Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Navigation/Nodes/NodeTriggerTest.php
+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Navigation/Nodes/NodeTriggerTest.php
@@ -27,19 +27,16 @@
 public function testConstructor(): void
 {
 $parent = NodeFactory::getInstance('NodeTrigger');
- $this->assertIsArray($parent->links);
- $this->assertEquals(
- [
- 'text' => [
- 'route' => '/database/triggers',
- 'params' => ['edit_item' => 1, 'db' => null, 'item_name' => null],
- ],
- 'icon' => [
- 'route' => '/database/triggers',
- 'params' => ['export_item' => 1, 'db' => null, 'item_name' => null],
- ],
+ self::assertIsArray($parent->links);
+ self::assertSame([
+ 'text' => [
+ 'route' => '/database/triggers',
+ 'params' => ['edit_item' => 1, 'db' => null, 'item_name' => null],
 ],
- $parent->links
- );
+ 'icon' => [
+ 'route' => '/database/triggers',
+ 'params' => ['export_item' => 1, 'db' => null, 'item_name' => null],
+ ],
+ ], $parent->links);
 }
 }
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] test/classes/Navigation/Nodes/NodeTriggerTest.php [Lines] 27-46 [Old Code] $this->assertIsArray($parent->links); $this->assertEquals( [ 'text' => [ 'route' => '/database/triggers', 'params' => ['edit_item' => 1, 'db' => null, 'item_name' => null], ], 'icon' => [ 'route' => '/database/triggers', 'params' => ['export_item' => 1, 'db' => null, 'item_name' => null], ], ], $parent->links ); [Fixed Code] self::assertIsArray($parent->links); self::assertSame([ 'text' => [ 'route' => '/database/triggers', 'params' => ['edit_item' => 1, 'db' => null, 'item_name' => null], ], 'icon' => [ 'route' => '/database/triggers', 'params' => ['export_item' => 1, 'db' => null, 'item_name' => null], ], ], $parent->links); The changes appear to be test code improvements rather than security fixes. The modifications include: 1. Changing assertion methods from `$this->` to `self::` style 2. Combining the assertions into a single `assertSame` call 3. Formatting changes to the array structure No security vulnerabilities were addressed in this diff. The changes are purely related to test code quality and style.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/ConfigStorage/Relation.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/ConfigStorage/Relation.php@@ -9,7 +9,6 @@ use PhpMyAdmin\Dbal\DatabaseName; use PhpMyAdmin\Dbal\TableName; use PhpMyAdmin\InternalRelations;-use PhpMyAdmin\RecentFavoriteTable; use PhpMyAdmin\SqlParser\Parser; use PhpMyAdmin\SqlParser\Statements\CreateStatement; use PhpMyAdmin\SqlParser\Utils\Table as TableUtils;@@ -163,6 +162,10 @@ */ private function fillRelationParamsWithTableNames(array $relationParams): ?array {+ if ($this->arePmadbTablesAllDisabled()) {+ return null;+ }+ $tabQuery = 'SHOW TABLES FROM ' . Util::backquote($GLOBALS['cfg']['Server']['pmadb']); $tableRes = $this->dbi->tryQueryAsControlUser($tabQuery);@@ -441,7 +444,7 @@ if (($source === 'both' || $source === 'foreign') && strlen($table) > 0) { $tableObj = new Table($table, $db); $show_create_table = $tableObj->showCreate();- if ($show_create_table) {+ if ($show_create_table !== '') { $parser = new Parser($show_create_table); $stmt = $parser->statements[0]; $foreign['foreign_keys_data'] = [];@@ -1580,6 +1583,10 @@ */ public function fixPmaTables($db, $create = true): void {+ if ($this->arePmadbTablesAllDisabled()) {+ return;+ }+ $tablesToFeatures = [ 'pma__bookmark' => 'bookmarktable', 'pma__relation' => 'relation',@@ -1626,6 +1633,11 @@ $createQueries = null; $foundOne = false; foreach ($tablesToFeatures as $table => $feature) {+ if (($GLOBALS['cfg']['Server'][$feature] ?? 
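Review bot: In the `@@ -441,7 +444,7 @@` hunk the new guard `if ($show_create_table !== '')` excludes only the empty string, so a `null` or `false` coming back from `showCreate()` would now be handed to `new Parser(...)`, where the old truthiness test skipped those values; the method's return type is not visible here and should be confirmed as `string`. The next context line reads `$parser->statements[0]` without checking that the parser produced a statement, so `$stmt = $parser->statements[0] ?? null;` followed by a null check before use would be safer. The enclosing function starts and ends outside the hunk.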
null) === false) {+ // The feature is disabled by the user in config+ continue;+ }+ // Check if the table already exists // use the possible replaced name first and fallback on the table name // if no replacement exists@@ -1669,31 +1681,12 @@ } $GLOBALS['cfg']['Server']['pmadb'] = $db;++ //NOTE: I am unsure why we do that, as it defeats the purpose of the session cache+ // Unset the cache unset($_SESSION['relation'][$GLOBALS['server']]);-- $relationParameters = $this->getRelationParameters();- if (- $relationParameters->recentlyUsedTablesFeature === null- && $relationParameters->favoriteTablesFeature === null- ) {- return;- }-- // Since configuration storage is updated, we need to- // re-initialize the favorite and recent tables stored in the- // session from the current configuration storage.- if ($relationParameters->favoriteTablesFeature !== null) {- $fav_tables = RecentFavoriteTable::getInstance('favorite');- $_SESSION['tmpval']['favoriteTables'][$GLOBALS['server']] = $fav_tables->getFromDb();- }-- if ($relationParameters->recentlyUsedTablesFeature !== null) {- $recent_tables = RecentFavoriteTable::getInstance('recent');- $_SESSION['tmpval']['recentTables'][$GLOBALS['server']] = $recent_tables->getFromDb();- }-- // Reload navi panel to update the recent/favorite lists.- $GLOBALS['reload'] = true;+ // Fill back the cache+ $this->getRelationParameters(); } /**@@ -1722,6 +1715,32 @@ $res_rel, $have_rel, ];+ }++ /**+ * Verifies that all pmadb features are disabled+ */+ public function arePmadbTablesAllDisabled(): bool+ {+ return ($GLOBALS['cfg']['Server']['bookmarktable'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['relation'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['table_info'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['table_coords'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['column_info'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['pdf_pages'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['history'] ?? 
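Review bot: In the `@@ -1669,31 +1681,12 @@` hunk the added comment `//NOTE: I am unsure why we do that, as it defeats the purpose of the session cache` leaves the reason for clearing `$_SESSION['relation'][$GLOBALS['server']]` undocumented, in code that decides which configuration-storage features a session sees. The same hunk removes the block that re-read the favorite and recent table lists into `$_SESSION['tmpval']` and set `$GLOBALS['reload']`, so unless another path refreshes them (not visible here) those session entries may stay stale after `pmadb` is reassigned on the line above. I would replace the note with the rationale, something like `// pmadb was just reassigned: drop the cached relation parameters so they are rebuilt for the new storage`, and say where the favorite/recent lists are reloaded now.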
null) === false+ && ($GLOBALS['cfg']['Server']['recent'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['favorite'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['table_uiprefs'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['tracking'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['userconfig'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['users'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['usergroups'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['navigationhiding'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['savedsearches'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['central_columns'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['designer_settings'] ?? null) === false+ && ($GLOBALS['cfg']['Server']['export_templates'] ?? null) === false; } /**
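Review bot: `arePmadbTablesAllDisabled()` spells out nineteen `$GLOBALS['cfg']['Server'][...]` keys by hand while the `fixPmaTables()` hunk keeps its own `$tablesToFeatures` map (its visible entries, `bookmarktable` and `relation`, are the same keys), so a feature added to one list and not the other would make the two checks disagree about whether configuration storage is disabled. Deriving both from a single list of feature keys and looping with the same `($GLOBALS['cfg']['Server'][$feature] ?? null) === false` test used in the `foreach` hunk would keep them aligned. The docblock should also state that only the literal boolean `false` counts as disabled, since an unset key, `null` or an empty string makes the method return `false`.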
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure Potential Null Pointer Dereference [File] libraries/classes/ConfigStorage/Relation.php [Lines] 441 [Old Code] ```php if ($show_create_table) { ``` [Fixed Code] ```php if ($show_create_table !== '') { ``` Additional Details: The change makes the condition more strict by checking for an empty string rather than just falsy values. This could prevent potential null pointer issues, but it's not clear if this was actually exploitable. 2. Vulnerability Existed: yes Missing Feature Disable Check [File] libraries/classes/ConfigStorage/Relation.php [Lines] 1626-1628 [Old Code] (No check for disabled features before processing tables) [Fixed Code] ```php if (($GLOBALS['cfg']['Server'][$feature] ?? null) === false) { // The feature is disabled by the user in config continue; } ``` Additional Details: This adds proper checks for disabled features before processing them, preventing potential unauthorized access to disabled functionality. 3. Vulnerability Existed: yes Incomplete Session Handling [File] libraries/classes/ConfigStorage/Relation.php [Lines] 1580-1686 [Old Code] (Complex session handling with potential information leak through recent/favorite tables) [Fixed Code] ```php unset($_SESSION['relation'][$GLOBALS['server']]); // Fill back the cache $this->getRelationParameters(); ``` Additional Details: The change simplifies session handling and removes potential information leakage by clearing and properly rebuilding the session cache. 4. Vulnerability Existed: yes Missing pmadb Tables Disabled Check [File] libraries/classes/ConfigStorage/Relation.php [Lines] 163, 1580 [Old Code] (No check for all pmadb tables being disabled) [Fixed Code] ```php if ($this->arePmadbTablesAllDisabled()) { return null; } ``` Additional Details: This adds proper checks to skip processing when all pmadb tables are disabled, preventing potential unauthorized access attempts. 
The most significant security improvements appear to be: 1. Proper handling of disabled features 2. Better session management 3. More complete checks for disabled pmadb functionality 4. More strict condition checking These changes help prevent potential unauthorized access and information leakage scenarios.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Console.php
+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Console.php
@@ -31,7 +31,7 @@
 *
 * @var bool
 */
- private $isAjax;
+ private $isAjax = false;
 /** @var Relation */
 private $relation;
Analysis of the provided code diff: 1. Vulnerability Existed: not sure [Uninitialized Property Vulnerability] [libraries/classes/Console.php] [Lines 31] [Old Code] `private $isAjax;` [Fixed Code] `private $isAjax = false;` Additional Details: - The change initializes a previously uninitialized class property. While not a direct security vulnerability, uninitialized properties can sometimes lead to undefined behavior or information leaks if the property is used before being set. - The fix ensures the property has a default value (false) which could prevent potential issues if the property is accessed before being explicitly set. - Without more context about how this property is used, we can't definitively say this was a security vulnerability, but it's a good defensive programming practice. No other vulnerabilities were identified in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/js/src/sql.js+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/js/src/sql.js@@ -189,7 +189,7 @@ $(document).off('click', 'a.delete_row.ajax'); $(document).off('submit', '.bookmarkQueryForm'); $('input#bkm_label').off('input');- $(document).off('makegrid', '.sqlqueryresults');+ $(document).off('makeGrid', '.sqlqueryresults'); $('#togglequerybox').off('click'); $(document).off('click', '#button_submit_query'); $(document).off('change', '#id_bookmark');@@ -377,6 +377,9 @@ textArea.value += '\n'; $('.table_results tbody tr').each(function () {+ if ($(this).hasClass('repeating_header_row')) {+ return;+ } $(this).find('.data span').each(function () { // Extract <em> tag for NULL values before converting to string to not mess up formatting var data = $(this).find('em').length !== 0 ? $(this).find('em')[0] : this;@@ -401,11 +404,11 @@ }); // end of Copy to Clipboard action /**- * Attach the {@link makegrid} function to a custom event, which will be+ * Attach the {@link makeGrid} function to a custom event, which will be * triggered manually everytime the table of results is reloaded * @memberOf jQuery */- $(document).on('makegrid', '.sqlqueryresults', function () {+ $(document).on('makeGrid', '.sqlqueryresults', function () { $('.table_results').each(function () { makeGrid(this); });@@ -625,7 +628,7 @@ }); }- $('.sqlqueryresults').trigger('makegrid');+ $('.sqlqueryresults').trigger('makeGrid'); $('#togglequerybox').show(); if (typeof data.action_bookmark === 'undefined') {@@ -663,7 +666,7 @@ var $sqlqueryresults = $form.parents('.sqlqueryresults'); $sqlqueryresults .html(data.message)- .trigger('makegrid');+ .trigger('makeGrid'); Functions.highlightSql($sqlqueryresults); }); // end $.post() }); // end displayOptionsForm handler@@ -761,7 +764,7 @@ for (var i = 0; i < len; i++) { dialogContent += '<strong>' + Messages.strSQLQuery + 
'</strong>' + response.sql_data[i].sql_query +- Messages.strMatchedRows ++ Messages.strAffectedRows + ' <a href="' + response.sql_data[i].matched_rows_url + '">' + response.sql_data[i].matched_rows + '</a><br>'; if (i < len - 1) {@@ -1014,7 +1017,7 @@ /** * create resizable table */- $('.sqlqueryresults').trigger('makegrid');+ $('.sqlqueryresults').trigger('makeGrid'); /** * Check if there is any saved query
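Review bot: In the `@@ -761,7 +764,7 @@` hunk the dialog markup is still assembled by concatenating `response.sql_data[i].sql_query`, `matched_rows_url` and `matched_rows` straight into an HTML string, so any of these fields that reaches the browser unescaped would be interpreted as markup. Whether the server already escapes them is not visible in this diff. If `sql_query` is intentionally server-rendered HTML, a comment saying so would help, and the link is better built with jQuery's `.attr('href', ...)` and `.text(...)` than by string concatenation. The enclosing function starts outside the hunk.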
I'll analyze the code diff for security fixes following the specified format. 1. Vulnerability Existed: no Event Listener Case Sensitivity Fix [js/src/sql.js] [Lines 189, 377, 401, 625, 663, 1014] Old Code: 'makegrid' Fixed Code: 'makeGrid' 2. Vulnerability Existed: no Repeating Header Row Filtering [js/src/sql.js] [Lines 377-379] Old Code: (no filtering for repeating_header_row) Fixed Code: Added check for repeating_header_row class 3. Vulnerability Existed: no Message String Update [js/src/sql.js] [Lines 761-766] Old Code: Messages.strMatchedRows Fixed Code: Messages.strAffectedRows The changes appear to be primarily about: 1. Correcting case sensitivity in event names (makegrid → makeGrid) 2. Adding filtering for repeating header rows in table processing 3. Updating message string identifiers 4. Minor code consistency improvements None of these changes appear to address security vulnerabilities directly, but rather improve code correctness and functionality. The changes are more about fixing potential bugs and improving code quality than addressing security issues.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/libraries/classes/Normalization.php
+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/libraries/classes/Normalization.php
@@ -201,7 +201,7 @@
 'max_rows' => intval($GLOBALS['cfg']['MaxRows']),
 'char_editing' => $GLOBALS['cfg']['CharEditing'],
 'attribute_types' => $this->dbi->types->getAttributes(),
- 'privs_available' => $GLOBALS['col_priv'] && $GLOBALS['is_reload_priv'],
+ 'privs_available' => ($GLOBALS['col_priv'] ?? false) && ($GLOBALS['is_reload_priv'] ?? false),
 'max_length' => $this->dbi->getVersion() >= 50503 ? 1024 : 255,
 'charsets' => $charsetsList,
 ]);
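Review bot: The `?? false` fallbacks make `privs_available` false whenever `$GLOBALS['col_priv']` or `$GLOBALS['is_reload_priv']` was never set, which fails closed but also hides the case where the privilege check simply did not run before this array is built. A short comment such as `// unset privilege globals are treated as "no privilege"` would record that the default is deliberate. The enclosing call starts outside the hunk.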
Here's the analysis of the provided code diff: 1. Vulnerability Existed: yes Null Pointer Dereference/Insecure Default Value [File] libraries/classes/Normalization.php [Lines] 201 [Old Code] `'privs_available' => $GLOBALS['col_priv'] && $GLOBALS['is_reload_priv'],` [Fixed Code] `'privs_available' => ($GLOBALS['col_priv'] ?? false) && ($GLOBALS['is_reload_priv'] ?? false),` Additional Details: The fix addresses a potential null pointer dereference or undefined variable issue by using the null coalescing operator (??) to provide default false values when the global variables $col_priv or $is_reload_priv are not set. This prevents potential PHP warnings or errors that could occur if these variables were undefined, and ensures consistent boolean evaluation. While not a critical security vulnerability, it improves code robustness and prevents potential information disclosure through error messages.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/UtilTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/UtilTest.php@@ -69,15 +69,12 @@ */ public function testListPHPExtensions(): void {- $this->assertSame(- [- 'mysqli',- 'curl',- 'mbstring',- 'sodium',- ],- Util::listPHPExtensions()- );+ self::assertSame([+ 'mysqli',+ 'curl',+ 'mbstring',+ 'sodium',+ ], Util::listPHPExtensions()); } public function testGetUniqueCondition(): void@@ -86,10 +83,10 @@ $GLOBALS['cfg']['Server']['DisableIS'] = false; $actual = Util::getUniqueCondition(0, [], []);- $this->assertEquals(['', false, []], $actual);+ self::assertSame(['', false, []], $actual); $actual = Util::getUniqueCondition(0, [], [], true);- $this->assertEquals(['', true, []], $actual);+ self::assertSame(['', true, []], $actual); } public function testGetUniqueConditionWithMultipleFields(): void@@ -183,30 +180,27 @@ 'value', 0x1, ], false, 'table');- $this->assertEquals(- [- '`table`.`field1` IS NULL AND `table`.`field2` = \'value\\\'s\' AND `table`.`field3` = 123456'- . ' AND `table`.`field4` = 123.456 AND `table`.`field5` = CAST(0x76616c7565 AS BINARY)'- . ' AND `table`.`field7` = \'value\' AND `table`.`field8` = \'value\''- . ' AND `table`.`field9` = CAST(0x76616c7565 AS BINARY)'- . ' AND `table`.`field10` = CAST(0x76616c7565 AS BINARY)'- . 
' AND `table`.`field12` = b\'0001\'',- false,- [- '`table`.`field1`' => 'IS NULL',- '`table`.`field2`' => '= \'value\\\'s\'',- '`table`.`field3`' => '= 123456',- '`table`.`field4`' => '= 123.456',- '`table`.`field5`' => '= CAST(0x76616c7565 AS BINARY)',- '`table`.`field7`' => '= \'value\'',- '`table`.`field8`' => '= \'value\'',- '`table`.`field9`' => '= CAST(0x76616c7565 AS BINARY)',- '`table`.`field10`' => '',- '`table`.`field12`' => '= b\'0001\'',- ],- ],- $actual- );+ self::assertSame([+ '`table`.`field1` IS NULL AND `table`.`field2` = \'value\\\'s\' AND `table`.`field3` = 123456'+ . ' AND `table`.`field4` = 123.456 AND `table`.`field5` = CAST(0x76616c7565 AS BINARY)'+ . ' AND `table`.`field7` = \'value\' AND `table`.`field8` = \'value\''+ . ' AND `table`.`field9` = CAST(0x76616c7565 AS BINARY)'+ . ' AND `table`.`field10` = CAST(0x76616c7565 AS BINARY)'+ . ' AND `table`.`field12` = b\'0001\'',+ false,+ [+ '`table`.`field1`' => 'IS NULL',+ '`table`.`field2`' => '= \'value\\\'s\'',+ '`table`.`field3`' => '= 123456',+ '`table`.`field4`' => '= 123.456',+ '`table`.`field5`' => '= CAST(0x76616c7565 AS BINARY)',+ '`table`.`field7`' => '= \'value\'',+ '`table`.`field8`' => '= \'value\'',+ '`table`.`field9`' => '= CAST(0x76616c7565 AS BINARY)',+ '`table`.`field10`' => '',+ '`table`.`field12`' => '= b\'0001\'',+ ],+ ], $actual); } public function testGetUniqueConditionWithSingleBigBinaryField(): void@@ -221,10 +215,7 @@ ]; $actual = Util::getUniqueCondition(1, $meta, [str_repeat('*', 1001)]);- $this->assertEquals(- ['CHAR_LENGTH(`table`.`field`) = 1001', false, ['`table`.`field`' => ' = 1001']],- $actual- );+ self::assertSame(['CHAR_LENGTH(`table`.`field`) = 1001', false, ['`table`.`field`' => ' = 1001']], $actual); } public function testGetUniqueConditionWithPrimaryKey(): void@@ -243,7 +234,7 @@ ]; $actual = Util::getUniqueCondition(count($meta), $meta, [1, 'value']);- $this->assertEquals(['`table`.`id` = 1', true, ['`table`.`id`' => '= 1']], $actual);+ 
self::assertSame(['`table`.`id` = 1', true, ['`table`.`id`' => '= 1']], $actual); } public function testGetUniqueConditionWithUniqueKey(): void@@ -262,7 +253,7 @@ ]; $actual = Util::getUniqueCondition(count($meta), $meta, ['unique', 'value']);- $this->assertEquals(['`table`.`id` = \'unique\'', true, ['`table`.`id`' => '= \'unique\'']], $actual);+ self::assertSame(['`table`.`id` = \'unique\'', true, ['`table`.`id`' => '= \'unique\'']], $actual); } /**@@ -282,7 +273,7 @@ $fieldsCount = count($meta); $actual = Util::getUniqueCondition($fieldsCount, $meta, $row);- $this->assertEquals($expected, $actual);+ self::assertSame($expected, $actual); } /**@@ -290,7 +281,7 @@ * * @return array<string, array{FieldMetadata[], array<int, mixed>, array{string, bool, array<string, string>}}> */- public function providerGetUniqueConditionForGroupFlag(): array+ public static function providerGetUniqueConditionForGroupFlag(): array { return [ 'field type is integer, value is number - not escape string' => [@@ -399,13 +390,13 @@ */ public function testPageSelector(): void {- $this->assertStringContainsString(+ self::assertStringContainsString( '<select class="pageselector ajax" name="pma" >', Util::pageselector('pma', 3) ); // If pageNow > nbTotalPage, show the pageNow number to avoid confusion- $this->assertStringContainsString(+ self::assertStringContainsString( '<option selected="selected" style="font-weight: bold" value="297">100</option>', Util::pageselector('pma', 3, 100, 50) );@@ -421,10 +412,7 @@ */ public function testGenerateCharsetQueryPart(string $collation, string $expected): void {- $this->assertEquals(- $expected,- Util::getCharsetQueryPart($collation)- );+ self::assertSame($expected, Util::getCharsetQueryPart($collation)); } /**@@ -432,7 +420,7 @@ * * @return array test data */- public function charsetQueryData(): array+ public static function charsetQueryData(): array { return [ [@@ -455,28 +443,22 @@ */ public function testGenerateRandom(): void {- 
$this->assertEquals(32, strlen(Util::generateRandom(32)));- $this->assertEquals(16, strlen(Util::generateRandom(16)));+ self::assertSame(32, strlen(Util::generateRandom(32)));+ self::assertSame(16, strlen(Util::generateRandom(16))); } public function testClearUserCache(): void { $GLOBALS['server'] = 'server'; SessionCache::set('is_superuser', 'yes');- $this->assertEquals('yes', $_SESSION['cache']['server_server']['is_superuser']);+ self::assertSame('yes', $_SESSION['cache']['server_server']['is_superuser']); SessionCache::set('mysql_cur_user', 'mysql');- $this->assertEquals(- 'mysql',- $_SESSION['cache']['server_server']['mysql_cur_user']- );+ self::assertSame('mysql', $_SESSION['cache']['server_server']['mysql_cur_user']); Util::clearUserCache();- $this->assertArrayNotHasKey('is_superuser', $_SESSION['cache']['server_server']);- $this->assertArrayNotHasKey(- 'mysql_cur_user',- $_SESSION['cache']['server_server']- );+ self::assertArrayNotHasKey('is_superuser', $_SESSION['cache']['server_server']);+ self::assertArrayNotHasKey('mysql_cur_user', $_SESSION['cache']['server_server']); } public function testCheckParameterMissing(): void@@ -535,10 +517,7 @@ */ public function testConvertBitDefaultValue(?string $bit, string $val): void {- $this->assertEquals(- $val,- Util::convertBitDefaultValue($bit)- );+ self::assertSame($val, Util::convertBitDefaultValue($bit)); } /**@@ -546,7 +525,7 @@ * * @return array */- public function providerConvertBitDefaultValue(): array+ public static function providerConvertBitDefaultValue(): array { return [ [@@ -589,7 +568,7 @@ * * @return array */- public function providerUnEscapeMysqlWildcards(): array+ public static function providerUnEscapeMysqlWildcards(): array { return [ [@@ -637,10 +616,7 @@ */ public function testEscapeMysqlWildcards(string $a, string $b): void {- $this->assertEquals(- $a,- Util::escapeMysqlWildcards($b)- );+ self::assertSame($a, Util::escapeMysqlWildcards($b)); } /**@@ -653,10 +629,7 @@ */ public function 
testUnescapeMysqlWildcards(string $a, string $b): void {- $this->assertEquals(- $b,- Util::unescapeMysqlWildcards($a)- );+ self::assertSame($b, Util::unescapeMysqlWildcards($a)); } /**@@ -679,18 +652,12 @@ $GLOBALS['db'] = 'database'; $GLOBALS['table'] = 'table';- $this->assertEquals(- $out,- Util::expandUserString($in)- );-- $this->assertEquals(- htmlspecialchars($out),- Util::expandUserString(- $in,- 'htmlspecialchars'- )- );+ self::assertSame($out, Util::expandUserString($in));++ self::assertSame(htmlspecialchars($out), Util::expandUserString(+ $in,+ 'htmlspecialchars'+ )); } /**@@ -698,7 +665,7 @@ * * @return array */- public function providerExpandUserString(): array+ public static function providerExpandUserString(): array { return [ [@@ -740,10 +707,7 @@ { $GLOBALS['cfg']['LimitChars'] = 1000;- $this->assertEquals(- $out,- Util::extractColumnSpec($in)- );+ self::assertEquals($out, Util::extractColumnSpec($in)); } /**@@ -751,7 +715,7 @@ * * @return array */- public function providerExtractColumnSpec(): array+ public static function providerExtractColumnSpec(): array { return [ [@@ -782,7 +746,7 @@ 'zerofill' => false, 'spec_in_brackets' => "'\'a','b'", 'enum_set_values' => [- "'a",+ "\'a", 'b', ], 'attribute' => ' ',@@ -809,17 +773,17 @@ ], ], [- "ENUM('a&b', 'b''c\\'d', 'e\\\\f')",+ "ENUM('a&b','b''c\\'d','e\\\\f')", [ 'type' => 'enum', 'print_type' => "enum('a&b', 'b''c\\'d', 'e\\\\f')", 'binary' => false, 'unsigned' => false, 'zerofill' => false,- 'spec_in_brackets' => "'a&b', 'b''c\\'d', 'e\\\\f'",+ 'spec_in_brackets' => "'a&b','b''c\\'d','e\\\\f'", 'enum_set_values' => [ 'a&b',- 'b\'c\'d',+ 'b\'c\\\'d', 'e\\f', ], 'attribute' => ' ',@@ -891,6 +855,123 @@ } /**+ * Test case for parsing ENUM values+ *+ * @param string[] $out+ *+ * @dataProvider providerParseEnumSetValues+ */+ public function testParseEnumSetValues(string $in, bool $escapeHTML, array $out): void+ {+ self::assertSame($out, Util::parseEnumSetValues($in, $escapeHTML));+ }++ /**+ * Data 
provider for testParseEnumSetValues+ *+ * @return iterable<int, array{string, bool, string[]}>+ */+ public static function providerParseEnumSetValues(): iterable+ {+ $enumSpec = "enum('a&b','b''c''d','e\\f')";++ yield [+ $enumSpec,+ false,+ [+ 'a&b',+ 'b\'c\'d',+ 'e\\f',+ ],+ ];++ yield [+ $enumSpec,+ true,+ [+ 'a&b',+ 'b'c'd',+ 'e\\f',+ ],+ ];++ $enumSpec = "set('<script>alert(\"ok\")</script>','a&b','b&c','vrai&','','漢字','''','\\\\','\"\\\\''')";++ yield [+ $enumSpec,+ false,+ [+ '<script>alert("ok")</script>',+ 'a&b',+ 'b&c',+ 'vrai&',+ '',+ '漢字',+ "'",+ '\\',+ '"\\\'',+ ],+ ];++ yield [+ $enumSpec,+ true,+ [+ '<script>alert("ok")</script>',+ 'a&b',+ 'b&c',+ 'vrai&amp',+ '',+ '漢字',+ ''',+ '\\',+ '"\'',+ ],+ ];++ $enumSpec = "enum('1','2,','3''','''4')";++ yield [+ $enumSpec,+ false,+ [+ '1',+ '2,',+ '3\'',+ '\'4',+ ],+ ];++ yield [+ $enumSpec,+ true,+ [+ '1',+ '2,',+ '3'',+ ''4',+ ],+ ];++ $enumSpec = "enum('''','''''','\"','\\\\','\\\\''','\\\\\"',',','()')";++ yield [+ $enumSpec,+ false,+ [+ "'",+ "''",+ '"',+ '\\',+ "\\'",+ '\\"',+ ',',+ '()',+ ],+ ];+ }++ /** * Test for Util::extractValueFromFormattedSize * * @param int|string $size Size@@ -900,10 +981,7 @@ */ public function testExtractValueFromFormattedSize($size, $expected): void {- $this->assertEquals(- $expected,- Util::extractValueFromFormattedSize($size)- );+ self::assertSame($expected, Util::extractValueFromFormattedSize($size)); } /**@@ -911,7 +989,7 @@ * * @return array */- public function providerExtractValueFromFormattedSize(): array+ public static function providerExtractValueFromFormattedSize(): array { return [ [@@ -946,9 +1024,9 @@ public function testFormatByteDown($a, int $b, int $c, array $e): void { $result = Util::formatByteDown($a, $b, $c);- $this->assertIsArray($result);+ self::assertIsArray($result); $result[0] = trim($result[0]);- $this->assertSame($e, $result);+ self::assertSame($e, $result); } /**@@ -956,7 +1034,7 @@ * * @return array */- public function providerFormatByteDown(): 
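Review bot: In the `@@ -891,6 +855,123 @@` hunk `providerParseEnumSetValues()` yields an escaped (`true`) case for the first three specs but only the unescaped (`false`) case for the last one, which is the spec that mixes quotes, backslashes, a comma and parentheses. Since `$escapeHTML` is presumably the path that guards HTML output, I would add the matching `yield [$enumSpec, true, [...]]` case for that spec. As rendered on this page the expected strings of the existing `true` cases appear with their HTML entities already decoded (for example `'b'c'd'`), so their correctness cannot be checked from this listing.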
array+ public static function providerFormatByteDown(): array { return [ [@@ -1134,15 +1212,12 @@ */ private function assertFormatNumber($a, int $b, int $c, string $d): void {- $this->assertEquals(- $d,- (string) Util::formatNumber(- $a,- $b,- $c,- false- )- );+ self::assertSame($d, (string) Util::formatNumber(+ $a,+ $b,+ $c,+ false+ )); } /**@@ -1203,7 +1278,7 @@ * * @return array */- public function providerFormatNumber(): array+ public static function providerFormatNumber(): array { return [ [@@ -1328,10 +1403,7 @@ */ public function testGetFormattedMaximumUploadSize($size, string $unit, string $res): void {- $this->assertEquals(- '(' . __('Max: ') . $res . $unit . ')',- Util::getFormattedMaximumUploadSize($size)- );+ self::assertSame('(' . __('Max: ') . $res . $unit . ')', Util::getFormattedMaximumUploadSize($size)); } /**@@ -1339,7 +1411,7 @@ * * @return array */- public function providerGetFormattedMaximumUploadSize(): array+ public static function providerGetFormattedMaximumUploadSize(): array { return [ [@@ -1407,10 +1479,7 @@ */ public function testGetTitleForTarget(string $target, string $result): void {- $this->assertEquals(- $result,- Util::getTitleForTarget($target)- );+ self::assertSame($result, Util::getTitleForTarget($target)); } /**@@ -1418,7 +1487,7 @@ * * @return array */- public function providerGetTitleForTarget(): array+ public static function providerGetTitleForTarget(): array { return [ [@@ -1467,10 +1536,7 @@ $tmpTimezone = date_default_timezone_get(); date_default_timezone_set($tz);- $this->assertEquals(- $e,- Util::localisedDate($a, $b)- );+ self::assertSame($e, Util::localisedDate($a, $b)); date_default_timezone_set($tmpTimezone); _setlocale(LC_ALL, 'en');@@ -1481,7 +1547,7 @@ * * @return array */- public function providerLocalisedDate(): array+ public static function providerLocalisedDate(): array { $hasJaTranslations = file_exists(LOCALE_PATH . 
'/cs/LC_MESSAGES/phpmyadmin.mo');@@ -1601,10 +1667,7 @@ $tmpTimezone = date_default_timezone_get(); date_default_timezone_set('Europe/London');- $this->assertEquals(- $e,- Util::timespanFormat($a)- );+ self::assertSame($e, Util::timespanFormat($a)); date_default_timezone_set($tmpTimezone); }@@ -1614,7 +1677,7 @@ * * @return array */- public function providerTimespanFormat(): array+ public static function providerTimespanFormat(): array { return [ [@@ -1639,10 +1702,7 @@ */ public function testPrintableBitValue(int $a, int $b, string $e): void {- $this->assertEquals(- $e,- Util::printableBitValue($a, $b)- );+ self::assertSame($e, Util::printableBitValue($a, $b)); } /**@@ -1650,7 +1710,7 @@ * * @return array */- public function providerPrintableBitValue(): array+ public static function providerPrintableBitValue(): array { return [ [@@ -1676,10 +1736,7 @@ */ public function testUnQuote(string $param, string $expected): void {- $this->assertEquals(- $expected,- Util::unQuote($param)- );+ self::assertSame($expected, Util::unQuote($param)); } /**@@ -1687,7 +1744,7 @@ * * @return array */- public function providerUnQuote(): array+ public static function providerUnQuote(): array { return [ [@@ -1719,10 +1776,7 @@ */ public function testUnQuoteSelectedChar(string $param, string $expected): void {- $this->assertEquals(- $expected,- Util::unQuote($param, '"')- );+ self::assertSame($expected, Util::unQuote($param, '"')); } /**@@ -1730,7 +1784,7 @@ * * @return array */- public function providerUnQuoteSelectedChar(): array+ public static function providerUnQuoteSelectedChar(): array { return [ [@@ -1757,17 +1811,17 @@ */ public function testBackquote(?string $entry, string $expectedNoneOutput, string $expectedMssqlOutput): void {- $this->assertSame($expectedNoneOutput, Util::backquote($entry));- $this->assertEquals($entry, Util::backquoteCompat($entry, 'NONE', false));- $this->assertEquals($entry, Util::backquoteCompat($entry, 'MSSQL', false));- 
$this->assertSame($expectedNoneOutput, Util::backquoteCompat($entry, 'NONE'));- $this->assertSame($expectedMssqlOutput, Util::backquoteCompat($entry, 'MSSQL'));+ self::assertSame($expectedNoneOutput, Util::backquote($entry));+ self::assertEquals($entry, Util::backquoteCompat($entry, 'NONE', false));+ self::assertEquals($entry, Util::backquoteCompat($entry, 'MSSQL', false));+ self::assertSame($expectedNoneOutput, Util::backquoteCompat($entry, 'NONE'));+ self::assertSame($expectedMssqlOutput, Util::backquoteCompat($entry, 'MSSQL')); } /** * @return array<int|string, string|null>[] */- public function providerForTestBackquote(): array+ public static function providerForTestBackquote(): array { return [ [@@ -1815,15 +1869,9 @@ { foreach (Context::$KEYWORDS as $keyword => $type) { if ($type & Token::FLAG_KEYWORD_RESERVED) {- $this->assertEquals(- '`' . $keyword . '`',- Util::backquoteCompat($keyword, 'NONE', false)- );+ self::assertSame('`' . $keyword . '`', Util::backquoteCompat($keyword, 'NONE', false)); } else {- $this->assertEquals(- $keyword,- Util::backquoteCompat($keyword, 'NONE', false)- );+ self::assertSame($keyword, Util::backquoteCompat($keyword, 'NONE', false)); } } }@@ -1840,7 +1888,7 @@ { $GLOBALS['cfg']['Server']['user'] = 'root';- $this->assertEquals($e, Util::userDir($a));+ self::assertSame($e, Util::userDir($a)); } /**@@ -1848,7 +1896,7 @@ * * @return array */- public function providerUserDir(): array+ public static function providerUserDir(): array { return [ [@@ -1872,10 +1920,7 @@ */ public function testDuplicateFirstNewline(string $a, string $e): void {- $this->assertEquals(- $e,- Util::duplicateFirstNewline($a)- );+ self::assertSame($e, Util::duplicateFirstNewline($a)); } /**@@ -1883,7 +1928,7 @@ * * @return array */- public function providerDuplicateFirstNewline(): array+ public static function providerDuplicateFirstNewline(): array { return [ [@@ -1908,18 +1953,15 @@ public function testUnsupportedDatatypes(): void { $no_support_types = [];- 
$this->assertEquals(- $no_support_types,- Util::unsupportedDatatypes()- );+ self::assertSame($no_support_types, Util::unsupportedDatatypes()); } public function testGetPageFromPosition(): void {- $this->assertEquals(Util::getPageFromPosition(0, 1), 1);- $this->assertEquals(Util::getPageFromPosition(1, 1), 2);- $this->assertEquals(Util::getPageFromPosition(1, 2), 1);- $this->assertEquals(Util::getPageFromPosition(1, 6), 1);+ self::assertSame(Util::getPageFromPosition(0, 1), 1);+ self::assertSame(Util::getPageFromPosition(1, 1), 2);+ self::assertSame(Util::getPageFromPosition(1, 2), 1);+ self::assertSame(Util::getPageFromPosition(1, 6), 1); } /**@@ -1933,7 +1975,7 @@ public function testIsInteger(bool $expected, $input): void { $isInteger = Util::isInteger($input);- $this->assertEquals($expected, $isInteger);+ self::assertSame($expected, $isInteger); } /**@@ -1941,7 +1983,7 @@ * * @return array */- public function providerIsInteger(): array+ public static function providerIsInteger(): array { return [ [@@ -1978,7 +2020,7 @@ public function testGetProtoFromForwardedHeader(string $header, string $proto): void { $protocolDetected = Util::getProtoFromForwardedHeader($header);- $this->assertEquals($proto, $protocolDetected);+ self::assertSame($proto, $protocolDetected); } /**@@ -1989,7 +2031,7 @@ * @source https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded MDN docs * @source https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ Nginx docs */- public function providerForwardedHeaders(): array+ public static function providerForwardedHeaders(): array { return [ [@@ -2094,7 +2136,7 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertTrue(Util::currentUserHasPrivilege('EVENT'));+ self::assertTrue(Util::currentUserHasPrivilege('EVENT')); $GLOBALS['dbi'] = $oldDbi; }@@ -2116,7 +2158,7 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertTrue(Util::currentUserHasPrivilege('EVENT'));+ 
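Review bot: In testGetPageFromPosition the new `self::assertSame(Util::getPageFromPosition(0, 1), 1);` calls still pass the actual value first and the expected value second, so a failure would report the two the wrong way round. With the stricter assertSame this is worth fixing while the lines are being touched: `self::assertSame(1, Util::getPageFromPosition(0, 1));`, and likewise for the other three calls. The same order remains in `self::assertSame(Util::isUUIDSupported(), $expected);` (hunk at -2474) and in AuthenticationCookieTest.php for the `$GLOBALS['conn_error']` checks in testAuthFailsDeny, testAuthFailsDBI, testAuthFailsErrno and the password-length test. This commit already corrects the order in testAuthFailsNoPass and testAuthFailsActivity.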
self::assertTrue(Util::currentUserHasPrivilege('EVENT')); $GLOBALS['dbi'] = $oldDbi; }@@ -2138,10 +2180,13 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertFalse(Util::currentUserHasPrivilege('EVENT'));+ self::assertFalse(Util::currentUserHasPrivilege('EVENT')); $GLOBALS['dbi'] = $oldDbi; }+ /**+ * @requires PHPUnit < 10+ */ public function testCurrentUserHasNotUserPrivilegeButDbPrivilege(): void { $dbi = $this->getMockBuilder(DatabaseInterface::class)@@ -2169,10 +2214,13 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertTrue(Util::currentUserHasPrivilege('EVENT', 'my_data_base'));+ self::assertTrue(Util::currentUserHasPrivilege('EVENT', 'my_data_base')); $GLOBALS['dbi'] = $oldDbi; }+ /**+ * @requires PHPUnit < 10+ */ public function testCurrentUserHasNotUserPrivilegeAndNotDbPrivilege(): void { $dbi = $this->getMockBuilder(DatabaseInterface::class)@@ -2200,10 +2248,13 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertFalse(Util::currentUserHasPrivilege('EVENT', 'my_data_base'));+ self::assertFalse(Util::currentUserHasPrivilege('EVENT', 'my_data_base')); $GLOBALS['dbi'] = $oldDbi; }+ /**+ * @requires PHPUnit < 10+ */ public function testCurrentUserHasNotUserPrivilegeAndNotDbPrivilegeButTablePrivilege(): void { $dbi = $this->getMockBuilder(DatabaseInterface::class)@@ -2236,10 +2287,13 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertTrue(Util::currentUserHasPrivilege('EVENT', 'my_data_base', 'my_data_table'));+ self::assertTrue(Util::currentUserHasPrivilege('EVENT', 'my_data_base', 'my_data_table')); $GLOBALS['dbi'] = $oldDbi; }+ /**+ * @requires PHPUnit < 10+ */ public function testCurrentUserHasNotUserPrivilegeAndNotDbPrivilegeAndNotTablePrivilege(): void { $dbi = $this->getMockBuilder(DatabaseInterface::class)@@ -2272,14 +2326,14 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertFalse(Util::currentUserHasPrivilege('EVENT', 'my_data_base', 'my_data_table'));+ 
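Review bot: The `@requires PHPUnit < 10` docblock added above testCurrentUserHasNotUserPrivilegeButDbPrivilege states no reason, and it makes the database-level and table-level cases of Util::currentUserHasPrivilege skip rather than run on PHPUnit 10 or later. These tests pin authorization decisions, so I would put the reason and a tracking reference in the docblock, for example `* Skipped on PHPUnit >= 10: <reason>; port tracked in <issue placeholder>`, and make sure at least one CI job still runs them. The test bodies continue outside the hunks, so the cause is presumably in the mock setup rather than in the assertion shown here. The same annotation is added in the next three hunks (…AndNotDbPrivilege, …ButTablePrivilege, …AndNotTablePrivilege) and in AuthenticationCookieTest.php on testAuthFailsNoPass, testAuthFailsDeny, testAuthFailsActivity, testAuthFailsDBI and testAuthFailsErrno.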
self::assertFalse(Util::currentUserHasPrivilege('EVENT', 'my_data_base', 'my_data_table')); $GLOBALS['dbi'] = $oldDbi; } /** * @return array[] */- public function dataProviderScriptNames(): array+ public static function dataProviderScriptNames(): array { // target // location@@ -2443,10 +2497,7 @@ */ public function testGetScriptNameForOption(string $target, string $location, string $finalLink): void {- $this->assertSame(- $finalLink,- Util::getScriptNameForOption($target, $location)- );+ self::assertSame($finalLink, Util::getScriptNameForOption($target, $location)); } /**@@ -2474,7 +2525,7 @@ $oldDbi = $GLOBALS['dbi']; $GLOBALS['dbi'] = $dbi;- $this->assertEquals(Util::isUUIDSupported(), $expected);+ self::assertSame(Util::isUUIDSupported(), $expected); $GLOBALS['dbi'] = $oldDbi; }@@ -2484,7 +2535,7 @@ * @return array * @psalm-return array<int, array{bool, int, bool}> */- public function provideForTestIsUUIDSupported(): array+ public static function provideForTestIsUUIDSupported(): array { return [ [
After analyzing the provided code diff, I don't find any security vulnerabilities being fixed. The changes appear to be primarily test improvements and code style adjustments. Here's the analysis: 1. Test Assertion Changes: Vulnerability Existed: no The diff shows changes from `$this->assert...` to `self::assert...` in test methods, which is a style/consistency improvement rather than a security fix. 2. Enum/Set Value Parsing Improvements: Vulnerability Existed: no The changes include updates to enum/set value parsing tests, but these appear to be test coverage improvements rather than security fixes. 3. Method Visibility Changes: Vulnerability Existed: no Some test provider methods were changed from instance methods to static methods (adding `static` keyword), which is a test optimization. 4. String Formatting Changes: Vulnerability Existed: no Various string formatting and assertion changes in tests, but no security implications. The diff primarily contains: - Test assertion style changes (instance to static method calls) - Improved test coverage for various utility functions - Code formatting improvements - Some test case additions for edge cases No actual security vulnerabilities appear to be addressed in this diff. The changes are focused on test quality and code consistency rather than security fixes.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Config/ServerConfigChecksTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Config/ServerConfigChecksTest.php@@ -79,29 +79,23 @@ $configChecker->performConfigChecks();- $this->assertEquals(- [- 'Servers/1/ssl',- 'Servers/1/auth_type',- 'Servers/1/AllowNoPassword',- 'AllowArbitraryServer',- 'LoginCookieValidity',- 'SaveDir',- 'TempDir',- ],- array_keys($_SESSION['messages']['notice'])- );-- $this->assertEquals(- [- 'LoginCookieValidity',- 'GZipDump',- 'BZipDump',- 'ZipDump_import',- 'ZipDump_export',- ],- array_keys($_SESSION['messages']['error'])- );+ self::assertSame([+ 'Servers/1/ssl',+ 'Servers/1/auth_type',+ 'Servers/1/AllowNoPassword',+ 'AllowArbitraryServer',+ 'LoginCookieValidity',+ 'SaveDir',+ 'TempDir',+ ], array_keys($_SESSION['messages']['notice']));++ self::assertSame([+ 'LoginCookieValidity',+ 'GZipDump',+ 'BZipDump',+ 'ZipDump_import',+ 'ZipDump_export',+ ], array_keys($_SESSION['messages']['error'])); } public function testBlowfish(): void@@ -133,16 +127,20 @@ * @psalm-suppress TypeDoesNotContainType */ $secret = $_SESSION[$this->sessionID]['blowfish_secret'] ?? '';- $this->assertIsString($secret);- $this->assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($secret, '8bit'));+ self::assertIsString($secret);+ self::assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($secret, '8bit')); $messages = $_SESSION['messages'] ?? 
null;- $this->assertIsArray($messages);- $this->assertArrayHasKey('notice', $messages);- $this->assertIsArray($messages['notice']);- $this->assertArrayHasKey('blowfish_secret_created', $messages['notice']);- $this->assertArrayNotHasKey('error', $messages);- }-+ self::assertIsArray($messages);+ self::assertArrayHasKey('notice', $messages);+ self::assertIsArray($messages['notice']);+ self::assertArrayHasKey('blowfish_secret_created', $messages['notice']);+ self::assertArrayNotHasKey('error', $messages);+ }++ /**+ * @requires extension zip+ * @requires extension bz2+ */ public function testBlowfishWithInvalidSecret(): void { $_SESSION[$this->sessionID] = [];@@ -164,16 +162,20 @@ * @psalm-suppress TypeDoesNotContainType */ $secret = $_SESSION[$this->sessionID]['blowfish_secret'] ?? '';- $this->assertIsString($secret);- $this->assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($secret, '8bit'));+ self::assertIsString($secret);+ self::assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($secret, '8bit')); $messages = $_SESSION['messages'] ?? null;- $this->assertIsArray($messages);- $this->assertArrayHasKey('notice', $messages);- $this->assertIsArray($messages['notice']);- $this->assertArrayHasKey('blowfish_secret_created', $messages['notice']);- $this->assertArrayNotHasKey('error', $messages);- }-+ self::assertIsArray($messages);+ self::assertArrayHasKey('notice', $messages);+ self::assertIsArray($messages['notice']);+ self::assertArrayHasKey('blowfish_secret_created', $messages['notice']);+ self::assertArrayNotHasKey('error', $messages);+ }++ /**+ * @requires extension zip+ * @requires extension bz2+ */ public function testBlowfishWithValidSecret(): void { $_SESSION[$this->sessionID] = [];@@ -188,13 +190,13 @@ * @psalm-suppress TypeDoesNotContainType */ $secret = $_SESSION[$this->sessionID]['blowfish_secret'] ?? 
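Review bot: The `@requires extension zip` / `@requires extension bz2` docblock added above testBlowfishWithInvalidSecret ties a test of secret generation to two compression extensions without saying why. On a runner missing either extension, the check that the generated blowfish_secret is SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long is skipped instead of failing. If the dependency comes from `assertArrayNotHasKey('error', $messages)` picking up unrelated compression-check errors (an inference, since the test setup is outside the hunk), I would state that in the docblock, e.g. `* Needs zip and bz2: otherwise the config checks record compression errors under 'error'.`, or assert on the specific message keys instead. The same docblock is added above testBlowfishWithValidSecret in the next hunk, while testBlowfish, which makes the same assertion, is not annotated in the visible hunks.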
'';- $this->assertIsString($secret);- $this->assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($secret, '8bit'));+ self::assertIsString($secret);+ self::assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($secret, '8bit')); $messages = $_SESSION['messages'] ?? null;- $this->assertIsArray($messages);- $this->assertArrayHasKey('notice', $messages);- $this->assertIsArray($messages['notice']);- $this->assertArrayNotHasKey('blowfish_secret_created', $messages['notice']);- $this->assertArrayNotHasKey('error', $messages);+ self::assertIsArray($messages);+ self::assertArrayHasKey('notice', $messages);+ self::assertIsArray($messages['notice']);+ self::assertArrayNotHasKey('blowfish_secret_created', $messages['notice']);+ self::assertArrayNotHasKey('error', $messages); } }
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes are primarily test code improvements, with assertions updated from `assertEquals` to `assertSame` for stricter type checking. Here's the analysis: 1. Vulnerability Existed: no Test Assertion Improvements [test/classes/Config/ServerConfigChecksTest.php] [Lines 79-127] Old Code: Various `assertEquals` assertions Fixed Code: Changed to `assertSame` assertions 2. Vulnerability Existed: no Test Documentation Improvements [test/classes/Config/ServerConfigChecksTest.php] [Lines 133-190] Old Code: Missing `@requires` annotations for extension dependencies Fixed Code: Added `@requires extension zip` and `@requires extension bz2` annotations. Note that `@requires` is more than documentation: PHPUnit skips an annotated test when the named extension is not loaded, so on such an environment the annotated blowfish secret tests do not run. The changes are focused on improving test reliability and documentation rather than addressing security vulnerabilities. The modifications to the blowfish secret handling tests keep the same security checks but use more precise assertions.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Plugins/Auth/AuthenticationCookieTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Plugins/Auth/AuthenticationCookieTest.php@@ -85,9 +85,7 @@ ->with('redirect_flag', '1'); $GLOBALS['conn_error'] = true;- $this->assertTrue(- $this->object->showLoginForm()- );+ self::assertTrue($this->object->showLoginForm()); } private function getAuthErrorMockResponse(): void@@ -202,45 +200,36 @@ $this->object->showLoginForm(); $result = ob_get_clean();- $this->assertIsString($result);-- $this->assertStringContainsString(' id="imLogo"', $result);-- $this->assertStringContainsString('<div class="alert alert-danger" role="alert">', $result);-- $this->assertStringContainsString(+ self::assertIsString($result);++ self::assertStringContainsString(' id="imLogo"', $result);++ self::assertStringContainsString('<div class="alert alert-danger" role="alert">', $result);++ self::assertStringContainsString( '<form method="post" id="login_form" action="index.php?route=/" name="login_form" ' . 'class="disableAjax hide js-show">', $result );- $this->assertStringContainsString(+ self::assertStringContainsString( '<input type="text" name="pma_servername" id="serverNameInput" value="localhost"', $result );- $this->assertStringContainsString(- '<input type="text" name="pma_username" id="input_username" ' .- 'value="pmauser" class="form-control" autocomplete="username" spellcheck="false">',- $result- );-- $this->assertStringContainsString(- '<input type="password" name="pma_password" id="input_password" ' .- 'value="" class="form-control" autocomplete="current-password" spellcheck="false">',- $result- );-- $this->assertStringContainsString(- '<select name="server" id="select_server" class="form-select" ' .- 'onchange="document.forms[\'login_form\'].' 
.- 'elements[\'pma_servername\'].value = \'\'">',- $result- );-- $this->assertStringContainsString('<input type="hidden" name="db" value="testDb">', $result);-- $this->assertStringContainsString('<input type="hidden" name="table" value="testTable">', $result);+ self::assertStringContainsString('<input type="text" name="pma_username" id="input_username" ' .+ 'value="pmauser" class="form-control" autocomplete="username" spellcheck="false">', $result);++ self::assertStringContainsString('<input type="password" name="pma_password" id="input_password" ' .+ 'value="" class="form-control" autocomplete="current-password" spellcheck="false">', $result);++ self::assertStringContainsString('<select name="server" id="select_server" class="form-select" ' .+ 'onchange="document.forms[\'login_form\'].' .+ 'elements[\'pma_servername\'].value = \'\'">', $result);++ self::assertStringContainsString('<input type="hidden" name="db" value="testDb">', $result);++ self::assertStringContainsString('<input type="hidden" name="table" value="testTable">', $result); } /**@@ -284,38 +273,32 @@ $this->object->showLoginForm(); $result = ob_get_clean();- $this->assertIsString($result);-- $this->assertStringContainsString('id="imLogo"', $result);+ self::assertIsString($result);++ self::assertStringContainsString('id="imLogo"', $result); // Check for language selection if locales are there $loc = LOCALE_PATH . '/cs/LC_MESSAGES/phpmyadmin.mo'; if (is_readable($loc)) {- $this->assertStringContainsString(- '<select name="lang" class="form-select autosubmit" lang="en" dir="ltr"'- . ' id="languageSelect" aria-labelledby="languageSelectLabel">',- $result- );+ self::assertStringContainsString('<select name="lang" class="form-select autosubmit" lang="en" dir="ltr"'+ . ' id="languageSelect" aria-labelledby="languageSelectLabel">', $result); }- $this->assertStringContainsString(+ self::assertStringContainsString( '<form method="post" id="login_form" action="index.php?route=/" name="login_form"' . 
' class="disableAjax hide js-show" autocomplete="off">', $result );- $this->assertStringContainsString('<input type="hidden" name="server" value="0">', $result);-- $this->assertStringContainsString(+ self::assertStringContainsString('<input type="hidden" name="server" value="0">', $result);++ self::assertStringContainsString( '<script src="https://www.google.com/recaptcha/api.js?hl=en" async defer></script>', $result );- $this->assertStringContainsString(- '<input class="btn btn-primary g-recaptcha" data-sitekey="testpubkey"'- . ' data-callback="Functions_recaptchaCallback" value="Log in" type="submit" id="input_go">',- $result- );+ self::assertStringContainsString('<input class="btn btn-primary g-recaptcha" data-sitekey="testpubkey"'+ . ' data-callback="Functions_recaptchaCallback" value="Log in" type="submit" id="input_go">', $result); } /**@@ -360,36 +343,33 @@ $this->object->showLoginForm(); $result = ob_get_clean();- $this->assertIsString($result);-- $this->assertStringContainsString('id="imLogo"', $result);+ self::assertIsString($result);++ self::assertStringContainsString('id="imLogo"', $result); // Check for language selection if locales are there $loc = LOCALE_PATH . '/cs/LC_MESSAGES/phpmyadmin.mo'; if (is_readable($loc)) {- $this->assertStringContainsString(- '<select name="lang" class="form-select autosubmit" lang="en" dir="ltr"'- . ' id="languageSelect" aria-labelledby="languageSelectLabel">',- $result- );+ self::assertStringContainsString('<select name="lang" class="form-select autosubmit" lang="en" dir="ltr"'+ . ' id="languageSelect" aria-labelledby="languageSelectLabel">', $result); }- $this->assertStringContainsString(+ self::assertStringContainsString( '<form method="post" id="login_form" action="index.php?route=/" name="login_form"' . 
' class="disableAjax hide js-show" autocomplete="off">', $result );- $this->assertStringContainsString('<input type="hidden" name="server" value="0">', $result);-- $this->assertStringContainsString(+ self::assertStringContainsString('<input type="hidden" name="server" value="0">', $result);++ self::assertStringContainsString( '<script src="https://www.google.com/recaptcha/api.js?hl=en" async defer></script>', $result );- $this->assertStringContainsString('<div class="g-recaptcha" data-sitekey="testpubkey"></div>', $result);-- $this->assertStringContainsString(+ self::assertStringContainsString('<div class="g-recaptcha" data-sitekey="testpubkey"></div>', $result);++ self::assertStringContainsString( '<input class="btn btn-primary" value="Log in" type="submit" id="input_go">', $result );@@ -437,11 +417,9 @@ $_POST['g-recaptcha-response'] = ''; $_POST['pma_username'] = 'testPMAUser';- $this->assertFalse(- $this->object->readCredentials()- );-- $this->assertEquals(+ self::assertFalse($this->object->readCredentials());++ self::assertSame( 'Missing reCAPTCHA verification, maybe it has been blocked by adblock?', $GLOBALS['conn_error'] );@@ -465,7 +443,7 @@ $this->object->logOut();- $this->assertArrayNotHasKey('pmaAuth-0', $_COOKIE);+ self::assertArrayNotHasKey('pmaAuth-0', $_COOKIE); } public function testLogout(): void@@ -488,7 +466,7 @@ $this->object->logOut();- $this->assertArrayNotHasKey('pmaAuth-1', $_COOKIE);+ self::assertArrayNotHasKey('pmaAuth-1', $_COOKIE); } public function testAuthCheckArbitrary(): void@@ -504,17 +482,15 @@ $_POST['pma_password'] = 'testPMAPSWD'; $GLOBALS['cfg']['AllowArbitraryServer'] = true;- $this->assertTrue(- $this->object->readCredentials()- );-- $this->assertEquals('testPMAUser', $this->object->user);-- $this->assertEquals('testPMAPSWD', $this->object->password);-- $this->assertEquals('testPMAServer', $GLOBALS['pma_auth_server']);-- $this->assertArrayNotHasKey('pmaAuth-1', $_COOKIE);+ self::assertTrue($this->object->readCredentials());++ 
self::assertSame('testPMAUser', $this->object->user);++ self::assertSame('testPMAPSWD', $this->object->password);++ self::assertSame('testPMAServer', $GLOBALS['pma_auth_server']);++ self::assertArrayNotHasKey('pmaAuth-1', $_COOKIE); } public function testAuthCheckInvalidCookie(): void@@ -527,9 +503,7 @@ $_COOKIE['pmaUser-1'] = ''; $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');- $this->assertFalse(- $this->object->readCredentials()- );+ self::assertFalse($this->object->readCredentials()); } public function testAuthCheckExpires(): void@@ -543,9 +517,7 @@ $_SESSION['last_access_time'] = time() - 1000; $GLOBALS['cfg']['LoginCookieValidity'] = 1440;- $this->assertFalse(- $this->object->readCredentials()- );+ self::assertFalse($this->object->readCredentials()); } public function testAuthCheckDecryptUser(): void@@ -575,11 +547,9 @@ ->method('cookieDecrypt') ->will($this->returnValue('testBF'));- $this->assertFalse(- $this->object->readCredentials()- );-- $this->assertEquals('testBF', $this->object->user);+ self::assertFalse($this->object->readCredentials());++ self::assertSame('testBF', $this->object->user); } public function testAuthCheckDecryptPassword(): void@@ -611,13 +581,11 @@ ->method('cookieDecrypt') ->will($this->returnValue('{"password":""}'));- $this->assertTrue(- $this->object->readCredentials()- );-- $this->assertTrue($GLOBALS['from_cookie']);-- $this->assertEquals('', $this->object->password);+ self::assertTrue($this->object->readCredentials());++ self::assertTrue($GLOBALS['from_cookie']);++ self::assertSame('', $this->object->password); } public function testAuthCheckAuthFails(): void@@ -652,9 +620,7 @@ $this->object->expects($this->once()) ->method('showFailure');- $this->assertFalse(- $this->object->readCredentials()- );+ self::assertFalse($this->object->readCredentials()); } public function testAuthSetUser(): void@@ -683,14 +649,14 @@ $this->object->rememberCredentials();- $this->assertArrayHasKey('pmaUser-2', $_COOKIE);-- 
$this->assertArrayHasKey('pmaAuth-2', $_COOKIE);+ self::assertArrayHasKey('pmaUser-2', $_COOKIE);++ self::assertArrayHasKey('pmaAuth-2', $_COOKIE); $arr['password'] = 'testPW'; $arr['host'] = 'b'; $arr['port'] = '2';- $this->assertEquals($arr, $GLOBALS['cfg']['Server']);+ self::assertSame($arr, $GLOBALS['cfg']['Server']); } public function testAuthSetUserWithHeaders(): void@@ -723,6 +689,9 @@ $this->object->rememberCredentials(); }+ /**+ * @requires PHPUnit < 10+ */ public function testAuthFailsNoPass(): void { $this->object = $this->getMockBuilder(AuthenticationCookie::class)@@ -739,32 +708,26 @@ ); $this->object->showFailure('empty-denied');- $this->assertEquals(- $GLOBALS['conn_error'],- 'Login without a password is forbidden by configuration (see AllowNoPassword)'- );- }-- public function dataProviderPasswordLength(): array+ self::assertSame(+ 'Login without a password is forbidden by configuration (see AllowNoPassword)',+ $GLOBALS['conn_error']+ );+ }++ public static function dataProviderPasswordLength(): array { return [ [- str_repeat('a', 1000),+ str_repeat('a', 2001), false, 'Your password is too long. To prevent denial-of-service attacks,'- . ' phpMyAdmin restricts passwords to less than 1000 characters.',- ],- [- str_repeat('a', 1001),- false,- 'Your password is too long. To prevent denial-of-service attacks,'- . ' phpMyAdmin restricts passwords to less than 1000 characters.',+ . ' phpMyAdmin restricts passwords to less than 2000 characters.', ], [ str_repeat('a', 3000), false, 'Your password is too long. To prevent denial-of-service attacks,'- . ' phpMyAdmin restricts passwords to less than 1000 characters.',+ . 
' phpMyAdmin restricts passwords to less than 2000 characters.', ], [ str_repeat('a', 256),@@ -788,18 +751,17 @@ $_POST['pma_password'] = $password; if ($trueFalse === false) {- $this->assertFalse(- $this->object->readCredentials()- );+ self::assertFalse($this->object->readCredentials()); } else {- $this->assertTrue(- $this->object->readCredentials()- );+ self::assertTrue($this->object->readCredentials()); }- $this->assertEquals($GLOBALS['conn_error'], $connError);- }-+ self::assertSame($GLOBALS['conn_error'], $connError);+ }++ /**+ * @requires PHPUnit < 10+ */ public function testAuthFailsDeny(): void { $this->object = $this->getMockBuilder(AuthenticationCookie::class)@@ -816,9 +778,12 @@ ); $this->object->showFailure('allow-denied');- $this->assertEquals($GLOBALS['conn_error'], 'Access denied!');- }-+ self::assertSame($GLOBALS['conn_error'], 'Access denied!');+ }++ /**+ * @requires PHPUnit < 10+ */ public function testAuthFailsActivity(): void { $this->object = $this->getMockBuilder(AuthenticationCookie::class)@@ -829,7 +794,6 @@ $GLOBALS['server'] = 2; $_COOKIE['pmaAuth-2'] = 'pass';- $GLOBALS['allowDeny_forbidden'] = ''; $GLOBALS['cfg']['LoginCookieValidity'] = 10; $this->mockResponse(@@ -838,13 +802,16 @@ ); $this->object->showFailure('no-activity');- $this->assertEquals(- $GLOBALS['conn_error'],+ self::assertSame( 'You have been automatically logged out due to inactivity of 10 seconds.'- . ' Once you log in again, you should be able to resume the work where you left off.'- );- }-+ . 
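Review bot: dataProviderPasswordLength no longer has a row at the limit itself: the old 1000- and 1001-character rows are replaced by a single 2001-character row, so nothing pins whether a password of exactly 2000 characters is accepted or rejected. The message says "less than 2000 characters", which implies 2000 is rejected; I would add a row `str_repeat('a', 2000), false,` with the same message (or the accepted-case values if the check is meant to be exclusive), plus a 1999-character accepted row. This cap is the stated denial-of-service guard, so an off-by-one between the message and the check should be caught by the test data. The provider continues outside the hunk, so the shape of an accepted row has to be taken from the existing 256-character case.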
' Once you log in again, you should be able to resume the work where you left off.',+ $GLOBALS['conn_error']+ );+ }++ /**+ * @requires PHPUnit < 10+ */ public function testAuthFailsDBI(): void { $this->object = $this->getMockBuilder(AuthenticationCookie::class)@@ -872,9 +839,12 @@ ); $this->object->showFailure('');- $this->assertEquals($GLOBALS['conn_error'], '#42 Cannot log in to the MySQL server');- }-+ self::assertSame($GLOBALS['conn_error'], '#42 Cannot log in to the MySQL server');+ }++ /**+ * @requires PHPUnit < 10+ */ public function testAuthFailsErrno(): void { $this->object = $this->getMockBuilder(AuthenticationCookie::class)@@ -902,7 +872,7 @@ ); $this->object->showFailure('');- $this->assertEquals($GLOBALS['conn_error'], 'Cannot log in to the MySQL server');+ self::assertSame($GLOBALS['conn_error'], 'Cannot log in to the MySQL server'); } public function testGetEncryptionSecretEmpty(): void@@ -915,8 +885,8 @@ $result = $method->invoke($this->object, null);- $this->assertSame($result, $_SESSION['encryption_key']);- $this->assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($result, '8bit'));+ self::assertSame($result, $_SESSION['encryption_key']);+ self::assertSame(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, mb_strlen($result, '8bit')); } public function testGetEncryptionSecretConfigured(): void@@ -930,7 +900,7 @@ $result = $method->invoke($this->object, null);- $this->assertSame($key, $result);+ self::assertSame($key, $result); } public function testGetSessionEncryptionSecretConfigured(): void@@ -944,28 +914,28 @@ $result = $method->invoke($this->object, null);- $this->assertSame($key, $result);+ self::assertSame($key, $result); } public function testCookieEncryption(): void { $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); $encrypted = $this->object->cookieEncrypt('data123', $key);- $this->assertNotFalse(base64_decode($encrypted, true));- $this->assertSame('data123', $this->object->cookieDecrypt($encrypted, $key));+ 
self::assertNotFalse(base64_decode($encrypted, true));+ self::assertSame('data123', $this->object->cookieDecrypt($encrypted, $key)); } public function testCookieDecryptInvalid(): void {- $this->assertNull($this->object->cookieDecrypt('', ''));+ self::assertNull($this->object->cookieDecrypt('', '')); $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); $encrypted = $this->object->cookieEncrypt('data123', $key);- $this->assertSame('data123', $this->object->cookieDecrypt($encrypted, $key));-- $this->assertNull($this->object->cookieDecrypt('', $key));- $this->assertNull($this->object->cookieDecrypt($encrypted, ''));- $this->assertNull($this->object->cookieDecrypt($encrypted, random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));+ self::assertSame('data123', $this->object->cookieDecrypt($encrypted, $key));++ self::assertNull($this->object->cookieDecrypt('', $key));+ self::assertNull($this->object->cookieDecrypt($encrypted, ''));+ self::assertNull($this->object->cookieDecrypt($encrypted, random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES))); } /**@@ -984,12 +954,12 @@ $payload = ['password' => $newPassword, 'server' => 'b 2'];- $this->assertIsString($_COOKIE['pmaAuth-' . $GLOBALS['server']]);+ self::assertIsString($_COOKIE['pmaAuth-' . $GLOBALS['server']]); $decryptedCookie = $this->object->cookieDecrypt( $_COOKIE['pmaAuth-' . 
$GLOBALS['server']], $_SESSION['encryption_key'] );- $this->assertSame(json_encode($payload), $decryptedCookie);+ self::assertSame(json_encode($payload), $decryptedCookie); } public function testAuthenticate(): void@@ -1010,15 +980,15 @@ $result = ob_get_clean(); /* Nothing should be printed */- $this->assertEquals('', $result);+ self::assertSame('', $result); /* Verify readCredentials worked */- $this->assertEquals('testUser', $this->object->user);- $this->assertEquals('testPassword', $this->object->password);+ self::assertSame('testUser', $this->object->user);+ self::assertSame('testPassword', $this->object->password); /* Verify storeCredentials worked */- $this->assertEquals('testUser', $GLOBALS['cfg']['Server']['user']);- $this->assertEquals('testPassword', $GLOBALS['cfg']['Server']['password']);+ self::assertSame('testUser', $GLOBALS['cfg']['Server']['user']);+ self::assertSame('testPassword', $GLOBALS['cfg']['Server']['password']); } /**@@ -1059,16 +1029,16 @@ $this->object->checkRules(); $result = ob_get_clean();- $this->assertIsString($result);+ self::assertIsString($result); if (empty($expected)) {- $this->assertEquals($expected, $result);+ self::assertSame($expected, $result); } else {- $this->assertStringContainsString($expected, $result);+ self::assertStringContainsString($expected, $result); } }- public function checkRulesProvider(): array+ public static function checkRulesProvider(): array { return [ 'nopass-ok' => [
After analyzing the provided code diff, I did not identify any security vulnerabilities being fixed. The changes are primarily test code refactoring and assertion updates. Here's the analysis: 1. The main change replaces `$this->assert` with `self::assert` throughout the test file 2. Some test cases were simplified by removing line breaks in string assertions 3. The password length limit expected by the tests was updated from 1000 to 2000 characters 4. Some test method annotations were added/updated No security vulnerabilities appear to be addressed in this diff. The changes are focused on test improvements and maintenance. Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are test-related improvements and refactoring. The password length change (from 1000 to 2000 characters) could be considered a security-related adjustment, but it is not fixing a vulnerability; it adjusts a security control: Vulnerability Existed: no Password Length Policy Adjustment [test/classes/Plugins/Auth/AuthenticationCookieTest.php] [Lines around 720-730] [Old password length limit was 1000 characters] [New password length limit is 2000 characters] Because this file is a test, the diff shows only the expected error message and the test inputs changing; the limit itself is enforced in the authentication code, which is not part of this diff. This is a policy adjustment rather than a vulnerability fix. The original limit was already providing protection against denial-of-service attacks.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/CommonTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/CommonTest.php@@ -25,10 +25,10 @@ $_SERVER['REQUEST_URI'] = $request; $_SERVER['PATH_INFO'] = $path_info; Common::cleanupPathInfo();- $this->assertEquals($expected, $GLOBALS['PMA_PHP_SELF']);+ self::assertSame($expected, $GLOBALS['PMA_PHP_SELF']); }- public function providerForTestCleanupPathInfo(): array+ public static function providerForTestCleanupPathInfo(): array { return [ [@@ -88,33 +88,33 @@ $_SERVER['REQUEST_METHOD'] = 'GET'; Common::checkTokenRequestParam();- $this->assertTrue($token_mismatch);- $this->assertFalse($token_provided);+ self::assertTrue($token_mismatch);+ self::assertFalse($token_provided); $_SERVER['REQUEST_METHOD'] = 'POST'; $_POST['test'] = 'test'; Common::checkTokenRequestParam();- $this->assertTrue($token_mismatch);- $this->assertFalse($token_provided);- $this->assertArrayNotHasKey('test', $_POST);+ self::assertTrue($token_mismatch);+ self::assertFalse($token_provided);+ self::assertArrayNotHasKey('test', $_POST); $_SERVER['REQUEST_METHOD'] = 'POST'; $_POST['token'] = 'token'; $_POST['test'] = 'test'; $_SESSION[' PMA_token '] = 'mismatch'; Common::checkTokenRequestParam();- $this->assertTrue($token_mismatch);- $this->assertTrue($token_provided);- $this->assertArrayNotHasKey('test', $_POST);+ self::assertTrue($token_mismatch);+ self::assertTrue($token_provided);+ self::assertArrayNotHasKey('test', $_POST); $_SERVER['REQUEST_METHOD'] = 'POST'; $_POST['token'] = 'token'; $_POST['test'] = 'test'; $_SESSION[' PMA_token '] = 'token'; Common::checkTokenRequestParam();- $this->assertFalse($token_mismatch);- $this->assertTrue($token_provided);- $this->assertArrayHasKey('test', $_POST);- $this->assertEquals('test', $_POST['test']);+ self::assertFalse($token_mismatch);+ self::assertTrue($token_provided);+ 
self::assertArrayHasKey('test', $_POST);+ self::assertSame('test', $_POST['test']); } }
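Review bot: The cases for `Common::checkTokenRequestParam()` in this hunk cover a missing token, a mismatching token and a matching token, but none sends an empty or non-string `token`, which is the input shape most likely to slip past a comparison. A fifth case such as `$_POST['token'] = ['token'];` followed by `self::assertTrue($token_mismatch);` and `self::assertArrayNotHasKey('test', $_POST);` would pin that such a request is treated as unauthenticated and has its parameters stripped. The function body is not part of this diff, so the expected value of `$token_provided` for that case has to be taken from the implementation. The test method starts before the hunk.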
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be primarily test-related improvements and code quality enhancements. Here's the analysis: 1. Vulnerability Existed: no Test Assertion Improvement [test/classes/CommonTest.php] [Lines 25, 88-114] Old Code: `$this->assertEquals(...)` Fixed Code: `self::assertSame(...)` (This is a test improvement making assertions stricter, not a security fix) 2. Vulnerability Existed: no Data Provider Made Static [test/classes/CommonTest.php] [Lines 28] Old Code: `public function providerForTestCleanupPathInfo(): array` Fixed Code: `public static function providerForTestCleanupPathInfo(): array` (The provider's visibility is unchanged; it only becomes static. This is a test structure improvement, not a security fix) The changes focus on: - Using more precise assertions (`assertSame` instead of `assertEquals`) - Making test data provider methods static - Consistent use of `self::` instead of `$this->` for assertions No security vulnerabilities appear to have been addressed in this diff. The changes are related to test quality and maintainability rather than security fixes.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Controllers/Table/IndexesControllerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Controllers/Table/IndexesControllerTest.php@@ -119,16 +119,13 @@ $html = $response->getHTMLResult(); //Url::getHiddenInputs- $this->assertStringContainsString(- Url::getHiddenInputs(- [- 'db' => 'db',- 'table' => 'table',- 'create_index' => 1,- ]- ),- $html- );+ self::assertStringContainsString(Url::getHiddenInputs(+ [+ 'db' => 'db',+ 'table' => 'table',+ 'create_index' => 1,+ ]+ ), $html); $doc_html = Generator::showHint( Message::notice(@@ -137,20 +134,14 @@ ) )->getMessage() );- $this->assertStringContainsString($doc_html, $html);+ self::assertStringContainsString($doc_html, $html);- $this->assertStringContainsString(- MySQLDocumentation::show('ALTER_TABLE'),- $html- );+ self::assertStringContainsString(MySQLDocumentation::show('ALTER_TABLE'), $html);- $this->assertStringContainsString(- sprintf(__('Add %s column(s) to index'), 1),- $html- );+ self::assertStringContainsString(sprintf(__('Add %s column(s) to index'), 1), $html); //$field_name & $field_type- $this->assertStringContainsString('field_name', $html);- $this->assertStringContainsString('field_type', $html);+ self::assertStringContainsString('field_name', $html);+ self::assertStringContainsString('field_type', $html); } }
After analyzing the provided code diff, I don't find any security vulnerabilities being fixed. The changes appear to be primarily stylistic and testing-related improvements rather than security fixes. Here's the analysis: 1. Vulnerability Existed: no [No security vulnerability found] [test/classes/Controllers/Table/IndexesControllerTest.php] [Lines 119-137] [Old Code: Multiple assertStringContainsString calls with different formatting] [Fixed Code: Consolidated assertStringContainsString calls using self:: and consistent formatting] The changes made in this diff include: 1. Changing `$this->assertStringContainsString` to `self::assertStringContainsString` 2. Reformatting the code for consistency 3. Making the assertions more concise These changes are related to test code quality and maintainability rather than addressing any security vulnerabilities. The test functionality remains the same, only the style of writing the tests has been modified.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Controllers/Sql/EnumValuesControllerTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Controllers/Sql/EnumValuesControllerTest.php@@ -48,10 +48,7 @@ $this->assertResponseWasNotSuccessfull();- $this->assertSame(- ['message' => 'Error in processing request'],- $this->getResponseJsonResult()- );+ self::assertSame(['message' => 'Error in processing request'], $this->getResponseJsonResult()); } public function testGetEnumValuesSuccess(): void@@ -63,7 +60,7 @@ [ [ 'set',- 'set(\'<script>alert("ok")</script>\',\'a&b\',\'b&c\',\'vrai&\',\'\')',+ "set('<script>alert(\"ok\")</script>','a&b','b&c','vrai&','','漢字','''','\\\\','\"\\\\''')", 'No', '', 'NULL',@@ -98,19 +95,19 @@ $this->assertResponseWasSuccessfull();- $this->assertSame(- [- 'dropdown' => '<select>' . "\n"- . ' <option value=""> </option>' . "\n"- . ' <option value="<script>alert("ok")</script>">'- . '<script>alert("ok")</script></option>' . "\n"- . ' <option value="a&b">a&b</option>' . "\n"- . ' <option value="b&c" selected>b&c</option>' . "\n"- . ' <option value="vrai&amp">vrai&amp</option>' . "\n"- . ' <option value=""></option>' . "\n"- . ' </select>' . "\n",- ],- $this->getResponseJsonResult()- );+ self::assertSame([+ 'dropdown' => '<select>' . "\n"+ . ' <option value="<script>alert("ok")</script>">'+ . '<script>alert("ok")</script></option>' . "\n"+ . ' <option value="a&b">a&b</option>' . "\n"+ . ' <option value="b&c" selected>b&c</option>' . "\n"+ . ' <option value="vrai&amp">vrai&amp</option>' . "\n"+ . ' <option value=""></option>' . "\n"+ . ' <option value="漢字">漢字</option>' . "\n"+ . ' <option value="'">'</option>' . "\n"+ . ' <option value="\">\</option>' . "\n"+ . ' <option value=""\'">"\'</option>' . "\n"+ . ' </select>' . "\n",+ ], $this->getResponseJsonResult()); } }
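Review bot: The new `set(...)` fixture in testGetEnumValuesSuccess passes through two escaping layers (a PHP double-quoted string, then SQL string quoting), and nothing in the hunk says which member values it is meant to produce. A comment above the literal listing the decoded members would make the expected dropdown in the next hunk reviewable, for example `// last four members: 漢字, a single quote, a backslash, and the three characters "\'`. That expected string is the escaping contract for column-definition values rendered into HTML, so each added member should map to exactly one `<option>` line there. The test method starts outside this hunk.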
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be test case updates and code style improvements rather than security fixes. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability [File] test/classes/Controllers/Sql/EnumValuesControllerTest.php [Lines] 48-60 Old Code: Different assertion style and test data Fixed Code: Updated assertion style and expanded test cases 2. Vulnerability Existed: no No security vulnerability [File] test/classes/Controllers/Sql/EnumValuesControllerTest.php [Lines] 63-98 Old Code: Limited test data for enum values Fixed Code: Expanded test data to include more edge cases (Unicode, quotes, backslashes) The changes primarily: 1. Update assertion style from $this->assertSame() to self::assertSame() 2. Expand test coverage with more edge cases 3. Update expected HTML output to match new test cases There's no indication of any security vulnerabilities being addressed in these changes. The test updates appear to be for improving test coverage rather than fixing security issues. Note that the expected `<option>` markup appears entity-decoded as rendered on this page, so this listing alone does not show how the enum values are escaped in the actual test file.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Properties/PropertyItemTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Properties/PropertyItemTest.php@@ -36,9 +36,6 @@ public function testGetGroup(): void {- $this->assertEquals(- null,- $this->stub->getGroup()- );+ self::assertNull($this->stub->getGroup()); } }
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability] [test/classes/Properties/PropertyItemTest.php] [Lines 36-39] [Old Code] $this->assertEquals( null, $this->stub->getGroup() ); [Fixed Code] self::assertNull($this->stub->getGroup()); Explanation: This appears to be a simple test case improvement rather than a security fix. The change replaces assertEquals(null) with the more specific assertNull() assertion method, which is a better practice for testing null values but doesn't indicate any security vulnerability. The functionality being tested remains the same.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Query/GeneratorTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Query/GeneratorTest.php@@ -14,150 +14,85 @@ { public function testGetColumnsSql(): void {- $this->assertEquals(+ self::assertSame( 'SHOW COLUMNS FROM `mydb`.`mytable`',- Generator::getColumnsSql(- 'mydb',- 'mytable'- )+ Generator::getColumnsSql('mydb', 'mytable') );- $this->assertEquals(+ self::assertSame( 'SHOW COLUMNS FROM `mydb`.`mytable` LIKE \'_idcolumn\'',- Generator::getColumnsSql(- 'mydb',- 'mytable',- '_idcolumn'- )+ Generator::getColumnsSql('mydb', 'mytable', '_idcolumn') );- $this->assertEquals(+ self::assertSame( 'SHOW FULL COLUMNS FROM `mydb`.`mytable`',- Generator::getColumnsSql(- 'mydb',- 'mytable',- null,- true- )+ Generator::getColumnsSql('mydb', 'mytable', null, true) );- $this->assertEquals(+ self::assertSame( 'SHOW FULL COLUMNS FROM `mydb`.`mytable` LIKE \'_idcolumn\'',- Generator::getColumnsSql(- 'mydb',- 'mytable',- '_idcolumn',- true- )+ Generator::getColumnsSql('mydb', 'mytable', '_idcolumn', true) ); } public function testGetTableIndexesSql(): void {- $this->assertEquals(+ self::assertSame( 'SHOW INDEXES FROM `mydb`.`mytable`',- Generator::getTableIndexesSql(- 'mydb',- 'mytable'- )+ Generator::getTableIndexesSql('mydb', 'mytable') );- $this->assertEquals(+ self::assertSame( 'SHOW INDEXES FROM `mydb`.`mytable` WHERE (1)',- Generator::getTableIndexesSql(- 'mydb',- 'mytable',- '1'- )+ Generator::getTableIndexesSql('mydb', 'mytable', '1') ); } public function testGetSqlQueryForIndexRename(): void {- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mydb`.`mytable` RENAME INDEX `oldIndexName` TO `newIndexName`;',- Generator::getSqlQueryForIndexRename(- 'mydb',- 'mytable',- 'oldIndexName',- 'newIndexName'- )+ Generator::getSqlQueryForIndexRename('mydb', 'mytable', 'oldIndexName', 'newIndexName') ); } public 
function testGetQueryForReorderingTable(): void {- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` ORDER BY `myOrderField` ASC;',- Generator::getQueryForReorderingTable(- 'mytable',- 'myOrderField',- ''- )+ Generator::getQueryForReorderingTable('mytable', 'myOrderField', '') );- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` ORDER BY `myOrderField` ASC;',- Generator::getQueryForReorderingTable(- 'mytable',- 'myOrderField',- 'S'- )+ Generator::getQueryForReorderingTable('mytable', 'myOrderField', 'S') );- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` ORDER BY `myOrderField` ASC;',- Generator::getQueryForReorderingTable(- 'mytable',- 'myOrderField',- 'DESC'- )+ Generator::getQueryForReorderingTable('mytable', 'myOrderField', 'DESC') );- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` ORDER BY `myOrderField` DESC;',- Generator::getQueryForReorderingTable(- 'mytable',- 'myOrderField',- 'desc'- )+ Generator::getQueryForReorderingTable('mytable', 'myOrderField', 'desc') );- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` ORDER BY `myOrderField` ASC;',- Generator::getQueryForReorderingTable(- 'mytable',- 'myOrderField',- null- )+ Generator::getQueryForReorderingTable('mytable', 'myOrderField', null) ); } public function testGetQueryForPartitioningTable(): void {- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` PARTITION ;',- Generator::getQueryForPartitioningTable(- 'mytable',- '',- []- )+ Generator::getQueryForPartitioningTable('mytable', '', []) );- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` PARTITION p1;',- Generator::getQueryForPartitioningTable(- 'mytable',- '',- ['p1']- )+ Generator::getQueryForPartitioningTable('mytable', '', ['p1']) );- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` PARTITION p1, p2;',- Generator::getQueryForPartitioningTable(- 'mytable',- '',- ['p1', 'p2']- )+ Generator::getQueryForPartitioningTable('mytable', '', 
['p1', 'p2']) );- $this->assertEquals(+ self::assertSame( 'ALTER TABLE `mytable` COALESCE PARTITION 2',- Generator::getQueryForPartitioningTable(- 'mytable',- 'COALESCE',- ['p1', 'p2']- )+ Generator::getQueryForPartitioningTable('mytable', 'COALESCE', ['p1', 'p2']) ); } }
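Review bot: Every call in these tests passes identifiers that need no escaping (`mydb`, `mytable`, `p1`), so the now-strict `assertSame` comparisons never exercise the identifier quoting that the generated statements depend on. One case per method with a database or table name containing a backtick would pin how `Generator` quotes identifiers. The partition test shows names emitted unquoted (`PARTITION p1, p2`), which deserves a comment saying where those names are validated. The case `getQueryForReorderingTable('mytable', 'myOrderField', 'DESC')` expecting `ASC` also reads like a mistake without a comment such as `// only lowercase 'desc' selects descending order`. Generator's implementation is not part of this diff, so the expected strings for any new case have to be taken from it.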
After analyzing the provided code diff, I don't find any security-related fixes. The changes appear to be primarily code style improvements and test assertion updates. Here's the analysis: 1. Vulnerability Existed: no The changes are test-related improvements, switching from assertEquals to assertSame for more strict comparisons and simplifying test code formatting. 2. Vulnerability Existed: no The modifications are all in test files (GeneratorTest.php) and don't affect production code or security-related functionality. 3. Vulnerability Existed: no The changes involve test method refactoring (removing unnecessary line breaks and parentheses) but don't address any security vulnerabilities. The diff shows: - Replacement of assertEquals with assertSame for more precise testing - Code formatting improvements (removing unnecessary line breaks) - No changes to actual database query generation logic - No security-related fixes or vulnerability patches Since these are all test file changes and don't affect the actual functionality or security of the application, there are no security vulnerabilities being addressed in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/FlashMessagesTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/FlashMessagesTest.php@@ -16,10 +16,10 @@ public function testConstructor(): void {- $this->assertArrayNotHasKey(self::STORAGE_KEY, $_SESSION);+ self::assertArrayNotHasKey(self::STORAGE_KEY, $_SESSION); $flash = new FlashMessages();- $this->assertIsArray($_SESSION[self::STORAGE_KEY]);- $this->assertSame([], $flash->getMessages());+ self::assertIsArray($_SESSION[self::STORAGE_KEY]);+ self::assertSame([], $flash->getMessages()); } public function testConstructorSessionNotFound(): void@@ -33,11 +33,11 @@ public function testAddMessage(): void { $flash = new FlashMessages();- $this->assertArrayNotHasKey('error', $_SESSION[self::STORAGE_KEY]);+ self::assertArrayNotHasKey('error', $_SESSION[self::STORAGE_KEY]); $flash->addMessage('error', 'Error');- $this->assertArrayHasKey('error', $_SESSION[self::STORAGE_KEY]);- $this->assertIsArray($_SESSION[self::STORAGE_KEY]['error']);- $this->assertEquals(['Error'], $_SESSION[self::STORAGE_KEY]['error']);+ self::assertArrayHasKey('error', $_SESSION[self::STORAGE_KEY]);+ self::assertIsArray($_SESSION[self::STORAGE_KEY]['error']);+ self::assertSame(['Error'], $_SESSION[self::STORAGE_KEY]['error']); } public function testGetMessage(): void@@ -45,9 +45,9 @@ $_SESSION[self::STORAGE_KEY] = ['warning' => ['Warning']]; $flash = new FlashMessages(); $message = $flash->getMessage('error');- $this->assertNull($message);+ self::assertNull($message); $message = $flash->getMessage('warning');- $this->assertEquals(['Warning'], $message);+ self::assertSame(['Warning'], $message); } public function testGetMessages(): void@@ -59,12 +59,9 @@ $flash = new FlashMessages(); $flash->addMessage('notice', 'Notice'); $messages = $flash->getMessages();- $this->assertEquals(- [- 'error' => ['Error1', 'Error2'],- 'warning' => 
['Warning'],- ],- $messages- );+ self::assertSame([+ 'error' => ['Error1', 'Error2'],+ 'warning' => ['Warning'],+ ], $messages); } }
After analyzing the provided code diff, I don't see any security-related changes. The changes appear to be test code improvements, specifically changing assertion methods from `$this->assert...` to `self::assert...` and using `assertSame()` instead of `assertEquals()` for more strict comparisons. Here's the structured response: Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are test code improvements. The modifications are: 1. Changing assertion style from instance method to static method calls 2. Using stricter equality comparisons with assertSame() instead of assertEquals() 3. Formatting improvements in array assertions These changes don't address any security issues but rather improve test code quality and consistency. The test cases continue to verify the same functionality of the FlashMessages class, just with more precise assertions.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/NormalizationTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/NormalizationTest.php@@ -123,11 +123,11 @@ { $db = 'PMA_db'; $table = 'PMA_table';- $this->assertStringContainsString(+ self::assertStringContainsString( '<option value="id">id [ integer ]</option>', $this->normalization->getHtmlForColumnsList($table, $db) );- $this->assertEquals(+ self::assertSame( '<input type="checkbox" value="col1">col1 [ varchar(100) ]<br>', $this->normalization->getHtmlForColumnsList($table, $db, 'String', 'checkbox') );@@ -153,7 +153,7 @@ new Template() ); $result = $normalization->getHtmlForCreateNewColumn($numFields, $db, $table);- $this->assertStringContainsString('<table id="table_columns"', $result);+ self::assertStringContainsString('<table id="table_columns"', $result); } /**@@ -165,28 +165,22 @@ $table = 'PMA_table'; $normalizedTo = '1nf'; $result = $this->normalization->getHtmlFor1NFStep1($db, $table, $normalizedTo);- $this->assertStringContainsString(- "<h3 class='text-center'>"- . __('First step of normalization (1NF)') . '</h3>',- $result- );- $this->assertStringContainsString("<div id='mainContent'", $result);- $this->assertStringContainsString('<legend>' . __('Step 1.'), $result);-- $this->assertStringContainsString('<h4', $result);-- $this->assertStringContainsString('<p', $result);-- $this->assertStringContainsString("<select id='selectNonAtomicCol'", $result);-- $this->assertStringContainsString(- $this->normalization->getHtmlForColumnsList(- $db,- $table,- _pgettext('string types', 'String')- ),- $result- );+ self::assertStringContainsString("<h3 class='text-center'>"+ . __('First step of normalization (1NF)') . '</h3>', $result);+ self::assertStringContainsString("<div id='mainContent'", $result);+ self::assertStringContainsString('<legend>' . 
__('Step 1.'), $result);++ self::assertStringContainsString('<h4', $result);++ self::assertStringContainsString('<p', $result);++ self::assertStringContainsString("<select id='selectNonAtomicCol'", $result);++ self::assertStringContainsString($this->normalization->getHtmlForColumnsList(+ $db,+ $table,+ _pgettext('string types', 'String')+ ), $result); } /**@@ -197,18 +191,18 @@ $db = 'PMA_db'; $table = 'PMA_table1'; $result = $this->normalization->getHtmlContentsFor1NFStep2($db, $table);- $this->assertIsArray($result);- $this->assertArrayHasKey('legendText', $result);- $this->assertArrayHasKey('headText', $result);- $this->assertArrayHasKey('subText', $result);- $this->assertArrayHasKey('hasPrimaryKey', $result);- $this->assertArrayHasKey('extra', $result);- $this->assertStringContainsString('<a href="#" id="createPrimaryKey">', $result['subText']);- $this->assertStringContainsString('<a href="#" id="addNewPrimary">', $result['extra']);- $this->assertEquals('0', $result['hasPrimaryKey']);- $this->assertStringContainsString(__('Step 1.') . 2, $result['legendText']);+ self::assertIsArray($result);+ self::assertArrayHasKey('legendText', $result);+ self::assertArrayHasKey('headText', $result);+ self::assertArrayHasKey('subText', $result);+ self::assertArrayHasKey('hasPrimaryKey', $result);+ self::assertArrayHasKey('extra', $result);+ self::assertStringContainsString('<a href="#" id="createPrimaryKey">', $result['subText']);+ self::assertStringContainsString('<a href="#" id="addNewPrimary">', $result['extra']);+ self::assertSame('0', $result['hasPrimaryKey']);+ self::assertStringContainsString(__('Step 1.') . 
2, $result['legendText']); $result1 = $this->normalization->getHtmlContentsFor1NFStep2($db, 'PMA_table');- $this->assertEquals('1', $result1['hasPrimaryKey']);+ self::assertSame('1', $result1['hasPrimaryKey']); } /**@@ -219,17 +213,17 @@ $db = 'PMA_db'; $table = 'PMA_table'; $result = $this->normalization->getHtmlContentsFor1NFStep4($db, $table);- $this->assertIsArray($result);- $this->assertArrayHasKey('legendText', $result);- $this->assertArrayHasKey('headText', $result);- $this->assertArrayHasKey('subText', $result);- $this->assertArrayHasKey('extra', $result);- $this->assertStringContainsString(__('Step 1.') . 4, $result['legendText']);- $this->assertStringContainsString(+ self::assertIsArray($result);+ self::assertArrayHasKey('legendText', $result);+ self::assertArrayHasKey('headText', $result);+ self::assertArrayHasKey('subText', $result);+ self::assertArrayHasKey('extra', $result);+ self::assertStringContainsString(__('Step 1.') . 4, $result['legendText']);+ self::assertStringContainsString( $this->normalization->getHtmlForColumnsList($db, $table, 'all', 'checkbox'), $result['extra'] );- $this->assertStringContainsString(+ self::assertStringContainsString( '<input class="btn btn-secondary" type="submit" id="removeRedundant"', $result['extra'] );@@ -243,22 +237,22 @@ $db = 'PMA_db'; $table = 'PMA_table'; $result = $this->normalization->getHtmlContentsFor1NFStep3($db, $table);- $this->assertIsArray($result);- $this->assertArrayHasKey('legendText', $result);- $this->assertArrayHasKey('headText', $result);- $this->assertArrayHasKey('subText', $result);- $this->assertArrayHasKey('extra', $result);- $this->assertArrayHasKey('primary_key', $result);- $this->assertStringContainsString(__('Step 1.') . 
3, $result['legendText']);- $this->assertStringContainsString(+ self::assertIsArray($result);+ self::assertArrayHasKey('legendText', $result);+ self::assertArrayHasKey('headText', $result);+ self::assertArrayHasKey('subText', $result);+ self::assertArrayHasKey('extra', $result);+ self::assertArrayHasKey('primary_key', $result);+ self::assertStringContainsString(__('Step 1.') . 3, $result['legendText']);+ self::assertStringContainsString( $this->normalization->getHtmlForColumnsList($db, $table, 'all', 'checkbox'), $result['extra'] );- $this->assertStringContainsString(+ self::assertStringContainsString( '<input class="btn btn-secondary" type="submit" id="moveRepeatingGroup"', $result['extra'] );- $this->assertEquals(json_encode(['id']), $result['primary_key']);+ self::assertSame(json_encode(['id']), $result['primary_key']); } /**@@ -269,18 +263,18 @@ $db = 'PMA_db'; $table = 'PMA_table'; $result = $this->normalization->getHtmlFor2NFstep1($db, $table);- $this->assertIsArray($result);- $this->assertArrayHasKey('legendText', $result);- $this->assertArrayHasKey('headText', $result);- $this->assertArrayHasKey('subText', $result);- $this->assertArrayHasKey('extra', $result);- $this->assertArrayHasKey('primary_key', $result);- $this->assertStringContainsString(__('Step 2.') . 1, $result['legendText']);- $this->assertEquals('id', $result['primary_key']);+ self::assertIsArray($result);+ self::assertArrayHasKey('legendText', $result);+ self::assertArrayHasKey('headText', $result);+ self::assertArrayHasKey('subText', $result);+ self::assertArrayHasKey('extra', $result);+ self::assertArrayHasKey('primary_key', $result);+ self::assertStringContainsString(__('Step 2.') . 
1, $result['legendText']);+ self::assertSame('id', $result['primary_key']); $result1 = $this->normalization->getHtmlFor2NFstep1($db, 'PMA_table2');- $this->assertEquals('id, col1', $result1['primary_key']);- $this->assertStringContainsString('<a href="#" id="showPossiblePd"', $result1['headText']);- $this->assertStringContainsString('<input type="checkbox" name="pd" value="id"', $result1['extra']);+ self::assertSame('id, col1', $result1['primary_key']);+ self::assertStringContainsString('<a href="#" id="showPossiblePd"', $result1['headText']);+ self::assertStringContainsString('<input type="checkbox" name="pd" value="id"', $result1['extra']); } /**@@ -291,7 +285,7 @@ $table = 'PMA_table'; $partialDependencies = ['col1' => ['col2']]; $result = $this->normalization->getHtmlForNewTables2NF($partialDependencies, $table);- $this->assertStringContainsString('<input type="text" name="col1"', $result);+ self::assertStringContainsString('<input type="text" name="col1"', $result); } /**@@ -306,18 +300,18 @@ $tablesName->col1 = 'PMA_table1'; $partialDependencies = ['id' => ['col2']]; $result = $this->normalization->createNewTablesFor2NF($partialDependencies, $tablesName, $table, $db);- $this->assertIsArray($result);- $this->assertArrayHasKey('legendText', $result);- $this->assertArrayHasKey('headText', $result);- $this->assertArrayHasKey('queryError', $result);+ self::assertIsArray($result);+ self::assertArrayHasKey('legendText', $result);+ self::assertArrayHasKey('headText', $result);+ self::assertArrayHasKey('queryError', $result); $partialDependencies = [ 'id' => ['col2'], 'col1' => ['col2'], ]; $result1 = $this->normalization->createNewTablesFor2NF($partialDependencies, $tablesName, $table, $db);- $this->assertArrayHasKey('extra', $result1);- $this->assertEquals(__('End of step'), $result1['legendText']);- $this->assertEquals('', $result1['extra']);+ self::assertArrayHasKey('extra', $result1);+ self::assertSame(__('End of step'), $result1['legendText']);+ 
self::assertSame('', $result1['extra']); } /**@@ -330,14 +324,11 @@ $dependencies = new stdClass(); $dependencies->col1 = ['col2']; $result = $this->normalization->getHtmlForNewTables3NF($dependencies, $tables, $db);- $this->assertEquals(- [- 'html' => '',- 'success' => true,- 'newTables' => [],- ],- $result- );+ self::assertEquals([+ 'html' => '',+ 'success' => true,+ 'newTables' => [],+ ], $result); $tables = [ 'PMA_table' => [ 'col1',@@ -350,23 +341,20 @@ 'col5', ]; $result1 = $this->normalization->getHtmlForNewTables3NF($dependencies, $tables, $db);- $this->assertIsArray($result1);- $this->assertStringContainsString('<input type="text" name="PMA_table"', $result1['html']);- $this->assertEquals(- [+ self::assertIsArray($result1);+ self::assertStringContainsString('<input type="text" name="PMA_table"', $result1['html']);+ self::assertSame([+ 'PMA_table' => [ 'PMA_table' => [- 'PMA_table' => [- 'pk' => 'col1',- 'nonpk' => 'col2',- ],- 'table2' => [- 'pk' => 'id',- 'nonpk' => 'col4, col5',- ],- ],- ],- $result1['newTables']- );+ 'pk' => 'col1',+ 'nonpk' => 'col2',+ ],+ 'table2' => [+ 'pk' => 'id',+ 'nonpk' => 'col4, col5',+ ],+ ],+ ], $result1['newTables']); } /**@@ -388,15 +376,15 @@ ], ]; $result = $this->normalization->createNewTablesFor3NF($newTables, $db);- $this->assertIsArray($result);- $this->assertArrayHasKey('legendText', $result);- $this->assertArrayHasKey('headText', $result);- $this->assertArrayHasKey('queryError', $result);+ self::assertIsArray($result);+ self::assertArrayHasKey('legendText', $result);+ self::assertArrayHasKey('headText', $result);+ self::assertArrayHasKey('queryError', $result); $newTables1 = []; $result1 = $this->normalization->createNewTablesFor3NF($newTables1, $db);- $this->assertArrayHasKey('queryError', $result1);- $this->assertEquals(__('End of step'), $result1['legendText']);- $this->assertFalse($result1['queryError']);+ self::assertArrayHasKey('queryError', $result1);+ self::assertSame(__('End of step'), 
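Review bot: The first assertion on the result of `getHtmlForNewTables3NF` stays `self::assertEquals([...], $result)` while the other comparisons in this file were tightened to `assertSame`, and nothing in the hunk says why. If the loose comparison is deliberate (for example the returned array has a different key order or a value of a non-identical type), a one-line comment such as `// assertEquals on purpose: returned key order differs` would stop a later cleanup from changing it. Otherwise use `self::assertSame` here as well. The test method starts before the hunk.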
$result1['legendText']);+ self::assertFalse($result1['queryError']); } /**@@ -418,10 +406,10 @@ $table, $db );- $this->assertIsArray($result);- $this->assertArrayHasKey('queryError', $result);- $this->assertArrayHasKey('message', $result);- $this->assertInstanceOf(Message::class, $result['message']);+ self::assertIsArray($result);+ self::assertArrayHasKey('queryError', $result);+ self::assertArrayHasKey('message', $result);+ self::assertInstanceOf(Message::class, $result['message']); } /**@@ -432,16 +420,16 @@ $db = 'PMA_db'; $tables = ['PMA_table']; $result = $this->normalization->getHtmlFor3NFstep1($db, $tables);- $this->assertIsArray($result);- $this->assertArrayHasKey('legendText', $result);- $this->assertArrayHasKey('headText', $result);- $this->assertArrayHasKey('subText', $result);- $this->assertArrayHasKey('extra', $result);- $this->assertStringContainsString(__('Step 3.') . 1, $result['legendText']);- $this->assertStringContainsString('<form', $result['extra']);- $this->assertStringContainsString('<input type="checkbox" name="pd" value="col1"', $result['extra']);+ self::assertIsArray($result);+ self::assertArrayHasKey('legendText', $result);+ self::assertArrayHasKey('headText', $result);+ self::assertArrayHasKey('subText', $result);+ self::assertArrayHasKey('extra', $result);+ self::assertStringContainsString(__('Step 3.') . 1, $result['legendText']);+ self::assertStringContainsString('<form', $result['extra']);+ self::assertStringContainsString('<input type="checkbox" name="pd" value="col1"', $result['extra']); $result1 = $this->normalization->getHtmlFor3NFstep1($db, ['PMA_table2']);- $this->assertEquals('', $result1['subText']);+ self::assertSame('', $result1['subText']); } /**@@ -450,17 +438,14 @@ public function testgetHtmlForNormalizeTable(): void { $result = $this->normalization->getHtmlForNormalizeTable();- $this->assertStringContainsString(- '<form method="post" action="' . Url::getFromRoute('/normalization')- . 
'" name="normalize" id="normalizeTable"',- $result- );- $this->assertStringContainsString('<input type="hidden" name="step1" value="1">', $result);-- $this->assertStringContainsString('type="radio" name="normalizeTo"', $result);- $this->assertStringContainsString('id="normalizeToRadio1" value="1nf" checked>', $result);- $this->assertStringContainsString('id="normalizeToRadio2" value="2nf">', $result);- $this->assertStringContainsString('id="normalizeToRadio3" value="3nf">', $result);+ self::assertStringContainsString('<form method="post" action="' . Url::getFromRoute('/normalization')+ . '" name="normalize" id="normalizeTable"', $result);+ self::assertStringContainsString('<input type="hidden" name="step1" value="1">', $result);++ self::assertStringContainsString('type="radio" name="normalizeTo"', $result);+ self::assertStringContainsString('id="normalizeToRadio1" value="1nf" checked>', $result);+ self::assertStringContainsString('id="normalizeToRadio2" value="2nf">', $result);+ self::assertStringContainsString('id="normalizeToRadio3" value="3nf">', $result); } /**@@ -471,8 +456,8 @@ $table = 'PMA_table2'; $db = 'PMA_db'; $result = $this->normalization->findPartialDependencies($table, $db);- $this->assertStringContainsString('<div class="dependencies_box"', $result);- $this->assertStringContainsString(__('No partial dependencies found!'), $result);+ self::assertStringContainsString('<div class="dependencies_box"', $result);+ self::assertStringContainsString(__('No partial dependencies found!'), $result); } /**@@ -492,17 +477,14 @@ [$primaryKey] );- $this->assertEquals(- [- '',- 'id',- 'col1',- 'col1,id',- 'col2',- 'col2,id',- 'col2,col1',- ],- $result- );+ self::assertSame([+ '',+ 'id',+ 'col1',+ 'col1,id',+ 'col2',+ 'col2,id',+ 'col2,col1',+ ], $result); } }
After analyzing the provided code diff, I can confirm that this is a test file (NormalizationTest.php) containing unit tests for normalization functionality. The changes are primarily focused on updating test assertions from `$this->assert...` to `self::assert...` and some minor formatting changes. Here's the analysis: 1. Vulnerability Existed: no No security vulnerabilities found [File] test/classes/NormalizationTest.php [Lines] All The changes are test-related improvements with no security implications The diff shows: - Changing assertion methods from instance (`$this->assert`) to static (`self::assert`) calls - Some code formatting adjustments (like combining multi-line string assertions) - Changing some `assertEquals` to `assertSame` for stricter comparisons - No changes to actual application logic or security-related functionality These changes are purely test-related improvements and don't indicate any security fixes. The modifications are focused on making the tests more consistent and maintainable, not addressing any vulnerabilities.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
Failed to fetch CVE description: 503 Server Error: Service Unavailable for url: https://nvd.nist.gov/vuln/detail/CVE-2025-24529
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/ConsoleTest.php
+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/ConsoleTest.php
@@ -5,6 +5,7 @@
 namespace PhpMyAdmin\Tests;
 use PhpMyAdmin\Console;
+use ReflectionProperty;
 /**
 * @covers \PhpMyAdmin\Console
@@ -14,6 +15,19 @@
 public function testGetScripts(): void
 {
 $console = new Console();
- $this->assertEquals(['console.js'], $console->getScripts());
+ self::assertSame(['console.js'], $console->getScripts());
+ }
+
+ public function testSetAjax(): void
+ {
+ $isAjax = new ReflectionProperty(Console::class, 'isAjax');
+ $isAjax->setAccessible(true);
+ $console = new Console();
+
+ self::assertFalse($isAjax->getValue($console));
+ $console->setAjax(true);
+ self::assertTrue($isAjax->getValue($console));
+ $console->setAjax(false);
+ self::assertFalse($isAjax->getValue($console));
 }
 }
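Review bot: `testSetAjax` in the second hunk checks the setter only by reading the private `isAjax` property through `ReflectionProperty`, so it pins the field name rather than any behaviour the flag controls. A rename of the property would break the test without any functional change. If `Console` produces output that depends on the flag (not visible in this hunk), asserting on that output would be the sturdier check. Otherwise, and assuming the class exposes no getter, a one-line comment would explain the reflection: `// isAjax is private with no getter, so the test reads it via reflection.`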
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be test-related improvements and additions rather than security fixes. Here's the analysis: 1. Vulnerability Existed: no Test Improvement [File] test/classes/ConsoleTest.php [Lines 5,14-27] [Old Code] namespace PhpMyAdmin\Tests; use PhpMyAdmin\Console; /** * @covers \PhpMyAdmin\Console */ class ConsoleTest extends AbstractTestCase { public function testGetScripts(): void { $console = new Console(); $this->assertEquals(['console.js'], $console->getScripts()); } } [Fixed Code] namespace PhpMyAdmin\Tests; use PhpMyAdmin\Console; use ReflectionProperty; /** * @covers \PhpMyAdmin\Console */ class ConsoleTest extends AbstractTestCase { public function testGetScripts(): void { $console = new Console(); self::assertSame(['console.js'], $console->getScripts()); } public function testSetAjax(): void { $isAjax = new ReflectionProperty(Console::class, 'isAjax'); $isAjax->setAccessible(true); $console = new Console(); self::assertFalse($isAjax->getValue($console)); $console->setAjax(true); self::assertTrue($isAjax->getValue($console)); $console->setAjax(false); self::assertFalse($isAjax->getValue($console)); } } The changes include: 1. Added a new test method `testSetAjax` using ReflectionProperty to test private properties 2. Changed `assertEquals` to `assertSame` in the existing test for stricter comparison 3. Added `use ReflectionProperty` statement These changes appear to be test quality improvements rather than security fixes. No vulnerabilities were identified in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/TrackingTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/TrackingTest.php@@ -80,8 +80,8 @@ $ret = $this->tracking->filter($data, $filter_ts_from, $filter_ts_to, $filter_users);- $this->assertEquals('username1', $ret[0]['username']);- $this->assertEquals('statement1', $ret[0]['statement']);+ self::assertSame('username1', $ret[0]['username']);+ self::assertSame('statement1', $ret[0]['statement']); } /**@@ -103,38 +103,32 @@ ], ]; $untracked_tables = $this->tracking->extractTableNames($table_list, 'db', true);- $this->assertContains('hello_world', $untracked_tables);- $this->assertContains('hello_lovely_world', $untracked_tables);- $this->assertContains('hello_lovely_world2', $untracked_tables);+ self::assertContains('hello_world', $untracked_tables);+ self::assertContains('hello_lovely_world', $untracked_tables);+ self::assertContains('hello_lovely_world2', $untracked_tables); } public function testGetHtmlForMain(): void { $html = $this->tracking->getHtmlForMainPage('PMA_db', 'PMA_table', [], 'ltr');- $this->assertStringContainsString('PMA_db.PMA_table', $html);- $this->assertStringContainsString('<td>date_created</td>', $html);- $this->assertStringContainsString(__('Delete version'), $html);- $this->assertStringContainsString('<div class="card mt-3">', $html);- $this->assertStringContainsString('<div class="card-header">', $html);- $this->assertStringContainsString('<div class="card-body">', $html);- $this->assertStringContainsString('<div class="card-footer">', $html);- $this->assertStringContainsString(Url::getHiddenInputs($GLOBALS['db']), $html);- $this->assertStringContainsString(- sprintf(- __('Create version %1$s of %2$s'),- 2,- htmlspecialchars($GLOBALS['db'] . '.' . 
$GLOBALS['table'])- ),- $html- );- $this->assertStringContainsString(- '<input type="checkbox" name="delete" value="true"'- . ' checked="checked">' . "\n" . ' DELETE<br>',- $html- );- $this->assertStringContainsString(__('Create version'), $html);- $this->assertStringContainsString('Deactivate now', $html);+ self::assertStringContainsString('PMA_db.PMA_table', $html);+ self::assertStringContainsString('<td>date_created</td>', $html);+ self::assertStringContainsString(__('Delete version'), $html);+ self::assertStringContainsString('<div class="card mt-3">', $html);+ self::assertStringContainsString('<div class="card-header">', $html);+ self::assertStringContainsString('<div class="card-body">', $html);+ self::assertStringContainsString('<div class="card-footer">', $html);+ self::assertStringContainsString(Url::getHiddenInputs($GLOBALS['db']), $html);+ self::assertStringContainsString(sprintf(+ __('Create version %1$s of %2$s'),+ 2,+ htmlspecialchars($GLOBALS['db'] . '.' . $GLOBALS['table'])+ ), $html);+ self::assertStringContainsString('<input type="checkbox" name="delete" value="true"'+ . ' checked="checked">' . "\n" . 
' DELETE<br>', $html);+ self::assertStringContainsString(__('Create version'), $html);+ self::assertStringContainsString('Deactivate now', $html); } /**@@ -143,10 +137,10 @@ public function testGetTableLastVersionNumber(): void { $sql_result = $this->tracking->getSqlResultForSelectableTables('PMA_db');- $this->assertNotFalse($sql_result);+ self::assertNotFalse($sql_result); $last_version = $this->tracking->getTableLastVersionNumber($sql_result);- $this->assertSame(10, $last_version);+ self::assertSame(10, $last_version); } /**@@ -156,7 +150,7 @@ { $ret = $this->tracking->getSqlResultForSelectableTables('PMA_db');- $this->assertNotFalse($ret);+ self::assertNotFalse($ret); } /**@@ -187,69 +181,27 @@ $html = $this->tracking->getHtmlForColumns($columns);- $this->assertStringContainsString(- __('Column'),- $html- );- $this->assertStringContainsString(- __('Type'),- $html- );- $this->assertStringContainsString(- __('Collation'),- $html- );- $this->assertStringContainsString(- __('Default'),- $html- );- $this->assertStringContainsString(- __('Comment'),- $html- );+ self::assertStringContainsString(__('Column'), $html);+ self::assertStringContainsString(__('Type'), $html);+ self::assertStringContainsString(__('Collation'), $html);+ self::assertStringContainsString(__('Default'), $html);+ self::assertStringContainsString(__('Comment'), $html); //column1 $item1 = $columns[0];- $this->assertStringContainsString(- htmlspecialchars($item1['Field']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($item1['Type']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($item1['Collation']),- $html- );- $this->assertStringContainsString('<em>NULL</em>', $html);- $this->assertStringContainsString(- htmlspecialchars($item1['Comment']),- $html- );+ self::assertStringContainsString(htmlspecialchars($item1['Field']), $html);+ self::assertStringContainsString(htmlspecialchars($item1['Type']), $html);+ 
self::assertStringContainsString(htmlspecialchars($item1['Collation']), $html);+ self::assertStringContainsString('<em>NULL</em>', $html);+ self::assertStringContainsString(htmlspecialchars($item1['Comment']), $html); //column2 $item1 = $columns[1];- $this->assertStringContainsString(- htmlspecialchars($item1['Field']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($item1['Type']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($item1['Collation']),- $html- );- $this->assertStringContainsString(- _pgettext('None for default', 'None'),- $html- );- $this->assertStringContainsString(- htmlspecialchars($item1['Comment']),- $html- );+ self::assertStringContainsString(htmlspecialchars($item1['Field']), $html);+ self::assertStringContainsString(htmlspecialchars($item1['Type']), $html);+ self::assertStringContainsString(htmlspecialchars($item1['Collation']), $html);+ self::assertStringContainsString(_pgettext('None for default', 'None'), $html);+ self::assertStringContainsString(htmlspecialchars($item1['Comment']), $html); } /**@@ -259,7 +211,7 @@ { $ret = $this->tracking->getListOfVersionsOfTable('PMA_db', 'PMA_table');- $this->assertNotFalse($ret);+ self::assertNotFalse($ret); } /**@@ -296,56 +248,32 @@ $filter_users );- $this->assertStringContainsString(- __('Tracking report'),- $html- );-- $this->assertStringContainsString(- __('Tracking statements'),- $html- );-- $this->assertStringContainsString($data['tracking'], $html);+ self::assertStringContainsString(__('Tracking report'), $html);++ self::assertStringContainsString(__('Tracking statements'), $html);++ self::assertStringContainsString($data['tracking'], $html); $version = Url::getHiddenInputs($url_params + [ 'report' => 'true', 'version' => $_POST['version'], ]);- $this->assertStringContainsString($version, $html);-- $this->assertStringContainsString($version, $html);-- $this->assertStringContainsString(- __('Structure only'),- $html- );-- $this->assertStringContainsString(- 
__('Data only'),- $html- );-- $this->assertStringContainsString(- __('Structure and data'),- $html- );-- $this->assertStringContainsString(- htmlspecialchars($_POST['date_from']),- $html- );-- $this->assertStringContainsString(- htmlspecialchars($_POST['date_to']),- $html- );-- $this->assertStringContainsString(- htmlspecialchars($_POST['users']),- $html- );+ self::assertStringContainsString($version, $html);++ self::assertStringContainsString($version, $html);++ self::assertStringContainsString(__('Structure only'), $html);++ self::assertStringContainsString(__('Data only'), $html);++ self::assertStringContainsString(__('Structure and data'), $html);++ self::assertStringContainsString(htmlspecialchars($_POST['date_from']), $html);++ self::assertStringContainsString(htmlspecialchars($_POST['date_to']), $html);++ self::assertStringContainsString(htmlspecialchars($_POST['users']), $html); } /**@@ -382,24 +310,15 @@ $drop_image_or_text );- $this->assertStringContainsString(- __('Date'),- $html- );-- $this->assertStringContainsString(- __('Username'),- $html- );-- $this->assertStringContainsString(- __('Data manipulation statement'),- $html- );-- $this->assertStringContainsString($data['dmlog'][0]['date'], $html);-- $this->assertStringContainsString($data['dmlog'][0]['username'], $html);+ self::assertStringContainsString(__('Date'), $html);++ self::assertStringContainsString(__('Username'), $html);++ self::assertStringContainsString(__('Data manipulation statement'), $html);++ self::assertStringContainsString($data['dmlog'][0]['date'], $html);++ self::assertStringContainsString($data['dmlog'][0]['username'], $html); } /**@@ -435,33 +354,18 @@ $drop_image_or_text );- $this->assertStringContainsString(- __('Date'),- $html- );-- $this->assertStringContainsString(- __('Username'),- $html- );-- $this->assertStringContainsString(- __('Data definition statement'),- $html- );-- $this->assertStringContainsString(- __('Action'),- $html- );+ 
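Review bot: The row assertions in the `@@ -382,24 +310,15 @@` hunk compare `$data['dmlog'][0]['date']` and `$data['dmlog'][0]['username']` with `$html` unescaped, while the data-definition test in the following hunk wraps the username in `htmlspecialchars()`. The fixtures are defined outside these hunks, but if their values hold no HTML metacharacters, both forms pass whether or not the renderer encodes its output, so the tests would not catch an escaping regression. Giving the fixture a username with a metacharacter (a constructed value such as `user<1>`) and asserting `self::assertStringContainsString(htmlspecialchars($data['dmlog'][0]['username']), $html);` would pin the encoding. Separately, the `@@ -296,56 +248,32 @@` hunk keeps `self::assertStringContainsString($version, $html);` twice in a row; one of the two can be dropped.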
self::assertStringContainsString(__('Date'), $html);++ self::assertStringContainsString(__('Username'), $html);++ self::assertStringContainsString(__('Data definition statement'), $html);++ self::assertStringContainsString(__('Action'), $html); //PMA_getHtmlForDataDefinitionStatement- $this->assertStringContainsString(- htmlspecialchars($data['ddlog'][0]['username']),- $html- );-- $this->assertEquals(2, $count);+ self::assertStringContainsString(htmlspecialchars($data['ddlog'][0]['username']), $html);++ self::assertSame(2, $count); } /**@@ -485,55 +389,19 @@ $html = $this->tracking->getHtmlForIndexes($indexs);- $this->assertStringContainsString(- __('Indexes'),- $html- );- $this->assertStringContainsString(- __('Keyname'),- $html- );- $this->assertStringContainsString(- __('Type'),- $html- );- $this->assertStringContainsString(- __('Unique'),- $html- );- $this->assertStringContainsString(- __('Packed'),- $html- );- $this->assertStringContainsString(- __('Column'),- $html- );- $this->assertStringContainsString(- __('Cardinality'),- $html- );+ self::assertStringContainsString(__('Indexes'), $html);+ self::assertStringContainsString(__('Keyname'), $html);+ self::assertStringContainsString(__('Type'), $html);+ self::assertStringContainsString(__('Unique'), $html);+ self::assertStringContainsString(__('Packed'), $html);+ self::assertStringContainsString(__('Column'), $html);+ self::assertStringContainsString(__('Cardinality'), $html); // items- $this->assertStringContainsString(- htmlspecialchars($indexs[0]['Key_name']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($indexs[0]['Index_type']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($indexs[0]['Column_name']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($indexs[0]['Cardinality']),- $html- );- $this->assertStringContainsString(- htmlspecialchars($indexs[0]['Collation']),- $html- );+ self::assertStringContainsString(htmlspecialchars($indexs[0]['Key_name']), 
$html);+ self::assertStringContainsString(htmlspecialchars($indexs[0]['Index_type']), $html);+ self::assertStringContainsString(htmlspecialchars($indexs[0]['Column_name']), $html);+ self::assertStringContainsString(htmlspecialchars($indexs[0]['Cardinality']), $html);+ self::assertStringContainsString(htmlspecialchars($indexs[0]['Collation']), $html); } /**@@ -553,7 +421,7 @@ $_POST['truncate'] = true; $tracking_set = $this->tracking->getTrackingSet();- $this->assertEquals('RENAME TABLE,CREATE TABLE,DROP TABLE,DROP INDEX,INSERT,DELETE,TRUNCATE', $tracking_set);+ self::assertSame('RENAME TABLE,CREATE TABLE,DROP TABLE,DROP INDEX,INSERT,DELETE,TRUNCATE', $tracking_set); //other set to true $_POST['alter_table'] = true;@@ -568,7 +436,7 @@ $_POST['truncate'] = false; $tracking_set = $this->tracking->getTrackingSet();- $this->assertEquals('ALTER TABLE,CREATE INDEX,UPDATE', $tracking_set);+ self::assertSame('ALTER TABLE,CREATE INDEX,UPDATE', $tracking_set); } /**@@ -599,7 +467,7 @@ $filter_ts_from = 0; $entries = $this->tracking->getEntries($data, $filter_ts_from, $filter_ts_to, $filter_users);- $this->assertEquals('username3', $entries[0]['username']);- $this->assertEquals('statement1', $entries[0]['statement']);+ self::assertSame('username3', $entries[0]['username']);+ self::assertSame('statement1', $entries[0]['statement']); } }
After analyzing the provided code diff, I can confirm that this is a test file modification where the changes are primarily focused on updating test assertions from `$this->assert...` to `self::assert...` style. There are no security-related fixes or vulnerabilities being addressed in this diff. Here's the structured response: Vulnerability Existed: no [No security vulnerabilities found] [test/classes/TrackingTest.php] [Various lines] [Old assertion style using $this->assert...] [New assertion style using self::assert...] The changes are purely stylistic/refactoring changes to the test code and don't affect the application's security posture. The modifications: 1. Change assertion method calls from instance style to static style 2. Change some assertEquals calls to assertSame for stricter comparison 3. Reformat some multi-line assertions into single lines 4. No changes to actual application logic or security-related functionality No security vulnerabilities were fixed in this diff.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Config/FormDisplayTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Config/FormDisplayTest.php@@ -68,29 +68,23 @@ $this->object->registerForm('pma_testform', $array, 2); $_forms = $attrForms->getValue($this->object);- $this->assertInstanceOf(Form::class, $_forms['pma_testform']);+ self::assertInstanceOf(Form::class, $_forms['pma_testform']); $attrSystemPaths = $reflection->getProperty('systemPaths'); $attrSystemPaths->setAccessible(true);- $this->assertEquals(- [- 'Servers/2/test' => 'Servers/1/test',- 'Servers/2/:group:end:0' => 'Servers/1/:group:end:0',- ],- $attrSystemPaths->getValue($this->object)- );+ self::assertSame([+ 'Servers/2/test' => 'Servers/1/test',+ 'Servers/2/:group:end:0' => 'Servers/1/:group:end:0',+ ], $attrSystemPaths->getValue($this->object)); $attrTranslatedPaths = $reflection->getProperty('translatedPaths'); $attrTranslatedPaths->setAccessible(true);- $this->assertEquals(- [- 'Servers/2/test' => 'Servers-2-test',- 'Servers/2/:group:end:0' => 'Servers-2-:group:end:0',- ],- $attrTranslatedPaths->getValue($this->object)- );+ self::assertSame([+ 'Servers/2/test' => 'Servers-2-test',+ 'Servers/2/:group:end:0' => 'Servers-2-:group:end:0',+ ], $attrTranslatedPaths->getValue($this->object)); } /**@@ -100,9 +94,7 @@ */ public function testProcess(): void {- $this->assertFalse(- $this->object->process(true, true)- );+ self::assertFalse($this->object->process(true, true)); $this->object = $this->getMockBuilder(FormDisplay::class) ->disableOriginalConstructor()@@ -118,15 +110,11 @@ ->with([0, 1, 2], false) ->will($this->returnValue(true));- $this->assertTrue(- $this->object->process(false, false)- );+ self::assertTrue($this->object->process(false, false)); $attrForms->setValue($this->object, []);- $this->assertFalse(- $this->object->process(false, false)- );+ 
self::assertFalse($this->object->process(false, false)); } /**@@ -146,7 +134,7 @@ $result = $this->object->displayErrors();- $this->assertNull($result);+ self::assertNull($result); $arr = [ 'Servers/1/test' => ['e1'],@@ -166,12 +154,12 @@ $result = $this->object->displayErrors();- $this->assertIsString($result);- $this->assertStringContainsString('<dt>Servers/1/test2</dt>', $result);- $this->assertStringContainsString('<dd>e1</dd>', $result);- $this->assertStringContainsString('<dt>Form_foobar</dt>', $result);- $this->assertStringContainsString('<dd>e2</dd>', $result);- $this->assertStringContainsString('<dd>e3</dd>', $result);+ self::assertIsString($result);+ self::assertStringContainsString('<dt>Servers/1/test2</dt>', $result);+ self::assertStringContainsString('<dd>e1</dd>', $result);+ self::assertStringContainsString('<dt>Form_foobar</dt>', $result);+ self::assertStringContainsString('<dd>e2</dd>', $result);+ self::assertStringContainsString('<dd>e3</dd>', $result); } /**@@ -210,14 +198,11 @@ $this->object->fixErrors();- $this->assertEquals(- [- 'Servers' => [- '1' => ['test' => 'localhost'],- ],+ self::assertSame([+ 'Servers' => [+ '1' => ['test' => 'localhost'], ],- $_SESSION['ConfigFile0']- );+ ], $_SESSION['ConfigFile0']); } /**@@ -230,55 +215,44 @@ $arr = ['foo' => 'var']; $value = 'foo';- $this->assertTrue(- $attrValidateSelect->invokeArgs(- $this->object,- [- &$value,- $arr,- ]- )- );+ self::assertTrue($attrValidateSelect->invokeArgs(+ $this->object,+ [+ &$value,+ $arr,+ ]+ )); $arr = ['' => 'foobar']; $value = null;- $this->assertTrue(- $attrValidateSelect->invokeArgs(- $this->object,- [- &$value,- $arr,- ]- )- );- $this->assertEquals(- 'string',- gettype($value)- );+ self::assertTrue($attrValidateSelect->invokeArgs(+ $this->object,+ [+ &$value,+ $arr,+ ]+ ));+ self::assertSame('string', gettype($value)); $arr = [0 => 'foobar']; $value = 0;- $this->assertTrue(- $attrValidateSelect->invokeArgs(- $this->object,- [- &$value,- $arr,- ]- )- );+ 
self::assertTrue($attrValidateSelect->invokeArgs(+ $this->object,+ [+ &$value,+ $arr,+ ]+ )); $arr = ['1' => 'foobar']; $value = 0;- $this->assertFalse(- $attrValidateSelect->invokeArgs(- $this->object,- [- &$value,- $arr,- ]- )- );+ self::assertFalse($attrValidateSelect->invokeArgs(+ $this->object,+ [+ &$value,+ $arr,+ ]+ )); } /**@@ -289,9 +263,7 @@ $attrErrors = new ReflectionProperty(FormDisplay::class, 'errors'); $attrErrors->setAccessible(true);- $this->assertFalse(- $this->object->hasErrors()- );+ self::assertFalse($this->object->hasErrors()); $attrErrors->setValue( $this->object,@@ -301,9 +273,7 @@ ] );- $this->assertTrue(- $this->object->hasErrors()- );+ self::assertTrue($this->object->hasErrors()); } /**@@ -311,20 +281,14 @@ */ public function testGetDocLink(): void {- $this->assertEquals(+ self::assertSame( './url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2Fen%2Flatest%2Fconfig.html%23cfg_Servers_3_test_2_', $this->object->getDocLink('Servers/3/test/2/') );- $this->assertEquals(- '',- $this->object->getDocLink('Import')- );-- $this->assertEquals(- '',- $this->object->getDocLink('Export')- );+ self::assertSame('', $this->object->getDocLink('Import'));++ self::assertSame('', $this->object->getDocLink('Export')); } /**@@ -335,15 +299,9 @@ $method = new ReflectionMethod(FormDisplay::class, 'getOptName'); $method->setAccessible(true);- $this->assertEquals(- 'Servers_',- $method->invoke($this->object, 'Servers/1/')- );-- $this->assertEquals(- 'Servers_23_',- $method->invoke($this->object, 'Servers/1/23/')- );+ self::assertSame('Servers_', $method->invoke($this->object, 'Servers/1/'));++ self::assertSame('Servers_23_', $method->invoke($this->object, 'Servers/1/23/')); } /**@@ -358,10 +316,7 @@ $attrUserprefs->setAccessible(true); $method->invoke($this->object, null);- $this->assertEquals(- [],- $attrUserprefs->getValue($this->object)- );+ self::assertSame([], $attrUserprefs->getValue($this->object)); } /**@@ -404,7 +359,7 @@ $expect['comment_warning'] = 1;- 
$this->assertEquals($expect, $opts);+ self::assertEquals($expect, $opts); // ZipDump, GZipDump, BZipDump $method->invokeArgs(@@ -425,9 +380,9 @@ 'due to missing function gzcompress.'; }- $this->assertEquals($comment, $opts['comment']);-- $this->assertTrue($opts['comment_warning']);+ self::assertSame($comment, $opts['comment']);++ self::assertTrue($opts['comment_warning']); $method->invokeArgs( $this->object,@@ -447,9 +402,9 @@ 'due to missing function gzencode.'; }- $this->assertEquals($comment, $opts['comment']);-- $this->assertTrue($opts['comment_warning']);+ self::assertSame($comment, $opts['comment']);++ self::assertTrue($opts['comment_warning']); $method->invokeArgs( $this->object,@@ -469,9 +424,9 @@ 'due to missing function bzcompress.'; }- $this->assertEquals($comment, $opts['comment']);-- $this->assertTrue($opts['comment_warning']);+ self::assertSame($comment, $opts['comment']);++ self::assertTrue($opts['comment_warning']); $GLOBALS['config']->set('is_setup', false);@@ -487,7 +442,7 @@ ] );- $this->assertEquals('maximum 10', $opts['comment']);+ self::assertSame('maximum 10', $opts['comment']); $method->invokeArgs( $this->object,@@ -497,7 +452,7 @@ ] );- $this->assertEquals('maximum 10', $opts['comment']);+ self::assertSame('maximum 10', $opts['comment']); $method->invokeArgs( $this->object,@@ -507,6 +462,6 @@ ] );- $this->assertEquals('maximum 10', $opts['comment']);+ self::assertSame('maximum 10', $opts['comment']); } }
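Review bot: `self::assertEquals($expect, $opts);` in the `@@ -404,7 +359,7 @@` hunk stays a loose comparison while the sibling assertions in this file moved to `assertSame`. The context line before it sets `$expect['comment_warning'] = 1`, yet the later hunks assert `self::assertTrue($opts['comment_warning'])`, which passes only for a boolean, so the loose comparison may be hiding an int-versus-bool mismatch in the expectation. If the first call also yields `true` (the code under test is not in this diff), the lines can become `$expect['comment_warning'] = true;` and `self::assertSame($expect, $opts);`. If the value really is an integer there, or the key order differs, a short comment such as `// assertEquals on purpose: key order / scalar types differ from $expect` would record why. The enclosing test method starts and ends outside the hunk.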
After analyzing the provided code diff, I don't find any security-related fixes. The changes appear to be primarily about test code improvements and refactoring, with the main changes being: 1. Changing test assertions from `$this->assert...` to `self::assert...` style 2. Changing some `assertEquals` calls to `assertSame` for stricter type checking 3. Code formatting improvements (like collapsing multi-line array assertions into single lines) Here's the structured response: Vulnerability Existed: no No security vulnerability found in test/classes/Config/FormDisplayTest.php [No old/fixed code pairs as these are test improvements, not security fixes] The changes are focused on test code quality rather than addressing any security issues. The modifications don't indicate any vulnerability fixes, but rather improvements in test assertions and code style.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/Plugins/Import/ImportLdiTest.php
+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/Plugins/Import/ImportLdiTest.php
@@ -82,14 +82,8 @@
 public function testGetProperties(): void
 {
 $properties = $this->object->getProperties();
- $this->assertEquals(
- __('CSV using LOAD DATA'),
- $properties->getText()
- );
- $this->assertEquals(
- 'ldi',
- $properties->getExtension()
- );
+ self::assertSame(__('CSV using LOAD DATA'), $properties->getText());
+ self::assertSame('ldi', $properties->getExtension());
 }
 /**
@@ -120,15 +114,9 @@
 $GLOBALS['cfg']['Import']['ldi_local_option'] = 'auto';
 $this->object = new ImportLdi();
 $properties = $this->object->getProperties();
- $this->assertTrue($GLOBALS['cfg']['Import']['ldi_local_option']);
- $this->assertEquals(
- __('CSV using LOAD DATA'),
- $properties->getText()
- );
- $this->assertEquals(
- 'ldi',
- $properties->getExtension()
- );
+ self::assertTrue($GLOBALS['cfg']['Import']['ldi_local_option']);
+ self::assertSame(__('CSV using LOAD DATA'), $properties->getText());
+ self::assertSame('ldi', $properties->getExtension());
 }
 /**
@@ -158,12 +146,12 @@
 $this->object->doImport($importHandle);
 //asset that all sql are executed
- $this->assertStringContainsString(
+ self::assertStringContainsString(
 'LOAD DATA INFILE \'test/test_data/db_test_ldi.csv\' INTO TABLE `phpmyadmintest`',
 $sql_query
 );
- $this->assertTrue($GLOBALS['finished']);
+ self::assertTrue($GLOBALS['finished']);
 }
 /**
@@ -180,12 +168,12 @@
 $this->object->doImport();
 // We handle only some kind of data!
- $this->assertStringContainsString(
+ self::assertStringContainsString(
 __('This plugin does not support compressed imports!'),
 $GLOBALS['message']->__toString()
 );
- $this->assertTrue($GLOBALS['error']);
+ self::assertTrue($GLOBALS['error']);
 }
 /**
@@ -227,20 +215,20 @@
 //asset that all sql are executed
 //replace
- $this->assertStringContainsString(
+ self::assertStringContainsString(
 'LOAD DATA LOCAL INFILE \'test/test_data/db_test_ldi.csv\' REPLACE INTO TABLE `phpmyadmintest`',
 $sql_query
 );
 //FIELDS TERMINATED
- $this->assertStringContainsString("FIELDS TERMINATED BY ','", $sql_query);
+ self::assertStringContainsString("FIELDS TERMINATED BY ','", $sql_query);
 //LINES TERMINATED
- $this->assertStringContainsString("LINES TERMINATED BY 'newline_mark'", $sql_query);
+ self::assertStringContainsString("LINES TERMINATED BY 'newline_mark'", $sql_query);
 //IGNORE
- $this->assertStringContainsString('IGNORE 1 LINES', $sql_query);
-
- $this->assertTrue($GLOBALS['finished']);
+ self::assertStringContainsString('IGNORE 1 LINES', $sql_query);
+
+ self::assertTrue($GLOBALS['finished']);
 }
 }
After analyzing the provided code diff, I don't find any security vulnerabilities being fixed. The changes appear to be primarily test code improvements, switching from `assertEquals()` to `assertSame()` for more strict comparisons, and some minor formatting changes. Here's the structured response: Vulnerability Existed: no No security vulnerability found in test/classes/Plugins/Import/ImportLdiTest.php The changes are test code improvements and modernization: - Switching from assertEquals() to assertSame() for more strict comparisons - Minor formatting and consistency improvements - No security-related changes were made The diff shows changes to test assertions but doesn't indicate any security fixes or vulnerability patches. The modifications are focused on test quality rather than addressing security issues.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
--- /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_1/phpmyadmin-RELEASE_5_2_1/test/classes/TypesByDatabaseVersionTest.php+++ /root/PatchLeaks-main/products/phpmyadmin_downloads/RELEASE_5_2_2/phpmyadmin-RELEASE_5_2_2/test/classes/TypesByDatabaseVersionTest.php@@ -66,7 +66,7 @@ if ($includes) { foreach ($includes as $value) {- $this->assertContains($value, $result);+ self::assertContains($value, $result); } }@@ -75,7 +75,7 @@ } foreach ($excludes as $value) {- $this->assertNotContains($value, $result);+ self::assertNotContains($value, $result); } }@@ -84,7 +84,7 @@ * * @psalm-return array<string, array{string, int, string, array<string>, array<string>}> */- public function providerFortTestGetFunctionsClass(): array+ public static function providerFortTestGetFunctionsClass(): array { return [ 'mysql 5.1.0 - CHAR - not support INET6 Converter' => [@@ -286,7 +286,7 @@ if ($includes) { foreach ($includes as $value) {- $this->assertContains($value, $result);+ self::assertContains($value, $result); } }@@ -295,7 +295,7 @@ } foreach ($excludes as $value) {- $this->assertNotContains($value, $result);+ self::assertNotContains($value, $result); } }@@ -304,7 +304,7 @@ * * @psalm-return array<string, array{string, int, array<string>, array<string>}> */- public function providerFortTestGetFunctions(): array+ public static function providerFortTestGetFunctions(): array { return [ 'mysql 5.1.0 - not support INET6 Converter' => [@@ -362,7 +362,7 @@ if ($includes) { foreach ($includes as $value) {- $this->assertContains($value, $result);+ self::assertContains($value, $result); } }@@ -371,7 +371,7 @@ } foreach ($excludes as $value) {- $this->assertNotContains($value, $result);+ self::assertNotContains($value, $result); } }@@ -380,7 +380,7 @@ * * @psalm-return array<string, array{string, int, array<string>, array<string>}> */- public function providerFortTestGetAllFunctions(): array+ public static function providerFortTestGetAllFunctions(): array { return [ 'mysql 5.1.0 
- not support INET6_ATON, ST_Geometry' => [@@ -618,7 +618,7 @@ { $this->createObject($database, $dbVersion);- $this->assertEquals($expected, $this->object->getColumns());+ self::assertSame($expected, $this->object->getColumns()); } /**@@ -626,7 +626,7 @@ * * @psalm-return array<string, array{string, int, array<int|string, array<int, string>|string>}> */- public function providerFortTestGetColumns(): array+ public static function providerFortTestGetColumns(): array { return [ 'mysql 5.1.0 - not support INET6, JSON and UUID' => [
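Review bot: The data provider names keep the `providerFortTest…` typo, here in `providerFortTestGetColumns` and in the three providers in the hunks at -84, -304 and -380, even though these signature lines are already being edited to add `static`. Renaming them to `providerForTest…` in the same pass would be cheap, e.g. `public static function providerForTestGetColumns(): array`. The matching `@dataProvider` annotations sit outside the hunks and would need the same rename.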
Analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be primarily test code improvements and style changes. Here's the analysis: 1. Vulnerability Existed: no Test Code Improvement [File] [Lines 66-371] Old Code: $this->assertContains/assertNotContains Fixed Code: self::assertContains/assertNotContains Details: Changed instance method calls to static calls in test assertions 2. Vulnerability Existed: no Test Code Improvement [File] [Lines 84,304,380,626] Old Code: public function providerFortTest... Fixed Code: public static function providerFortTest... Details: Changed test data provider methods to be static 3. Vulnerability Existed: no Test Code Improvement [File] [Line 618] Old Code: $this->assertEquals Fixed Code: self::assertSame Details: Changed assertion method to be more strict (identical comparison) The changes are focused on improving test code quality by: 1. Using static calls for assertions (better performance in PHPUnit) 2. Making data provider methods static (best practice) 3. Using assertSame instead of assertEquals for stricter comparisons 4. Consistent code style No security vulnerabilities were identified in these changes. The modifications are all related to test code quality improvements rather than security fixes.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.