bug #1712570 Deleting last record freezes

ChangeLog

@@ -5,7 +5,14 @@ phpMyAdmin - ChangeLog
 $Id$
 $HeadURL$
 
-2.10.1.0 (not released yet)
+2.10.2.0 (not yet released)
+
++ [data] display all warnings, not only last one
+- typo in fix for bug #1671813
+- bug #1714908 Inserted Row Count is wrong
+- bug #1712570 Deleting last record freezes
+
+2.10.1.0 (2007-04-23)
 =====================
 
 - bug #1541147 [js] '#' in database names not correctly handled by queywindow.js
@@ -33,13 +40,11 @@ $HeadURL$
 - bug #1690718 Can't edit if BLOB and no PK
 - bug #1672636 [export] PDF export too wide 
 + [lang] brazilian-portuguese update, thanks to Airon Luis Pereira  
-
-
-2.10.0.3 (not released yet)
-=====================
-
+- patch #1698964 javascript typo, thanks to Corey Hollaway
+- bug #1703897 [css] undefined index 'js_frame' 
 - bug #1690561 Blobs being cleared on Edit of row
 - bug #1679801 [core] XSS vulnerability in PMA_sanitize(), thanks to sp3x SecurityReason
+- bug #1704467 XSS vulnerability in browse_foreigners.php, thanks to sp3x SecurityReason
 
 2.10.0.2 (2007-03-02)
 =====================

Documentation.html

@@ -11,7 +11,7 @@
     <link rel="icon" href="./favicon.ico" type="image/x-icon" />
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-    <title>phpMyAdmin 2.10.1-rc1 - Documentation</title>
+    <title>phpMyAdmin 2.10.2-dev - Documentation</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 
@@ -33,7 +33,7 @@
     <li><a href="#glossary">Glossary</a></li>
 </ul>
 
-<h1>phpMyAdmin 2.10.1-rc1 Documentation</h1>
+<h1>phpMyAdmin 2.10.2-dev Documentation</h1>
 
 <ul><li><a href="http://www.phpmyadmin.net/">
             phpMyAdmin homepage</a></li>

README

@@ -5,7 +5,7 @@ phpMyAdmin - Readme
 
   A set of PHP-scripts to manage MySQL over the web.
 
-  Version 2.10.1-rc1
+  Version 2.10.2-dev
   ------------------
   http://www.phpmyadmin.net/
 

browse_foreigners.php

@@ -108,7 +108,7 @@ if (isset($disp_row) && is_array($disp_row)) {
             var element_name = field + '[]';
             <?php } ?>
 
-            <?php if ( isset( $fieldkey ) ) { ?>
+            <?php if ( isset( $fieldkey ) && is_numeric($fieldkey) ) { ?>
             var element_name_alt = field + '[<?php echo $fieldkey; ?>]';
             <?php } else { ?>
             var element_name_alt = field + '[0]';

js/functions.js

@@ -988,8 +988,8 @@ function getElement(e,f){
         if(f.document.layers[e]) {
             return f.document.layers[e];
         }
-        for(W=0;i<f.document.layers.length;W++) {
-            return(getElement(e,fdocument.layers[W]));
+        for(W=0;W<f.document.layers.length;W++) {
+            return(getElement(e,f.document.layers[W]));
         }
     }
     if(document.all) {

lang/dutch-iso-8859-1.inc.php

@@ -91,7 +91,7 @@ $strBzip = '"ge-bzipt"';
 
