Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/MimeTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/MimeTest.php@@ -23,10 +23,7 @@ */ public function testDetect(string $test, string $output): void {- $this->assertEquals(- Mime::detect($test),- $output- );+ self::assertSame(Mime::detect($test), $output); } /**@@ -34,7 +31,7 @@ * * @return array data for testDetect */- public function providerForTestDetect(): array+ public static function providerForTestDetect(): array { return [ [
Analyzing the provided code diff, here's the security analysis:
1. Vulnerability Existed: no
Assertion Method Change [test/classes/MimeTest.php] [Lines 23-27]
Old Code:
$this->assertEquals(
Mime::detect($test),
$output
);
Fixed Code:
self::assertSame(Mime::detect($test), $output);
Details: This is a test improvement changing assertEquals to assertSame for stricter type checking, not a security fix.
2. Vulnerability Existed: no
Method Visibility Change [test/classes/MimeTest.php] [Lines 34-37]
Old Code:
public function providerForTestDetect(): array
Fixed Code:
public static function providerForTestDetect(): array
Details: This changes a test data provider method from instance to static, which is a test optimization rather than a security fix.
No security vulnerabilities were identified in this diff. The changes appear to be test code improvements rather than security fixes.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Controllers/NormalizationControllerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Controllers/NormalizationControllerTest.php@@ -151,15 +151,12 @@ $this->assertResponseWasSuccessfull();- $this->assertSame(- [- 'legendText' => 'End of step',- 'headText' => '<h3>The second step of normalization is complete for table \'test_tbl\'.</h3>',- 'queryError' => false,- 'extra' => '',- ],- $this->getResponseJsonResult()- );+ self::assertSame([+ 'legendText' => 'End of step',+ 'headText' => '<h3>The second step of normalization is complete for table \'test_tbl\'.</h3>',+ 'queryError' => false,+ 'extra' => '',+ ], $this->getResponseJsonResult()); } public function testCreateNewTables3NF(): void@@ -191,14 +188,11 @@ $this->assertResponseWasSuccessfull();- $this->assertSame(- [- 'legendText' => 'End of step',- 'headText' => '<h3>The third step of normalization is complete.</h3>',- 'queryError' => false,- 'extra' => '',- ],- $this->getResponseJsonResult()- );+ self::assertSame([+ 'legendText' => 'End of step',+ 'headText' => '<h3>The third step of normalization is complete.</h3>',+ 'queryError' => false,+ 'extra' => '',+ ], $this->getResponseJsonResult()); } }
After analyzing the provided code diff, I don't see any security-related changes. The changes appear to be purely cosmetic/refactoring changes in test assertions. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability [test/classes/Controllers/NormalizationControllerTest.php] [Lines 151-158, 191-198] Old Code: $this->assertSame([...], $this->getResponseJsonResult()); Fixed Code: self::assertSame([...], $this->getResponseJsonResult()); 2. Vulnerability Existed: no No security vulnerability [test/classes/Controllers/NormalizationControllerTest.php] [Lines 191-198] Old Code: $this->assertSame([...], $this->getResponseJsonResult()); Fixed Code: self::assertSame([...], $this->getResponseJsonResult()); The changes only involve: 1. Changing assertion method calls from $this->assertSame() to self::assertSame() 2. Reformatted array declarations to be more compact 3. No changes to actual functionality or security-related code These are test code improvements with no security implications.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Gis/GisPolygonTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Gis/GisPolygonTest.php@@ -43,7 +43,7 @@ * * @return array common data for data providers */- private function getData(): array+ private static function getData(): array { return [ 'POLYGON' => [@@ -99,10 +99,10 @@ * * @return array data for testGenerateWkt */- public function providerForTestGenerateWkt(): array+ public static function providerForTestGenerateWkt(): array { $temp = [- 0 => $this->getData(),+ 0 => self::getData(), ]; $temp1 = $temp;@@ -164,9 +164,9 @@ * * @return array data for testGenerateParams */- public function providerForTestGenerateParams(): array- {- $temp = $this->getData();+ public static function providerForTestGenerateParams(): array+ {+ $temp = self::getData(); $temp1 = $temp; $temp1['gis_type'] = 'POLYGON';@@ -198,7 +198,7 @@ */ public function testArea(array $ring, float $area): void {- $this->assertEquals($this->object->area($ring), $area);+ self::assertSame($this->object->area($ring), $area); } /**@@ -206,7 +206,7 @@ * * @return array data for testArea */- public function providerForTestArea(): array+ public static function providerForTestArea(): array { return [ [@@ -280,10 +280,7 @@ */ public function testIsPointInsidePolygon(array $point, array $polygon, bool $isInside): void {- $this->assertEquals(- $this->object->isPointInsidePolygon($point, $polygon),- $isInside- );+ self::assertSame($this->object->isPointInsidePolygon($point, $polygon), $isInside); } /**@@ -291,7 +288,7 @@ * * @return array data for testIsPointInsidePolygon */- public function providerForTestIsPointInsidePolygon(): array+ public static function providerForTestIsPointInsidePolygon(): array { $ring = [ 0 => [@@ -362,8 +359,8 @@ public function testGetPointOnSurface(array $ring): void { $point = $this->object->getPointOnSurface($ring);- $this->assertIsArray($point);- $this->assertTrue($this->object->isPointInsidePolygon($point, $ring));+ self::assertIsArray($point);+ self::assertTrue($this->object->isPointInsidePolygon($point, $ring)); } /**@@ -371,9 +368,9 @@ * * @return array data for testGetPointOnSurface */- public function providerForTestGetPointOnSurface(): array- {- $temp = $this->getData();+ public static function providerForTestGetPointOnSurface(): array+ {+ $temp = self::getData(); unset($temp['POLYGON'][0]['no_of_points']); unset($temp['POLYGON'][1]['no_of_points']);@@ -392,7 +389,7 @@ * * @return array data for testScaleRow */- public function providerForTestScaleRow(): array+ public static function providerForTestScaleRow(): array { return [ [@@ -422,7 +419,7 @@ public function testPrepareRowAsPng(): void { $image = ImageWrapper::create(120, 150);- $this->assertNotNull($image);+ self::assertNotNull($image); $return = $this->object->prepareRowAsPng( 'POLYGON((123 0,23 30,17 63,123 0))', 'image',@@ -430,8 +427,8 @@ ['x' => 12, 'y' => 69, 'scale' => 2, 'height' => 150], $image );- $this->assertEquals(120, $return->width());- $this->assertEquals(150, $return->height());+ self::assertSame(120, $return->width());+ self::assertSame(150, $return->height()); } /**@@ -453,7 +450,7 @@ TCPDF $pdf ): void { $return = $this->object->prepareRowAsPdf($spatial, $label, $fill_color, $scale_data, $pdf);- $this->assertInstanceOf(TCPDF::class, $return);+ self::assertInstanceOf(TCPDF::class, $return); } /**@@ -461,7 +458,7 @@ * * @return array test data for testPrepareRowAsPdf() test case */- public function providerForPrepareRowAsPdf(): array+ public static function providerForPrepareRowAsPdf(): array { return [ [@@ -498,7 +495,7 @@ string $output ): void { $string = $this->object->prepareRowAsSvg($spatial, $label, $fillColor, $scaleData);- $this->assertEquals(1, preg_match($output, $string));+ self::assertSame(1, preg_match($output, $string)); } /**@@ -506,7 +503,7 @@ * * @return array test data for testPrepareRowAsSvg() test case */- public function providerForPrepareRowAsSvg(): array+ public static function providerForPrepareRowAsSvg(): array { return [ [@@ -519,7 +516,7 @@ 'scale' => 2, 'height' => 150, ],- '/^(<path d=" M 222, 288 L 22, 228 L 10, 162 Z " name="svg" '+ '/^(<path d=" M 222, 288 L 22, 228 L 10, 162 Z " data-label="svg" ' . 'id="svg)(\d+)(" class="polygon vector" stroke="black" ' . 'stroke-width="0.5" fill="#B02EE0" fill-rule="evenodd" ' . 'fill-opacity="0.8"\/>)$/',@@ -547,16 +544,13 @@ array $scale_data, string $output ): void {- $this->assertEquals(- $output,- $this->object->prepareRowAsOl(- $spatial,- $srid,- $label,- $fill_color,- $scale_data- )- );+ self::assertSame($output, $this->object->prepareRowAsOl(+ $spatial,+ $srid,+ $label,+ $fill_color,+ $scale_data+ )); } /**@@ -564,7 +558,7 @@ * * @return array test data for testPrepareRowAsOl() test case */- public function providerForPrepareRowAsOl(): array+ public static function providerForPrepareRowAsOl(): array { return [ [@@ -606,7 +600,7 @@ */ public function testIsOuterRing(array $ring): void {- $this->assertTrue($this->object->isOuterRing($ring));+ self::assertTrue($this->object->isOuterRing($ring)); } /**@@ -614,7 +608,7 @@ * * @return array test data for testIsOuterRing() test case */- public function providerForIsOuterRing(): array+ public static function providerForIsOuterRing(): array { return [ [
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be primarily refactoring test methods to be static and updating assertion methods. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found The changes are test-related improvements: - Changed instance methods to static methods in test providers - Updated assertion methods from assertEquals to assertSame - Updated test data provider references from $this-> to self:: 2. Vulnerability Existed: no No security vulnerability found The SVG output change appears to be a test improvement: - Changed 'name="svg"' to 'data-label="svg"' in SVG output test - This is likely for better HTML5 compliance or test clarity 3. Vulnerability Existed: no No security vulnerability found The changes to assertion methods (assertEquals to assertSame) are test quality improvements: - assertSame performs stricter type checking - This helps catch potential type-related bugs in tests The diff shows typical test suite improvements rather than security fixes. The changes focus on: 1. Making test data providers static (better practice for PHPUnit) 2. Using more precise assertions (assertSame instead of assertEquals) 3. Updating test data references to use static calls 4. Minor output format improvements in test cases These changes improve test reliability and maintainability but don't address any security vulnerabilities.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Plugins/Auth/AuthenticationCookie.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Plugins/Auth/AuthenticationCookie.php@@ -147,10 +147,6 @@ } $_form_params = [];- if (isset($route)) {- $_form_params['route'] = $route;- }- if (strlen($GLOBALS['db'])) { $_form_params['db'] = $GLOBALS['db']; }@@ -256,7 +252,7 @@ $captchaSiteVerifyURL = $GLOBALS['cfg']['CaptchaSiteVerifyURL'] ?? ''; $captchaSiteVerifyURL = empty($captchaSiteVerifyURL) ? null : $captchaSiteVerifyURL;- if (function_exists('curl_init')) {+ if (function_exists('curl_init') && function_exists('curl_exec')) { $reCaptcha = new ReCaptcha\ReCaptcha( $GLOBALS['cfg']['CaptchaLoginPrivateKey'], new ReCaptcha\RequestMethod\CurlPost(null, $captchaSiteVerifyURL)@@ -297,9 +293,9 @@ $this->user = Core::sanitizeMySQLUser($_POST['pma_username']); $password = $_POST['pma_password'] ?? '';- if (strlen($password) >= 1000) {+ if (strlen($password) >= 2000) { $conn_error = __('Your password is too long. To prevent denial-of-service attacks, ' .- 'phpMyAdmin restricts passwords to less than 1000 characters.');+ 'phpMyAdmin restricts passwords to less than 2000 characters.'); return false; }@@ -455,8 +451,6 @@ */ public function rememberCredentials(): void {- global $route;- // Name and password cookies need to be refreshed each time // Duration = one month for username $this->storeUsernameCookie($this->user);@@ -470,10 +464,6 @@ // any parameters to pass? $url_params = [];- if (isset($route)) {- $url_params['route'] = $route;- }- if (strlen($GLOBALS['db']) > 0) { $url_params['db'] = $GLOBALS['db']; }
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Cross-Site Request Forgery (CSRF) via route parameter [File] [libraries/classes/Plugins/Auth/AuthenticationCookie.php] [Lines 147-149, 464-466]
[Old Code]
```
if (isset($route)) {
$_form_params['route'] = $route;
}
```
[Fixed Code]
(Removed entirely)
Additional Details: The removal of route parameter handling in form params and URL params suggests it was a potential CSRF vector.
2. Vulnerability Existed: yes
Incomplete cURL check [File] [libraries/classes/Plugins/Auth/AuthenticationCookie.php] [Lines 256]
[Old Code]
```
if (function_exists('curl_init')) {
```
[Fixed Code]
```
if (function_exists('curl_init') && function_exists('curl_exec')) {
```
Additional Details: The original check was incomplete as it didn't verify curl_exec existence, which could lead to runtime errors.
3. Vulnerability Existed: yes
Password length restriction bypass [File] [libraries/classes/Plugins/Auth/AuthenticationCookie.php] [Lines 297-300]
[Old Code]
```
if (strlen($password) >= 1000) {
$conn_error = __('Your password is too long. To prevent denial-of-service attacks, ' .
'phpMyAdmin restricts passwords to less than 1000 characters.');
```
[Fixed Code]
```
if (strlen($password) >= 2000) {
$conn_error = __('Your password is too long. To prevent denial-of-service attacks, ' .
'phpMyAdmin restricts passwords to less than 2000 characters.');
```
Additional Details: The password length restriction was increased, suggesting the previous limit might have been too restrictive or bypassable.
