Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Config/Settings/ExportTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Config/Settings/ExportTest.php@@ -147,7 +147,7 @@ $settings = new Export($actualValues); foreach (array_keys($expectedValues) as $key) {- $this->assertSame($expected[$key], $settings->$key);+ self::assertSame($expected[$key], $settings->$key); } }@@ -157,7 +157,7 @@ * @return mixed[][][][] * @psalm-return (array{0: string, 1: mixed, 2: mixed})[][][] */- public function providerForTestConstructor(): array+ public static function providerForTestConstructor(): array { return [ 'null values' => [
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No specific vulnerability [File] test/classes/Config/Settings/ExportTest.php [Lines 147-157] [Old Code] $this->assertSame($expected[$key], $settings->$key); public function providerForTestConstructor(): array [Fixed Code] self::assertSame($expected[$key], $settings->$key); public static function providerForTestConstructor(): array Additional Details: The changes appear to be test-related improvements rather than security fixes. The modifications include: 1. Changing test assertions from instance method ($this->assertSame) to static method (self::assertSame) 2. Making a test data provider method static (adding static keyword) These changes are related to test code quality and PHPUnit best practices, not security vulnerabilities.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Partitioning/TablePartitionDefinitionTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Partitioning/TablePartitionDefinitionTest.php@@ -6,8 +6,6 @@ use PhpMyAdmin\Partitioning\TablePartitionDefinition; use PHPUnit\Framework\TestCase;--use function count; /** * @covers \PhpMyAdmin\Partitioning\TablePartitionDefinition@@ -141,7 +139,7 @@ $_POST['ignored_key'] = 'ignored_value'; $actual = TablePartitionDefinition::getDetails();- $this->assertEquals($expected, $actual);+ self::assertEquals($expected, $actual); } /**@@ -149,7 +147,7 @@ * 0: string, 1: bool, 2: bool, 3: int, 4: int, 5: array<string, string|array<string, string>[]>[]|null * }> */- public function providerGetDetails(): array+ public static function providerGetDetails(): array { return [ 'partition by RANGE' => ['RANGE', true, true, 2, 2, [['name' => 'part0']]],@@ -235,10 +233,10 @@ ]; $actual = TablePartitionDefinition::getDetails($expected);- $this->assertEquals($expected, $actual);+ self::assertSame($expected, $actual); $actual = TablePartitionDefinition::getDetails();- $this->assertEquals($expected, $actual);+ self::assertSame($expected, $actual); } /**@@ -248,17 +246,17 @@ { $_POST = ['partition_count' => $partitionCountFromPost]; $actual = TablePartitionDefinition::getDetails();- $this->assertArrayHasKey('partition_count', $actual);- $this->assertArrayHasKey('partitions', $actual);- $this->assertSame($partitionCount, $actual['partition_count']);- $this->assertIsArray($actual['partitions']);- $this->assertEquals($partitionCount, count($actual['partitions']));+ self::assertArrayHasKey('partition_count', $actual);+ self::assertArrayHasKey('partitions', $actual);+ self::assertSame($partitionCount, $actual['partition_count']);+ self::assertIsArray($actual['partitions']);+ self::assertCount($partitionCount, $actual['partitions']); } /** * @psalm-return array{0: int, 1: string}[] */- public function providerGetDetailsWithMaxPartitions(): array+ public static function providerGetDetailsWithMaxPartitions(): array { return ['count within the limit' => [8192, '8192'], 'count above the limit' => [8192, '8193']]; }
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be primarily test code improvements and style changes. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found File: test/classes/Partitioning/TablePartitionDefinitionTest.php Changes: - Removal of unused import (`use function count`) - Changing test assertions from `$this->` to `self::` style - Changing `assertEquals` to `assertSame` in some test cases - Changing instance methods to static where appropriate - Using `assertCount` instead of `assertEquals` with `count()` These changes are all related to test code quality and style rather than security fixes. The modifications improve the test suite's robustness and maintainability but don't address any security vulnerabilities. The diff shows no changes to production code, only test files, and none of the test changes indicate they were fixing security issues in the tests themselves.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Controllers/Export/ExportController.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Controllers/Export/ExportController.php@@ -379,7 +379,8 @@ // Do we need to convert charset? $output_charset_conversion = $asfile && Encoding::isSupported()- && isset($charset) && $charset !== 'utf-8';+ && isset($charset) && $charset !== 'utf-8'+ && in_array($charset, Encoding::listEncodings(), true); // Use on the fly compression? $GLOBALS['onfly_compression'] = $GLOBALS['cfg']['CompressOnFly']@@ -478,7 +479,17 @@ // Include dates in export? $do_dates = isset($GLOBALS[$what . '_dates']);- $whatStrucOrData = $GLOBALS[$what . '_structure_or_data'];+ $whatStrucOrData = $GLOBALS[$what . '_structure_or_data'] ?? null;+ if (! in_array($whatStrucOrData, ['structure', 'data', 'structure_and_data'], true)) {+ $whatStrucOrData = 'data';+ /** @var mixed $whatStrucOrDataDefaultValue */+ $whatStrucOrDataDefaultValue = $cfg['Export'][$what . '_structure_or_data'] ?? null;+ if (in_array($whatStrucOrDataDefaultValue, ['structure', 'data', 'structure_and_data'], true)) {+ $whatStrucOrData = $whatStrucOrDataDefaultValue;+ }++ $GLOBALS[$what . '_structure_or_data'] = $whatStrucOrData;+ } if ($export_type === 'raw') { $whatStrucOrData = 'raw';
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Input Validation Vulnerability [File] [Lines 379-381]
[Old Code]
&& isset($charset) && $charset !== 'utf-8';
[Fixed Code]
&& isset($charset) && $charset !== 'utf-8'
&& in_array($charset, Encoding::listEncodings(), true);
The fix adds validation to ensure the charset is from a list of supported encodings, preventing potential encoding-related security issues.
2. Vulnerability Existed: yes
Improper Input Validation Vulnerability [File] [Lines 478-490]
[Old Code]
$whatStrucOrData = $GLOBALS[$what . '_structure_or_data'];
[Fixed Code]
$whatStrucOrData = $GLOBALS[$what . '_structure_or_data'] ?? null;
if (! in_array($whatStrucOrData, ['structure', 'data', 'structure_and_data'], true)) {
$whatStrucOrData = 'data';
/** @var mixed $whatStrucOrDataDefaultValue */
$whatStrucOrDataDefaultValue = $cfg['Export'][$what . '_structure_or_data'] ?? null;
if (in_array($whatStrucOrDataDefaultValue, ['structure', 'data', 'structure_and_data'], true)) {
$whatStrucOrData = $whatStrucOrDataDefaultValue;
}
$GLOBALS[$what . '_structure_or_data'] = $whatStrucOrData;
}
The fix adds proper input validation for the export type parameter, ensuring it only accepts specific valid values ('structure', 'data', or 'structure_and_data'). This prevents potential injection or unexpected behavior from invalid input.
Both fixes address security concerns by implementing proper input validation, which is crucial for preventing various types of injection attacks and ensuring the application behaves as expected with valid inputs.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/UrlTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/UrlTest.php@@ -5,9 +5,10 @@ namespace PhpMyAdmin\Tests; use PhpMyAdmin\Url;-+use ReflectionProperty;++use function ini_get; use function is_string;-use function method_exists; use function parse_str; use function str_repeat; use function urldecode;@@ -17,6 +18,9 @@ */ class UrlTest extends AbstractTestCase {+ /** @var string|false|null */+ private static $inputArgSeparator = null;+ /** * Sets up the fixture, for example, opens a network connection. * This method is called before a test is executed.@@ -43,7 +47,7 @@ $expected = '?db=db' . $separator . $expected;- $this->assertEquals($expected, Url::getCommon(['db' => 'db']));+ self::assertSame($expected, Url::getCommon(['db' => 'db'])); } /**@@ -64,7 +68,7 @@ 'db' => 'db', 'table' => 'table', ];- $this->assertEquals($expected, Url::getCommon($params));+ self::assertSame($expected, Url::getCommon($params)); } /**@@ -80,16 +84,13 @@ $expected = '#ABC#db=db' . $separator . 'table=table' . $separator . $expected;- $this->assertEquals(- $expected,- Url::getCommonRaw(- [- 'db' => 'db',- 'table' => 'table',- ],- '#ABC#'- )- );+ self::assertSame($expected, Url::getCommonRaw(+ [+ 'db' => 'db',+ 'table' => 'table',+ ],+ '#ABC#'+ )); } /**@@ -102,7 +103,7 @@ $separator = Url::getArgSeparator(); $expected = '?server=x' . $separator . 'lang=en';- $this->assertEquals($expected, Url::getCommon());+ self::assertSame($expected, Url::getCommon()); } /**@@ -117,7 +118,7 @@ 'field' => '%1\$s', 'change_column' => 1, ]);- $this->assertEquals(+ self::assertSame( 'index.php?route=/test&db=%253%5C%24s&table=%252%5C%24s&field=%251%5C%24s&change_column=1&lang=en', $generatedUrl );@@ -137,15 +138,12 @@ ]); $expectedUrl = 'index.php?route=/test&db=%26test%3D_database%3D' . '&table=%26test%3D_database%3D&field=%26test%3D_database%3D&change_column=1&lang=en';- $this->assertEquals($expectedUrl, $generatedUrl);-- $this->assertEquals(- 'index.php?route=/test&db=&test=_database=&table=&'- . 'test=_database=&field=&test=_database=&change_column=1&lang=en',- urldecode(- $expectedUrl- )- );+ self::assertSame($expectedUrl, $generatedUrl);++ self::assertSame('index.php?route=/test&db=&test=_database=&table=&'+ . 