 $strCalendar = 'Kalender';
 $strCannotLogin = 'Kan niet inloggen op de MySQL server';
-$strCantLoad = 'Kan de %s extentie niet laden,<br />Controleer de PHP Configuratie';
+$strCantLoad = 'Kan de [a@http://php.net/%1$s@Documentation][em]%1$s[/em][/a]-extensie niet laden. Controleer de PHP configuratie.';
 $strCantLoadRecodeIconv = 'Kan iconv of recode extensies niet laden die nodig zijn voor de Karakterset conversie, configureer php om deze extensies toe te laten of schakel Karakterset conversie uit in phpMyAdmin';
 $strCantRenameIdxToPrimary = 'Kan index niet naar PRIMARY hernoemen';
 $strCantUseRecodeIconv = 'Kan iconv, libiconv en recode_string functies niet gebruiken zolang de extensies geladen moeten worden. Controleer de php configuratie.';

lang/dutch-iso-8859-15.inc.php

@@ -91,7 +91,7 @@ $strBzip = '"ge-bzipt"';
 
 $strCalendar = 'Kalender';
 $strCannotLogin = 'Kan niet inloggen op de MySQL server';
-$strCantLoad = 'Kan de %s extentie niet laden,<br />Controleer de PHP Configuratie';
+$strCantLoad = 'Kan de [a@http://php.net/%1$s@Documentation][em]%1$s[/em][/a]-extensie niet laden. Controleer de PHP configuratie.';
 $strCantLoadRecodeIconv = 'Kan iconv of recode extensies niet laden die nodig zijn voor de Karakterset conversie, configureer php om deze extensies toe te laten of schakel Karakterset conversie uit in phpMyAdmin';
 $strCantRenameIdxToPrimary = 'Kan index niet naar PRIMARY hernoemen';
 $strCantUseRecodeIconv = 'Kan iconv, libiconv en recode_string functies niet gebruiken zolang de extensies geladen moeten worden. Controleer de php configuratie.';

lang/dutch-utf-8.inc.php

@@ -92,7 +92,7 @@ $strBzip = '"ge-bzipt"';
 
 $strCalendar = 'Kalender';
 $strCannotLogin = 'Kan niet inloggen op de MySQL server';
-$strCantLoad = 'Kan de %s extentie niet laden,<br />Controleer de PHP Configuratie';
+$strCantLoad = 'Kan de [a@http://php.net/%1$s@Documentation][em]%1$s[/em][/a]-extensie niet laden. Controleer de PHP configuratie.';
 $strCantLoadRecodeIconv = 'Kan iconv of recode extensies niet laden die nodig zijn voor de Karakterset conversie, configureer php om deze extensies toe te laten of schakel Karakterset conversie uit in phpMyAdmin';
 $strCantRenameIdxToPrimary = 'Kan index niet naar PRIMARY hernoemen';
 $strCantUseRecodeIconv = 'Kan iconv, libiconv en recode_string functies niet gebruiken zolang de extensies geladen moeten worden. Controleer de php configuratie.';

libraries/Config.class.php

@@ -81,7 +81,7 @@ class PMA_Config
      */
     function checkSystem()
     {
-        $this->set('PMA_VERSION', '2.10.1-rc1');
+        $this->set('PMA_VERSION', '2.10.2-dev');
         /**
          * @deprecated
          */

libraries/PMA_List_Database.class.php

@@ -368,7 +368,7 @@ require_once './libraries/PMA_List.class.php';
 	$return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
         foreach ($this->getGroupedDetails() as $group => $dbs) {
             if (count($dbs) > 1) {
-                $return .= '<li><ul>' . "\n";
+		$return .= '<li>' . $group . '<ul>' . "\n";
                 // wether display db_name cuted by the group part
                 $cut = true;
             } else {
@@ -377,10 +377,10 @@ require_once './libraries/PMA_List.class.php';
             }
             foreach ($dbs as $db) {
 	    	$return .= '<li';
-			if ($db['name'] == $selected) {
-			    $return .= ' class="selected"';
-			}
-		$return .= '><a title="' . $db['comment'] . ' "href="index.php?' . PMA_generate_common_url($db['name']) . '" target="_parent">';
+		if ($db['name'] == $selected) {
+		    $return .= ' class="selected"';
+		}
+                $return .= '><a' . (! empty($db['comment']) ? ' title="' . $db['comment'] . '"' : '') . ' href="index.php?' . PMA_generate_common_url($db['name']) . '" target="_parent">';
                 $return .= ($cut ? $db['disp_name_cut'] : $db['disp_name'])
 			.' (' . $db['num_tables'] . ')';
 		$return .= '</a></li>' . "\n";

libraries/common.lib.php

@@ -290,7 +290,7 @@ function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
             }
         }
     }
-    $recursive_counter++;
+    $recursive_counter--;
 }
 