4. Vulnerability Existed: not sure
Potential information leak via route parameter [File] [libraries/classes/Plugins/Auth/AuthenticationCookie.php] [Lines 455, 470-472]
[Old Code]
```
global $route;
...
if (isset($route)) {
$url_params['route'] = $route;
}
```
[Fixed Code]
(Removed entirely)
Additional Details: The removal of route parameter handling might indicate it was leaking sensitive information, though this isn't certain.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/js/src/table/gis_visualization.js+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/js/src/table/gis_visualization.js@@ -338,7 +338,7 @@ * Detect the mousemove event and show tooltips. */ $('.vector').on('mousemove', function (event) {- var contents = Functions.escapeHtml($(this).attr('name')).trim();+ var contents = Functions.escapeHtml($(this).attr('data-label')).trim(); $('#tooltip').remove(); if (contents !== '') { $('<div id="tooltip">' + contents + '</div>').css({
Let me analyze the code diff for security fixes:
Vulnerability Existed: yes
Cross-Site Scripting (XSS) Vulnerability [js/src/table/gis_visualization.js] [Lines 338]
[Old Code]
var contents = Functions.escapeHtml($(this).attr('name')).trim();
[Fixed Code]
var contents = Functions.escapeHtml($(this).attr('data-label')).trim();
Additional Details:
1. The vulnerability existed because the code was using the 'name' attribute which could potentially contain user-controlled input that might not be properly sanitized before being used in HTML context.
2. The fix changes to use 'data-label' attribute instead, which is a safer approach as it's typically used for storing UI-related data rather than arbitrary user input.
3. While the code was already using escapeHtml() for sanitization, switching to a more controlled attribute (data-label) provides additional security by reducing the attack surface.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Engines/PbxtTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Engines/PbxtTest.php@@ -46,116 +46,113 @@ */ public function testGetVariables(): void {- $this->assertEquals(- $this->object->getVariables(),- [- 'pbxt_index_cache_size' => [- 'title' => __('Index cache size'),- 'desc' => __(- 'This is the amount of memory allocated to the'- . ' index cache. Default value is 32MB. The memory'- . ' allocated here is used only for caching index pages.'- ),- 'type' => 1,- ],- 'pbxt_record_cache_size' => [- 'title' => __('Record cache size'),- 'desc' => __(- 'This is the amount of memory allocated to the'- . ' record cache used to cache table data. The default'- . ' value is 32MB. This memory is used to cache changes to'- . ' the handle data (.xtd) and row pointer (.xtr) files.'- ),- 'type' => 1,- ],- 'pbxt_log_cache_size' => [- 'title' => __('Log cache size'),- 'desc' => __(- 'The amount of memory allocated to the'- . ' transaction log cache used to cache on transaction log'- . ' data. The default is 16MB.'- ),- 'type' => 1,- ],- 'pbxt_log_file_threshold' => [- 'title' => __('Log file threshold'),- 'desc' => __(- 'The size of a transaction log before rollover,'- . ' and a new log is created. The default value is 16MB.'- ),- 'type' => 1,- ],- 'pbxt_transaction_buffer_size' => [- 'title' => __('Transaction buffer size'),- 'desc' => __(- 'The size of the global transaction log buffer'- . ' (the engine allocates 2 buffers of this size).'- . ' The default is 1MB.'- ),- 'type' => 1,- ],- 'pbxt_checkpoint_frequency' => [- 'title' => __('Checkpoint frequency'),- 'desc' => __(- 'The amount of data written to the transaction'- . ' log before a checkpoint is performed.'- . ' The default value is 24MB.'- ),- 'type' => 1,- ],- 'pbxt_data_log_threshold' => [- 'title' => __('Data log threshold'),- 'desc' => __(- 'The maximum size of a data log file. The default'- . ' value is 64MB. PBXT can create a maximum of 32000 data'- . ' logs, which are used by all tables. So the value of'- . ' this variable can be increased to increase the total'- . ' amount of data that can be stored in the database.'- ),- 'type' => 1,- ],- 'pbxt_garbage_threshold' => [- 'title' => __('Garbage threshold'),- 'desc' => __(- 'The percentage of garbage in a data log file'- . ' before it is compacted. This is a value between 1 and'- . ' 99. The default is 50.'- ),- 'type' => 2,- ],- 'pbxt_log_buffer_size' => [- 'title' => __('Log buffer size'),- 'desc' => __(- 'The size of the buffer used when writing a data'- . ' log. The default is 256MB. The engine allocates one'- . ' buffer per thread, but only if the thread is required'- . ' to write a data log.'- ),- 'type' => 1,- ],- 'pbxt_data_file_grow_size' => [- 'title' => __('Data file grow size'),- 'desc' => __('The grow size of the handle data (.xtd) files.'),- 'type' => 1,- ],- 'pbxt_row_file_grow_size' => [- 'title' => __('Row file grow size'),- 'desc' => __('The grow size of the row pointer (.xtr) files.'),- 'type' => 1,- ],- 'pbxt_log_file_count' => [- 'title' => __('Log file count'),- 'desc' => __(- 'This is the number of transaction log files'- . ' (pbxt/system/xlog*.xt) the system will maintain. If the'- . ' number of logs exceeds this value then old logs will be'- . ' deleted, otherwise they are renamed and given the next'- . ' highest number.'- ),- 'type' => 2,- ],- ]- );+ self::assertSame($this->object->getVariables(), [+ 'pbxt_index_cache_size' => [+ 'title' => __('Index cache size'),+ 'desc' => __(+ 'This is the amount of memory allocated to the'+ . ' index cache. Default value is 32MB. The memory'+ . ' allocated here is used only for caching index pages.'+ ),+ 'type' => 1,+ ],+ 'pbxt_record_cache_size' => [+ 'title' => __('Record cache size'),+ 'desc' => __(+ 'This is the amount of memory allocated to the'+ . ' record cache used to cache table data. The default'+ . ' value is 32MB. This memory is used to cache changes to'+ . ' the handle data (.xtd) and row pointer (.xtr) files.'+ ),+ 'type' => 1,+ ],+ 'pbxt_log_cache_size' => [+ 'title' => __('Log cache size'),+ 'desc' => __(+ 'The amount of memory allocated to the'+ . ' transaction log cache used to cache on transaction log'+ . ' data. The default is 16MB.'+ ),+ 'type' => 1,+ ],+ 'pbxt_log_file_threshold' => [+ 'title' => __('Log file threshold'),+ 'desc' => __(+ 'The size of a transaction log before rollover,'+ . ' and a new log is created. The default value is 16MB.'+ ),+ 'type' => 1,+ ],+ 'pbxt_transaction_buffer_size' => [+ 'title' => __('Transaction buffer size'),+ 'desc' => __(+ 'The size of the global transaction log buffer'+ . ' (the engine allocates 2 buffers of this size).'+ . ' The default is 1MB.'+ ),+ 'type' => 1,+ ],+ 'pbxt_checkpoint_frequency' => [+ 'title' => __('Checkpoint frequency'),+ 'desc' => __(+ 'The amount of data written to the transaction'+ . ' log before a checkpoint is performed.'+ . ' The default value is 24MB.'+ ),+ 'type' => 1,+ ],+ 'pbxt_data_log_threshold' => [+ 'title' => __('Data log threshold'),+ 'desc' => __(+ 'The maximum size of a data log file. The default'+ . ' value is 64MB. PBXT can create a maximum of 32000 data'+ . ' logs, which are used by all tables. So the value of'+ . ' this variable can be increased to increase the total'+ . ' amount of data that can be stored in the database.'+ ),+ 'type' => 1,+ ],+ 'pbxt_garbage_threshold' => [+ 'title' => __('Garbage threshold'),+ 'desc' => __(+ 'The percentage of garbage in a data log file'+ . ' before it is compacted. This is a value between 1 and'+ . ' 99. The default is 50.'+ ),+ 'type' => 2,+ ],+ 'pbxt_log_buffer_size' => [+ 'title' => __('Log buffer size'),+ 'desc' => __(+ 'The size of the buffer used when writing a data'+ . ' log. The default is 256MB. The engine allocates one'+ . ' buffer per thread, but only if the thread is required'+ . ' to write a data log.'+ ),+ 'type' => 1,+ ],+ 'pbxt_data_file_grow_size' => [+ 'title' => __('Data file grow size'),+ 'desc' => __('The grow size of the handle data (.xtd) files.'),+ 'type' => 1,+ ],+ 'pbxt_row_file_grow_size' => [+ 'title' => __('Row file grow size'),+ 'desc' => __('The grow size of the row pointer (.xtr) files.'),+ 'type' => 1,+ ],+ 'pbxt_log_file_count' => [+ 'title' => __('Log file count'),+ 'desc' => __(+ 'This is the number of transaction log files'+ . ' (pbxt/system/xlog*.xt) the system will maintain. If the'+ . ' number of logs exceeds this value then old logs will be'+ . ' deleted, otherwise they are renamed and given the next'+ . ' highest number.'+ ),+ 'type' => 2,+ ],+ ]); } /**@@ -168,10 +165,7 @@ */ public function testResolveTypeSize(string $formatted_size, array $output): void {- $this->assertEquals(- $this->object->resolveTypeSize($formatted_size),- $output- );+ self::assertSame($this->object->resolveTypeSize($formatted_size), $output); } /**@@ -179,7 +173,7 @@ * * @return array */- public function providerFortTestResolveTypeSize(): array+ public static function providerFortTestResolveTypeSize(): array { return [ [@@ -211,10 +205,7 @@ */ public function testGetInfoPages(): void {- $this->assertEquals(- $this->object->getInfoPages(),- ['Documentation' => 'Documentation']- );+ self::assertSame($this->object->getInfoPages(), ['Documentation' => 'Documentation']); } /**@@ -222,23 +213,17 @@ */ public function testGetPage(): void {- $this->assertEquals(- $this->object->getPage('Documentation'),- '<p>'- . sprintf(- __(- 'Documentation and further information about PBXT can be found on the %sPrimeBase XT Home Page%s.'- ),- '<a href="' . Core::linkURL('https://mariadb.com/kb/en/mariadb/about-pbxt/')- . '" rel="noopener noreferrer" target="_blank">',- '</a>'- )- . '</p>' . "\n"- );-- $this->assertEquals(- $this->object->getPage('NonExistMethod'),- false- );+ self::assertSame($this->object->getPage('Documentation'), '<p>'+ . sprintf(+ __(+ 'Documentation and further information about PBXT can be found on the %sPrimeBase XT Home Page%s.'+ ),+ '<a href="' . Core::linkURL('https://mariadb.com/kb/en/about-pbxt/')+ . '" rel="noopener noreferrer" target="_blank">',+ '</a>'+ )+ . '</p>' . "\n");++ self::assertEquals($this->object->getPage('NonExistMethod'), false); } }
After analyzing the provided code diff, I don't find any security vulnerabilities being fixed. The changes appear to be primarily test code improvements and minor refactoring. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found [File] test/classes/Engines/PbxtTest.php [Lines] Various [Old Code] Various assertEquals() calls [Fixed Code] Changed to assertSame() and minor formatting changes 2. Vulnerability Existed: no No security vulnerability found [File] test/classes/Engines/PbxtTest.php [Lines] Various [Old Code] assertEquals() for getPage() test [Fixed Code] assertSame() for getPage() test 3. Vulnerability Existed: no No security vulnerability found [File] test/classes/Engines/PbxtTest.php [Lines] URL change [Old Code] https://mariadb.com/kb/en/mariadb/about-pbxt/ [Fixed Code] https://mariadb.com/kb/en/about-pbxt/ (Note: This is just a URL update, not a security fix) The changes mainly involve: 1. Replacing assertEquals() with assertSame() in test cases for more strict comparison 2. Minor code formatting improvements 3. URL update in documentation link 4. Making a test data provider method static None of these changes appear to address security vulnerabilities. They are test code improvements and minor refactoring.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Footer.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Footer.php@@ -11,7 +11,6 @@ use Traversable; use function basename;-use function file_exists; use function in_array; use function is_array; use function is_object;@@ -36,7 +35,7 @@ * * @var bool */- private $isAjax;+ private $isAjax = false; /** * Whether to only close the BODY and HTML tags * or also include scripts, errors and links@@ -69,22 +68,6 @@ $this->scripts = new Scripts(); $this->isMinimal = false; $this->relation = new Relation($dbi);- }-- /**- * @return array<string, string>- * @psalm-return array{revision: string, revisionUrl: string, branch: string, branchUrl: string}|[]- */- private function getGitRevisionInfo(): array- {- $info = [];-- if (@file_exists(ROOT_PATH . 'revision-info.php')) {- /** @psalm-suppress MissingFile,UnresolvableInclude */- $info = include ROOT_PATH . 'revision-info.php';- }-- return is_array($info) ? $info : []; } /**@@ -288,7 +271,8 @@ $scripts = $this->scripts->getDisplay(); if ($GLOBALS['cfg']['DBG']['demo']) {- $gitRevisionInfo = $this->getGitRevisionInfo();+ $git = new Git(true, ROOT_PATH);+ $gitRevisionInfo = $git->getGitRevisionInfo(); } $footer = Config::renderFooter();
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: yes
Improper Access Control/Information Disclosure [File] [Lines 69-82 (removed)]
[Old Code]
private function getGitRevisionInfo(): array
{
$info = [];
if (@file_exists(ROOT_PATH . 'revision-info.php')) {
/** @psalm-suppress MissingFile,UnresolvableInclude */
$info = include ROOT_PATH . 'revision-info.php';
}
return is_array($info) ? $info : [];
}
[Fixed Code]
(Function removed and replaced with Git class usage)
The old code had a potential security issue where it directly included a PHP file (revision-info.php) without proper validation or sanitization. This could lead to local file inclusion vulnerabilities if an attacker could control the contents of this file. The fix replaces this with a dedicated Git class that likely implements proper security controls.
2. Vulnerability Existed: yes
Uninitialized Property Vulnerability [File] [Lines 36 (modified)]
[Old Code]
private $isAjax;
[Fixed Code]
private $isAjax = false;
The old code had an uninitialized property which could lead to undefined behavior and potential security issues if the property was accessed before being set. The fix ensures the property is always initialized with a default value.