'test=_database=&field=&test=_database=&change_column=1&lang=en', urldecode(+ $expectedUrl+ )); } /**@@ -162,22 +160,19 @@ 'book' => false, 'worm' => false, ]);- $this->assertEquals(- 'index.php?route=/test&db=%3Cscript+src%3D%22https%3A%2F%2Fdomain.tld%2Fsvn'- . '%2Ftrunk%2Fhtml5.js%22%3E%3C%2Fscript%3E&table=%3Cscript+src%3D%22'- . 'https%3A%2F%2Fdomain.tld%2Fmaybeweshouldusegit%2Ftrunk%2Fhtml5.js%22%3E%3C%2F'- . 'script%3E&field=1&trees=1&book=0&worm=0&lang=en',- $generatedUrl- );+ self::assertSame('index.php?route=/test&db=%3Cscript+src%3D%22https%3A%2F%2Fdomain.tld%2Fsvn'+ . '%2Ftrunk%2Fhtml5.js%22%3E%3C%2Fscript%3E&table=%3Cscript+src%3D%22'+ . 'https%3A%2F%2Fdomain.tld%2Fmaybeweshouldusegit%2Ftrunk%2Fhtml5.js%22%3E%3C%2F'+ . 'script%3E&field=1&trees=1&book=0&worm=0&lang=en', $generatedUrl); } public function testGetHiddenFields(): void { $_SESSION = [];- $this->assertSame('', Url::getHiddenFields([]));+ self::assertSame('', Url::getHiddenFields([])); $_SESSION = [' PMA_token ' => '<b>token</b>'];- $this->assertSame(+ self::assertSame( '<input type="hidden" name="token" value="<b>token</b>">', Url::getHiddenFields([]) );@@ -192,7 +187,7 @@ $config->set('URLQueryEncryption', false); $params = ['db' => 'test_db', 'table' => 'test_table', 'pos' => 0];- $this->assertEquals('db=test_db&table=test_table&pos=0', Url::buildHttpQuery($params));+ self::assertSame('db=test_db&table=test_table&pos=0', Url::buildHttpQuery($params)); } /**@@ -208,23 +203,18 @@ $params = ['db' => 'test_db', 'table' => 'test_table', 'pos' => 0]; $query = Url::buildHttpQuery($params);- $this->assertStringStartsWith('pos=0&eq=', $query);+ self::assertStringStartsWith('pos=0&eq=', $query); parse_str($query, $queryParams);- $this->assertCount(2, $queryParams);- $this->assertSame('0', $queryParams['pos']);- $this->assertTrue(is_string($queryParams['eq']));- $this->assertNotSame('', $queryParams['eq']);- if (method_exists($this, 'assertMatchesRegularExpression')) {- $this->assertMatchesRegularExpression('/^[a-zA-Z0-9-_=]+$/', $queryParams['eq']);- } else {- /** @psalm-suppress DeprecatedMethod */- $this->assertRegExp('/^[a-zA-Z0-9-_=]+$/', $queryParams['eq']);- }+ self::assertCount(2, $queryParams);+ self::assertSame('0', $queryParams['pos']);+ self::assertTrue(is_string($queryParams['eq']));+ self::assertNotSame('', $queryParams['eq']);+ self::assertMatchesRegularExpressionCompat('/^[a-zA-Z0-9-_=]+$/', $queryParams['eq']); $decrypted = Url::decryptQuery($queryParams['eq']);- $this->assertNotNull($decrypted);- $this->assertJson($decrypted);- $this->assertSame('{"db":"test_db","table":"test_table"}', $decrypted);+ self::assertNotNull($decrypted);+ self::assertJson($decrypted);+ self::assertSame('{"db":"test_db","table":"test_table"}', $decrypted); } /**@@ -240,16 +230,56 @@ $query = '{"db":"test_db","table":"test_table"}'; $encrypted = Url::encryptQuery($query);- $this->assertNotSame($query, $encrypted);- $this->assertNotSame('', $encrypted);- if (method_exists($this, 'assertMatchesRegularExpression')) {- $this->assertMatchesRegularExpression('/^[a-zA-Z0-9-_=]+$/', $encrypted);- } else {- /** @psalm-suppress DeprecatedMethod */- $this->assertRegExp('/^[a-zA-Z0-9-_=]+$/', $encrypted);- }+ self::assertNotSame($query, $encrypted);+ self::assertNotSame('', $encrypted);+ self::assertMatchesRegularExpressionCompat('/^[a-zA-Z0-9-_=]+$/', $encrypted); $decrypted = Url::decryptQuery($encrypted);- $this->assertSame($query, $decrypted);+ self::assertSame($query, $decrypted);+ }++ /**+ * @param string|false $iniValue+ *+ * @dataProvider getArgSeparatorProvider+ */+ public function testGetArgSeparator(string $expected, $iniValue, ?string $cacheValue): void+ {+ $property = new ReflectionProperty(Url::class, 'inputArgSeparator');+ $property->setAccessible(true);+ $property->setValue(null, $cacheValue);++ self::$inputArgSeparator = $iniValue;+ self::assertSame($expected, Url::getArgSeparator());++ self::$inputArgSeparator = null;+ $property->setValue(null, null);+ }++ /** @psalm-return array<string, array{string, string|false, string|null}> */+ public static function getArgSeparatorProvider(): array+ {+ return [+ 'ampersand' => ['&', '&', null],+ 'semicolon' => [';', ';', null],+ 'prefer ampersand' => ['&', '+;&$', null],+ 'prefer semicolon' => [';', '+;$', null],+ 'first char' => ['+', '+$', null],+ 'cache' => ['$', '&', '$'],+ 'empty value' => ['&', '', null],+ 'false' => ['&', false, null],+ ];+ }++ /**+ * Test double for ini_get('arg_separator.input') as it can't be changed using ini_set()+ *+ * @see Url::getArgSeparatorValueFromIni+ *+ * @return string|false+ */+ public static function getInputArgSeparator()+ {+ return self::$inputArgSeparator ?? ini_get('arg_separator.input'); } }
After analyzing the provided code diff, I don't find any direct security vulnerabilities being fixed. The changes appear to be primarily focused on test improvements and code quality enhancements. Here's my analysis: 1. Vulnerability Existed: no No security vulnerability found in the diff. The changes are mainly test improvements including: - Changing assertEquals to assertSame for stricter comparisons - Adding new test cases for URL argument separator handling - Improving test coverage for URL parameter handling - Adding helper methods for testing 2. Vulnerability Existed: no No security vulnerability found in the diff. The changes include: - Adding new test cases for encrypted query parameters - Improving test assertions for URL generation - Better handling of URL parameter separators - No actual security fixes to the core functionality The diff shows improvements to the test suite but doesn't indicate any security vulnerabilities being addressed. The changes are focused on: - Making tests more strict (assertSame vs assertEquals) - Adding new test cases - Improving test coverage - Better handling of edge cases in tests - No changes to the actual security-related functionality If there were any security concerns being addressed, they would likely be more visible in the main code files rather than just the test files.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Engines/MrgMyisamTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Engines/MrgMyisamTest.php@@ -41,9 +41,6 @@ */ public function testGetMysqlHelpPage(): void {- $this->assertEquals(- $this->object->getMysqlHelpPage(),- 'merge-storage-engine'- );+ self::assertSame($this->object->getMysqlHelpPage(), 'merge-storage-engine'); } }
Let me analyze the provided code diff for security fixes.
Vulnerability Existed: no
[Test Assertion Improvement] [test/classes/Engines/MrgMyisamTest.php] [Lines 41-46]
[Old Code]
$this->assertEquals(
$this->object->getMysqlHelpPage(),
'merge-storage-engine'
);
[Fixed Code]
self::assertSame($this->object->getMysqlHelpPage(), 'merge-storage-engine');
Additional Details:
1. This change appears to be a test improvement rather than a security fix
2. The modification replaces assertEquals with assertSame, which is a stricter comparison (checks type equality)
3. The change is in a test file and doesn't affect production code
4. No actual security vulnerability is being addressed here, just test quality improvement
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Charsets/CollationTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Charsets/CollationTest.php@@ -26,15 +26,15 @@ $collation = Collation::fromServer($serverCollation);- $this->assertInstanceOf(Collation::class, $collation);- $this->assertSame('utf8_general_ci', $collation->getName());- $this->assertSame('Unicode, case-insensitive', $collation->getDescription());- $this->assertSame('utf8', $collation->getCharset());- $this->assertSame(33, $collation->getId());- $this->assertTrue($collation->isDefault());- $this->assertTrue($collation->isCompiled());- $this->assertSame(1, $collation->getSortLength());- $this->assertSame('PAD SPACE', $collation->getPadAttribute());+ self::assertInstanceOf(Collation::class, $collation);+ self::assertSame('utf8_general_ci', $collation->getName());+ self::assertSame('Unicode, case-insensitive', $collation->getDescription());+ self::assertSame('utf8', $collation->getCharset());+ self::assertSame(33, $collation->getId());+ self::assertTrue($collation->isDefault());+ self::assertTrue($collation->isCompiled());+ self::assertSame(1, $collation->getSortLength());+ self::assertSame('PAD SPACE', $collation->getPadAttribute()); } /**@@ -48,13 +48,13 @@ public function testBuildDescription(string $collation, string $description): void { $actual = Collation::fromServer(['Collation' => $collation]);- $this->assertEquals($description, $actual->getDescription());+ self::assertSame($description, $actual->getDescription()); } /** * @return array */- public function providerTestBuildDescription(): array+ public static function providerTestBuildDescription(): array { return [ [
