Merge branch 'QA_5_2'

Signed-off-by: Maurício Meneghini Fauth <[email protected]>

Author: MauricioFauth

ChangeLog

@@ -18,7 +18,16 @@ phpMyAdmin - ChangeLog
 - issue #17480 Added an option in the SQL box to "Format as a single line"
 - issue        Add support for `INSERT IGNORE` into for non table imports
 
-5.2.2 (not yet released)
+5.2.3 (not yet released)
+- issue #19548 Fix missing tooltip in status monitor log table
+
+5.2.2 (2025-01-21)
+- issue        [security] Fix for a path disclosure leak in the Monitoring tab
+- issue        Prevent the user from deleting system databases
+- issue        [security] Fix an XSS vulnerability when checking tables (PMASA-2025-1)
+- issue        [security] Fix an XSS vulnerability on the Insert tab (PMASA-2025-2)
+- issue        [security] Fix a possible glibc/iconv vulnerability (CVE-2024-2961, assigned PMASA-2025-3 but please note that phpMyAdmin is not vulnerable by default)
+- issue        Fix for sql-parser relating to quadratic complexity in certain queries, which could have caused long execution times.
 - issue #17851 Fix total count of rows in not accurate
 - issue #17766 Allow to open in a new tab copy and edit row actions
 - issue #17599 Fix error when handling an user that is not in privileges table

phpstan-baseline.neon

@@ -3234,24 +3234,6 @@ parameters:
 			count: 1
 			path: src/Controllers/Server/Databases/DestroyController.php
 
-		-
-			message: '#^Parameter \#1 \$db of method PhpMyAdmin\\ConfigStorage\\RelationCleanup\:\:database\(\) expects string, mixed given\.$#'
-			identifier: argument.type
-			count: 1
-			path: src/Controllers/Server/Databases/DestroyController.php
-
-		-
-			message: '#^Parameter \#1 \$db of method PhpMyAdmin\\Transformations\:\:clear\(\) expects string, mixed given\.$#'
-			identifier: argument.type
-			count: 1
-			path: src/Controllers/Server/Databases/DestroyController.php
-
-		-
-			message: '#^Parameter \#1 \$identifier of static method PhpMyAdmin\\Util\:\:backquote\(\) expects string\|Stringable\|null, mixed given\.$#'
-			identifier: argument.type
-			count: 1
-			path: src/Controllers/Server/Databases/DestroyController.php
-
 		-
 			message: '''
 				#^Call to deprecated method getInstance\(\) of class PhpMyAdmin\\Config\:
@@ -6975,6 +6957,12 @@ parameters:
 			count: 2
 			path: src/Encoding.php
 
+		-
+			message: '#^Right side of && is always true\.$#'
+			identifier: booleanAnd.rightAlwaysTrue
+			count: 1
+			path: src/Encoding.php
+
 		-
 			message: '#^Static property PhpMyAdmin\\Encoding\:\:\$engine \(int\|null\) does not accept mixed\.$#'
 			identifier: assign.propertyType
@@ -19152,7 +19140,7 @@ parameters:
 				Use dependency injection instead\.$#
 			'''
 			identifier: staticMethod.deprecated
-			count: 2
+			count: 3
 			path: tests/unit/EncodingTest.php
 