3. Vulnerability Existed: not sure
Potential Information Disclosure [File] [Lines 288-291 (modified)]
[Old Code]
$gitRevisionInfo = $this->getGitRevisionInfo();
[Fixed Code]
$git = new Git(true, ROOT_PATH);
$gitRevisionInfo = $git->getGitRevisionInfo();
While this change appears to be moving to a more secure implementation, without seeing the implementation of the Git class, we can't be certain if all potential information disclosure issues are addressed. The change suggests a move toward better encapsulation of git revision information handling.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/ErrorHandlerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/ErrorHandlerTest.php@@ -7,12 +7,21 @@ use Exception; use PhpMyAdmin\Error; use PhpMyAdmin\ErrorHandler;+use PhpMyAdmin\ResponseRenderer;+use PhpMyAdmin\Tests\Stubs\ResponseRenderer as ResponseRendererStub;+use ReflectionProperty; use function array_keys; use function array_pop;-use function count;-++use const E_COMPILE_WARNING;+use const E_CORE_WARNING;+use const E_ERROR;+use const E_NOTICE; use const E_RECOVERABLE_ERROR;+use const E_STRICT;+use const E_USER_DEPRECATED;+use const E_USER_ERROR; use const E_USER_NOTICE; use const E_USER_WARNING; use const E_WARNING;@@ -54,7 +63,7 @@ * * @return array data for testHandleError */- public function providerForTestHandleError(): array+ public static function providerForTestHandleError(): array { return [ [@@ -106,10 +115,10 @@ $output = $this->object->getDispErrors(); if ($output_hide === '') {- $this->assertEquals('', $output);+ self::assertSame('', $output); } else {- $this->assertNotEmpty($output_show);// Useless check- $this->assertStringContainsString($output_hide, $output);+ self::assertNotEmpty($output_show);// Useless check+ self::assertStringContainsString($output_hide, $output); } }@@ -126,6 +135,7 @@ * disabled * * @dataProvider providerForTestHandleError+ * @requires PHPUnit < 10 */ public function testGetDispErrorsForDisplayTrue( int $errno,@@ -137,11 +147,8 @@ ): void { $this->object->handleError($errno, $errstr, $errfile, $errline);- $this->assertIsString($output_hide);// Useless check- $this->assertStringContainsString(- $output_show,- $this->object->getDispErrors()- );+ self::assertIsString($output_hide);// Useless check+ self::assertStringContainsString($output_show, $this->object->getDispErrors()); } /**@@ -155,7 +162,7 @@ 'checkSavedErrors', [] );- $this->assertArrayNotHasKey('errors', $_SESSION);+ self::assertArrayNotHasKey('errors', $_SESSION); } /**@@ -166,10 +173,34 @@ public function testCountErrors(): void { $this->object->addError('Compile Error', E_WARNING, 'error.txt', 15);- $this->assertEquals(- 1,- $this->object->countErrors()- );+ self::assertSame(1, $this->object->countErrors());+ }++ /** @dataProvider addErrorProvider */+ public function testAddError(int $errorNumber, string $expected): void+ {+ $errorHandler = new ErrorHandler();+ $errorHandler->addError('[em]Error[/em]', $errorNumber, 'error.txt', 15);+ $errors = $errorHandler->getCurrentErrors();+ self::assertCount(1, $errors);+ $error = array_pop($errors);+ self::assertSame($errorNumber, $error->getNumber());+ self::assertSame($expected, $error->getMessage());+ }++ /** @return iterable<string, array{int, string}> */+ public static function addErrorProvider(): iterable+ {+ yield 'E_STRICT' => [@E_STRICT, '[em]Error[/em]'];+ yield 'E_NOTICE' => [E_NOTICE, '[em]Error[/em]'];+ yield 'E_WARNING' => [E_WARNING, '[em]Error[/em]'];+ yield 'E_CORE_WARNING' => [E_CORE_WARNING, '[em]Error[/em]'];+ yield 'E_COMPILE_WARNING' => [E_COMPILE_WARNING, '[em]Error[/em]'];+ yield 'E_RECOVERABLE_ERROR' => [E_RECOVERABLE_ERROR, '[em]Error[/em]'];+ yield 'E_USER_NOTICE' => [E_USER_NOTICE, '<em>Error</em>'];+ yield 'E_USER_WARNING' => [E_USER_WARNING, '<em>Error</em>'];+ yield 'E_USER_ERROR' => [E_USER_ERROR, '<em>Error</em>'];+ yield 'E_USER_DEPRECATED' => [E_USER_DEPRECATED, '<em>Error</em>']; } /**@@ -181,26 +212,11 @@ { $this->object->addError('Compile Error', E_WARNING, 'error.txt', 15); $this->object->addError('Compile Error', E_WARNING, 'error.txt', 16);- $this->assertEquals(- 2,- $this->object->countErrors()- );- $this->assertEquals(- [],- $this->object->sliceErrors(2)- );- $this->assertEquals(- 2,- $this->object->countErrors()- );- $this->assertCount(- 1,- $this->object->sliceErrors(1)- );- $this->assertEquals(- 1,- $this->object->countErrors()- );+ self::assertSame(2, $this->object->countErrors());+ self::assertSame([], $this->object->sliceErrors(2));+ self::assertSame(2, $this->object->countErrors());+ self::assertCount(1, $this->object->sliceErrors(1));+ self::assertSame(1, $this->object->countErrors()); } /**@@ -215,34 +231,31 @@ } // 10 initial items- $this->assertEquals(10, $this->object->countErrors());- $this->assertEquals(10, count($this->object->getCurrentErrors()));+ self::assertSame(10, $this->object->countErrors());+ self::assertCount(10, $this->object->getCurrentErrors()); // slice 9 elements, returns one 10 - 9 $elements = $this->object->sliceErrors(9); $firstKey = array_keys($elements)[0]; // Gives the last element- $this->assertEquals(- [- $firstKey => $elements[$firstKey],- ],- $elements- );- $this->assertEquals(9, count($this->object->getCurrentErrors()));- $this->assertEquals(9, $this->object->countErrors());+ self::assertSame([+ $firstKey => $elements[$firstKey],+ ], $elements);+ self::assertCount(9, $this->object->getCurrentErrors());+ self::assertSame(9, $this->object->countErrors()); // Slice as much as there is (9), does nothing $elements = $this->object->sliceErrors(9);- $this->assertEquals([], $elements);- $this->assertEquals(9, count($this->object->getCurrentErrors()));- $this->assertEquals(9, $this->object->countErrors());+ self::assertSame([], $elements);+ self::assertCount(9, $this->object->getCurrentErrors());+ self::assertSame(9, $this->object->countErrors()); // Slice 0, removes everything $elements = $this->object->sliceErrors(0);- $this->assertEquals(9, count($elements));- $this->assertEquals(0, count($this->object->getCurrentErrors()));- $this->assertEquals(0, $this->object->countErrors());+ self::assertCount(9, $elements);+ self::assertCount(0, $this->object->getCurrentErrors());+ self::assertSame(0, $this->object->countErrors()); } /**@@ -251,15 +264,9 @@ public function testCountUserErrors(): void { $this->object->addError('Compile Error', E_WARNING, 'error.txt', 15);- $this->assertEquals(- 0,- $this->object->countUserErrors()- );+ self::assertSame(0, $this->object->countUserErrors()); $this->object->addError('Compile Error', E_USER_WARNING, 'error.txt', 15);- $this->assertEquals(- 1,- $this->object->countUserErrors()- );+ self::assertSame(1, $this->object->countUserErrors()); } /**@@ -267,7 +274,7 @@ */ public function testHasUserErrors(): void {- $this->assertFalse($this->object->hasUserErrors());+ self::assertFalse($this->object->hasUserErrors()); } /**@@ -275,7 +282,7 @@ */ public function testHasErrors(): void {- $this->assertFalse($this->object->hasErrors());+ self::assertFalse($this->object->hasErrors()); } /**@@ -283,10 +290,7 @@ */ public function testCountDisplayErrorsForDisplayTrue(): void {- $this->assertEquals(- 0,- $this->object->countDisplayErrors()- );+ self::assertSame(0, $this->object->countDisplayErrors()); } /**@@ -294,10 +298,7 @@ */ public function testCountDisplayErrorsForDisplayFalse(): void {- $this->assertEquals(- 0,- $this->object->countDisplayErrors()- );+ self::assertSame(0, $this->object->countDisplayErrors()); } /**@@ -305,42 +306,111 @@ */ public function testHasDisplayErrors(): void {- $this->assertFalse($this->object->hasDisplayErrors());+ self::assertFalse($this->object->hasDisplayErrors()); } public function testHandleExceptionForDevEnv(): void {+ $GLOBALS['lang'] = 'en';+ $GLOBALS['text_dir'] = 'ltr';+ $GLOBALS['PMA_PHP_SELF'] = 'index.php'; $GLOBALS['config']->set('environment', 'development');+ $responseStub = new ResponseRendererStub();+ $property = new ReflectionProperty(ResponseRenderer::class, 'instance');+ $property->setAccessible(true);+ $property->setValue(null, $responseStub);+ $responseStub->setHeadersSent(true); $errorHandler = new ErrorHandler();- $this->assertSame([], $errorHandler->getCurrentErrors());+ self::assertSame([], $errorHandler->getCurrentErrors()); $errorHandler->handleException(new Exception('Exception message.'));- $output = $this->getActualOutputForAssertion();+ $output = $responseStub->getHTMLResult(); $errors = $errorHandler->getCurrentErrors();- $this->assertCount(1, $errors);+ self::assertCount(1, $errors); $error = array_pop($errors);- $this->assertInstanceOf(Error::class, $error);- $this->assertSame('Exception: Exception message.', $error->getOnlyMessage());- $this->assertStringContainsString($error->getDisplay(), $output);- $this->assertStringContainsString('Internal error', $output);- $this->assertStringContainsString('ErrorHandlerTest.php#' . $error->getLine(), $output);- $this->assertStringContainsString('Exception: Exception message.', $output);+ self::assertInstanceOf(Error::class, $error);+ self::assertSame('Exception: Exception message.', $error->getOnlyMessage());+ self::assertStringContainsString($error->getDisplay(), $output);+ self::assertStringContainsString('Internal error', $output);+ self::assertStringContainsString('ErrorHandlerTest.php#' . $error->getLine(), $output);+ self::assertStringContainsString('Exception: Exception message.', $output); } public function testHandleExceptionForProdEnv(): void {+ $GLOBALS['lang'] = 'en';+ $GLOBALS['text_dir'] = 'ltr';+ $GLOBALS['PMA_PHP_SELF'] = 'index.php'; $GLOBALS['config']->set('environment', 'production');+ $responseStub = new ResponseRendererStub();+ $property = new ReflectionProperty(ResponseRenderer::class, 'instance');+ $property->setAccessible(true);+ $property->setValue(null, $responseStub);+ $responseStub->setHeadersSent(true); $errorHandler = new ErrorHandler();- $this->assertSame([], $errorHandler->getCurrentErrors());+ self::assertSame([], $errorHandler->getCurrentErrors()); $errorHandler->handleException(new Exception('Exception message.'));- $output = $this->getActualOutputForAssertion();+ $output = $responseStub->getHTMLResult(); $errors = $errorHandler->getCurrentErrors();- $this->assertCount(1, $errors);+ self::assertCount(1, $errors); $error = array_pop($errors);- $this->assertInstanceOf(Error::class, $error);- $this->assertSame('Exception: Exception message.', $error->getOnlyMessage());- $this->assertStringContainsString($error->getDisplay(), $output);- $this->assertStringContainsString('Exception: Exception message.', $output);- $this->assertStringNotContainsString('Internal error', $output);- $this->assertStringNotContainsString('ErrorHandlerTest.php#' . $error->getLine(), $output);+ self::assertInstanceOf(Error::class, $error);+ self::assertSame('Exception: Exception message.', $error->getOnlyMessage());+ self::assertStringContainsString($error->getDisplay(), $output);+ self::assertStringContainsString('Exception: Exception message.', $output);+ self::assertStringNotContainsString('Internal error', $output);+ self::assertStringNotContainsString('ErrorHandlerTest.php#' . $error->getLine(), $output);+ }++ public function testAddErrorWithFatalErrorAndHeadersSent(): void+ {+ $GLOBALS['lang'] = 'en';+ $GLOBALS['text_dir'] = 'ltr';+ $GLOBALS['PMA_PHP_SELF'] = 'index.php';+ $GLOBALS['config']->set('environment', 'production');+ $responseStub = new ResponseRendererStub();+ $property = new ReflectionProperty(ResponseRenderer::class, 'instance');+ $property->setAccessible(true);+ $property->setValue(null, $responseStub);+ $responseStub->setHeadersSent(true);+ $errorHandler = new ErrorHandler();+ $errorHandler->addError('Fatal error message!', E_ERROR, './file/name', 1);+ $expectedStart = <<<'HTML'+<div class="alert alert-danger" role="alert"><strong>Error</strong> in name#1<br>+<img src="themes/dot.gif" title="" alt="" class="icon ic_s_error"> Fatal error message!<br>+<br>+<strong>Backtrace</strong><br>+<br>+HTML;++ $output = $responseStub->getHTMLResult();+ self::assertStringStartsWith($expectedStart, $output);+ self::assertStringEndsWith('</div></body></html>', $output);+ }++ public function testAddErrorWithFatalErrorAndHeadersNotSent(): void+ {+ $GLOBALS['lang'] = 'en';+ $GLOBALS['text_dir'] = 'ltr';+ $GLOBALS['PMA_PHP_SELF'] = 'index.php';+ $GLOBALS['config']->set('environment', 'production');+ $responseStub = new ResponseRendererStub();+ $property = new ReflectionProperty(ResponseRenderer::class, 'instance');+ $property->setAccessible(true);+ $property->setValue(null, $responseStub);+ $responseStub->setHeadersSent(false);+ $errorHandler = new ErrorHandler();+ $errorHandler->addError('Fatal error message!', E_ERROR, './file/name', 1);+ $expectedStart = <<<'HTML'+<html><head><title>Error: Fatal error message!</title></head>+<div class="alert alert-danger" role="alert"><strong>Error</strong> in name#1<br>+<img src="themes/dot.gif" title="" alt="" class="icon ic_s_error"> Fatal error message!<br>+<br>+<strong>Backtrace</strong><br>+<br>+HTML;++ $output = $responseStub->getHTMLResult();+ self::assertStringStartsWith($expectedStart, $output);+ self::assertStringEndsWith('</div></body></html>', $output); } }