 /**
@@ -2610,6 +2610,14 @@ if (get_magic_quotes_gpc()) {
     PMA_arrayWalkRecursive($_REQUEST, 'stripslashes', true);
 }
 
+/**
+ * In some cases, this one is not set
+ *
+ */
+if (! isset($_REQUEST['js_frame']) || ! is_string($_REQUEST['js_frame'])) {
+    $_REQUEST['js_frame'] = '';
+}
+
 /**
  * clean cookies on new install or upgrade
  * when changing something with increment the cookie version

libraries/database_interface.lib.php

@@ -1166,6 +1166,30 @@ function PMA_DBI_getCompatibilities()
     return $compats;
 }
 
+/**
+ * returns warnings for last query
+ * 
+ * @uses    $GLOBALS['userlink']
+ * @uses    PMA_DBI_fetch_result()
+ * @param   resource mysql link  $link   mysql link resource
+ * @return  array   warnings
+ */
+function PMA_DBI_get_warnings($link = null)
+{
+    if (PMA_MYSQL_INT_VERSION < 40100) {
+    	return array();
+    }
+    
+    if (empty($link)) {
+        if (isset($GLOBALS['userlink'])) {
+            $link = $GLOBALS['userlink'];
+        } else {
+            return array();
+        }
+    }
+    
+    return PMA_DBI_fetch_result('SHOW WARNINGS', null, null, $link);
+}
 
 /**
  * returns true (int > 0) if current user is superuser

libraries/dbi/mysqli.dbi.lib.php

@@ -178,22 +178,7 @@ function PMA_DBI_try_query($query, $link = null, $options = 0)
     if (defined('PMA_MYSQL_INT_VERSION') && PMA_MYSQL_INT_VERSION < 40100) {
         $query = PMA_convert_charset($query);
     }
-    $result = mysqli_query($link, $query, $method);
-
-    if (mysqli_warning_count($link)) {
-        /**
-         * @todo check $method ?
-         */
-        $warning_result = mysqli_query($link, 'SHOW WARNINGS');
-        if ($warning_result) {
-            $warning_row = mysqli_fetch_row($warning_result);
-            $GLOBALS['warning'] = sprintf("%s (%d): %s", $warning_row[0], $warning_row[1], $warning_row[2]);
-        }
-    } else {
-        unset($GLOBALS['warning']);
-    }
-
-    return $result;
+    return mysqli_query($link, $query, $method);
 
     // From the PHP manual:
     // "note: returns true on success or false on failure. For SELECT,

libraries/sanitizing.lib.php

@@ -1,5 +1,5 @@
 <?php
-/* vim: expandtab sw=4 ts=4 sts=4: */
+/* vim: set expandtab sw=4 ts=4 sts=4: */
 /**
  *
  * @version $Id$
@@ -9,7 +9,6 @@
  * Sanitizes $message, taking into account our special codes
  * for formatting
  *
- * @uses    PMA_sanitizeUri()
  * @uses    preg_replace()
  * @uses    strtr()
  * @param   string   the message
@@ -39,32 +38,33 @@ function PMA_sanitize($message)
         '[/kbd]'    => '</kbd>',
         '[br]'      => '<br />',
         '[/a]'      => '</a>',
+        '[sup]'      => '<sup>',
+        '[/sup]'      => '</sup>',
     );
-    $sanitized_message = strtr($message, $replace_pairs);
-    $sanitized_message = preg_replace(
-        '/\[a@([^"@]*)@([^]"]*)\]/e',
-        '\'<a href="\' . PMA_sanitizeUri(\'$1\') . \'" target="\2">\'',
-        $sanitized_message);
+    $message = strtr($message, $replace_pairs);
 