 		-

psalm-baseline.xml

@@ -1897,11 +1897,8 @@
     <DeprecatedMethod>
       <code><![CDATA[Config::getInstance()]]></code>
     </DeprecatedMethod>
-    <MixedArgument>
-      <code><![CDATA[$database]]></code>
-    </MixedArgument>
     <MixedAssignment>
-      <code><![CDATA[$database]]></code>
+      <code><![CDATA[$selectedDbs]]></code>
     </MixedAssignment>
     <PossiblyUnusedReturnValue>
       <code><![CDATA[Response]]></code>
@@ -4410,6 +4407,11 @@
     <PossiblyUnusedMethod>
       <code><![CDATA[setKanjiEncodings]]></code>
     </PossiblyUnusedMethod>
+    <RedundantConditionGivenDocblockType>
+      <code><![CDATA[is_string($config->settings['IconvExtraParams'])]]></code>
+      <code><![CDATA[isset($config->settings['IconvExtraParams'])
+            && is_string($config->settings['IconvExtraParams'])]]></code>
+    </RedundantConditionGivenDocblockType>
   </file>
   <file src="src/Engines/Innodb.php">
     <DeprecatedMethod>
@@ -11469,6 +11471,7 @@
     <DeprecatedMethod>
       <code><![CDATA[Config::getInstance()]]></code>
       <code><![CDATA[Config::getInstance()]]></code>
+      <code><![CDATA[Config::getInstance()]]></code>
     </DeprecatedMethod>
   </file>
   <file src="tests/unit/Engines/PbxtTest.php">

resources/js/src/server/status/monitor.ts

@@ -2142,15 +2142,16 @@ AJAX.registerOnload('server/status/monitor.js', function () {
             '</span></th><th class="text-end">' + data.sum.TOTAL + '</th></tr></tfoot>');
 
         // Append a tooltip to the count column, if there exist one
-        if ($('#logTable').find('tr').first().find('th').last().text().indexOf('#') > -1) {
-            $('#logTable').find('tr').first().find('th').last().append('&nbsp;' + getImageTag('b_help', '', { 'class': 'qroupedQueryInfoIcon' }));
+        const amountColumn = $('#logTable').find('tr').first().find('th').last();
+        if (amountColumn.text().indexOf('#') > -1) {
+            amountColumn.append('&nbsp;' + getImageTag('b_help'));
 
-            var tooltipContent = window.Messages.strCountColumnExplanation;
+            let tooltipContent = window.Messages.strCountColumnExplanation;
             if (groupInserts) {
-                tooltipContent += '<p>' + window.Messages.strMoreCountColumnExplanation + '</p>';
+                tooltipContent += '<br>' + window.Messages.strMoreCountColumnExplanation;
             }
 
-            tooltip($('img.qroupedQueryInfoIcon'), 'img', tooltipContent);
+            tooltip(amountColumn, 'th', tooltipContent);
         }
 
         $('#logTable').find('table').tablesorter({

src/Controllers/Export/ExportController.php

@@ -225,7 +225,8 @@ public function __invoke(ServerRequest $request): Response
         // Do we need to convert charset?
         Export::$outputCharsetConversion = Export::$asFile
             && Encoding::isSupported()
-            && isset(Current::$charset) && Current::$charset !== 'utf-8';
+            && isset(Current::$charset) && Current::$charset !== 'utf-8'
+            && in_array(Current::$charset, Encoding::listEncodings(), true);
 
         // Use on the fly compression?
         Export::$onFlyCompression = $config->settings['CompressOnFly'] && Export::$compression === 'gzip';

src/Controllers/Import/ImportController.php

@@ -33,6 +33,7 @@
 
 use function __;
 use function _ngettext;
+use function in_array;
 use function ini_get;
 use function ini_parse_quantity;
 use function ini_set;
@@ -444,6 +445,7 @@ public function __invoke(ServerRequest $request): Response
         if (
             Encoding::isSupported()
             && ImportSettings::$charsetOfFile !== '' && ImportSettings::$charsetOfFile !== 'utf-8'
+            && in_array(ImportSettings::$charsetOfFile, Encoding::listEncodings(), true)
         ) {
             ImportSettings::$charsetConversion = true;
         } elseif (ImportSettings::$charsetOfFile !== '' && ImportSettings::$charsetOfFile !== 'utf-8') {