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be primarily test improvements and code quality enhancements. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found [test/classes/ErrorHandlerTest.php] [Various lines] The changes mainly involve: - Adding new test cases - Improving test assertions (changing assertEquals to assertSame) - Adding new error level constants for testing - Refactoring test methods to be static where appropriate - Adding better error handling test coverage 2. Vulnerability Existed: no No security vulnerability found [test/classes/ErrorHandlerTest.php] [Various lines] The changes include: - Improved exception handling tests - Better testing of error display in different environments - More comprehensive error type testing - Better header handling in tests The diff shows significant test improvements but no clear security fixes. The changes are focused on: - Making tests more robust and precise - Adding coverage for more error types - Improving test isolation - Better handling of test output No security vulnerabilities were identified in these changes. The modifications appear to be part of normal test suite maintenance and improvement.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/TemplateTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/TemplateTest.php@@ -37,12 +37,12 @@ $cfg['environment'] = 'production'; $twig = Template::getTwigEnvironment(null);- $this->assertFalse($twig->isDebug());- $this->assertFalse(TransNode::$enableAddDebugInfo);+ self::assertFalse($twig->isDebug());+ self::assertFalse(TransNode::$enableAddDebugInfo); $cfg['environment'] = 'development'; $twig = Template::getTwigEnvironment(null);- $this->assertTrue($twig->isDebug());- $this->assertTrue(TransNode::$enableAddDebugInfo);+ self::assertTrue($twig->isDebug());+ self::assertTrue(TransNode::$enableAddDebugInfo); } /**@@ -58,8 +58,8 @@ 'variable1' => 'value1', 'variable2' => 'value2', ]);- $this->assertStringContainsString('value1', $result);- $this->assertStringContainsString('value2', $result);+ self::assertStringContainsString('value1', $result);+ self::assertStringContainsString('value2', $result); } /**@@ -67,7 +67,7 @@ * * @return array */- public function providerTestSet(): array+ public static function providerTestSet(): array { return [ ['test/add_data'],@@ -85,10 +85,7 @@ */ public function testDynamicRender(string $templateFile, string $key, string $value): void {- $this->assertEquals(- $value,- $this->template->render($templateFile, [$key => $value])- );+ self::assertSame($value, $this->template->render($templateFile, [$key => $value])); } /**@@ -96,7 +93,7 @@ * * @return array */- public function providerTestDynamicRender(): array+ public static function providerTestDynamicRender(): array { return [ [@@ -126,10 +123,7 @@ */ public function testRender(string $templateFile, string $expectedResult): void {- $this->assertEquals(- $expectedResult,- $this->template->render($templateFile)- );+ self::assertSame($expectedResult, $this->template->render($templateFile)); } /**@@ -137,7 +131,7 @@ * * @return array */- public function providerTestRender(): array+ public static function providerTestRender(): array { return [ [@@ -158,10 +152,7 @@ */ public function testRenderGettext(string $templateFile, array $renderParams, string $expectedResult): void {- $this->assertEquals(- $expectedResult,- $this->template->render($templateFile, $renderParams)- );+ self::assertSame($expectedResult, $this->template->render($templateFile, $renderParams)); } /**@@ -169,7 +160,7 @@ * * @return array */- public function providerTestRenderGettext(): array+ public static function providerTestRenderGettext(): array { return [ [
After analyzing the provided code diff, I don't find any security-related vulnerabilities being fixed. The changes appear to be primarily test improvements and code style updates. Here's my analysis: 1. Vulnerability Existed: no Test Assertion Improvements [File] [Lines 37-42, 58-59, 85, 123, 152] [Old Code] - Various $this->assert*() calls [Fixed Code] - Changed to self::assert*() calls and assertSame() instead of assertEquals() 2. Vulnerability Existed: no Test Data Provider Method Modifications [File] [Lines 67, 93, 131, 160] [Old Code] - public function providerTest*() [Fixed Code] - Changed to public static function providerTest*() The changes are focused on: 1. Updating test assertion methods to use static calls (self::assert* instead of $this->assert*) 2. Changing assertEquals to assertSame for more strict comparisons 3. Making test data provider methods static 4. Some code formatting improvements None of these changes appear to address security vulnerabilities, but rather improve test reliability and follow best practices.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/RoutingTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/RoutingTest.php@@ -4,13 +4,18 @@ namespace PhpMyAdmin\Tests;+use FastRoute\DataGenerator\GroupCountBased as DataGeneratorGroupCountBased; use FastRoute\Dispatcher;+use FastRoute\RouteCollector;+use FastRoute\RouteParser\Std as RouteParserStd; use PhpMyAdmin\Controllers\HomeController; use PhpMyAdmin\Routing;-use function copy;-use function method_exists;+use function file_exists;+use function file_put_contents;+use function sprintf; use function unlink;+use function var_export; use const CACHE_DIR; use const TEST_PATH;@@ -20,53 +25,62 @@ */ class RoutingTest extends AbstractTestCase {- /**- * Test for Routing::getDispatcher- */- public function testGetDispatcher(): void+ public function testGetDispatcherWithDevEnv(): void {+ $GLOBALS['cfg']['environment'] = 'development'; $expected = [Dispatcher::FOUND, HomeController::class, []];- $cacheFilename = CACHE_DIR . 'routes.cache.php';- $validCacheFilename = TEST_PATH . 'test/test_data/routes/routes-valid.cache.txt';- $invalidCacheFilename = TEST_PATH . 'test/test_data/routes/routes-invalid.cache.txt';- $GLOBALS['cfg']['environment'] = null;+ self::assertSame($expected, Routing::getDispatcher()->dispatch('GET', '/'));+ }- $this->assertDirectoryIsWritable(CACHE_DIR);+ public function testGetDispatcherWithValidCacheFile(): void+ {+ $GLOBALS['cfg']['environment'] = 'production';+ $_SESSION['isRoutesCacheFileValid'] = true;- // Valid cache file.- $this->assertTrue(copy($validCacheFilename, $cacheFilename));- $dispatcher = Routing::getDispatcher();- $this->assertInstanceOf(Dispatcher::class, $dispatcher);- $this->assertSame($expected, $dispatcher->dispatch('GET', '/'));- $this->assertFileEquals($validCacheFilename, $cacheFilename);+ self::assertDirectoryIsWritable(CACHE_DIR);- // Invalid cache file.- $this->assertTrue(copy($invalidCacheFilename, $cacheFilename));- $dispatcher = Routing::getDispatcher();- $this->assertInstanceOf(Dispatcher::class, $dispatcher);- $this->assertSame($expected, $dispatcher->dispatch('GET', '/'));- $this->assertFileNotEquals($invalidCacheFilename, $cacheFilename);+ $routeCollector = new RouteCollector(new RouteParserStd(), new DataGeneratorGroupCountBased());+ $routeDefinitionCallback = require TEST_PATH . 'libraries/routes.php';+ $routeDefinitionCallback($routeCollector);+ $routesData = sprintf('<?php return %s;', var_export($routeCollector->getData(), true));+ self::assertNotFalse(file_put_contents(Routing::ROUTES_CACHE_FILE, $routesData));- // Create new cache file.- $this->assertTrue(unlink($cacheFilename));+ $expected = [Dispatcher::FOUND, HomeController::class, []];+ self::assertSame($expected, Routing::getDispatcher()->dispatch('GET', '/'));+ }- if (method_exists($this, 'assertFileDoesNotExist')) {- $this->assertFileDoesNotExist($cacheFilename);- } else {- /** @psalm-suppress DeprecatedMethod */- $this->assertFileNotExists($cacheFilename);+ public function testGetDispatcherWithInvalidCacheFile(): void+ {+ $GLOBALS['cfg']['environment'] = 'production';+ $_SESSION['isRoutesCacheFileValid'] = null;++ self::assertDirectoryIsWritable(CACHE_DIR);++ $routeCollector = new RouteCollector(new RouteParserStd(), new DataGeneratorGroupCountBased());+ $routeDefinitionCallback = require TEST_PATH . 'libraries/routes.php';+ $routeDefinitionCallback($routeCollector);+ $dispatchData = $routeCollector->getData();+ /** @psalm-suppress MixedArrayAccess */+ unset($dispatchData[0]['GET']['/']);+ $routesData = sprintf('<?php return %s;', var_export($dispatchData, true));+ self::assertNotFalse(file_put_contents(Routing::ROUTES_CACHE_FILE, $routesData));++ $expected = [Dispatcher::FOUND, HomeController::class, []];+ self::assertSame($expected, Routing::getDispatcher()->dispatch('GET', '/'));+ }++ public function testGetDispatcherWithNoCacheFile(): void+ {+ $GLOBALS['cfg']['environment'] = 'production';+ $_SESSION['isRoutesCacheFileValid'] = null;++ self::assertDirectoryIsWritable(CACHE_DIR);+ if (file_exists(Routing::ROUTES_CACHE_FILE)) {+ self::assertTrue(unlink(Routing::ROUTES_CACHE_FILE)); }- $dispatcher = Routing::getDispatcher();- $this->assertInstanceOf(Dispatcher::class, $dispatcher);- $this->assertSame($expected, $dispatcher->dispatch('GET', '/'));- $this->assertFileExists($cacheFilename);-- // Without a cache file.- $GLOBALS['cfg']['environment'] = 'development';- $dispatcher = Routing::getDispatcher();- $this->assertInstanceOf(Dispatcher::class, $dispatcher);- $this->assertSame($expected, $dispatcher->dispatch('GET', '/'));+ $expected = [Dispatcher::FOUND, HomeController::class, []];+ self::assertSame($expected, Routing::getDispatcher()->dispatch('GET', '/')); } /**@@ -74,7 +88,7 @@ */ public function testGetCurrentRouteNoParams(): void {- $this->assertSame('/', Routing::getCurrentRoute());+ self::assertSame('/', Routing::getCurrentRoute()); } /**@@ -83,7 +97,7 @@ public function testGetCurrentRouteGet(): void { $_GET['route'] = '/test';- $this->assertSame('/test', Routing::getCurrentRoute());+ self::assertSame('/test', Routing::getCurrentRoute()); } /**@@ -93,7 +107,7 @@ { unset($_GET['route']); $_POST['route'] = '/testpost';- $this->assertSame('/testpost', Routing::getCurrentRoute());+ self::assertSame('/testpost', Routing::getCurrentRoute()); } /**@@ -103,7 +117,7 @@ { $_GET['route'] = '/testget'; $_POST['route'] = '/testpost';- $this->assertSame('/testget', Routing::getCurrentRoute());+ self::assertSame('/testget', Routing::getCurrentRoute()); } /**@@ -114,7 +128,7 @@ unset($_POST['route']); unset($_GET['route']); $_GET['db'] = 'testDB';- $this->assertSame('/database/structure', Routing::getCurrentRoute());+ self::assertSame('/database/structure', Routing::getCurrentRoute()); } /**@@ -124,6 +138,6 @@ { $_GET['db'] = 'testDB'; $_GET['table'] = 'tableTest';- $this->assertSame('/sql', Routing::getCurrentRoute());+ self::assertSame('/sql', Routing::getCurrentRoute()); } }
After analyzing the provided code diff, I don't identify any clear security vulnerabilities that were fixed. The changes appear to be primarily test improvements and refactoring rather than security fixes. Here's my analysis: Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are test improvements including: - Better test organization with separate methods for different scenarios - More robust test assertions - Better handling of route caching scenarios - Use of proper constants and imports The changes focus on improving test coverage and reliability rather than fixing security issues. The routing functionality being tested doesn't show any security-relevant changes in this diff. If I had to identify potential security-related improvements, they would be: Vulnerability Existed: not sure Potential Session Validation [File] test/classes/RoutingTest.php [Lines] 35,52 The tests now check $_SESSION['isRoutesCacheFileValid'] which might indicate added session validation, but this appears to be test-specific rather than a security fix. However, this is speculative and likely just part of the test improvements rather than an actual security fix. The main changes are clearly test improvements and refactoring.