[Phpmyadmin-devel] Bug with properties system

Rouslan Placella rouslan at placella.com
Thu Aug 16 21:17:02 CEST 2012

On 16/08/2012 15:57, Alex Marin wrote:
> Ok, this is one of the weirdest bugs I've seen.
> If you insert an alert(1), indeed it works, but if you put a
>    $(function() {
>      alert(1);
>    }
> it doesn't pop up, which means the page isn't fully loaded.
> So, if you try an
>    alert(document.readyState);
> it will show you "loading", which means something prevents the page
> from being fully loaded. The errors shown in the chrome console are:
> 4Unrecognized Content-Security-Policy directive 'allow'
> 4Unrecognized Content-Security-Policy directive 'options'
> 2Uncaught SyntaxError: Unexpected token ILLEGAL (get_image.js.php:239)
> Uncaught ReferenceError: PMA_getImage is not defined (functions.js:3033)
> The first 2 types of errors are related to my chrome version I think (20.0),
> the illegal characters are some weird � after the last line of code and
> PMA_getImage() was used before in functions.js, but the first error
> occurs only at line 3033. The most accessible error seemed to be the
> one with illegal characters, so I put a comment on the last line, hoping
> to ignore that unknown string, but with no success.
> Taking a look in the get_image.js.php file, I saw that there is a mix
> of js and php, and, at the end, the js function PMA_getImage() is
> declared outside of <?php ?> tags. This file is included in the
> PMA_Header class with:
>          $this->_scripts->addFile(
>              'get_image.js.php?theme='
>              . urlencode($_SESSION['PMA_Theme']->getId())
>          );
> Then I noticed that $_SESSION['PMA_Theme']->getPath() was used in
> get_image.js.php and I remembered that Michal said something earlier
> about an error with getPath(), so I removed that, but with no success.
> At this point I was already delusional, so I figured if I remove the
> theme=PMAHomme variable from the url, maybe I'll avoid something
> evil. Most shockingly, this worked. But when I wanted to commit, I
> deleted the comment at the end of get_image.js.php, and the js
> functions did not trigger again.
> This doesn't make much sense to me anymore, but turns out a solution
> is a combo of commenting the last empty line in get_image.js.php and
> removing the "theme" GET variable, which I did here [0]. I think there
> are more rational ways of getting rid of those unknown chars, but I did
> not manage to find any.
> PS: I wouldn't have mistakenly reached this without the already famous
> rubber duck debugging technique [1].
> [0] https://github.com/alexukf/phpmyadmin/commit/6867d605aeb63ddd55e31f18b665d7d88a142b17
> [1] http://en.wikipedia.org/wiki/Rubber_duck_debugging

For me chromium 18 only throws the CSP errors...

I don't see anything weird at the end of get_image.js.php. In your 
commit, you have one addition and no deletions for that file, so your 
not commenting anything out, you're just adding a comment. Perhaps you 
could try to simply add a newline character at the end of the file?

The "theme=someid" parameter is necessary and must not be removed. The 
idea there is that different themes have different icons embedded in the 
sprite and that js file is cached on the client side. So the theme id is 
necessary to invalidate the cache when a user switches themes.


More information about the Developers mailing list