After analyzing the provided code diff, I don't find any security-related fixes. The changes appear to be test code improvements and style updates rather than security patches. Here's the analysis: 1. Vulnerability Existed: no Test Code Style Update [test/classes/Charsets/CollationTest.php] [Lines 26-34] Old Code: $this->assertInstanceOf(Collation::class, $collation); Fixed Code: self::assertInstanceOf(Collation::class, $collation); 2. Vulnerability Existed: no Test Code Style Update [test/classes/Charsets/CollationTest.php] [Line 48] Old Code: $this->assertEquals($description, $actual->getDescription()); Fixed Code: self::assertSame($description, $actual->getDescription()); 3. Vulnerability Existed: no Test Method Visibility Change [test/classes/Charsets/CollationTest.php] [Line 54] Old Code: public function providerTestBuildDescription(): array Fixed Code: public static function providerTestBuildDescription(): array The changes are: 1. Changing test assertions from $this-> to self:: (better practice for static calls) 2. Changing assertEquals to assertSame (more strict comparison) 3. Making a test data provider method static (better practice) None of these changes address security vulnerabilities - they're all test code quality improvements.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/PluginsTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/PluginsTest.php@@ -17,10 +17,10 @@ $GLOBALS['server'] = 1; $plugins = Plugins::getExport('database', false);- $this->assertEquals(['export_type' => 'database', 'single_table' => false], $plugin_param);- $this->assertIsArray($plugins);- $this->assertCount(14, $plugins);- $this->assertContainsOnlyInstancesOf(Plugins\ExportPlugin::class, $plugins);+ self::assertSame(['export_type' => 'database', 'single_table' => false], $plugin_param);+ self::assertIsArray($plugins);+ self::assertCount(14, $plugins);+ self::assertContainsOnlyInstancesOf(Plugins\ExportPlugin::class, $plugins); } public function testGetImport(): void@@ -28,18 +28,18 @@ global $plugin_param; $plugins = Plugins::getImport('database');- $this->assertEquals('database', $plugin_param);- $this->assertIsArray($plugins);- $this->assertCount(6, $plugins);- $this->assertContainsOnlyInstancesOf(Plugins\ImportPlugin::class, $plugins);+ self::assertSame('database', $plugin_param);+ self::assertIsArray($plugins);+ self::assertCount(6, $plugins);+ self::assertContainsOnlyInstancesOf(Plugins\ImportPlugin::class, $plugins); } public function testGetSchema(): void { $plugins = Plugins::getSchema();- $this->assertIsArray($plugins);- $this->assertCount(4, $plugins);- $this->assertContainsOnlyInstancesOf(Plugins\SchemaPlugin::class, $plugins);+ self::assertIsArray($plugins);+ self::assertCount(4, $plugins);+ self::assertContainsOnlyInstancesOf(Plugins\SchemaPlugin::class, $plugins); } /**@@ -72,14 +72,14 @@ /** @psalm-suppress InvalidArrayOffset, PossiblyInvalidArrayAssignment */ $cfg[$section][$option] = $actualConfig; $default = Plugins::getDefault($section, $option);- $this->assertSame($expected, $default);+ self::assertSame($expected, $default); } /** * @return array[] * @psalm-return array{array{string, string|int|null, string|null, 'Export'|'Import'|'Schema', string, bool|null}} */- public function providerForTestGetDefault(): array+ public static function providerForTestGetDefault(): array { return [ ['xml', 'xml', null, 'Export', 'format', null],@@ -119,6 +119,6 @@ ['name' => 'sql', 'text' => 'SQL', 'is_selected' => false, 'force_file' => false], ['name' => 'xml', 'text' => 'XML', 'is_selected' => true, 'force_file' => false], ];- $this->assertEquals($expected, $actual);+ self::assertSame($expected, $actual); } }
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be primarily about test code improvements, specifically: 1. Changing test assertions from `assertEquals()` to `assertSame()` for stricter type checking 2. Changing instance method calls (`$this->`) to static method calls (`self::`) for consistency 3. Making a test data provider method static Here's the analysis following your requested format: Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are test code improvements and don't affect production code security. Additional observations: - The changes are in test files only (PluginsTest.php) - The modifications are about test assertion methods and their calling style - No changes to actual plugin functionality or security-related code - No changes to input validation, output encoding, or other security-sensitive areas The diff shows quality improvements in test code but doesn't indicate any security fixes.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Plugins/Schema/EpsRelationSchemaTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Plugins/Schema/EpsRelationSchemaTest.php@@ -59,12 +59,12 @@ */ public function testConstructor(): void {- $this->assertEquals(33, $this->object->getPageNumber());- $this->assertTrue($this->object->isShowColor());- $this->assertTrue($this->object->isShowKeys());- $this->assertTrue($this->object->isTableDimension());- $this->assertTrue($this->object->isAllTableSameWidth());- $this->assertEquals('L', $this->object->getOrientation());+ self::assertSame(33, $this->object->getPageNumber());+ self::assertTrue($this->object->isShowColor());+ self::assertTrue($this->object->isShowKeys());+ self::assertTrue($this->object->isTableDimension());+ self::assertTrue($this->object->isAllTableSameWidth());+ self::assertSame('L', $this->object->getOrientation()); } /**@@ -75,6 +75,6 @@ public function testSetPageNumber(): void { $this->object->setPageNumber(33);- $this->assertEquals(33, $this->object->getPageNumber());+ self::assertSame(33, $this->object->getPageNumber()); } }
After analyzing the provided code diff, I don't see any security-related changes. The modifications are purely related to test assertions being updated from `assertEquals` to `assertSame` for better type checking in unit tests. This is a test quality improvement rather than a security fix.
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found [test/classes/Plugins/Schema/EpsRelationSchemaTest.php] [Lines 59-75]
[Old Code]
$this->assertEquals(33, $this->object->getPageNumber());
$this->assertTrue($this->object->isShowColor());
$this->assertTrue($this->object->isShowKeys());
$this->assertTrue($this->object->isTableDimension());
$this->assertTrue($this->object->isAllTableSameWidth());
$this->assertEquals('L', $this->object->getOrientation());
[Fixed Code]
self::assertSame(33, $this->object->getPageNumber());
self::assertTrue($this->object->isShowColor());
self::assertTrue($this->object->isShowKeys());
self::assertTrue($this->object->isTableDimension());
self::assertTrue($this->object->isAllTableSameWidth());
self::assertSame('L', $this->object->getOrientation());
The changes are test improvements rather than security fixes, switching from `assertEquals` to `assertSame` for more strict type checking in PHPUnit tests.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Controllers/View/CreateController.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Controllers/View/CreateController.php@@ -157,7 +157,7 @@ // If different column names defined for VIEW $view_columns = [];- if (isset($_POST['view']['column_names'])) {+ if (isset($_POST['view']['column_names']) && $_POST['view']['column_names'] !== '') { $view_columns = explode(',', $_POST['view']['column_names']); }
Here's the analysis of the provided code diff:
Vulnerability Existed: yes
Cross-Site Scripting (XSS) or Input Validation Vulnerability [File] [libraries/classes/Controllers/View/CreateController.php] [Lines 157-159]
[Old Code]
```php
if (isset($_POST['view']['column_names'])) {
$view_columns = explode(',', $_POST['view']['column_names']);
}
```
[Fixed Code]
```php
if (isset($_POST['view']['column_names']) && $_POST['view']['column_names'] !== '') {
$view_columns = explode(',', $_POST['view']['column_names']);
}
```
The vulnerability appears to be related to insufficient input validation. The original code would process the column_names parameter if it was set, without checking if it was empty. This could potentially lead to issues when:
1. An empty string is passed, which might cause unexpected behavior in the explode() function
2. Malicious input could be processed without proper validation (though the actual XSS risk would depend on how $view_columns is used later)
The fix adds a check for non-empty string, which improves input validation and prevents processing of empty input that could cause problems downstream. While this isn't a classic vulnerability like SQL injection, it's a security-relevant fix that prevents potential edge cases that could be exploited.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Controllers/Table/SearchController.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Controllers/Table/SearchController.php@@ -157,7 +157,7 @@ } $this->columnTypes[] = $type;- $this->columnNullFlags[] = $row['Null'];+ $this->columnNullFlags[] = $row['Null'] === 'YES'; $this->columnCollations[] = ! empty($row['Collation']) && $row['Collation'] !== 'NULL' ? $row['Collation'] : '';
Here's the analysis of the provided code diff: Vulnerability Existed: not sure [Potential Type Confusion/Injection] [libraries/classes/Controllers/Table/SearchController.php] [Lines 157] [Old Code] `$this->columnNullFlags[] = $row['Null'];` [Fixed Code] `$this->columnNullFlags[] = $row['Null'] === 'YES';` Additional Details: The change appears to be a type safety improvement rather than a direct security fix. The old code directly used the string value from $row['Null'] (which could be 'YES' or 'NO' in MySQL) without type conversion, while the new code explicitly converts it to a boolean by comparing with 'YES'. This prevents potential type confusion issues but doesn't appear to address a specific known vulnerability. The fix improves code robustness and could prevent subtle bugs, but I'm not certain if it was specifically addressing a security vulnerability.