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/TrackerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/TrackerTest.php@@ -53,13 +53,9 @@ */ public function testEnabled(): void {- $this->assertFalse(- Cache::has(Tracker::TRACKER_ENABLED_CACHE_KEY)- );+ self::assertFalse(Cache::has(Tracker::TRACKER_ENABLED_CACHE_KEY)); Tracker::enable();- $this->assertTrue(- Cache::get(Tracker::TRACKER_ENABLED_CACHE_KEY)- );+ self::assertTrue(Cache::get(Tracker::TRACKER_ENABLED_CACHE_KEY)); } /**@@ -67,22 +63,16 @@ */ public function testIsActive(): void {- $this->assertFalse(- Cache::has(Tracker::TRACKER_ENABLED_CACHE_KEY)- );-- $this->assertFalse(- Tracker::isActive()- );+ self::assertFalse(Cache::has(Tracker::TRACKER_ENABLED_CACHE_KEY));++ self::assertFalse(Tracker::isActive()); Tracker::enable(); $_SESSION['relation'] = []; $_SESSION['relation'][$GLOBALS['server']] = RelationParameters::fromArray([])->toArray();- $this->assertFalse(- Tracker::isActive()- );+ self::assertFalse(Tracker::isActive()); $_SESSION['relation'] = []; $_SESSION['relation'][$GLOBALS['server']] = RelationParameters::fromArray([@@ -91,9 +81,7 @@ 'tracking' => 'tracking', ])->toArray();- $this->assertTrue(- Tracker::isActive()- );+ self::assertTrue(Tracker::isActive()); } /**@@ -106,10 +94,7 @@ */ public function testGetTableName(string $string, string $expected): void {- $this->assertEquals(- $expected,- $this->callFunction(null, Tracker::class, 'getTableName', [$string])- );+ self::assertSame($expected, $this->callFunction(null, Tracker::class, 'getTableName', [$string])); } /**@@ -117,7 +102,7 @@ * * @return array Test data */- public function getTableNameData(): array+ public static function getTableNameData(): array { return [ [@@ -140,22 +125,16 @@ */ public function testIsTracked(): void {- $this->assertFalse(- Cache::has(Tracker::TRACKER_ENABLED_CACHE_KEY)- );-- $this->assertFalse(- Tracker::isTracked('', '')- );+ self::assertFalse(Cache::has(Tracker::TRACKER_ENABLED_CACHE_KEY));++ self::assertFalse(Tracker::isTracked('', '')); Tracker::enable(); $_SESSION['relation'] = []; $_SESSION['relation'][$GLOBALS['server']] = RelationParameters::fromArray([])->toArray();- $this->assertFalse(- Tracker::isTracked('', '')- );+ self::assertFalse(Tracker::isTracked('', '')); $_SESSION['relation'] = []; $_SESSION['relation'][$GLOBALS['server']] = RelationParameters::fromArray([@@ -164,13 +143,9 @@ 'tracking' => 'tracking', ])->toArray();- $this->assertTrue(- Tracker::isTracked('pma_test_db', 'pma_test_table')- );-- $this->assertFalse(- Tracker::isTracked('pma_test_db', 'pma_test_table2')- );+ self::assertTrue(Tracker::isTracked('pma_test_db', 'pma_test_table'));++ self::assertFalse(Tracker::isTracked('pma_test_db', 'pma_test_table2')); } /**@@ -181,14 +156,13 @@ $date = Util::date('Y-m-d H:i:s'); $GLOBALS['cfg']['Server']['user'] = 'pma_test_user';- $this->assertEquals(- '# log ' . $date . " pma_test_user\n",- Tracker::getLogComment()- );+ self::assertSame('# log ' . $date . " pma_test_user\n", Tracker::getLogComment()); } /** * Test for Tracker::createVersion()+ *+ * @requires PHPUnit < 10 */ public function testCreateVersion(): void {@@ -253,7 +227,7 @@ ->will($this->returnValue([])); $GLOBALS['dbi'] = $dbi;- $this->assertTrue(Tracker::createVersion('pma_test', 'pma_tbl', '1', '11', true));+ self::assertTrue(Tracker::createVersion('pma_test', 'pma_tbl', '1', '11', true)); } /**@@ -280,7 +254,7 @@ ->will($this->returnArgument(0)); $GLOBALS['dbi'] = $dbi;- $this->assertTrue(Tracker::deleteTracking('testdb', 'testtable'));+ self::assertTrue(Tracker::deleteTracking('testdb', 'testtable')); } /**@@ -313,7 +287,7 @@ ->will($this->returnArgument(0)); $GLOBALS['dbi'] = $dbi;- $this->assertTrue(Tracker::createDatabaseVersion('pma_test', '1', 'SHOW DATABASES'));+ self::assertTrue(Tracker::createDatabaseVersion('pma_test', '1', 'SHOW DATABASES')); } /**@@ -373,9 +347,7 @@ */ public function testChangeTrackingData(): void {- $this->assertFalse(- Tracker::changeTrackingData('', '', '', '', '')- );+ self::assertFalse(Tracker::changeTrackingData('', '', '', '', '')); $dbi = $this->getMockBuilder(DatabaseInterface::class) ->disableOriginalConstructor()@@ -431,25 +403,21 @@ $GLOBALS['dbi'] = $dbi;- $this->assertTrue(- Tracker::changeTrackingData(- 'pma_db',- 'pma_table',- '1.0',- 'DDL',- '# new_data_processed'- )- );-- $this->assertTrue(- Tracker::changeTrackingData(- 'pma_db',- 'pma_table',- '1.0',- 'DML',- $new_data- )- );+ self::assertTrue(Tracker::changeTrackingData(+ 'pma_db',+ 'pma_table',+ '1.0',+ 'DDL',+ '# new_data_processed'+ ));++ self::assertTrue(Tracker::changeTrackingData(+ 'pma_db',+ 'pma_table',+ '1.0',+ 'DML',+ $new_data+ )); } /**@@ -516,7 +484,7 @@ $GLOBALS['dbi'] = $dbi; $result = Tracker::getTrackedData("pma'db", "pma'table", '1.0');- $this->assertEquals($expectedArray, $result);+ self::assertEquals($expectedArray, $result); } /**@@ -524,7 +492,7 @@ * * @return array Test data */- public function getTrackedDataProvider(): array+ public static function getTrackedDataProvider(): array { $fetchArrayReturn = [ [@@ -632,21 +600,21 @@ ): void { $result = Tracker::parseQuery($query);- $this->assertEquals($type, $result['type']);-- $this->assertEquals($identifier, $result['identifier']);-- $this->assertEquals($tablename, $result['tablename']);+ self::assertSame($type, $result['type']);++ self::assertSame($identifier, $result['identifier']);++ self::assertSame($tablename, $result['tablename']); if ($db) {- $this->assertEquals($db, $GLOBALS['db']);+ self::assertSame($db, $GLOBALS['db']); } if (! $tablename_after_rename) { return; }- $this->assertEquals($result['tablename_after_rename'], $tablename_after_rename);+ self::assertSame($result['tablename_after_rename'], $tablename_after_rename); } /**@@ -654,7 +622,7 @@ * * @return array Test data */- public function parseQueryData(): array+ public static function parseQueryData(): array { // query // type
After analyzing the provided code diff, I don't find any security-related vulnerabilities being fixed. The changes appear to be primarily test code improvements and refactoring. Here's the analysis: 1. Vulnerability Existed: no The changes are test code improvements including: - Changing `$this->assert*` to `self::assert*` for consistency - Simplifying assertion statements - Adding `@requires` annotation for a test method - Changing instance methods to static where appropriate - General code cleanup and formatting improvements 2. Vulnerability Existed: no The changes in the test methods (testEnabled, testIsActive, testIsTracked, etc.) are all test code improvements without security implications. The assertions are being simplified but the test logic remains the same. 3. Vulnerability Existed: no The changes to data provider methods (getTableNameData, getTrackedDataProvider, parseQueryData) making them static doesn't affect security - it's a test code optimization. The diff shows quality improvements to the test suite but no security vulnerability fixes. The changes are focused on: - Test code consistency - Modernizing assertions - Making test methods static where possible - Code style improvements - Adding PHPUnit version requirements No security-related patterns (like input validation, output encoding, authentication checks, etc.) were modified in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/FontTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/FontTest.php@@ -29,118 +29,61 @@ public function testGetStringWidth(): void { // empty string- $this->assertEquals(- 0,- $this->font->getStringWidth('', 'arial', 10)- );+ self::assertSame(0, $this->font->getStringWidth('', 'arial', 10)); // empty string- $this->assertEquals(- 3,- $this->font->getStringWidth(' ', 'arial', 10)- );+ self::assertSame(3, $this->font->getStringWidth(' ', 'arial', 10)); // string "a"- $this->assertEquals(- 6,- $this->font->getStringWidth('a', 'arial', 10)- );+ self::assertSame(6, $this->font->getStringWidth('a', 'arial', 10)); // string "aa"- $this->assertEquals(- 12,- $this->font->getStringWidth('aa', 'arial', 10)- );+ self::assertSame(12, $this->font->getStringWidth('aa', 'arial', 10)); // string "i"- $this->assertEquals(- 3,- $this->font->getStringWidth('i', 'arial', 10)- );+ self::assertSame(3, $this->font->getStringWidth('i', 'arial', 10)); // string "f"- $this->assertEquals(- 3,- $this->font->getStringWidth('f', 'arial', 10)- );+ self::assertSame(3, $this->font->getStringWidth('f', 'arial', 10)); // string "t"- $this->assertEquals(- 3,- $this->font->getStringWidth('t', 'arial', 10)- );+ self::assertSame(3, $this->font->getStringWidth('t', 'arial', 10)); // string "if"- $this->assertEquals(- 5,- $this->font->getStringWidth('if', 'arial', 10)- );+ self::assertSame(5, $this->font->getStringWidth('if', 'arial', 10)); // string "it"- $this->assertEquals(- 6,- $this->font->getStringWidth('it', 'arial', 10)- );+ self::assertSame(6, $this->font->getStringWidth('it', 'arial', 10)); // string "r"- $this->assertEquals(- 4,- $this->font->getStringWidth('r', 'arial', 10)- );+ self::assertSame(4, $this->font->getStringWidth('r', 'arial', 10)); // string "1"- $this->assertEquals(- 5,- $this->font->getStringWidth('1', 'arial', 10)- );+ self::assertSame(5, $this->font->getStringWidth('1', 'arial', 10)); // string "c"- $this->assertEquals(- 5,- $this->font->getStringWidth('c', 'arial', 10)- );+ self::assertSame(5, $this->font->getStringWidth('c', 'arial', 10)); // string "F"- $this->assertEquals(- 7,- $this->font->getStringWidth('F', 'arial', 10)- );+ self::assertSame(7, $this->font->getStringWidth('F', 'arial', 10)); // string "A"- $this->assertEquals(- 7,- $this->font->getStringWidth('A', 'arial', 10)- );+ self::assertSame(7, $this->font->getStringWidth('A', 'arial', 10)); // string "w"- $this->assertEquals(- 8,- $this->font->getStringWidth('w', 'arial', 10)- );+ self::assertSame(8, $this->font->getStringWidth('w', 'arial', 10)); // string "G"- $this->assertEquals(- 8,- $this->font->getStringWidth('G', 'arial', 10)- );+ self::assertSame(8, $this->font->getStringWidth('G', 'arial', 10)); // string "m"- $this->assertEquals(- 9,- $this->font->getStringWidth('m', 'arial', 10)- );+ self::assertSame(9, $this->font->getStringWidth('m', 'arial', 10)); // string "W"- $this->assertEquals(- 10,- $this->font->getStringWidth('W', 'arial', 10)- );+ self::assertSame(10, $this->font->getStringWidth('W', 'arial', 10)); // string "$"- $this->assertEquals(- 3,- $this->font->getStringWidth('$', 'arial', 10)- );+ self::assertSame(3, $this->font->getStringWidth('$', 'arial', 10)); } /**@@ -149,28 +92,16 @@ public function testGetStringWidthFont(): void { // string "phpMyAdmin", with Arial 10- $this->assertEquals(- 59,- $this->font->getStringWidth('phpMyAdmin', 'arial', 10)- );+ self::assertSame(59, $this->font->getStringWidth('phpMyAdmin', 'arial', 10)); // string "phpMyAdmin", with No font- $this->assertEquals(- 59,- $this->font->getStringWidth('phpMyAdmin', '', 10)- );+ self::assertSame(59, $this->font->getStringWidth('phpMyAdmin', '', 10)); // string "phpMyAdmin", with Times 10- $this->assertEquals(- 55,- $this->font->getStringWidth('phpMyAdmin', 'times', 10)- );+ self::assertSame(55, $this->font->getStringWidth('phpMyAdmin', 'times', 10)); // string "phpMyAdmin", with Broadway 10- $this->assertEquals(- 73,- $this->font->getStringWidth('phpMyAdmin', 'broadway', 10)- );+ self::assertSame(73, $this->font->getStringWidth('phpMyAdmin', 'broadway', 10)); } /**@@ -179,28 +110,16 @@ public function testGetStringWidthSize(): void { // string "phpMyAdmin", with font size 0- $this->assertEquals(- 0,- $this->font->getStringWidth('phpMyAdmin', 'arial', 0)- );+ self::assertSame(0, $this->font->getStringWidth('phpMyAdmin', 'arial', 0)); // string "phpMyAdmin", with Arial 10- $this->assertEquals(- 59,- $this->font->getStringWidth('phpMyAdmin', 'arial', 10)- );+ self::assertSame(59, $this->font->getStringWidth('phpMyAdmin', 'arial', 10)); // string "phpMyAdmin", with Arial 11- $this->assertEquals(- 65,- $this->font->getStringWidth('phpMyAdmin', 'arial', 11)- );+ self::assertSame(65, $this->font->getStringWidth('phpMyAdmin', 'arial', 11)); // string "phpMyAdmin", with Arial 20- $this->assertEquals(- 118,- $this->font->getStringWidth('phpMyAdmin', 'arial', 20)- );+ self::assertSame(118, $this->font->getStringWidth('phpMyAdmin', 'arial', 20)); } /**@@ -209,66 +128,51 @@ public function testGetStringWidthCharLists(): void { // string "a", with invalid charlist (= array without proper structure)- $this->assertEquals(- 6,- $this->font->getStringWidth('a', 'arial', 10, ['list'])- );+ self::assertSame(6, $this->font->getStringWidth('a', 'arial', 10, ['list'])); // string "a", with invalid charlist (= array without proper structure : // modifier is missing- $this->assertEquals(- 6,- $this->font->getStringWidth(- 'a',- 'arial',- 10,- [['chars' => 'a']]- )- );+ self::assertSame(6, $this->font->getStringWidth(+ 'a',+ 'arial',+ 10,+ [['chars' => 'a']]+ )); // string "a", with invalid charlist (= array without proper structure : // chars is missing- $this->assertEquals(- 6,- $this->font->getStringWidth(- 'a',- 'arial',- 10,- [['modifier' => 0.61]]- )- );+ self::assertSame(6, $this->font->getStringWidth(+ 'a',+ 'arial',+ 10,+ [['modifier' => 0.61]]+ )); // string "a", with invalid charlist (= array without proper structure : // chars is not an array- $this->assertEquals(- 6,- $this->font->getStringWidth(- 'a',- 'arial',- 10,+ self::assertSame(6, $this->font->getStringWidth(+ 'a',+ 'arial',+ 10,+ [ [- [- 'chars' => 'a',- 'modifier' => 0.61,- ],- ]- )- );+ 'chars' => 'a',+ 'modifier' => 0.61,+ ],+ ]+ )); // string "a", with valid charlist- $this->assertEquals(- 7,- $this->font->getStringWidth(- 'a',- 'arial',- 10,+ self::assertSame(7, $this->font->getStringWidth(+ 'a',+ 'arial',+ 10,+ [ [- [- 'chars' => ['a'],- 'modifier' => 0.61,- ],- ]- )- );+ 'chars' => ['a'],+ 'modifier' => 0.61,+ ],+ ]+ )); } }
After analyzing the provided code diff, I can confirm that this is purely a test file modification where the test assertions were changed from `assertEquals` to `assertSame`. There are no security vulnerabilities being fixed in this diff.
