- bug #3563824 [export] Support Apache's mod_deflate
- bug #3585523 [interface] Inline query editing broken after row update
- bug #3586389 [setup] Cannot switch language in /setup
- bug #3585695 [CSS] Font size in inline query editor is way too big
- bug #3588354 [l10n] Portuguese Language not displaying correctly
- bug #3591412 [status] Live charts don't work for non-default server
- bug [core] Proxy ajax calls to pma.net to avoid browser notices
- bug #3593534 [tracking] Structure Snapshot on tracked view renders
invalid SQL
- bug #3544366 [events] Event comments not saved
Approved by Thomas Klausner.
- bug #3570212 [edit] uuid_short() is a no-arguments function
- bug #3569577 [edit] Add routine parameter headers not valid for "function"
- bug #3575799 [search] Various search operators not working as expected
- bug #3576322 [search] Invalid select query generated for tables with
ENUM fields
- bug #3577468 [display] Incorrect imagejpeg Syntax Breaks Image Transformation
- bug #3578776 [search] Editing SQL not possible when no records found
- bug #3571970 [interface] Display chart and number of rows to plot
- bug #3582631 [core] Wrong redirect url caused cookies error with ForceSSL
- bug #3539044 [interface] Browse mode "Show" button gives blank page if no
results anymore
- bug #3534979 [interface] Copy Database Ajax feedback vanishes long before
copying is done
- bug #3527531 [interface] GC-maxlifetime warning incorrectly displayed
- bug #3526916 [interface] Search fails with JS error when tooltips disabled
- bug #3544366 [interface] Event comments not saved
- bug #3549084 [edit] Can't enter date directly when editing inline
- bug #3548491 [interface] Inline query editor doesn't work from search results
- bug #3547825 [edit] BLOB download no longer works
- bug #3541966 [config] Error in generated configuration arrray
- bug #3553551 [GUI] Invalid HTML code in multi submits confirmation form
- [interface] Designer sometimes places tables on the top menu
- bug #3546277 [core] Call to undefined function __() when config file has
wrong permissions
- bug #3540922 [edit] Error searching table with many fields
- bug #3555104 [edit] Cannot copy a DB with table & views
- bug #3559925 [privileges] Incorrect updating of the list of users
- bug #3561224 [edit] cell edit date field with empty date fills in current
date
- bug #3559955 [edit] current_date from function drop down fails on update
- bug #3562472 add support for Solaris and FreeBSD system load and memory
display in server status
- bug #3553068 [import] Table import from XML file fails
- replace Highcharts with jqplot for Display chart
- bug #3567684 [edit] Pasting value doesn't clear null checkbox
- bug #3570786 [edit] Datepicker for date and datetime fields is broken
- The setup scripts *must* not get write access to the real "config.inc.php".
Allow then instead to generate a file in "/var/phpmyadmin" which the
administrator copies it place manually. This is the intended procedure
as documented by the developers.
- Restore the normal "config.inc.php" to its original location. Not sure
why I didn't encounter any problems during testing the last change
because phpMyAdmin isn't working very well without this.
While here change dependences to require both the "php-mysql" and the
"php-mysqli" packages. Old installations will use the former, new
installation will use the later.
Bump the package revision again because of these changes.
1.) Install PHP script in the "setup" directory.
2.) Use Vendor override to set the location of the configuration file.
It is now possible to use phpMyAdmin's setup for configuration.
Based on a suggestion by Peter Avalos in private e-mail.