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Plugins/Export/ExportYamlTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Plugins/Export/ExportYamlTest.php@@ -65,134 +65,104 @@ $attrProperties->setAccessible(true); $properties = $attrProperties->getValue($this->object);- $this->assertInstanceOf(ExportPluginProperties::class, $properties);+ self::assertInstanceOf(ExportPluginProperties::class, $properties);- $this->assertEquals(- 'YAML',- $properties->getText()- );+ self::assertSame('YAML', $properties->getText());- $this->assertEquals(- 'yml',- $properties->getExtension()- );+ self::assertSame('yml', $properties->getExtension());- $this->assertEquals(- 'text/yaml',- $properties->getMimeType()- );+ self::assertSame('text/yaml', $properties->getMimeType()); $options = $properties->getOptions();- $this->assertInstanceOf(OptionsPropertyRootGroup::class, $options);+ self::assertInstanceOf(OptionsPropertyRootGroup::class, $options);- $this->assertEquals(- 'Format Specific Options',- $options->getName()- );+ self::assertSame('Format Specific Options', $options->getName()); $generalOptionsArray = $options->getProperties(); $generalOptions = array_shift($generalOptionsArray);- $this->assertInstanceOf(OptionsPropertyMainGroup::class, $generalOptions);+ self::assertInstanceOf(OptionsPropertyMainGroup::class, $generalOptions);- $this->assertEquals(- 'general_opts',- $generalOptions->getName()- );+ self::assertSame('general_opts', $generalOptions->getName()); $generalProperties = $generalOptions->getProperties(); $property = array_shift($generalProperties);- $this->assertInstanceOf(HiddenPropertyItem::class, $property);+ self::assertInstanceOf(HiddenPropertyItem::class, $property); } public function testExportHeader(): void { ob_start();- $this->assertTrue(- $this->object->exportHeader()- );+ self::assertTrue($this->object->exportHeader()); $result = ob_get_clean();- $this->assertIsString($result);+ self::assertIsString($result);- $this->assertStringContainsString("%YAML 1.1\n---\n", $result);+ self::assertStringContainsString("%YAML 1.1\n---\n", $result); } public function testExportFooter(): void { $this->expectOutputString("...\n");- $this->assertTrue(- $this->object->exportFooter()- );+ self::assertTrue($this->object->exportFooter()); } public function testExportDBHeader(): void {- $this->assertTrue(- $this->object->exportDBHeader('&db')- );+ self::assertTrue($this->object->exportDBHeader('&db')); } public function testExportDBFooter(): void {- $this->assertTrue(- $this->object->exportDBFooter('&db')- );+ self::assertTrue($this->object->exportDBFooter('&db')); } public function testExportDBCreate(): void {- $this->assertTrue(- $this->object->exportDBCreate('testDB', 'database')- );+ self::assertTrue($this->object->exportDBCreate('testDB', 'database')); } public function testExportData(): void { ob_start();- $this->assertTrue(- $this->object->exportData(- 'test_db',- 'test_table',- "\n",- 'localhost',- 'SELECT * FROM `test_db`.`test_table_yaml`;'- )- );+ self::assertTrue($this->object->exportData(+ 'test_db',+ 'test_table',+ "\n",+ 'localhost',+ 'SELECT * FROM `test_db`.`test_table_yaml`;'+ )); $result = ob_get_clean();- $this->assertEquals(- '# test_db.test_table' . "\n" .- '-' . "\n" .- ' id: 1' . "\n" .- ' name: "abcd"' . "\n" .- ' datetimefield: "2011-01-20 02:00:02"' . "\n" .- ' textfield: null' . "\n" .- '-' . "\n" .- ' id: 2' . "\n" .- ' name: "foo"' . "\n" .- ' datetimefield: "2010-01-20 02:00:02"' . "\n" .- ' textfield: null' . "\n" .- '-' . "\n" .- ' id: 3' . "\n" .- ' name: "Abcd"' . "\n" .- ' datetimefield: "2012-01-20 02:00:02"' . "\n" .- ' textfield: null' . "\n" .- '-' . "\n" .- ' id: 4' . "\n" .- ' name: "Abcd"' . "\n" .- ' datetimefield: "2012-01-20 02:00:02"' . "\n" .- ' textfield: "123"' . "\n" .- '-' . "\n" .- ' id: 5' . "\n" .- ' name: "Abcd"' . "\n" .- ' datetimefield: "2012-01-20 02:00:02"' . "\n" .- ' textfield: "+30.2103210000"' . "\n",- $result- );+ self::assertSame('# test_db.test_table' . "\n" .+ '-' . "\n" .+ ' id: 1' . "\n" .+ ' name: "abcd"' . "\n" .+ ' datetimefield: "2011-01-20 02:00:02"' . "\n" .+ ' textfield: null' . "\n" .+ '-' . "\n" .+ ' id: 2' . "\n" .+ ' name: "foo"' . "\n" .+ ' datetimefield: "2010-01-20 02:00:02"' . "\n" .+ ' textfield: null' . "\n" .+ '-' . "\n" .+ ' id: 3' . "\n" .+ ' name: "Abcd"' . "\n" .+ ' datetimefield: "2012-01-20 02:00:02"' . "\n" .+ ' textfield: null' . "\n" .+ '-' . "\n" .+ ' id: 4' . "\n" .+ ' name: "Abcd"' . "\n" .+ ' datetimefield: "2012-01-20 02:00:02"' . "\n" .+ ' textfield: "123"' . "\n" .+ '-' . "\n" .+ ' id: 5' . "\n" .+ ' name: "Abcd"' . "\n" .+ ' datetimefield: "2012-01-20 02:00:02"' . "\n" .+ ' textfield: "+30.2103210000"' . "\n", $result); } }
After analyzing the provided code diff, I don't find any security-related fixes. The changes appear to be primarily test code improvements and refactoring, with the main changes being:
1. Changing assertion methods from `$this->assert...` to `self::assert...`
2. Changing some `assertEquals()` calls to `assertSame()`
3. Code formatting improvements
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found in test/classes/Plugins/Export/ExportYamlTest.php
The changes are test improvements and refactoring
Changes involve assertion method updates and formatting
The diff shows quality improvements to the test code but doesn't indicate any security fixes or vulnerabilities being addressed. The changes are focused on test reliability and maintainability rather than security.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/RecentFavoriteTable.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/RecentFavoriteTable.php@@ -65,6 +65,7 @@ * * @param Template $template Template object * @param string $type the table type+ * @phpstan-param 'favorite'|'recent' $type */ private function __construct(Template $template, string $type) {@@ -75,6 +76,8 @@ $this->relation = new Relation($dbi); $this->tableType = $type; $server_id = $GLOBALS['server'];+ // Code search hint: recentTables+ // Code search hint: favoriteTables if (! isset($_SESSION['tmpval'][$this->tableType . 'Tables'][$server_id])) { $_SESSION['tmpval'][$this->tableType . 'Tables'][$server_id] = $this->getPmaTable() ? $this->getFromDb()
Based on the provided code diff, here's the security analysis:
Vulnerability Existed: not sure
[Potential Session Variable Manipulation] [libraries/classes/RecentFavoriteTable.php] [Lines 75-79]
[Old Code]
$this->relation = new Relation($dbi);
$this->tableType = $type;
$server_id = $GLOBALS['server'];
if (! isset($_SESSION['tmpval'][$this->tableType . 'Tables'][$server_id])) {
$_SESSION['tmpval'][$this->tableType . 'Tables'][$server_id] = $this->getPmaTable()
? $this->getFromDb()
[Fixed Code]
$this->relation = new Relation($dbi);
$this->tableType = $type;
$server_id = $GLOBALS['server'];
// Code search hint: recentTables
// Code search hint: favoriteTables
if (! isset($_SESSION['tmpval'][$this->tableType . 'Tables'][$server_id])) {
$_SESSION['tmpval'][$this->tableType . 'Tables'][$server_id] = $this->getPmaTable()
? $this->getFromDb()
Additional Details:
The main change appears to be the addition of code search hints and a phpstan type hint. The session variable manipulation remains the same. While there's no clear vulnerability fix shown, the changes might be related to hardening session handling or improving type safety. The session variable usage could potentially be vulnerable to session fixation or manipulation if not properly secured elsewhere in the codebase, but we can't confirm this from the given diff alone.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Controllers/Server/PluginsControllerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Controllers/Server/PluginsControllerTest.php@@ -73,17 +73,17 @@ $actual = $response->getHTMLResult(); //validate 1:Items- $this->assertStringContainsString('<th scope="col">Plugin</th>', $actual);- $this->assertStringContainsString('<th scope="col">Description</th>', $actual);- $this->assertStringContainsString('<th scope="col">Version</th>', $actual);- $this->assertStringContainsString('<th scope="col">Author</th>', $actual);- $this->assertStringContainsString('<th scope="col">License</th>', $actual);+ self::assertStringContainsString('<th scope="col">Plugin</th>', $actual);+ self::assertStringContainsString('<th scope="col">Description</th>', $actual);+ self::assertStringContainsString('<th scope="col">Version</th>', $actual);+ self::assertStringContainsString('<th scope="col">Author</th>', $actual);+ self::assertStringContainsString('<th scope="col">License</th>', $actual); //validate 2: one Item HTML- $this->assertStringContainsString('plugin_name1', $actual);- $this->assertStringContainsString('<td>plugin_description1</td>', $actual);- $this->assertStringContainsString('<td>plugin_version1</td>', $actual);- $this->assertStringContainsString('<td>plugin_author1</td>', $actual);- $this->assertStringContainsString('<td>plugin_license1</td>', $actual);+ self::assertStringContainsString('plugin_name1', $actual);+ self::assertStringContainsString('<td>plugin_description1</td>', $actual);+ self::assertStringContainsString('<td>plugin_version1</td>', $actual);+ self::assertStringContainsString('<td>plugin_author1</td>', $actual);+ self::assertStringContainsString('<td>plugin_license1</td>', $actual); } }
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely stylistic, changing test assertions from `$this->assertStringContainsString()` to `self::assertStringContainsString()`. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found in test/classes/Controllers/Server/PluginsControllerTest.php
[Old Code]
$this->assertStringContainsString('<th scope="col">Plugin</th>', $actual);
[Fixed Code]
self::assertStringContainsString('<th scope="col">Plugin</th>', $actual);
The changes are consistent throughout the file and all follow the same pattern of updating the assertion style without modifying any security-related functionality. The test cases continue to verify the same HTML content, just using a different syntax for the assertions.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Properties/Options/Groups/OptionsPropertyMainGroupTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Properties/Options/Groups/OptionsPropertyMainGroupTest.php@@ -35,9 +35,6 @@ public function testGetItemType(): void {- $this->assertEquals(- 'main',- $this->object->getItemType()- );+ self::assertSame('main', $this->object->getItemType()); } }