src/Controllers/Server/Databases/DestroyController.php

@@ -11,15 +11,18 @@
 use PhpMyAdmin\Http\Response;
 use PhpMyAdmin\Http\ServerRequest;
 use PhpMyAdmin\Message;
+use PhpMyAdmin\Query\Utilities;
 use PhpMyAdmin\ResponseRenderer;
 use PhpMyAdmin\Transformations;
 use PhpMyAdmin\UserPrivilegesFactory;
 use PhpMyAdmin\Util;
 
 use function __;
 use function _ngettext;
+use function array_filter;
 use function count;
 use function is_array;
+use function is_string;
 
 final class DestroyController implements InvocableController
 {
@@ -36,11 +39,10 @@ public function __invoke(ServerRequest $request): Response
     {
         $userPrivileges = $this->userPrivilegesFactory->getPrivileges();
 
-        $selectedDbs = $request->getParsedBodyParam('selected_dbs');
-
+        $config = Config::getInstance();
         if (
             ! $request->isAjax()
-            || (! $this->dbi->isSuperUser() && ! Config::getInstance()->settings['AllowUserDropDatabase'])
+            || (! $this->dbi->isSuperUser() && ! $config->settings['AllowUserDropDatabase'])
         ) {
             $message = Message::error();
             $json = ['message' => $message];
@@ -50,10 +52,15 @@ public function __invoke(ServerRequest $request): Response
             return $this->response->response();
         }
 
-        if (
-            ! is_array($selectedDbs)
-            || $selectedDbs === []
-        ) {
+        $selectedDbs = $request->getParsedBodyParam('selected_dbs');
+        $selectedDbs = is_array($selectedDbs) ? $selectedDbs : [];
+        $selectedDbs = array_filter($selectedDbs, static function ($database) use ($config): bool {
+            return is_string($database)
+                && ! Utilities::isSystemSchema($database, true)
+                && $database !== ($config->selectedServer['pmadb'] ?? '');
+        });
+
+        if ($selectedDbs === []) {
             $message = Message::error(__('No databases selected.'));
             $json = ['message' => $message];
             $this->response->setRequestStatus($message->isSuccess());

src/Encoding.php

@@ -4,6 +4,7 @@
 
 namespace PhpMyAdmin;
 
+use function array_filter;
 use function array_intersect;
 use function array_map;
 use function explode;
@@ -14,11 +15,16 @@
 use function function_exists;
 use function fwrite;
 use function iconv;
+use function is_string;
 use function mb_convert_encoding;
 use function mb_convert_kana;
 use function mb_detect_encoding;
 use function mb_list_encodings;
+use function preg_replace;
+use function str_contains;
+use function str_starts_with;
 use function strtolower;
+use function strtoupper;
 use function tempnam;
 use function unlink;
 
@@ -156,11 +162,18 @@ public static function convertString(
             self::initEngine();
         }
 
+        $config = Config::getInstance();
+        $iconvExtraParams = '';
+        if (
+            isset($config->settings['IconvExtraParams'])
+            && is_string($config->settings['IconvExtraParams'])
+            && str_starts_with($config->settings['IconvExtraParams'], '//')
+        ) {
+            $iconvExtraParams = $config->settings['IconvExtraParams'];
+        }
+
         return match (self::$engine) {
-            self::ENGINE_ICONV => iconv(
-                $srcCharset,
-                $destCharset . (Config::getInstance()->settings['IconvExtraParams'] ?? ''), $what,
-            ),
+            self::ENGINE_ICONV => iconv($srcCharset, $destCharset . $iconvExtraParams, $what),
             self::ENGINE_MB => mb_convert_encoding($what, $destCharset, $srcCharset),
             default => $what,
         };
@@ -310,7 +323,14 @@ public static function listEncodings(): array
         /* Most engines do not support listing */
         $config = Config::getInstance();
         if (self::$engine != self::ENGINE_MB) {
-            return $config->settings['AvailableCharsets'];
+            return array_filter($config->settings['AvailableCharsets'], static function (string $charset): bool {
+                // Removes any ignored character
+                $normalizedCharset = strtoupper((string) preg_replace(['/[^A-Za-z0-9\-\/]/'], '', $charset));
+
+                // The character set ISO-2022-CN-EXT can be vulnerable (CVE-2024-2961).
+                return ! str_contains($normalizedCharset, 'ISO-2022-CN-EXT')
+                    && ! str_contains($normalizedCharset, 'ISO2022CNEXT');
+            });
         }
 
