[Phpmyadmin-devel] Bug with properties system

Alex Marin alex.ukf at gmail.com
Thu Aug 16 15:57:31 CEST 2012

Ok, this is one of the weirdest bugs I've seen.

If you insert an alert(1), indeed it works, but if you put a
  $(function() {
it doesn't pop up, which means the page isn't fully loaded.
So, if you try an
it will show you "loading", which means something prevents the page
from being fully loaded. The errors shown in the Chrome console are:

4Unrecognized Content-Security-Policy directive 'allow'
4Unrecognized Content-Security-Policy directive 'options'
2Uncaught SyntaxError: Unexpected token ILLEGAL (get_image.js.php:239)
Uncaught ReferenceError: PMA_getImage is not defined (functions.js:3033)

The first 2 types of errors are related to my Chrome version, I think (20.0),
the illegal characters are some weird � after the last line of code and
PMA_getImage() was used before in functions.js, but the first error
occurs only at line 3033. The most accessible error seemed to be the
one with illegal characters, so I put a comment on the last line, hoping
to ignore that unknown string, but with no success.

Taking a look in the get_image.js.php file, I saw that there is a mix
of JS and PHP, and, at the end, the JS function PMA_getImage() is
declared outside of <?php ?> tags. This file is included in the
PMA_Header class with:
            . urlencode($_SESSION['PMA_Theme']->getId())
Then I noticed that $_SESSION['PMA_Theme']->getPath() was used in
get_image.js.php and I remembered that Michal said something earlier
about an error with getPath(), so I removed that, but with no success.
At this point I was already delusional, so I figured if I remove the
theme=PMAHomme variable from the URL, maybe I'll avoid something
evil. Most shockingly, this worked. But when I wanted to commit, I
deleted the comment at the end of get_image.js.php, and the JS
functions did not trigger again.

This doesn't make much sense to me anymore, but it turns out a solution
is a combo of commenting the last empty line in get_image.js.php and
removing the "theme" GET variable, which I did here [0]. I think there
are more rational ways of getting rid of those unknown chars, but I did
not manage to find any.

PS: I wouldn't have mistakenly reached this without the already famous
rubber duck debugging technique [1].

[0] https://github.com/alexukf/phpmyadmin/commit/6867d605aeb63ddd55e31f18b665d7d88a142b17
[1] http://en.wikipedia.org/wiki/Rubber_duck_debugging
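
The search for the stray characters after the last line of get_image.js.php can be done mechanically. The following is an added example, not part of the original post and not phpMyAdmin code: it decodes a script response body the way a browser does and reports the line and column of every replacement or control character. The function names and the sample bytes are constructed for illustration.

```javascript
// Added diagnostic example. Input: raw bytes of a served script.
// Output: positions of characters that point to an encoding or output problem.

// Classify a code point; returns null for characters that are fine.
function classify(cp) {
  if (cp === 0xfffd) return 'replacement character (bytes were not valid UTF-8)';
  if (cp === 0x200b || cp === 0x200e || cp === 0x200f) return 'invisible format character';
  const allowedControls = [0x09, 0x0a, 0x0b, 0x0c, 0x0d]; // tab, LF, VT, FF, CR
  if ((cp < 0x20 && !allowedControls.includes(cp)) || cp === 0x7f) return 'control character';
  return null;
}

function findIllegalChars(bytes) {
  // Non-fatal UTF-8 decode: each invalid sequence becomes U+FFFD, which is
  // what the browser console renders as the "weird" character.
  const text = new TextDecoder('utf-8').decode(bytes);
  const hits = [];
  let line = 1;
  let col = 0;
  for (const ch of text) {
    col += 1;
    const cp = ch.codePointAt(0);
    const what = classify(cp);
    if (what) {
      const codePoint = 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
      hits.push({ line, col, codePoint, what });
    }
    if (ch === '\n') {
      line += 1;
      col = 0;
    }
  }
  return hits;
}

// Constructed sample: valid script text followed by two stray bytes, standing
// in for output emitted after the last line of a generated .js.php file.
const sample = new Uint8Array([
  ...new TextEncoder().encode('function demo() {\n  return 1;\n}\n'),
  0x96, // lone continuation byte, invalid as UTF-8
  0x00, // NUL
]);

for (const hit of findIllegalChars(sample)) {
  console.log(`${hit.line}:${hit.col} ${hit.codePoint} ${hit.what}`);
}
```

Run it against the bytes the server actually sends (saved from the network panel or a command-line fetch) rather than the source file on disk, since the stray bytes may only appear in the generated output.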


