[Phpmyadmin-devel] Bug with properties system

Alex Marin alex.ukf at gmail.com
Thu Aug 16 15:57:31 CEST 2012


Ok, this is one of the weirdest bugs I've seen.

If you insert an alert(1), indeed it works, but if you put a
  $(function() {
    alert(1);
  });
it doesn't pop up, which means the page isn't fully loaded.
So, if you try an
  alert(document.readyState);
it will show you "loading", which means something prevents the page
from being fully loaded. The errors shown in the Chrome console are:

4Unrecognized Content-Security-Policy directive 'allow'
4Unrecognized Content-Security-Policy directive 'options'
2Uncaught SyntaxError: Unexpected token ILLEGAL (get_image.js.php:239)
Uncaught ReferenceError: PMA_getImage is not defined (functions.js:3033)

The first 2 types of errors are related to my Chrome version I think (20.0),
the illegal characters are some weird � after the last line of code and
PMA_getImage() was used before in functions.js, but the first error
occurs only at line 3033. The most accessible error seemed to be the
one with illegal characters, so I put a comment on the last line, hoping
to ignore that unknown string, but with no success.

Taking a look in the get_image.js.php file, I saw that there is a mix
of js and php, and, at the end, the js function PMA_getImage() is
declared outside of <?php ?> tags. This file is included in the
PMA_Header class with:
        $this->_scripts->addFile(
            'get_image.js.php?theme='
            . urlencode($_SESSION['PMA_Theme']->getId())
        );
Then I noticed that $_SESSION['PMA_Theme']->getPath() was used in
get_image.js.php and I remembered that Michal said something earlier
about an error with getPath(), so I removed that, but with no success.
At this point I was already delusional, so I figured if I remove the
theme=PMAHomme variable from the url, maybe I'll avoid something
evil. Most shockingly, this worked. But when I wanted to commit, I
deleted the comment at the end of get_image.js.php, and the js
functions did not trigger again.

This doesn't make much sense to me anymore, but it turns out a solution
is a combo of commenting the last empty line in get_image.js.php and
removing the "theme" GET variable, which I did here [0]. I think there
are more rational ways of getting rid of those unknown chars, but I did
not manage to find any.

PS: I wouldn't have mistakenly reached this without the already famous
rubber duck debugging technique [1].

[0] https://github.com/alexukf/phpmyadmin/commit/6867d605aeb63ddd55e31f18b665d7d88a142b17
[1] http://en.wikipedia.org/wiki/Rubber_duck_debugging

--
Alex
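
One way to locate unknown characters like the ones described in the message above, as an added example that is not part of the original post or of phpMyAdmin: the function reports each byte in a script body that is not ordinary UTF-8 source text, with its offset and line. The name `findSuspectBytes` and the sample bytes are constructed for illustration.

```javascript
// Added example (not phpMyAdmin code): report bytes in a script body that
// are not ordinary UTF-8 source text. findSuspectBytes is a hypothetical name.
function findSuspectBytes(bytes) {
  const findings = [];
  let line = 1;
  const hex = (from, len) =>
    Array.from(bytes.slice(from, from + len), (b) => b.toString(16).padStart(2, "0")).join(" ");
  const report = (offset, len, kind) =>
    findings.push({ offset, line, kind, hex: hex(offset, len) });

  for (let i = 0; i < bytes.length; ) {
    const b = bytes[i];
    const c1 = bytes[i + 1];
    const c2 = bytes[i + 2];
    if (b < 0x80) {
      // ASCII range: tab, LF and CR are normal, other control bytes are not.
      if (b === 0x0a) line++;
      else if ((b < 0x20 && b !== 0x09 && b !== 0x0d) || b === 0x7f) report(i, 1, "control character");
      i++;
      continue;
    }
    // Sequence length implied by the lead byte (0 = not a valid lead byte).
    const len = b >= 0xc2 && b <= 0xdf ? 2 : b >= 0xe0 && b <= 0xef ? 3 : b >= 0xf0 && b <= 0xf4 ? 4 : 0;
    let ok = len > 0 && i + len <= bytes.length;
    for (let k = 1; ok && k < len; k++) ok = (bytes[i + k] & 0xc0) === 0x80;
    // Reject overlong forms, UTF-16 surrogates and code points above U+10FFFF.
    if ((b === 0xe0 && c1 < 0xa0) || (b === 0xed && c1 >= 0xa0) ||
        (b === 0xf0 && c1 < 0x90) || (b === 0xf4 && c1 >= 0x90)) ok = false;
    if (!ok) { report(i, 1, "invalid UTF-8"); i++; continue; }
    if (b === 0xef && c1 === 0xbb && c2 === 0xbf) report(i, 3, i === 0 ? "BOM at start" : "BOM inside file");
    else if (b === 0xef && c1 === 0xbf && c2 === 0xbd) report(i, 3, "stored U+FFFD");
    i += len;
  }
  return findings;
}

// Constructed sample: three lines of valid script followed by stray bytes.
const SAMPLE = Uint8Array.from([
  ...Array.from("function f() {\n  return 1;\n}\n", (c) => c.charCodeAt(0)),
  0xef, 0xbf, 0xbd, 0x00, 0xff,
]);
for (const f of findSuspectBytes(SAMPLE)) {
  console.log(`offset ${f.offset} line ${f.line}: ${f.kind} [${f.hex}]`);
}
```

To check a real file or saved response in Node, pass its raw bytes, for example `new Uint8Array(fs.readFileSync(path))`.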