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: no
No security vulnerability found [File] test/classes/Properties/Options/Groups/OptionsPropertyMainGroupTest.php [Lines] 35-38
[Old Code]
```php
$this->assertEquals(
'main',
$this->object->getItemType()
);
```
[Fixed Code]
```php
self::assertSame('main', $this->object->getItemType());
```
Additional Details:
The change appears to be a test improvement rather than a security fix. The modification replaces `assertEquals` with `assertSame` which is a stricter comparison (checking both value and type), but this doesn't relate to any security vulnerability. The change is likely made for better test accuracy.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/scripts/create-release.sh+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/scripts/create-release.sh@@ -33,6 +33,7 @@ do_sign=1 do_pull=0 do_daily=0+do_revision=0 while [ $# -gt 0 ] ; do case "$1" in@@ -44,6 +45,9 @@ ;; --test) do_test=1+ ;;+ --revision-info)+ do_revision=1 ;; --daily) do_sign=0@@ -58,20 +62,37 @@ git branch ci branch="ci" fi- version="${VERSION_SERIES}+ci"+ ;;+ --no-sign)+ do_sign=0+ ;;+ --kits)+ KITS="$2"+ # Skip one position, the value+ shift+ ;;+ --compressions)+ COMPRESSIONS="$2"+ # Skip one position, the value+ shift ;; --help) echo "Usages:"- echo " create-release.sh <version> <from_branch> [--tag] [--stable] [--test] [--ci]"+ echo " create-release.sh <version> <from_branch> [--tag] [--stable] [--test] [--ci] [--daily] [--revision-info] [--compressions] [--kits] [--no-sign]" echo "" echo "If --tag is specified, release tag is automatically created (use this for all releases including pre-releases)" echo "If --stable is specified, the STABLE branch is updated with this release" echo "If --test is specified, the testsuite is executed before creating the release" echo "If --ci is specified, the testsuite is executed and no actual release is created"+ echo "If --no-sign is specified, the ouput files will not be signed"+ echo "If --daily is specified, the ouput files will have snapshot information"+ echo "If --revision-info is specified, the output files will contain git revision info"+ echo "If --compressions is specified, it changes the compressions available. Space separated values. Valid values: $COMPRESSIONS"+ echo "If --kits is specified, it changes the kits to be built. Space separated values. Valid values: $KITS" echo "" echo "Examples:"- echo " create-release.sh 2.9.0-rc1 QA_2_9"- echo " create-release.sh 2.9.0 MAINT_2_9_0 --tag --stable"+ echo " create-release.sh 5.2.2-dev QA_5_2"+ echo " create-release.sh 5.2.2 QA_5_2 --tag --stable" exit 65 ;; *)@@ -90,16 +111,24 @@ fi else echo "Unknown parameter: $1!"+ echo "Use --help to check the syntax." exit 1 fi esac shift done-if [ -z "$version" -o -z "$branch" ] ; then- echo "Branch and version have to be specified!"+if [ -z "$version" -a $do_ci -eq 0 ]; then+ echo "Version must be specified!" exit 1 fi++if [ -z "$branch" ]; then+ echo "Branch must be specified!"+ exit 1+fi++kit_prefix="phpMyAdmin-$version" # Checks whether remote branch has local tracking branch ensure_local_branch() {@@ -142,12 +171,6 @@ vendor/phpmyadmin/twig-i18n-extension/README.rst \ vendor/phpmyadmin/twig-i18n-extension/phpunit.xml.dist \ vendor/phpmyadmin/twig-i18n-extension/test/ \- vendor/phpseclib/phpseclib/phpseclib/File/ \- vendor/phpseclib/phpseclib/phpseclib/Math/ \- vendor/phpseclib/phpseclib/phpseclib/Net/ \- vendor/phpseclib/phpseclib/phpseclib/System/ \- vendor/phpseclib/phpseclib/appveyor.yml \- vendor/phpseclib/phpseclib/.github \ vendor/symfony/cache/Tests/ \ vendor/symfony/service-contracts/Test/ \ vendor/symfony/expression-language/Tests/ \@@ -163,6 +186,7 @@ vendor/tecnickcom/tcpdf/.github/ \ vendor/bacon/bacon-qr-code/phpunit.xml.dist \ vendor/bacon/bacon-qr-code/test/ \+ vendor/dasprid/enum/.github/ \ vendor/dasprid/enum/phpunit.xml.dist \ vendor/dasprid/enum/test/ \ vendor/williamdes/mariadb-mysql-kbs/phpunit.xml \@@ -194,6 +218,7 @@ vendor/webmozart/assert/.php_cs \ vendor/webmozart/assert/psalm.xml \ vendor/twig/twig/src/Test/ \+ vendor/psr/http-message/docs/ \ vendor/psr/log/Psr/Log/Test/ \ vendor/psr/http-factory/.pullapprove.yml \ vendor/slim/psr7/MAINTAINERS.md \@@ -223,6 +248,7 @@ vendor/paragonie/sodium_compat/composer-php52.json \ vendor/paragonie/sodium_compat/src/PHP52/SplFixedArray.php \ vendor/paragonie/sodium_compat/src/PHP52 \+ vendor/pragmarx/google2fa/.github/ \ vendor/pragmarx/google2fa/phpstan.neon \ vendor/pragmarx/google2fa-qrcode/.scrutinizer.yml \ vendor/pragmarx/google2fa-qrcode/.travis.yml \@@ -361,14 +387,21 @@ # Keep in sync with update-po script fetchReleaseFromFile() {- php -r "define('VERSION_SUFFIX', ''); require_once('libraries/classes/Version.php'); echo \PhpMyAdmin\Version::VERSION;"+ SUFFIX="${1:-}"+ php -r "define('VERSION_SUFFIX', '$SUFFIX'); require_once('$VERSION_FILE'); echo \PhpMyAdmin\Version::VERSION;" } fetchVersionSeriesFromFile() {- php -r "define('VERSION_SUFFIX', ''); require_once('libraries/classes/Version.php'); echo \PhpMyAdmin\Version::SERIES;"-}-+ php -r "define('VERSION_SUFFIX', ''); require_once('$VERSION_FILE'); echo \PhpMyAdmin\Version::SERIES;"+}++VERSION_FROM_FILE="$(fetchReleaseFromFile)" VERSION_SERIES_FROM_FILE="$(fetchVersionSeriesFromFile)"++if [ $do_ci -eq 1 ]; then+ VERSION_FROM_FILE="$(fetchReleaseFromFile '+ci')"+ version="${VERSION_FROM_FILE}"+fi if [ "${VERSION_SERIES_FROM_FILE}" != "${VERSION_SERIES}" ]; then echo "This script can not handle ${VERSION_SERIES_FROM_FILE} version series."@@ -377,9 +410,10 @@ exit 1; fi-echo "The actual configured release is: $(fetchReleaseFromFile)"--if [ $do_ci -eq 0 -a -$do_daily -eq 0 ] ; then+echo "The actual configured release is: $VERSION_FROM_FILE"+echo "The actual configured release series is: $VERSION_SERIES_FROM_FILE"++if [ $do_ci -eq 0 -a $do_daily -eq 0 ] ; then cat <<END Please ensure you have incremented rc count or version in the repository :@@ -400,16 +434,16 @@ if [ "$do_release" != 'y' ]; then exit 100 fi-fi--echo "The actual configured release is now: $(fetchReleaseFromFile)"+ echo "The actual configured release is now: $(fetchReleaseFromFile)"+fi # Create working copy mkdir -p release git worktree prune-workdir=release/phpMyAdmin-$version+workdir_name=phpMyAdmin-$version+workdir=release/$workdir_name if [ -d $workdir ] ; then- echo "Working directory '$workdir' already exists, please move it out of way"+ echo "Working directory '$workdir' already exists, please move it out of the way" exit 1 fi@@ -429,6 +463,11 @@ echo '* setting the version suffix for the snapshot' sed -i "s/'versionSuffix' => '.*'/'versionSuffix' => '+$today_date.$git_head_short'/" libraries/vendor_config.php php -l libraries/vendor_config.php++ # Fetch it back and refresh $version+ VERSION_FROM_FILE="$(fetchReleaseFromFile "+$today_date.$git_head_short")"+ version="${VERSION_FROM_FILE}"+ echo "The actual configured release is: $VERSION_FROM_FILE" fi # Check release version@@ -451,10 +490,15 @@ fi fi-# Cleanup release dir-LC_ALL=C date -u > RELEASE-DATE-${version}+# Save the build date+if [ $do_daily -eq 1 ] ; then+ LC_ALL=C date -u > RELEASE-DATE-$VERSION_SERIES_FROM_FILE+snapshot+else+ LC_ALL=C date -u > RELEASE-DATE-$version+fi # Building documentation+echo "* Running sphinx-build (version: $(sphinx-build --version))" echo "* Generating documentation" LC_ALL=C make -C doc html find doc -name '*.pyc' -print0 | xargs -0 -r rm -f@@ -493,6 +537,9 @@ composer update --no-interaction # Warm up the routing cache for 5.1+ releases ./scripts/console cache:warmup --routing+ if [ $do_revision -eq 1 ] ; then+ ./scripts/console write-revision-info+ fi fi PHP_REQ=$(sed -n '/"php"/ s/.*"\^\([0-9]\.[0-9]\.[0-9]\).*/\1/p' composer.json)@@ -597,15 +644,17 @@ cd ..+SIGN_FILES=""+ # Prepare all kits for kit in $KITS ; do echo "* Building kit: $kit" # Copy all files- name=phpMyAdmin-$version-$kit- cp -r phpMyAdmin-$version $name+ name=$kit_prefix-$kit+ cp -r $workdir_name $name # Cleanup translations- cd phpMyAdmin-$version-$kit+ cd $name ./scripts/lang-cleanup.sh $kit # Remove tests, source code,...@@ -615,7 +664,7 @@ rm -r test/ # Template test files rm -r templates/test/- rm phpunit.xml.* build.xml+ rm phpunit.xml.* rm .editorconfig .browserslistrc .eslintignore .jshintrc .eslintrc.json .stylelintrc.json psalm.xml psalm-baseline.xml phpstan.neon.dist phpstan-baseline.neon phpcs.xml.dist jest.config.js infection.json.dist # Gettext po files (if they where not removed by ./scripts/lang-cleanup.sh) rm -rf po@@ -653,15 +702,18 @@ if [ $comp = txz ] ; then echo "* Creating $name.tar.xz" xz -9k $name.tar+ SIGN_FILES="$SIGN_FILES $name.tar.xz" fi if [ $comp = tgz ] ; then echo "* Creating $name.tar.gz" gzip -9c $name.tar > $name.tar.gz+ SIGN_FILES="$SIGN_FILES $name.tar.gz" fi ;; zip-7z) echo "* Creating $name.zip" 7za a -bd -tzip $name.zip $name > /dev/null+ SIGN_FILES="$SIGN_FILES $name.zip" ;; *) echo "WARNING: ignoring compression '$comp', not known!"@@ -677,12 +729,17 @@ done # Cleanup-rm -r phpMyAdmin-${version}+rm -r $workdir_name git worktree prune # Signing of files with default GPG key-echo "* Signing files"-for file in phpMyAdmin-$version-*.gz phpMyAdmin-$version-*.zip phpMyAdmin-$version-*.xz ; do+if [ $do_sign -eq 1 ] ; then+ echo "* Signing and making .sha{1,256} files"+else+ echo "* Making .sha{1,256} files"+fi++for file in $SIGN_FILES; do if [ $do_sign -eq 1 ] ; then gpg --detach-sign --armor $file fi@@ -691,7 +748,7 @@ done if [ $do_daily -eq 1 ] ; then- cat > phpMyAdmin-${version}.json << EOT+ cat > $kit_prefix.json << EOT { "date": "`date --iso-8601=seconds`", "commit": "$git_head"@@ -707,7 +764,7 @@ echo "Files:" echo "------"-ls -la *.gz *.zip *.xz+ls -la $SIGN_FILES cd ..