         return array_intersect(

src/Error/ErrorHandler.php

@@ -236,8 +236,13 @@ public function handleError(
     public function handleException(Throwable $exception): void
     {
         $this->hideLocation = Config::getInstance()->get('environment') !== 'development';
+        $message = $exception::class;
+        if (! ($exception instanceof \Error) || ! $this->hideLocation) {
+            $message .= ': ' . $exception->getMessage();
+        }
+
         $this->addError(
-            $exception::class . ': ' . $exception->getMessage(),
+            $message,
             (int) $exception->getCode(),
             $exception->getFile(),
             $exception->getLine(),

src/InsertEdit.php

@@ -782,7 +782,7 @@ private function getSpecialCharsForInsertingMode(
             $specialChars = bin2hex($defaultValue);
         } elseif (str_ends_with($trueType, 'text')) {
             $textDefault = substr($defaultValue, 1, -1);
-            $specialChars = stripcslashes($textDefault !== '' ? $textDefault : $defaultValue);
+            $specialChars = htmlspecialchars(stripcslashes($textDefault !== '' ? $textDefault : $defaultValue));
         } else {
             $specialChars = htmlspecialchars($defaultValue);
         }

src/Table/Maintenance.php

@@ -13,6 +13,7 @@
 use PhpMyAdmin\Util;
 
 use function __;
+use function htmlspecialchars;
 use function implode;
 use function sprintf;
 
@@ -113,7 +114,7 @@ public function getIndexesProblems(DatabaseName $db, array $tables): string
                 continue;
             }
 
-            $indexesProblems .= sprintf(__('Problems with indexes of table `%s`'), $table->getName());
+            $indexesProblems .= htmlspecialchars(sprintf(__('Problems with indexes of table `%s`'), $table->getName()));
             $indexesProblems .= $check;
         }
 

tests/unit/EncodingTest.php

@@ -197,4 +197,23 @@ public function testListEncodings(): void
         $result = Encoding::listEncodings();
         self::assertContains('utf-8', $result);
     }
+
+    public function testListEncodingsForIso2022CnExt(): void
+    {
+        Encoding::setEngine(Encoding::ENGINE_ICONV);
+        Config::getInstance()->settings['AvailableCharsets'] = [
+            'utf-8',
+            'ISO-2022-CN',
+            'ISO2022CN',
+            'ISO-2022-CN-EXT',
+            'ISO2022CNEXT',
+            ' iso-2022-cn-ext ',
+            'ISO-2022-CN-EXT//TRANSLIT',
+            ' I S O - 2 0 2 2 - C N - E X T ',
+            ' I S O 2 0 2 2 C N E X T ',
+            'IS%O-20(22-CN-E$XT',
+        ];
+
+        self::assertSame(['utf-8', 'ISO-2022-CN', 'ISO2022CN'], Encoding::listEncodings());
+    }
 }

tests/unit/InsertEditTest.php

@@ -1248,13 +1248,18 @@ public static function providerForTestGetSpecialCharsForInsertingMode(): array
             'any text with escape text default' => [
                 '"lorem\"ipsem"',
                 'text',
-                'lorem"ipsem',
+                'lorem"ipsem',
             ],
             'varchar with html special chars' => [
                 'hello world<br><b>lorem</b> ipsem',
                 'varchar',
                 'hello world&lt;br&gt;&lt;b&gt;lorem&lt;/b&gt; ipsem',
             ],
+            'text with html special chars' => [
+                '\'</textarea><script>alert(1)</script>\'',
+                'text',
+                '&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;',
+            ],
         ];
     }