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [unterface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
- browse-mode improvements
- grid editing
- remember recent tables
- remember last sort order by table
- flexible column width
- reorder columns
- more compact navigation bar
- AJAXification of many operations
- reorganised server status page, with server monitoring
- improved support for stored routines, events and triggers
- openGIS support
- zoom-search in table search
- Drizzle support
- improved ENUM/SET editor
- bug #3486970 [import] Exception on XML import
- bug #3488777 [navi] $cfg['ShowTooltipAliasTB'] and blank names in
navigation
- bug #3512565 [navi] Fixed missing word "Rows" in table list tooltip
after cli
- [security] Fixed local path disclosure vulnerability, see PMASA-2012-2
- bug #3460090 [interface] TextareaAutoSelect feature broken
- patch #3375984 [export] PHP Array export might generate invalid php code
- bug #3049209 [import] Import from ODS ignores cell that is the same as
cell before
- bug #3463933 [display] SELECT DISTINCT displays wrong total records found
- patch #3458944 [operations] copy table data missing
SET SQL_MODE='NO_AUTO_VALUE_ON_ZERO'
- bug #3469254 [edit] Setting data to NULL and drop-downs
- bug #3477063 [edit] Missing set fields and values in generated INSERT query
- bug #3460867 [libraries] license issue with TCPDF (updated to 5.9.145)
- bug #3442028 [edit] Inline editing enum fields with null shows
no dropdown
- bug #3442004 [interface] DB suggestion not correct for user with
underscore
- bug #3438420 [core] Magic quotes removed in PHP 5.4
- bug #3398788 [session] No feedback when result is empty
(signon auth_type)
- bug #3384035 [display] Problems regarding ShowTooltipAliasTB
- bug #3306875 [edit] Can't rename a database that contains views
- bug #3452506 [edit] Unable to move tables with triggers
- bug #3449659 [navi] Fast filter broken with table tree
- bug #3448485 [GUI] Firefox favicon frameset regression
- [core] Better compatibility with mysql extension
- [security] Self-XSS on export options (export server/database/table),
see PMASA-2011-20
- [security] Self-XSS in setup (host parameter), see PMASA-2011-19
- bug #3425230 [interface] enum data split at space char (more space to edit)
- bug #3426840 [interface] ENUM/SET editor can't handle commas in values
- bug #3427256 [interface] no links to browse/empty views and tables
- bug #3430377 [interface] Deleted search results remain visible
- bug #3428627 [import] ODS import ignores memory limits
- bug #3426836 [interface] Visual column separation
- bug #3428065 [parser] TRUE not recognized by parser
+ patch #3433770 [config] Make location of php-gettext configurable
- patch #3430291 [import] Handle conflicts in some open_basedir situations
- bug #3431427 [display] Dropdown results - setting NULL does not work
- patch #3428764 [edit] Inline edit on multi-server configuration
- patch #3437354 [core] Notice: Array to string conversion in PHP 5.4
- [interface] When ShowTooltipAliasTB is true, VIEW is wrongly shown as the
view name in main panel db Structure page
- bug #3439292 [core] Fail to synchronize column with name of keyword
- bug #3425156 [interface] Add column after drop
- [interface] Avoid showing the password in phpinfo()'s output
- bug #3441572 [GUI] 'newer version of phpMyAdmin' message not shown in IE8
- bug #3407235 [interface] Entering the key through a lookup window does not reset NULL
- [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
- [security] Self-XSS on column type (Create index), see PMASA-2011-18
- [security] Self-XSS on column type (table Search), see PMASA-2011-18
- [security] Self-XSS on invalid query (table overview), see PMASA-2011-18
- bug #3418610 [interface] Links in navigation when
$cfg['MainPageIconic'] = false
- bug #3418849 [interface] Inline edit shows dropdowns even after closing
- bug [view] View renaming did not work
- bug [navi] Wrong icon for view (MySQL 5.5)
- bug #3420229 [doc] Missing documentation section
- bug #3423725 [pdf] Broken PDF file when exporting database to PDF
- [core] Allow to set language in URL
- bug #3425184 [doc] Fix links to PHP documentation
- bug #3426031 [export] Export to bzip2 is not working
Welcome to phpMyAdmin 3.4.6, a bugfix and minor security release.
Please refer to the upcoming PMASA-2011-15 and -16 announcements on
http://www.phpmyadmin.net/home_page/security/.
- bug #3375325 [interface] Page list in navigation frame looks odd
- bug #3313235 [interface] Error div misplaced
- bug #3374802 [interface] Comment on a column breaks inline editing
- patch #3383711 [display] Order by a column in a view doesn't work in
some cases
- bug #3386434 [interface] Add missing space to server status
- [core] Remove library PHPExcel, due to license issues
- [export] Remove native Excel export modules (xls and xlsx formats)
- [import] Remove native Excel import modules (xls and xlsx formats)
- bug #3392920 [edit] BLOB emptied after editing another column
- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14
- [security] Fixed XSS with db/table/column names, see PMASA-2011-14
- bug #3323060 [parser] SQL parser breaks AJAX requests if query has
unclosed quotes
- bug #3323101 [parser] Invalid escape sequence in SQL parser
- bug #3348995 [config] $cfg['Export']['asfile'] set to false does not
select asText option
- bug #3340151 [export] Working SQL query exports error page
- bug #3353649 [interface] "Create an index on X columns" form not validated
- bug #3350790 [interface] JS error in Table->Structure->Index->Edit
- bug #3353811 [interface] Info message has "error" class
- bug #3357837 [interface] TABbing through a NULL field in the inline mode
resets NULL
- remove version number in /setup
- bug #3367993 [usability] Missing "Generate Password" button
- bug #3363221 [display] Missing Server Parameter on inline sql query
- bug #3367986 [navi] Drop field -> lost active table
- remove misleading comment on the "Rename database" interface
- bug #3374374 [interface] Fix footnote for inexact count while browsing
- bug #3372807 [interface] Fix security warning link in setup
- bug #3374347 [display] Backquotes in normal text on import page
- bug #3358750 [core] With Suhosin, urls are too long in edit links
- [security] Missing sanitization on the table, column and index names leads
to XSS vulnerabilities, see PMASA-2011-13
This is major feature update which requires at least PHP 5.2.0 and
MySQL 5.0. It features a new user interface and uses MySQL for
authentication and access control.