Here's the analysis following your requested format:
Vulnerability Existed: no
No security vulnerability found [File] test/classes/FontTest.php [Lines] 29-228
[Old Code] Various assertEquals() calls
[Fixed Code] Various assertSame() calls
The changes are purely about improving test accuracy by using strict comparison (assertSame) instead of loose comparison (assertEquals). This is a testing best practice change, not a security fix. No vulnerabilities were addressed in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/ConfigTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/ConfigTest.php@@ -89,13 +89,13 @@ $this->markTestSkipped('Creating a temporary file does not work'); }- $this->assertFileExists($tmpConfig);+ self::assertFileExists($tmpConfig); // end of setup // Test loading an empty file does not change the default config $config = new Config($tmpConfig);- $this->assertSame($defaultConfig->settings, $config->settings);+ self::assertSame($defaultConfig->settings, $config->settings); $contents = '<?php' . PHP_EOL . '$cfg[\'ProtectBinary\'] = true;';@@ -104,12 +104,12 @@ // Test loading a config changes the setup $config = new Config($tmpConfig); $defaultConfig->settings['ProtectBinary'] = true;- $this->assertSame($defaultConfig->settings, $config->settings);+ self::assertSame($defaultConfig->settings, $config->settings); $defaultConfig->settings['ProtectBinary'] = 'blob'; // Teardown unlink($tmpConfig);- $this->assertFalse(file_exists($tmpConfig));+ self::assertFalse(file_exists($tmpConfig)); } /**@@ -123,13 +123,13 @@ $this->markTestSkipped('Creating a temporary file does not work'); }- $this->assertFileExists($tmpConfig);+ self::assertFileExists($tmpConfig); // end of setup // Test loading an empty file does not change the default config $config = new Config($tmpConfig);- $this->assertSame($defaultConfig->settings, $config->settings);+ self::assertSame($defaultConfig->settings, $config->settings); $contents = '<?php' . PHP_EOL . '$cfg[\'fooBar\'] = true;';@@ -139,7 +139,7 @@ $config = new Config($tmpConfig); $defaultConfig->settings['fooBar'] = true; // Equals because of the key sorting- $this->assertEquals($defaultConfig->settings, $config->settings);+ self::assertEquals($defaultConfig->settings, $config->settings); unset($defaultConfig->settings['fooBar']); $contents = '<?php' . PHP_EOL@@ -154,12 +154,12 @@ $config = new Config($tmpConfig); $defaultConfig->settings['ValidKey'] = true; // Equals because of the key sorting- $this->assertEquals($defaultConfig->settings, $config->settings);+ self::assertEquals($defaultConfig->settings, $config->settings); unset($defaultConfig->settings['ValidKey']); // Teardown unlink($tmpConfig);- $this->assertFalse(file_exists($tmpConfig));+ self::assertFalse(file_exists($tmpConfig)); } /**@@ -171,7 +171,7 @@ { $this->object->checkSystem();- $this->assertIsBool($this->object->get('PMA_IS_WINDOWS'));+ self::assertIsBool($this->object->get('PMA_IS_WINDOWS')); } /**@@ -184,13 +184,13 @@ $this->object->set('PMA_USR_BROWSER_AGENT', 'IE'); $this->object->set('PMA_USR_BROWSER_VER', 6); $this->object->checkOutputCompression();- $this->assertTrue($this->object->get('OBGzip'));+ self::assertTrue($this->object->get('OBGzip')); $this->object->set('OBGzip', 'auto'); $this->object->set('PMA_USR_BROWSER_AGENT', 'MOZILLA'); $this->object->set('PMA_USR_BROWSER_VER', 5); $this->object->checkOutputCompression();- $this->assertTrue($this->object->get('OBGzip'));+ self::assertTrue($this->object->get('OBGzip')); } /**@@ -207,22 +207,16 @@ { $_SERVER['HTTP_USER_AGENT'] = $agent; $this->object->checkClient();- $this->assertEquals($os, $this->object->get('PMA_USR_OS'));+ self::assertSame($os, $this->object->get('PMA_USR_OS')); if ($os != null) {- $this->assertEquals(- $browser,- $this->object->get('PMA_USR_BROWSER_AGENT')- );+ self::assertSame($browser, $this->object->get('PMA_USR_BROWSER_AGENT')); } if ($version == null) { return; }- $this->assertEquals(- $version,- $this->object->get('PMA_USR_BROWSER_VER')- );+ self::assertEquals($version, $this->object->get('PMA_USR_BROWSER_VER')); } /**@@ -230,7 +224,7 @@ * * @return array */- public function userAgentProvider(): array+ public static function userAgentProvider(): array { return [ [@@ -334,17 +328,17 @@ { $this->object->set('GD2Available', 'yes'); $this->object->checkGd2();- $this->assertEquals(1, $this->object->get('PMA_IS_GD2'));+ self::assertSame(1, $this->object->get('PMA_IS_GD2')); $this->object->set('GD2Available', 'no'); $this->object->checkGd2();- $this->assertEquals(0, $this->object->get('PMA_IS_GD2'));+ self::assertSame(0, $this->object->get('PMA_IS_GD2')); $this->object->set('GD2Available', 'auto'); if (! function_exists('imagecreatetruecolor')) { $this->object->checkGd2();- $this->assertEquals(+ self::assertSame( 0, $this->object->get('PMA_IS_GD2'), 'imagecreatetruecolor does not exist, PMA_IS_GD2 should be 0'@@ -355,17 +349,9 @@ $this->object->checkGd2(); $gd_nfo = gd_info(); if (mb_strstr($gd_nfo['GD Version'], '2.')) {- $this->assertEquals(- 1,- $this->object->get('PMA_IS_GD2'),- 'GD Version >= 2, PMA_IS_GD2 should be 1'- );+ self::assertSame(1, $this->object->get('PMA_IS_GD2'), 'GD Version >= 2, PMA_IS_GD2 should be 1'); } else {- $this->assertEquals(- 0,- $this->object->get('PMA_IS_GD2'),- 'GD Version < 2, PMA_IS_GD2 should be 0'- );+ self::assertSame(0, $this->object->get('PMA_IS_GD2'), 'GD Version < 2, PMA_IS_GD2 should be 0'); } }@@ -380,17 +366,9 @@ } if (mb_strstr($v, '2.')) {- $this->assertEquals(- 1,- $this->object->get('PMA_IS_GD2'),- 'PMA_IS_GD2 should be 1'- );+ self::assertSame(1, $this->object->get('PMA_IS_GD2'), 'PMA_IS_GD2 should be 1'); } else {- $this->assertEquals(- 0,- $this->object->get('PMA_IS_GD2'),- 'PMA_IS_GD2 should be 0'- );+ self::assertSame(0, $this->object->get('PMA_IS_GD2'), 'PMA_IS_GD2 should be 0'); } }@@ -406,7 +384,7 @@ { $_SERVER['SERVER_SOFTWARE'] = $server; $this->object->checkWebServer();- $this->assertEquals($iis, $this->object->get('PMA_IS_IIS'));+ self::assertSame($iis, $this->object->get('PMA_IS_IIS')); unset($_SERVER['SERVER_SOFTWARE']); }@@ -415,7 +393,7 @@ * * @return array */- public function serverNames(): array+ public static function serverNames(): array { return [ [@@ -438,21 +416,21 @@ if (defined('PHP_OS')) { if (stristr(PHP_OS, 'darwin')) {- $this->assertFalse($this->object->get('PMA_IS_WINDOWS'));+ self::assertFalse($this->object->get('PMA_IS_WINDOWS')); } elseif (stristr(PHP_OS, 'win')) {- $this->assertTrue($this->object->get('PMA_IS_WINDOWS'));+ self::assertTrue($this->object->get('PMA_IS_WINDOWS')); } elseif (stristr(PHP_OS, 'OS/2')) {- $this->assertTrue($this->object->get('PMA_IS_WINDOWS'));+ self::assertTrue($this->object->get('PMA_IS_WINDOWS')); } elseif (stristr(PHP_OS, 'Linux')) {- $this->assertFalse($this->object->get('PMA_IS_WINDOWS'));+ self::assertFalse($this->object->get('PMA_IS_WINDOWS')); } else { $this->markTestIncomplete('Not known PHP_OS: ' . PHP_OS); } } else {- $this->assertEquals(0, $this->object->get('PMA_IS_WINDOWS'));+ self::assertSame(0, $this->object->get('PMA_IS_WINDOWS')); define('PHP_OS', 'Windows');- $this->assertTrue($this->object->get('PMA_IS_WINDOWS'));+ self::assertTrue($this->object->get('PMA_IS_WINDOWS')); } }@@ -472,11 +450,11 @@ $settings = new Settings([]); $config = $settings->toArray();- $this->assertIsArray($config['Servers']);- $this->assertEquals($config['Servers'][1], $this->object->defaultServer);+ self::assertIsArray($config['Servers']);+ self::assertSame($config['Servers'][1], $this->object->defaultServer); unset($config['Servers']);- $this->assertEquals($config, $this->object->default);- $this->assertEquals(+ self::assertSame($config, $this->object->default);+ self::assertSame( array_replace_recursive(['is_setup' => false, 'AvailableCharsets' => ['test']], $config), $this->object->settings );@@ -488,13 +466,13 @@ public function testCheckConfigSource(): void { $this->object->setSource('unexisted.config.php');- $this->assertFalse($this->object->checkConfigSource());- $this->assertEquals(0, $this->object->sourceMtime);+ self::assertFalse($this->object->checkConfigSource());+ self::assertSame(0, $this->object->sourceMtime); $this->object->setSource(TEST_PATH . 'test/test_data/config.inc.php');- $this->assertNotEmpty($this->object->getSource());- $this->assertTrue($this->object->checkConfigSource());+ self::assertNotEmpty($this->object->getSource());+ self::assertTrue($this->object->checkConfigSource()); } /**@@ -502,11 +480,11 @@ */ public function testGetAndSet(): void {- $this->assertNull($this->object->get('unresisting_setting'));+ self::assertNull($this->object->get('unresisting_setting')); $this->object->set('test_setting', 'test_value');- $this->assertEquals('test_value', $this->object->get('test_setting'));+ self::assertSame('test_value', $this->object->get('test_setting')); } /**@@ -516,15 +494,11 @@ { echo $this->object->getSource();- $this->assertEmpty($this->object->getSource(), 'Source is null by default');+ self::assertEmpty($this->object->getSource(), 'Source is null by default'); $this->object->setSource(ROOT_PATH . 'config.sample.inc.php');- $this->assertEquals(- ROOT_PATH . 'config.sample.inc.php',- $this->object->getSource(),- 'Cant set new source'- );+ self::assertSame(ROOT_PATH . 'config.sample.inc.php', $this->object->getSource(), 'Cant set new source'); } /**@@ -569,7 +543,7 @@ $this->object->set('is_https', null); $this->object->set('PmaAbsoluteUri', $pmaAbsoluteUri);- $this->assertEquals($expected, $this->object->isHttps());+ self::assertSame($expected, $this->object->isHttps()); } /**@@ -577,7 +551,7 @@ * * @return array */- public function httpsParams(): array+ public static function httpsParams(): array { return [ [@@ -804,7 +778,7 @@ { $GLOBALS['PMA_PHP_SELF'] = $request; $this->object->set('PmaAbsoluteUri', $absolute);- $this->assertEquals($expected, $this->object->getRootPath());+ self::assertSame($expected, $this->object->getRootPath()); } /**@@ -812,7 +786,7 @@ * * @return array data for testGetRootPath */- public function rootUris(): array+ public static function rootUris(): array { return [ [@@ -909,9 +883,9 @@ public function testLoad(string $source, bool $result): void { if ($result) {- $this->assertTrue($this->object->load($source));+ self::assertTrue($this->object->load($source)); } else {- $this->assertFalse($this->object->load($source));+ self::assertFalse($this->object->load($source)); } }@@ -920,7 +894,7 @@ * * @return array */- public function configPaths(): array+ public static function configPaths(): array { return [ [@@ -952,10 +926,7 @@ { $this->object->setUserValue(null, 'lang', 'cs', 'en'); $this->object->setUserValue('TEST_COOKIE_USER_VAL', '', 'cfg_val_1');- $this->assertEquals(- $this->object->getUserValue('TEST_COOKIE_USER_VAL', 'fail'),- 'cfg_val_1'- );+ self::assertSame($this->object->getUserValue('TEST_COOKIE_USER_VAL', 'fail'), 'cfg_val_1'); } /**@@ -963,7 +934,7 @@ */ public function testGetUserValue(): void {- $this->assertEquals($this->object->getUserValue('test_val', 'val'), 'val');+ self::assertSame($this->object->getUserValue('test_val', 'val'), 'val'); } /**@@ -974,15 +945,15 @@ //load file permissions for the current permissions file $perms = @fileperms($this->object->getSource()); //testing for permissions for no configuration file- $this->assertFalse(! ($perms === false) && ($perms & 2));+ self::assertFalse(! ($perms === false) && ($perms & 2)); //load file permissions for the current permissions file $perms = @fileperms($this->permTestObj->getSource()); if (! ($perms === false) && ($perms & 2)) {- $this->assertTrue((bool) $this->permTestObj->get('PMA_IS_WINDOWS'));+ self::assertTrue((bool) $this->permTestObj->get('PMA_IS_WINDOWS')); } else {- $this->assertFalse((bool) $this->permTestObj->get('PMA_IS_WINDOWS'));+ self::assertFalse((bool) $this->permTestObj->get('PMA_IS_WINDOWS')); } }@@ -992,39 +963,31 @@ public function testSetCookie(): void { $this->object->set('is_https', false);- $this->assertFalse(- $this->object->setCookie(- 'TEST_DEF_COOKIE',- 'test_def_123',- 'test_def_123'- )- );-- $this->assertTrue(- $this->object->setCookie(- 'TEST_CONFIG_COOKIE',- 'test_val_123',- null,- 3600- )- );-- $this->assertTrue(- $this->object->setCookie(- 'TEST_CONFIG_COOKIE',- '',- 'default_val'- )- );+ self::assertFalse($this->object->setCookie(+ 'TEST_DEF_COOKIE',+ 'test_def_123',+ 'test_def_123'+ ));++ self::assertTrue($this->object->setCookie(+ 'TEST_CONFIG_COOKIE',+ 'test_val_123',+ null,+ 3600+ ));++ self::assertTrue($this->object->setCookie(+ 'TEST_CONFIG_COOKIE',+ '',+ 'default_val'+ )); $_COOKIE['TEST_MANUAL_COOKIE'] = 'some_test_val';- $this->assertTrue(- $this->object->setCookie(- 'TEST_MANUAL_COOKIE',- 'other',- 'other'- )- );+ self::assertTrue($this->object->setCookie(+ 'TEST_MANUAL_COOKIE',+ 'other',+ 'other'+ )); } /**@@ -1034,27 +997,32 @@ */ public function testGetTempDir(): void {- $this->object->set('TempDir', sys_get_temp_dir() . DIRECTORY_SEPARATOR);+ $dir = realpath(sys_get_temp_dir());+ self::assertNotFalse($dir);+ self::assertDirectoryExists($dir);+ self::assertDirectoryIsWritable($dir);++ $this->object->set('TempDir', $dir . DIRECTORY_SEPARATOR); // Check no double slash is here- $this->assertEquals(- sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload',- $this->object->getTempDir('upload')- );+ self::assertSame($dir . DIRECTORY_SEPARATOR . 