column names is
sometimes missing, as well as PMA_escapeJsString(). With database
`evil*/>` and table `evil'"*/>`(`so_<a'm>*/_i`, `quo"te`, `comm<!--
ent`, `plain`) I immediately broke some functionality (currently I
can't recall what it was exactly), and I suppose we can have a few
more such cases.

2. `server` variable.
Demo server and possibly all student's servers run MySQL database as
server 0, so that all cases of missing variable go unnoticed. For me
fun started with server 1, when phpMyAdmin randomly warned about me
missing variables due to changed security token. After some digging I
discovered that this happened due to missing/broken 'server' argument
in AJAX query, which caused PMA to regenerate this token and rendered
some links with the old one unusable.

So, I propose to:
1. Exchange MariaDB and MySQL databases in config file.
2. Change automatic login to select MySQL database which now has index 1.
3. Create some sample database with tables and columns which are
potentially dangerous.

Also, create a guidelines for future GSOC with a sample configuration
consisting of two servers (the first one can be a broken fake, student
should work with the second one) and a SQL script which creates tables
from point 3. above, with some explanation on escaping and that MySQL
identifiers can also contain dangerous data (not a security issue, but
it do can break page layout).

-- 
Regards,
Piotr Przybylski




More information about the Developers mailing list