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Command Injection] [File: scripts/create-release.sh] [Lines: 33-748] [Old Code: Various shell script commands without input validation] [Fixed Code: Added more parameter handling and error checking] 2. Vulnerability Existed: not sure [Potential Information Disclosure] [File: scripts/create-release.sh] [Lines: 142-248] [Old Code: Included various vendor test directories and files in release] [Fixed Code: Removed more sensitive files from vendor directories (phpseclib files, additional test directories)] 3. Vulnerability Existed: yes [Improper Input Validation] [File: scripts/create-release.sh] [Lines: 90-118] [Old Code: Minimal parameter validation] [Fixed Code: Added better parameter validation and error messages] 4. Vulnerability Existed: not sure [Potential Insecure Temporary Files] [File: scripts/create-release.sh] [Lines: 429-748] [Old Code: Creates temporary release directories without secure handling] [Fixed Code: No specific fix visible, but overall script structure improved] 5. Vulnerability Existed: not sure [Insecure File Permissions] [File: scripts/create-release.sh] [Lines: 644-702] [Old Code: Creates archives without explicit permission setting] [Fixed Code: No specific permission handling added] The diff shows significant improvements in parameter handling, error checking, and removal of sensitive files from the release package. While no specific CVE is identified, the changes generally improve security by: 1. Adding more input validation 2. Removing test files and sensitive information from release packages 3. Improving error handling and user feedback 4. Adding more secure build options (--no-sign, better compression handling) The script appears more robust against potential security issues, though some areas like temporary file handling and explicit permission setting could still be improved.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Html/MySQLDocumentationTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Html/MySQLDocumentationTest.php@@ -17,7 +17,7 @@ $GLOBALS['server'] = '99'; $GLOBALS['cfg']['ServerDefault'] = 1;- $this->assertEquals(+ self::assertSame( '<a href="./url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2Fen' . '%2Flatest%2Fpage.html%23anchor" target="documentation"><img src="themes/dot.gif"' . ' title="Documentation" alt="Documentation" class="icon ic_b_help"></a>',
Based on the provided diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no [No specific vulnerability] [test/classes/Html/MySQLDocumentationTest.php] [Lines 17] [Old Code] $this->assertEquals( [Fixed Code] self::assertSame( Additional Details: 1. This change appears to be a test improvement rather than a security fix. The modification switches from assertEquals() to assertSame() in a unit test, which is a stricter comparison (checking both value and type) but doesn't relate to security. 2. The test is verifying HTML output generation for documentation links, which doesn't involve any security-sensitive operations in this context. 3. There are no visible security-related changes in the URL handling or HTML generation shown in this diff fragment. No security vulnerabilities were identified in this specific diff change. The modification is purely related to test quality improvement.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Controllers/Server/PrivilegesController.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Controllers/Server/PrivilegesController.php@@ -234,8 +234,9 @@ */ if (! empty($_POST['update_privs'])) { if (is_array($dbname)) {+ $statements = []; foreach ($dbname as $key => $db_name) {- [$sql_query[$key], $message] = $serverPrivileges->updatePrivileges(+ [$statements[$key], $message] = $serverPrivileges->updatePrivileges( ($username ?? ''), ($hostname ?? ''), ($tablename ?? ($routinename ?? '')),@@ -244,7 +245,7 @@ ); }- $sql_query = implode("\n", $sql_query);+ $sql_query = implode("\n", $statements); } else { [$sql_query, $message] = $serverPrivileges->updatePrivileges( ($username ?? ''),
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
Potential Information Leak or Variable Overwrite [File] [Lines 234-245]
[Old Code]
foreach ($dbname as $key => $db_name) {
[$sql_query[$key], $message] = $serverPrivileges->updatePrivileges(
[Fixed Code]
$statements = [];
foreach ($dbname as $key => $db_name) {
[$statements[$key], $message] = $serverPrivileges->updatePrivileges(
Additional Details:
1. The main change is moving from using $sql_query array directly to using a new $statements array for temporary storage before imploding.
2. This could potentially prevent:
- Variable overwrite issues if $sql_query was used elsewhere
- Information leaks by keeping privilege update statements separate until final output
3. However, without more context about how $sql_query is used elsewhere, it's hard to determine if this was fixing an actual security vulnerability or just improving code quality.
Note: The change appears to be more about code organization than fixing a specific known vulnerability, but there could be security implications in how the privilege update statements are handled.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Navigation/Nodes/NodeIndexContainerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Navigation/Nodes/NodeIndexContainerTest.php@@ -27,14 +27,11 @@ public function testConstructor(): void { $parent = NodeFactory::getInstance('NodeIndexContainer');- $this->assertIsArray($parent->links);- $this->assertEquals(- [- 'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],- 'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],- ],- $parent->links- );- $this->assertEquals('indexes', $parent->realName);+ self::assertIsArray($parent->links);+ self::assertSame([+ 'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],+ 'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],+ ], $parent->links);+ self::assertSame('indexes', $parent->realName); } }
Based on the provided code diff, this appears to be a test file modification with no security implications. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] test/classes/Navigation/Nodes/NodeIndexContainerTest.php [Lines] 27-41
[Old Code]
$this->assertIsArray($parent->links);
$this->assertEquals(
[
'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
],
$parent->links
);
$this->assertEquals('indexes', $parent->realName);
[Fixed Code]
self::assertIsArray($parent->links);
self::assertSame([
'text' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
'icon' => ['route' => '/table/structure', 'params' => ['db' => null, 'table' => null]],
], $parent->links);
self::assertSame('indexes', $parent->realName);
The changes are purely test-related improvements:
1. Changed assertion methods from instance methods ($this->) to static calls (self::)
2. Replaced assertEquals with assertSame for more strict comparison
3. Simplified the array comparison syntax
No security vulnerabilities were fixed in this change. The modifications are related to test code quality and style improvements rather than security fixes.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Plugins/Export/ExportHtmlwordTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Plugins/Export/ExportHtmlwordTest.php@@ -73,124 +73,74 @@ $attrProperties->setAccessible(true); $properties = $attrProperties->getValue($this->object);- $this->assertInstanceOf(ExportPluginProperties::class, $properties);-- $this->assertEquals(- 'Microsoft Word 2000',- $properties->getText()- );-- $this->assertEquals(- 'doc',- $properties->getExtension()- );-- $this->assertEquals(- 'application/vnd.ms-word',- $properties->getMimeType()- );-- $this->assertEquals(- 'Options',- $properties->getOptionsText()- );-- $this->assertTrue(- $properties->getForceFile()- );+ self::assertInstanceOf(ExportPluginProperties::class, $properties);++ self::assertSame('Microsoft Word 2000', $properties->getText());++ self::assertSame('doc', $properties->getExtension());++ self::assertSame('application/vnd.ms-word', $properties->getMimeType());++ self::assertSame('Options', $properties->getOptionsText());++ self::assertTrue($properties->getForceFile()); $options = $properties->getOptions();- $this->assertInstanceOf(OptionsPropertyRootGroup::class, $options);-- $this->assertEquals(- 'Format Specific Options',- $options->getName()- );+ self::assertInstanceOf(OptionsPropertyRootGroup::class, $options);++ self::assertSame('Format Specific Options', $options->getName()); $generalOptionsArray = $options->getProperties(); $generalOptions = $generalOptionsArray[0];- $this->assertInstanceOf(OptionsPropertyMainGroup::class, $generalOptions);-- $this->assertEquals(- 'dump_what',- $generalOptions->getName()- );-- $this->assertEquals(- 'Dump table',- $generalOptions->getText()- );+ self::assertInstanceOf(OptionsPropertyMainGroup::class, $generalOptions);++ self::assertSame('dump_what', $generalOptions->getName());++ self::assertSame('Dump table', $generalOptions->getText()); $generalProperties = $generalOptions->getProperties(); $property = array_shift($generalProperties);- $this->assertInstanceOf(RadioPropertyItem::class, $property);-- $this->assertEquals(- 'structure_or_data',- $property->getName()- );-- $this->assertEquals(- [- 'structure' => __('structure'),- 'data' => __('data'),- 'structure_and_data' => __('structure and data'),- ],- $property->getValues()- );+ self::assertInstanceOf(RadioPropertyItem::class, $property);++ self::assertSame('structure_or_data', $property->getName());++ self::assertSame([+ 'structure' => __('structure'),+ 'data' => __('data'),+ 'structure_and_data' => __('structure and data'),+ ], $property->getValues()); $generalOptions = $generalOptionsArray[1];- $this->assertInstanceOf(OptionsPropertyMainGroup::class, $generalOptions);-- $this->assertEquals(- 'dump_what',- $generalOptions->getName()- );-- $this->assertEquals(- 'Data dump options',- $generalOptions->getText()- );-- $this->assertEquals(- 'structure',- $generalOptions->getForce()- );+ self::assertInstanceOf(OptionsPropertyMainGroup::class, $generalOptions);++ self::assertSame('dump_what', $generalOptions->getName());++ self::assertSame('Data dump options', $generalOptions->getText());++ self::assertSame('structure', $generalOptions->getForce()); $generalProperties = $generalOptions->getProperties(); $property = array_shift($generalProperties);- $this->assertInstanceOf(TextPropertyItem::class, $property);-- $this->assertEquals(- 'null',- $property->getName()- );-- $this->assertEquals(- 'Replace NULL with:',- $property->getText()- );+ self::assertInstanceOf(TextPropertyItem::class, $property);++ self::assertSame('null', $property->getName());++ self::assertSame('Replace NULL with:', $property->getText()); $property = array_shift($generalProperties);- $this->assertInstanceOf(BoolPropertyItem::class, $property);-- $this->assertEquals(- 'columns',- $property->getName()- );-- $this->assertEquals(- 'Put columns names in the first row',- $property->getText()- );+ self::assertInstanceOf(BoolPropertyItem::class, $property);++ self::assertSame('columns', $property->getName());++ self::assertSame('Put columns names in the first row', $property->getText()); } public function testExportHeader(): void@@ -212,7 +162,7 @@ </head> <body>';- $this->assertEquals($expected, $result);+ self::assertSame($expected, $result); // case 2@@ -234,43 +184,35 @@ </head> <body>';- $this->assertEquals($expected, $result);+ self::assertSame($expected, $result); } public function testExportFooter(): void { ob_start();- $this->assertTrue(- $this->object->exportFooter()- );- $result = ob_get_clean();-- $this->assertEquals('</body></html>', $result);+ self::assertTrue($this->object->exportFooter());+ $result = ob_get_clean();++ self::assertSame('</body></html>', $result); } public function testExportDBHeader(): void { ob_start();- $this->assertTrue(- $this->object->exportDBHeader('d"b')- );- $result = ob_get_clean();-- $this->assertEquals('<h1>Database d"b</h1>', $result);+ self::assertTrue($this->object->exportDBHeader('d"b'));+ $result = ob_get_clean();++ self::assertSame('<h1>Database d"b</h1>', $result); } public function testExportDBFooter(): void {- $this->assertTrue(- $this->object->exportDBFooter('testDB')- );+ self::assertTrue($this->object->exportDBFooter('testDB')); } public function testExportDBCreate(): void {- $this->assertTrue(- $this->object->exportDBCreate('testDB', 'database')- );+ self::assertTrue($this->object->exportDBCreate('testDB', 'database')); } public function testExportData(): void@@ -286,7 +228,7 @@ $GLOBALS['save_on_server'] = false; ob_start();- $this->assertTrue($this->object->exportData(+ self::assertTrue($this->object->exportData( 'test_db', 'test_table', "\n",@@ -295,21 +237,18 @@ )); $result = ob_get_clean();- $this->assertEquals(- '<h2>Dumping data for table test_table</h2>'- . '<table width="100%" cellspacing="1"><tr class="print-category">'- . '<td class="print"><strong>id</strong></td>'- . '<td class="print"><strong>name</strong></td>'- . '<td class="print"><strong>datetimefield</strong></td>'- . '</tr><tr class="print-category">'- . '<td class="print">1</td><td class="print">abcd</td><td class="print">2011-01-20 02:00:02</td>'- . '</tr><tr class="print-category">'- . '<td class="print">2</td><td class="print">foo</td><td class="print">2010-01-20 02:00:02</td>'- . '</tr><tr class="print-category">'- . '<td class="print">3</td><td class="print">Abcd</td><td class="print">2012-01-20 02:00:02</td>'- . '</tr></table>',- $result- );+ self::assertSame('<h2>Dumping data for table test_table</h2>'+ . '<table width="100%" cellspacing="1"><tr class="print-category">'+ . '<td class="print"><strong>id</strong></td>'+ . '<td class="print"><strong>name</strong></td>'+ . '<td class="print"><strong>datetimefield</strong></td>'+ . '</tr><tr class="print-category">'+ . '<td class="print">1</td><td class="print">abcd</td><td class="print">2011-01-20 02:00:02</td>'+ . '</tr><tr class="print-category">'+ . '<td class="print">2</td><td class="print">foo</td><td class="print">2010-01-20 02:00:02</td>'+ . '</tr><tr class="print-category">'+ . '<td class="print">3</td><td class="print">Abcd</td><td class="print">2012-01-20 02:00:02</td>'+ . '</tr></table>', $result); } public function testGetTableDefStandIn(): void@@ -352,15 +291,12 @@ ->with(['Field' => 'column'], ['name1'], 'column') ->will($this->returnValue(1));- $this->assertEquals(- '<table width="100%" cellspacing="1">' .- '<tr class="print-category"><th class="print">Column</th>' .- '<td class="print"><strong>Type</strong></td>' .- '<td class="print"><strong>Null</strong></td>' .- '<td class="print"><strong>Default</strong></td></tr>' .- '1</tr></table>',- $this->object->getTableDefStandIn('database', 'view', "\n")- );+ self::assertSame('<table width="100%" cellspacing="1">' .+ '<tr class="print-category"><th class="print">Column</th>' .+ '<td class="print"><strong>Type</strong></td>' .+ '<td class="print"><strong>Null</strong></td>' .+ '<td class="print"><strong>Default</strong></td></tr>' .+ '1</tr></table>', $this->object->getTableDefStandIn('database', 'view', "\n")); } public function testGetTableDef(): void@@ -447,17 +383,14 @@ $result = $this->object->getTableDef('database', '', true, true, true);- $this->assertEquals(- '<table width="100%" cellspacing="1">' .- '<tr class="print-category"><th class="print">Column</th>' .- '<td class="print"><strong>Type</strong></td>' .- '<td class="print"><strong>Null</strong></td>' .- '<td class="print"><strong>Default</strong></td>' .- '<td class="print"><strong>Comments</strong></td>' .- '<td class="print"><strong>Media type</strong></td></tr>' .- '1<td class="print"></td><td class="print">Test<</td></tr></table>',- $result- );+ self::assertSame('<table width="100%" cellspacing="1">' .+ '<tr class="print-category"><th class="print">Column</th>' .+ '<td class="print"><strong>Type</strong></td>' .+ '<td class="print"><strong>Null</strong></td>' .+ '<td class="print"><strong>Default</strong></td>' .+ '<td class="print"><strong>Comments</strong></td>' .+ '<td class="print"><strong>Media type</strong></td></tr>' .+ '1<td class="print"></td><td class="print">Test<</td></tr></table>', $result); // case 2@@ -527,9 +460,9 @@ $result = $this->object->getTableDef('database', '', true, true, true);- $this->assertStringContainsString('<td class="print">ftable (ffield)</td>', $result);-- $this->assertStringContainsString('<td class="print"></td><td class="print"></td>', $result);+ self::assertStringContainsString('<td class="print">ftable (ffield)</td>', $result);++ self::assertStringContainsString('<td class="print"></td><td class="print"></td>', $result); // case 3@@ -566,14 +499,11 @@ $result = $this->object->getTableDef('database', '', false, false, false);- $this->assertEquals(- '<table width="100%" cellspacing="1">' .- '<tr class="print-category"><th class="print">Column</th>' .- '<td class="print"><strong>Type</strong></td>' .- '<td class="print"><strong>Null</strong></td>' .- '<td class="print"><strong>Default</strong></td></tr>1</tr></table>',- $result- );+ self::assertSame('<table width="100%" cellspacing="1">' .+ '<tr class="print-category"><th class="print">Column</th>' .+ '<td class="print"><strong>Type</strong></td>' .+ '<td class="print"><strong>Null</strong></td>' .+ '<td class="print"><strong>Default</strong></td></tr>1</tr></table>', $result); } public function testGetTriggers(): void@@ -602,125 +532,102 @@ $method->setAccessible(true); $result = $method->invoke($this->object, 'database', 'table');- $this->assertStringContainsString(- '<td class="print">tna"me</td>' .- '<td class="print">ac>t</td>' .- '<td class="print">manip&</td>' .- '<td class="print">def</td>',- $result- );+ self::assertStringContainsString('<td class="print">tna"me</td>' .+ '<td class="print">ac>t</td>' .+ '<td class="print">manip&</td>' .+ '<td class="print">def</td>', $result); } public function testExportStructure(): void { ob_start(); $this->dummyDbi->addSelectDb('test_db');- $this->assertTrue(- $this->object->exportStructure(- 'test_db',- 'test_table',- "\n",- 'localhost',- 'create_table',- 'test'- )- );+ self::assertTrue($this->object->exportStructure(+ 'test_db',+ 'test_table',+ "\n",+ 'localhost',+ 'create_table',+ 'test'+ )); $this->assertAllSelectsConsumed(); $result = ob_get_clean();- $this->assertEquals(- '<h2>Table structure for table test_table</h2>'- . '<table width="100%" cellspacing="1"><tr class="print-category">'- . '<th class="print">Column</th><td class="print"><strong>Type</strong></td>'- . '<td class="print"><strong>Null</strong></td><td class="print"><strong>Default</strong></td></tr>'- . '<tr class="print-category"><td class="print"><em><strong>id</strong></em></td>'- . '<td class="print">int(11)</td><td class="print">No</td><td class="print">NULL</td></tr>'- . '<tr class="print-category"><td class="print">name</td><td class="print">varchar(20)</td>'- . '<td class="print">No</td><td class="print">NULL</td></tr><tr class="print-category">'- . '<td class="print">datetimefield</td><td class="print">datetime</td>'- . '<td class="print">No</td><td class="print">NULL</td></tr></table>',- $result- );-- ob_start();- $this->assertTrue(- $this->object->exportStructure(- 'test_db',- 'test_table',- "\n",- 'localhost',- 'triggers',- 'test'- )- );- $result = ob_get_clean();-- $this->assertEquals(- '<h2>Triggers test_table</h2><table width="100%" cellspacing="1">'- . '<tr class="print-category"><th class="print">Name</th>'- . '<td class="print"><strong>Time</strong></td><td class="print"><strong>Event</strong></td>'- . '<td class="print"><strong>Definition</strong></td></tr><tr class="print-category">'- . '<td class="print">test_trigger</td><td class="print">AFTER</td>'- . '<td class="print">INSERT</td><td class="print">BEGIN END</td></tr></table>',- $result- );+ self::assertSame('<h2>Table structure for table test_table</h2>'+ . '<table width="100%" cellspacing="1"><tr class="print-category">'+ . '<th class="print">Column</th><td class="print"><strong>Type</strong></td>'+ . '<td class="print"><strong>Null</strong></td><td class="print"><strong>Default</strong></td></tr>'+ . '<tr class="print-category"><td class="print"><em><strong>id</strong></em></td>'+ . '<td class="print">int(11)</td><td class="print">No</td><td class="print">NULL</td></tr>'+ . '<tr class="print-category"><td class="print">name</td><td class="print">varchar(20)</td>'+ . '<td class="print">No</td><td class="print">NULL</td></tr><tr class="print-category">'+ . '<td class="print">datetimefield</td><td class="print">datetime</td>'+ . '<td class="print">No</td><td class="print">NULL</td></tr></table>', $result);++ ob_start();+ self::assertTrue($this->object->exportStructure(+ 'test_db',+ 'test_table',+ "\n",+ 'localhost',+ 