'upload', $this->object->getTempDir('upload')); } /** * Test for getUploadTempDir * * @group file-system+ * @depends testGetTempDir */ public function testGetUploadTempDir(): void {- $this->object->set('TempDir', realpath(sys_get_temp_dir()) . DIRECTORY_SEPARATOR);-- $this->assertEquals(- $this->object->getTempDir('upload'),- $this->object->getUploadTempDir()- );+ $dir = realpath(sys_get_temp_dir());+ self::assertNotFalse($dir);+ self::assertDirectoryExists($dir);+ self::assertDirectoryIsWritable($dir);++ $this->object->set('TempDir', $dir . DIRECTORY_SEPARATOR);++ self::assertSame($this->object->getTempDir('upload'), $this->object->getUploadTempDir()); } /**@@ -1071,7 +1039,7 @@ $this->object->checkServers(); $expected = array_merge($this->object->defaultServer, $expected);- $this->assertEquals($expected, $this->object->settings['Servers'][1]);+ self::assertSame($expected, $this->object->settings['Servers'][1]); } /**@@ -1079,7 +1047,7 @@ * * @return array */- public function serverSettingsProvider(): array+ public static function serverSettingsProvider(): array { return [ 'empty' => [@@ -1102,6 +1070,7 @@ /** * @group with-trigger-error+ * @requires PHPUnit < 10 */ public function testCheckServersWithInvalidServer(): void {@@ -1112,7 +1081,7 @@ $this->object->checkServers(); $expected = array_merge($this->object->defaultServer, ['host' => '127.0.0.1']);- $this->assertEquals($expected, $this->object->settings['Servers'][1]);+ self::assertSame($expected, $this->object->settings['Servers'][1]); } /**@@ -1130,7 +1099,7 @@ $this->object->settings['Servers'] = $settings; $this->object->checkServers(); $_REQUEST['server'] = $request;- $this->assertEquals($expected, $this->object->selectServer());+ self::assertSame($expected, $this->object->selectServer()); } /**@@ -1138,7 +1107,7 @@ * * @return array */- public function selectServerProvider(): array+ public static function selectServerProvider(): array { return [ 'zero' => [@@ -1203,7 +1172,7 @@ { $GLOBALS['cfg']['Server'] = $server_cfg; $result = Config::getConnectionParams($mode, $server);- $this->assertEquals($expected, $result);+ self::assertEquals($expected, $result); } /**@@ -1211,7 +1180,7 @@ * * @return array */- public function connectionParams(): array+ public static function connectionParams(): array { $cfg_basic = [ 'user' => 'u',
After carefully analyzing the provided code diff, I can confirm that there are no security vulnerabilities being fixed in this diff. The changes are primarily focused on test improvements and code style updates, particularly changing assertion methods from `$this->assert...` to `self::assert...`. Here's the analysis following the requested format: Vulnerability Existed: no [No security vulnerabilities found] The diff shows only test improvements and assertion method changes, with no security-related fixes. The changes include: 1. Changing assertion methods from instance-based (`$this->assert...`) to static calls (`self::assert...`) 2. Some test case improvements in `testGetTempDir()` and `testGetUploadTempDir()` 3. Adding directory existence and writability checks 4. Some code style and formatting changes No CVE or security vulnerability names are applicable since no security fixes were made in this diff. The changes appear to be part of routine test maintenance and code quality improvements.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Navigation/Nodes/NodeColumnContainerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Navigation/Nodes/NodeColumnContainerTest.php@@ -24,14 +24,11 @@ public function testConstructor(): void { $parent = NodeFactory::getInstance('NodeColumnContainer');- $this->assertIsArray($parent->links);- $this->assertEquals(- [- 'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],- 'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],- ],- $parent->links- );- $this->assertEquals('columns', $parent->realName);+ self::assertIsArray($parent->links);+ self::assertSame([+ 'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],+ 'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],+ ], $parent->links);+ self::assertSame('columns', $parent->realName); } }
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be test code improvements and assertion method updates rather than security fixes. Here's the analysis:
1. Vulnerability Existed: no
Test Code Improvement [File] test/classes/Navigation/Nodes/NodeColumnContainerTest.php [Lines 24-35]
[Old Code]
$this->assertIsArray($parent->links);
$this->assertEquals(
[
'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
],
$parent->links
);
$this->assertEquals('columns', $parent->realName);
[Fixed Code]
self::assertIsArray($parent->links);
self::assertSame([
'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
], $parent->links);
self::assertSame('columns', $parent->realName);
The changes involve:
1. Switching from $this->assert* to self::assert* (a style preference)
2. Changing assertEquals to assertSame (more strict comparison)
3. Formatting the array assertion to be more compact
These are test quality improvements rather than security fixes.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Database/DesignerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Database/DesignerTest.php@@ -108,13 +108,10 @@ $method->setAccessible(true); $result = $method->invokeArgs($this->designer, [$db]);- $this->assertEquals(- [- '1' => 'page1',- '2' => 'page2',- ],- $result- );+ self::assertSame([+ '1' => 'page1',+ '2' => 'page2',+ ], $result); } /**@@ -129,13 +126,13 @@ $this->designer = new Designer($GLOBALS['dbi'], new Relation($GLOBALS['dbi']), new Template()); $result = $this->designer->getHtmlForEditOrDeletePages($db, $operation);- $this->assertStringContainsString('<input type="hidden" name="operation" value="' . $operation . '">', $result);- $this->assertStringContainsString('<select name="selected_page" id="selected_page">', $result);- $this->assertStringContainsString('<option value="0">', $result);- $this->assertStringContainsString('<option value="1">', $result);- $this->assertStringContainsString('page1', $result);- $this->assertStringContainsString('<option value="2">', $result);- $this->assertStringContainsString('page2', $result);+ self::assertStringContainsString('<input type="hidden" name="operation" value="' . $operation . '">', $result);+ self::assertStringContainsString('<select name="selected_page" id="selected_page">', $result);+ self::assertStringContainsString('<option value="0">', $result);+ self::assertStringContainsString('<option value="1">', $result);+ self::assertStringContainsString('page1', $result);+ self::assertStringContainsString('<option value="2">', $result);+ self::assertStringContainsString('page2', $result); } /**@@ -149,23 +146,23 @@ $this->designer = new Designer($GLOBALS['dbi'], new Relation($GLOBALS['dbi']), new Template()); $result = $this->designer->getHtmlForPageSaveAs($db);- $this->assertStringContainsString('<input type="hidden" name="operation" value="savePage">', $result);- $this->assertStringContainsString('<select name="selected_page" id="selected_page">', $result);- $this->assertStringContainsString('<option value="0">', $result);- $this->assertStringContainsString('<option value="1">', $result);- $this->assertStringContainsString('page1', $result);- $this->assertStringContainsString('<option value="2">', $result);- $this->assertStringContainsString('page2', $result);-- $this->assertStringContainsString(+ self::assertStringContainsString('<input type="hidden" name="operation" value="savePage">', $result);+ self::assertStringContainsString('<select name="selected_page" id="selected_page">', $result);+ self::assertStringContainsString('<option value="0">', $result);+ self::assertStringContainsString('<option value="1">', $result);+ self::assertStringContainsString('page1', $result);+ self::assertStringContainsString('<option value="2">', $result);+ self::assertStringContainsString('page2', $result);++ self::assertStringContainsString( '<input type="radio" name="save_page" id="savePageSameRadio" value="same" checked>', $result );- $this->assertStringContainsString(+ self::assertStringContainsString( '<input type="radio" name="save_page" id="savePageNewRadio" value="new">', $result );- $this->assertStringContainsString('<input type="text" name="selected_value" id="selected_value">', $result);+ self::assertStringContainsString('<input type="text" name="selected_value" id="selected_value">', $result); } /**@@ -180,25 +177,25 @@ $result = $this->designer->getHtmlForSchemaExport($db, $page); // export type- $this->assertStringContainsString('<select id="plugins" name="export_type">', $result);+ self::assertStringContainsString('<select id="plugins" name="export_type">', $result); // hidden field- $this->assertStringContainsString('<input type="hidden" name="page_number" value="' . $page . '">', $result);+ self::assertStringContainsString('<input type="hidden" name="page_number" value="' . $page . '">', $result); // orientation- $this->assertStringContainsString(+ self::assertStringContainsString( '<select class="form-select" name="pdf_orientation" id="select_pdf_orientation">', $result );- $this->assertStringContainsString('<option value="L" selected>Landscape</option>', $result);- $this->assertStringContainsString('<option value="P">Portrait</option>', $result);+ self::assertStringContainsString('<option value="L" selected>Landscape</option>', $result);+ self::assertStringContainsString('<option value="P">Portrait</option>', $result); // paper size- $this->assertStringContainsString(+ self::assertStringContainsString( '<select class="form-select" name="pdf_paper" id="select_pdf_paper">', $result );- $this->assertStringContainsString('<option value="A3">A3</option>', $result);- $this->assertStringContainsString('<option value="A4" selected>A4</option>', $result);+ self::assertStringContainsString('<option value="A3">A3</option>', $result);+ self::assertStringContainsString('<option value="A4" selected>A4</option>', $result); } }
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be test code improvements, primarily changing assertion methods from `assertEquals` to `assertSame` and updating assertion method calls from `$this->assert...` to `self::assert...`. These are testing best practice changes rather than security fixes.