-    return $sanitized_message;
-}
+    $pattern = '/\[a@([^"@]*)@([^]"]*)\]/';
 
-/**
- * removes javascript
- *
- * @uses    trim()
- * @uses    strtolower()
- * @uses    substr()
- * @param   string  uri
- */
-function PMA_sanitizeUri($uri)
-{
-    $uri = trim($uri);
+    if (preg_match_all($pattern, $message, $founds, PREG_SET_ORDER)) {
+        $valid_links = array(
+            'http',  // default http:// links (and https://)
+            './Do',  // ./Documentation
+        );
 
-    if (strtolower(substr($uri, 0, 10)) === 'javascript') {
-        return '';
+        foreach ($founds as $found) {
+            // only http... and ./Do... allowed
+            if (! in_array(substr($found[1], 0, 4), $valid_links)) {
+                return $message;
+            }
+            // a-z and _ allowed in target
+            if (! empty($found[2]) && preg_match('/[^a-z_]+/i', $found[2])) {
+                return $message;
+            }
+        }
+
+        $message = preg_replace($pattern, '<a href="\1" target="\2">', $message);
     }
 
-    return $uri;
+    return $message;
 }
 ?>

sql.php

@@ -654,6 +654,10 @@ if ($num_rows < 1 || $is_affected) {
         $active_page = $goto;
         require './' . $goto;
     } else {
+        // avoid a redirect loop when last record was deleted
+        if ('sql.php' == $cfg['DefaultTabTable']) {
+            $goto = str_replace('sql.php','tbl_structure.php',$goto);
+        }
         PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . str_replace('&amp;', '&', $goto) . '&message=' . urlencode($message));
     } // end else
     exit();

tbl_replace.php

@@ -225,7 +225,10 @@ foreach ($loop_array as $primary_key) {
             // no need to add column into the valuelist
             if (strlen($cur_value)) {
                 $query_values[] = $cur_value;
-                $query_fields[] = PMA_backquote($key);
+                // first inserted row so prepare the list of fields
+                if (empty($value_sets)) {
+                    $query_fields[] = PMA_backquote($key);
+                }
             }
 
         //  u p d a t e
@@ -306,9 +309,7 @@ foreach ($query as $single_query) {
     } else {
         $result = PMA_DBI_query($single_query);
     }
-    if (isset($GLOBALS['warning'])) {
-        $warning_message .= $GLOBALS['warning'] . '[br]';
-    }
+    
     if (! $result) {
         $message .= PMA_DBI_getError();
     } else {
@@ -328,6 +329,12 @@ foreach ($query as $single_query) {
         }
         PMA_DBI_free_result($result);
     } // end if
+
+    foreach (PMA_DBI_get_warnings() as $warning) {
+        $warning_message .= $warning['Level'] . ': #' . $warning['Code'] 
+            . ' ' . $warning['Message'] . '[br]';
+    }
+    
     unset($result);
 }
 unset($single_query, $query);

translators.html

@@ -8,7 +8,7 @@
     <link rel="icon" href="./favicon.ico" type="image/x-icon" />
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-    <title>phpMyAdmin 2.10.1-rc1 - Official translators</title>
+    <title>phpMyAdmin 2.10.2-dev - Official translators</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 
@@ -31,7 +31,7 @@
     <li><a href="Documentation.html#glossary">Glossary</a></li>
 </ul>
 
-<h1>phpMyAdmin 2.10.1-rc1 official translators list</h1>
+<h1>phpMyAdmin 2.10.2-dev official translators list</h1>
 
 <p> Here is the list of the &quot;official translators&quot; of
     phpMyAdmin.</p>