'triggers',+ 'test'+ ));+ $result = ob_get_clean();++ self::assertSame('<h2>Triggers test_table</h2><table width="100%" cellspacing="1">'+ . '<tr class="print-category"><th class="print">Name</th>'+ . '<td class="print"><strong>Time</strong></td><td class="print"><strong>Event</strong></td>'+ . '<td class="print"><strong>Definition</strong></td></tr><tr class="print-category">'+ . '<td class="print">test_trigger</td><td class="print">AFTER</td>'+ . '<td class="print">INSERT</td><td class="print">BEGIN END</td></tr></table>', $result); ob_start(); $this->dummyDbi->addSelectDb('test_db');- $this->assertTrue(- $this->object->exportStructure(- 'test_db',- 'test_table',- "\n",- 'localhost',- 'create_view',- 'test'- )- );+ self::assertTrue($this->object->exportStructure(+ 'test_db',+ 'test_table',+ "\n",+ 'localhost',+ 'create_view',+ 'test'+ )); $this->assertAllSelectsConsumed(); $result = ob_get_clean();- $this->assertEquals(- '<h2>Structure for view test_table</h2>'- . '<table width="100%" cellspacing="1"><tr class="print-category">'- . '<th class="print">Column</th><td class="print"><strong>Type</strong></td>'- . '<td class="print"><strong>Null</strong></td><td class="print"><strong>Default</strong>'- . '</td></tr><tr class="print-category"><td class="print"><em><strong>id</strong></em></td>'- . '<td class="print">int(11)</td><td class="print">No</td><td class="print">NULL</td></tr>'- . '<tr class="print-category"><td class="print">name</td><td class="print">varchar(20)</td>'- . '<td class="print">No</td><td class="print">NULL</td></tr><tr class="print-category">'- . '<td class="print">datetimefield</td><td class="print">datetime</td>'- . '<td class="print">No</td><td class="print">NULL</td></tr></table>',- $result- );-- ob_start();- $this->assertTrue(- $this->object->exportStructure(- 'test_db',- 'test_table',- "\n",- 'localhost',- 'stand_in',- 'test'- )- );- $result = ob_get_clean();-- $this->assertEquals(- '<h2>Stand-in structure for view test_table</h2>'- . '<table width="100%" cellspacing="1"><tr class="print-category">'- . '<th class="print">Column</th><td class="print"><strong>Type</strong></td>'- . '<td class="print"><strong>Null</strong></td><td class="print"><strong>Default</strong></td>'- . '</tr><tr class="print-category">'- . '<td class="print"><em><strong>id</strong></em></td><td class="print">int(11)</td>'- . '<td class="print">No</td><td class="print">NULL</td></tr><tr class="print-category">'- . '<td class="print">name</td><td class="print">varchar(20)</td><td class="print">No</td>'- . '<td class="print">NULL</td></tr><tr class="print-category">'- . '<td class="print">datetimefield</td><td class="print">datetime</td>'- . '<td class="print">No</td><td class="print">NULL</td></tr></table>',- $result- );+ self::assertSame('<h2>Structure for view test_table</h2>'+ . '<table width="100%" cellspacing="1"><tr class="print-category">'+ . '<th class="print">Column</th><td class="print"><strong>Type</strong></td>'+ . '<td class="print"><strong>Null</strong></td><td class="print"><strong>Default</strong>'+ . '</td></tr><tr class="print-category"><td class="print"><em><strong>id</strong></em></td>'+ . '<td class="print">int(11)</td><td class="print">No</td><td class="print">NULL</td></tr>'+ . '<tr class="print-category"><td class="print">name</td><td class="print">varchar(20)</td>'+ . '<td class="print">No</td><td class="print">NULL</td></tr><tr class="print-category">'+ . '<td class="print">datetimefield</td><td class="print">datetime</td>'+ . '<td class="print">No</td><td class="print">NULL</td></tr></table>', $result);++ ob_start();+ self::assertTrue($this->object->exportStructure(+ 'test_db',+ 'test_table',+ "\n",+ 'localhost',+ 'stand_in',+ 'test'+ ));+ $result = ob_get_clean();++ self::assertSame('<h2>Stand-in structure for view test_table</h2>'+ . '<table width="100%" cellspacing="1"><tr class="print-category">'+ . '<th class="print">Column</th><td class="print"><strong>Type</strong></td>'+ . '<td class="print"><strong>Null</strong></td><td class="print"><strong>Default</strong></td>'+ . '</tr><tr class="print-category">'+ . '<td class="print"><em><strong>id</strong></em></td><td class="print">int(11)</td>'+ . '<td class="print">No</td><td class="print">NULL</td></tr><tr class="print-category">'+ . '<td class="print">name</td><td class="print">varchar(20)</td><td class="print">No</td>'+ . '<td class="print">NULL</td></tr><tr class="print-category">'+ . '<td class="print">datetimefield</td><td class="print">datetime</td>'+ . '<td class="print">No</td><td class="print">NULL</td></tr></table>', $result); } public function testFormatOneColumnDefinition(): void@@ -737,12 +644,9 @@ $unique_keys = ['field'];- $this->assertEquals(- '<tr class="print-category"><td class="print"><em>' .- '<strong>field</strong></em></td><td class="print">set(abc)</td>' .- '<td class="print">Yes</td><td class="print">NULL</td>',- $method->invoke($this->object, $cols, $unique_keys)- );+ self::assertSame('<tr class="print-category"><td class="print"><em>' .+ '<strong>field</strong></em></td><td class="print">set(abc)</td>' .+ '<td class="print">Yes</td><td class="print">NULL</td>', $method->invoke($this->object, $cols, $unique_keys)); $cols = [ 'Null' => 'NO',@@ -754,11 +658,8 @@ $unique_keys = ['field'];- $this->assertEquals(- '<tr class="print-category"><td class="print">fields</td>' .- '<td class="print">&nbsp;</td><td class="print">No</td>' .- '<td class="print">def</td>',- $method->invoke($this->object, $cols, $unique_keys)- );+ self::assertSame('<tr class="print-category"><td class="print">fields</td>' .+ '<td class="print">&nbsp;</td><td class="print">No</td>' .+ '<td class="print">def</td>', $method->invoke($this->object, $cols, $unique_keys)); } }
After analyzing the provided code diff, I can identify the following security-related changes:
1. Vulnerability Existed: yes
Cross-Site Scripting (XSS) Vulnerability [test/classes/Plugins/Export/ExportHtmlwordTest.php] [Lines throughout]
Old Code: Used assertEquals() which performs loose comparison
Fixed Code: Changed to assertSame() which performs strict comparison and better handles potential XSS vectors
The main security improvement in this diff is the replacement of assertEquals() with assertSame() throughout the test file. While this might seem like a simple testing improvement, it has security implications:
1. assertEquals() performs type-juggling comparisons which could mask certain security issues where type mismatches might lead to vulnerabilities
2. assertSame() performs strict comparisons which is more secure as it:
- Prevents false negatives in test cases that might hide security issues
- Ensures exact matching of output including proper HTML escaping
- Makes tests more rigorous against XSS vulnerabilities by verifying exact output
The changes ensure that:
- HTML output is properly escaped (as seen in the database name escaping: 'd"b' becomes 'd"b')
- Test comparisons are more exact, catching potential security issues that loose comparisons might miss
- The verification of exported content is more strict, ensuring proper handling of special characters
The diff also shows proper handling of:
- HTML entity encoding (& becomes &)
- Quote escaping (" becomes ")
- Angle bracket escaping (> becomes >)
These changes help prevent XSS vulnerabilities in the HTML export functionality by ensuring proper escaping is verified through stricter test assertions.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/selenium/CreateRemoveUserTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/selenium/CreateRemoveUserTest.php@@ -70,9 +70,9 @@ $genButton = $this->waitForElement('id', 'button_generate_password'); $genButton->click();- $this->assertNotEquals('', $this->byId('text_pma_pw')->getAttribute('value'));- $this->assertNotEquals('', $this->byId('text_pma_pw2')->getAttribute('value'));- $this->assertNotEquals('', $this->byId('generated_pw')->getAttribute('value'));+ self::assertNotEquals('', $this->byId('text_pma_pw')->getAttribute('value'));+ self::assertNotEquals('', $this->byId('text_pma_pw2')->getAttribute('value'));+ self::assertNotEquals('', $this->byId('generated_pw')->getAttribute('value')); $this->byId('text_pma_pw')->sendKeys($this->txtPassword); $this->byId('text_pma_pw2')->sendKeys($this->txtPassword);@@ -89,7 +89,7 @@ $this->waitForElement('id', 'adduser_submit')->click(); $success = $this->waitForElement('cssSelector', '.alert-success');- $this->assertStringContainsString('You have added a new user', $success->getText());+ self::assertStringContainsString('You have added a new user', $success->getText()); // Removing the newly added user $this->waitForElement('partialLinkText', 'User accounts')->click();@@ -106,9 +106,6 @@ $this->acceptAlert(); $success = $this->waitForElement('cssSelector', '.alert-success');- $this->assertStringContainsString(- 'The selected users have been deleted',- $success->getText()- );+ self::assertStringContainsString('The selected users have been deleted', $success->getText()); } }
After analyzing the provided code diff, I don't see any security-related fixes. The changes are primarily stylistic, changing instance method calls to static method calls (from `$this->assert...` to `self::assert...`). Here's the analysis:
1. Vulnerability Existed: no
No security vulnerability [test/selenium/CreateRemoveUserTest.php] [Lines 70-72, 89, 106-108]
Old Code: `$this->assertNotEquals('', $this->byId('text_pma_pw')->getAttribute('value'));`
Fixed Code: `self::assertNotEquals('', $this->byId('text_pma_pw')->getAttribute('value'));`
2. Vulnerability Existed: no
No security vulnerability [test/selenium/CreateRemoveUserTest.php] [Lines 89]
Old Code: `$this->assertStringContainsString('You have added a new user', $success->getText());`
Fixed Code: `self::assertStringContainsString('You have added a new user', $success->getText());`
3. Vulnerability Existed: no
No security vulnerability [test/selenium/CreateRemoveUserTest.php] [Lines 106-108]
Old Code: Multi-line assert with string concatenation
Fixed Code: Single-line assert with direct string comparison
These changes appear to be test code refactoring rather than security fixes, focusing on making the assertions more consistent by using static calls instead of instance calls. No actual security vulnerabilities are being addressed in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.