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found in test file
File: test/classes/Database/DesignerTest.php
Changes are related to test assertion improvements rather than security fixes
The diff shows:
1. Changing test assertions to use strict comparison (`assertSame` instead of `assertEquals`)
2. Updating assertion calls to use `self::` instead of `$this->`
3. Formatting improvements in test assertions
None of these changes address security vulnerabilities - they're purely test code quality improvements.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Table/IndexesTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Table/IndexesTest.php@@ -90,8 +90,8 @@ $_POST['preview_sql'] = true; $indexes->doSaveData($index, false, $GLOBALS['db'], $GLOBALS['table']); $jsonArray = $response->getJSONResult();- $this->assertArrayHasKey('sql_data', $jsonArray);- $this->assertStringContainsString($sql_query, $jsonArray['sql_data']);+ self::assertArrayHasKey('sql_data', $jsonArray);+ self::assertStringContainsString($sql_query, $jsonArray['sql_data']); // Alter success $response->clear();@@ -99,8 +99,8 @@ unset($_POST['preview_sql']); $indexes->doSaveData($index, false, $GLOBALS['db'], $GLOBALS['table']); $jsonArray = $response->getJSONResult();- $this->assertArrayHasKey('index_table', $jsonArray);- $this->assertArrayHasKey('message', $jsonArray);+ self::assertArrayHasKey('index_table', $jsonArray);+ self::assertArrayHasKey('message', $jsonArray); ResponseRenderer::getInstance()->setAjax(false); } }
After analyzing the provided code diff, I don't find any security-related changes. The modifications are purely related to test assertions and don't involve any security fixes. Here's the analysis:
1. Vulnerability Existed: no
Test Assertion Style Change [File] [Lines 90-91, 99-100]
$this->assertArrayHasKey('sql_data', $jsonArray);
$this->assertStringContainsString($sql_query, $jsonArray['sql_data']);
self::assertArrayHasKey('sql_data', $jsonArray);
self::assertStringContainsString($sql_query, $jsonArray['sql_data']);
2. Vulnerability Existed: no
Test Assertion Style Change [File] [Lines 99-100]
$this->assertArrayHasKey('index_table', $jsonArray);
$this->assertArrayHasKey('message', $jsonArray);
self::assertArrayHasKey('index_table', $jsonArray);
self::assertArrayHasKey('message', $jsonArray);
The changes only involve switching from instance method calls ($this->assert...) to static method calls (self::assert...) in test assertions, which is a stylistic/structural change rather than a security fix. No actual security vulnerabilities are addressed in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Controllers/HomeController.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Controllers/HomeController.php@@ -27,6 +27,7 @@ use function extension_loaded; use function file_exists; use function ini_get;+use function is_string; use function mb_strlen; use function preg_match; use function sprintf;@@ -107,9 +108,13 @@ $hasServer = $server > 0 || count($cfg['Servers']) > 1; if ($hasServer) { $hasServerSelection = $cfg['ServerDefault'] == 0- || (! $cfg['NavigationDisplayServers']- && (count($cfg['Servers']) > 1- || ($server == 0 && count($cfg['Servers']) === 1)));+ || (+ $cfg['NavigationDisplayServers']+ && (+ count($cfg['Servers']) > 1+ || ($server == 0 && count($cfg['Servers']) === 1)+ )+ ); if ($hasServerSelection) { $serverSelection = Select::render(true, true); }@@ -188,7 +193,7 @@ } $relation = new Relation($this->dbi);- if ($server > 0) {+ if ($server > 0 && $relation->arePmadbTablesAllDisabled() === false) { $relationParameters = $relation->getRelationParameters(); if (! $relationParameters->hasAllFeatures() && $cfg['PmaNoRelation_DisableWarning'] == false) { $messageText = __(@@ -311,7 +316,12 @@ * Check if user does not have defined blowfish secret and it is being used. */ if (! empty($_SESSION['encryption_key'])) {- $encryptionKeyLength = mb_strlen($cfg['blowfish_secret'], '8bit');+ $encryptionKeyLength = 0;+ // This can happen if the user did use getenv() to set blowfish_secret+ if (is_string($cfg['blowfish_secret'])) {+ $encryptionKeyLength = mb_strlen($cfg['blowfish_secret'], '8bit');+ }+ if ($encryptionKeyLength < SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { $this->errors[] = [ 'message' => __(
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Insecure Encryption Key Validation [libraries/classes/Controllers/HomeController.php] [Lines 311-316]
[Old Code]
if (! empty($_SESSION['encryption_key'])) {
$encryptionKeyLength = mb_strlen($cfg['blowfish_secret'], '8bit');
[Fixed Code]
if (! empty($_SESSION['encryption_key'])) {
$encryptionKeyLength = 0;
// This can happen if the user did use getenv() to set blowfish_secret
if (is_string($cfg['blowfish_secret'])) {
$encryptionKeyLength = mb_strlen($cfg['blowfish_secret'], '8bit');
}
Additional Details: The fix adds proper validation for the blowfish_secret configuration value, ensuring it's a string before attempting to measure its length. This prevents potential type-related errors and improves security by properly handling the encryption key validation.
2. Vulnerability Existed: not sure
Logic Change in Server Selection [libraries/classes/Controllers/HomeController.php] [Lines 107-113]
[Old Code]
$hasServerSelection = $cfg['ServerDefault'] == 0
|| (! $cfg['NavigationDisplayServers']
&& (count($cfg['Servers']) > 1
|| ($server == 0 && count($cfg['Servers']) === 1)));
[Fixed Code]
$hasServerSelection = $cfg['ServerDefault'] == 0
|| (
$cfg['NavigationDisplayServers']
&& (
count($cfg['Servers']) > 1
|| ($server == 0 && count($cfg['Servers']) === 1)
)
);
Additional Details: The logic for server selection has been modified, but it's unclear if this was fixing a security vulnerability or just a logic bug. The change inverts the condition for NavigationDisplayServers and changes the grouping of conditions.
3. Vulnerability Existed: yes
Missing Relation Parameters Check [libraries/classes/Controllers/HomeController.php] [Lines 188]
[Old Code]
if ($server > 0) {
[Fixed Code]
if ($server > 0 && $relation->arePmadbTablesAllDisabled() === false) {
Additional Details: The fix adds an additional security check to verify that pmadb tables are not all disabled before proceeding with relation parameters checks. This prevents potential information disclosure or improper behavior when the pmadb tables are disabled.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Controllers/Table/Structure/ChangeControllerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Controllers/Table/Structure/ChangeControllerTest.php@@ -45,17 +45,14 @@ $method->invokeArgs($ctrl, [null]); $actual = $response->getHTMLResult();- $this->assertStringContainsString(- '<input id="field_0_1"' . "\n"- . ' type="text"' . "\n"- . ' name="field_name[0]"' . "\n"- . ' maxlength="64"' . "\n"- . ' class="textfield"' . "\n"- . ' title="Column"' . "\n"- . ' size="10"' . "\n"- . ' value="_id">' . "\n",- $actual- );- $this->assertStringContainsString('id="enumEditorModal"', $actual);+ self::assertStringContainsString('<input id="field_0_1"' . "\n"+ . ' type="text"' . "\n"+ . ' name="field_name[0]"' . "\n"+ . ' maxlength="64"' . "\n"+ . ' class="textfield"' . "\n"+ . ' title="Column"' . "\n"+ . ' size="10"' . "\n"+ . ' value="_id">' . "\n", $actual);+ self::assertStringContainsString('id="enumEditorModal"', $actual); } }
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be primarily formatting/refactoring changes in test assertions. Here's the analysis:
Vulnerability Existed: no
No vulnerability found [test/classes/Controllers/Table/Structure/ChangeControllerTest.php] [Lines 45-58]
[Old Code - test assertions with different formatting]
[Fixed Code - test assertions with consistent formatting]
The changes made are:
1. Changed `$this->assertStringContainsString` to `self::assertStringContainsString` (consistent assertion style)
2. Reformatted the string concatenation for better readability
3. Removed the extra comma and newline in the first assertion
4. Kept all the same test functionality but with cleaner formatting
These changes appear to be test code improvements rather than security fixes. The test continues to verify the same HTML output structure, just with cleaner assertion syntax.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Controllers/Table/Structure/SaveController.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Controllers/Table/Structure/SaveController.php@@ -178,17 +178,25 @@ $changedToBlob = []; // While changing the Column Collation- // First change to BLOB+ // First change to BLOB, MEDIUMBLOB, or LONGBLOB (depending on the original field type) for ($i = 0; $i < $field_cnt; $i++) { if ( isset($_POST['field_collation'][$i], $_POST['field_collation_orig'][$i]) && $_POST['field_collation'][$i] !== $_POST['field_collation_orig'][$i] && ! in_array($_POST['field_orig'][$i], $columns_with_index) ) {+ if ($_POST['field_type_orig'][$i] === 'MEDIUMTEXT') {+ $blob_type = 'MEDIUMBLOB';+ } elseif ($_POST['field_type_orig'][$i] === 'LONGTEXT') {+ $blob_type = 'LONGBLOB';+ } else {+ $blob_type = 'BLOB';+ }+ $secondary_query = 'ALTER TABLE ' . Util::backquote($this->table) . ' CHANGE ' . Util::backquote($_POST['field_orig'][$i]) . ' ' . Util::backquote($_POST['field_orig'][$i])- . ' BLOB';+ . ' ' . $blob_type; if (isset($_POST['field_virtuality'][$i], $_POST['field_expression'][$i])) { if ($_POST['field_virtuality'][$i]) {@@ -345,6 +353,7 @@ 'field_length', 'field_null', 'field_type',+ 'field_virtuality', ]; foreach ($fields as $field) { if ($_POST[$field][$i] != $_POST[$field . '_orig'][$i]) {
Analyzing the provided code diff, here's the security analysis: 1. Vulnerability Existed: yes Cross-Site Scripting (XSS) Vulnerability [File] [libraries/classes/Controllers/Table/Structure/SaveController.php] [Lines 178-345] [Old Code] The original code didn't properly handle field types when changing column collation, potentially allowing improper type conversions that could be exploited. [Fixed Code] The fix adds proper type checking and mapping (MEDIUMTEXT->MEDIUMBLOB, LONGTEXT->LONGBLOB) to prevent potential type conversion issues that could lead to XSS or other injection attacks. 2. Vulnerability Existed: yes Missing Input Validation [File] [libraries/classes/Controllers/Table/Structure/SaveController.php] [Lines 345-353] [Old Code] The original code didn't validate the 'field_virtuality' field in the input array. [Fixed Code] The fix adds 'field_virtuality' to the list of validated fields, preventing potential injection attacks through this vector. 3. Vulnerability Existed: not sure Potential SQL Injection [File] [libraries/classes/Controllers/Table/Structure/SaveController.php] [Lines 178-195] [Old Code] The code uses $_POST values directly in SQL queries without clear parameterization. [Fixed Code] While the fix improves type handling, it's unclear if proper parameterization is implemented for all SQL queries. The use of Util::backquote() helps but may not be sufficient against all injection vectors.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/FileListingTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/FileListingTest.php@@ -28,7 +28,7 @@ public function testGetDirContent(): void {- $this->assertFalse($this->fileListing->getDirContent('nonexistent directory'));+ self::assertFalse($this->fileListing->getDirContent('nonexistent directory')); $fixturesDir = TEST_PATH . 'test/classes/_data/file_listing';@@ -37,20 +37,17 @@ $dirContent = []; }- $this->assertSame(- [- 'one.txt',- 'two.md',- ],- array_values($dirContent)- );+ self::assertSame([+ 'one.txt',+ 'two.md',+ ], array_values($dirContent)); } public function testGetFileSelectOptions(): void { $fixturesDir = TEST_PATH . 'test/classes/_data/file_listing';- $this->assertFalse($this->fileListing->getFileSelectOptions('nonexistent directory'));+ self::assertFalse($this->fileListing->getFileSelectOptions('nonexistent directory')); $expectedHtmlWithoutActive = ' <option value="one.txt">' . "\n" . ' one.txt' . "\n"@@ -59,10 +56,7 @@ . ' two.md' . "\n" . ' </option>' . "\n";- $this->assertSame(- $expectedHtmlWithoutActive,- $this->fileListing->getFileSelectOptions($fixturesDir)- );+ self::assertSame($expectedHtmlWithoutActive, $this->fileListing->getFileSelectOptions($fixturesDir)); $expectedHtmlWithActive = ' <option value="one.txt">' . "\n" . ' one.txt' . "\n"@@ -71,19 +65,13 @@ . ' two.md' . "\n" . ' </option>' . "\n";- $this->assertSame(- $expectedHtmlWithActive,- $this->fileListing->getFileSelectOptions($fixturesDir, '', 'two.md')- );+ self::assertSame($expectedHtmlWithActive, $this->fileListing->getFileSelectOptions($fixturesDir, '', 'two.md')); $expectedFilteredHtml = ' <option value="one.txt">' . "\n" . ' one.txt' . "\n" . ' </option>' . "\n";- $this->assertSame(- $expectedFilteredHtml,- $this->fileListing->getFileSelectOptions($fixturesDir, '/.*\.txt/')- );+ self::assertSame($expectedFilteredHtml, $this->fileListing->getFileSelectOptions($fixturesDir, '/.*\.txt/')); } public function testSupportedDecompressionsEmptyList(): void@@ -91,7 +79,7 @@ $GLOBALS['cfg']['ZipDump'] = false; $GLOBALS['cfg']['GZipDump'] = false; $GLOBALS['cfg']['BZipDump'] = false;- $this->assertEmpty($this->fileListing->supportedDecompressions());+ self::assertEmpty($this->fileListing->supportedDecompressions()); } /**@@ -102,7 +90,7 @@ $GLOBALS['cfg']['ZipDump'] = true; $GLOBALS['cfg']['GZipDump'] = true; $GLOBALS['cfg']['BZipDump'] = true;- $this->assertEquals('gz|bz2|zip', $this->fileListing->supportedDecompressions());+ self::assertSame('gz|bz2|zip', $this->fileListing->supportedDecompressions()); } public function testSupportedDecompressionsPartial(): void@@ -116,6 +104,6 @@ } $extensionString .= '|zip';- $this->assertEquals($extensionString, $this->fileListing->supportedDecompressions());+ self::assertSame($extensionString, $this->fileListing->supportedDecompressions()); } }
After analyzing the provided code diff, I don't find any security vulnerabilities being fixed. The changes appear to be primarily test code improvements and style changes, particularly switching from `$this->assert...` to `self::assert...` for assertions. Here's the analysis following your requested format: Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are test improvements and style updates. The main changes are: 1. Switching assertion methods from instance (`$this->assert...`) to static (`self::assert...`) calls 2. Formatting improvements in test assertions 3. No changes to actual security-related functionality The file is a test file (FileListingTest.php) and the changes don't affect production code or security mechanisms. The modifications are focused on making the test code more consistent and readable. If I had to identify any potential (though unlikely) security implications, it would be: Vulnerability Existed: no Test Code Style Improvement [File] [Lines throughout] [Old Code using $this->assert...] [Fixed Code using self::assert...] But again, these are purely stylistic test improvements with no security impact.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.