The update was necessary as "phpmyadmin" 2.11 is no longer supported:
http://sourceforge.net/news/?group_id=23067&id=301992
Changes since version 2.11.10:
- [setup] Fixed output sanitizing in setup script, see PMASA-2010-4 for
more details.
- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
Changes since version 2.11.9.6:
- [core] safer handling of temporary files with open_basedir
(thanks to Thijs Kinkhorst)
- [core] do not automatically set and create TempDir, it might lead to
security issue (thanks to Thijs Kinkhorst)
- [setup] avoid usage of (un)serialize, what might be unsafe in some cases
This fixes the security vulnerabilities reported in PMASA-2010-1,
PMASA-2010-2 and PMASA-2010-3.
- bug #2031221 [auth] Links to version number on login screen
- bug #2032707 [core] PMA does not start if ini_set() is disabled
- bug #2004915 [bookmarks] Saved queries greater than 1000 chars
not displayed
- bug #2037381 [export] Export type "replace" does not work
- bug #2037375 [export] DROP PROCEDURE needs IF EXISTS
- bug #2045512 [export] Numbers in Excel export
+ [lang] Norwegian UTF-8 original file remerged
- bug #2074250 [parser] Undefined variable seen_from
- [security] Code execution vulnerability
This update fixes the security vulnerability reported in PMASA-2008-7.
- patch #1987593 [interface] Table list pagination in navi
- bug #1989081 [profiling] Profiling causes query to be executed again
(really causes a problem in case of INSERT/UPDATE)
- bug #1990342 [import] SQL file import very slow on Windows
- bug [XHTML] problem with tabindex and radio fields
- bug #1971221 [interface] tabindex not set correctly
- bug [views] VIEW name created via the GUI was not protected
with backquotes
- bug #1989813 [interface] Deleting multiple views (space in name)
- bug #1992628 [parser] SQL parser removes essential space
- bug #1989281 [export] CSV for MS Excel incorrect escaping of
double quotes
- bug #1959855 [interface] Font size option problem when no
config file
- bug #1982489 [relation] Relationship view should check for changes
- bug [history] Do not save too big queries in history
- [security] Do not show version info on login screen
- bug #2018595 [import] Potential data loss on import resubmit
- patch #2020630 [export] Safari and timedate
- bug #2022182 [import, export] Import/Export fails because of
Mac files
- [security] protection against cross-frame scripting and
new directive AllowThirdPartyFraming
- [security] possible XSS during setup
- [interface] revert language changing problem introduced
with 2.11.7.1
- small fix for notice about "lang"
This update fixes the security vulnerability reported in PMASA-2008-6.
- bug #1908719 [interface] New field cannot be auto-increment and
primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
update/delete issues
- protection against XSS when register_globals is on and .htaccess
has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
detect Gecko 1.9, thanks to Juergen Wind
- (2.11.7.1) [security] XSRF/CSRF by manipulating the db,
convcharset and collation_connection parameters,
thanks to YGN Ethical Hacker Group
This update fixes the security vulnerability reported in PMASA-2008-5.
- bug #1908719 [interface] New field cannot be auto-increment and
primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
update/delete issues
- protection against XSS when register_globals is on and .htaccess
has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
detect Gecko 1.9, thanks to Juergen Wind
- bug #1903724 [interface] Displaying of very large queries
in error message
- bug #1905711 [compatibility] Functions deprecated in PHP 5.3:
is_a() and get_magic_quotes_gpc()
- bug [lang] catalan wrong accented characters
- bug #1893034 [Export] SET NAMES for importing with command-line
client
+ [lang] Russian update
- bug #1910485 [core] Unsetting the whitelist during the loop
- bug #1906980 [Export] Import of VIEWs fails if temp table exists
- bug #1812763 [Copy] Table copy when server is in ANSI_QUOTES
sql_mode
- bug #1918531 [compatibility] Navigation isn't w3.org valid
- bug #1926357 [data] BIT defaults displayed incorrectly
- patch #1930057 [auth] colon in password prevents HTTP login
on CGI/IIS
- patch #1929553 [lang] Don't output BOM character in Swedish
language file
- patch #1895796 [lang] Typo in Japanese lang files
- bug #1935652 [auth] Access denied (show warning about mcrypt
on login page)
- bug #1906983 [export] Reimport of FUNCTION fails
- bug #1919808 [operations] Renaming a database fails to handle
functions
- bug #1934401 [core] Cannot force a language
- bug #1944077 [core] Config file containing a BOM
- bug #1947189 [scripts] Missing head tag in scripts/signon.php
+ [lang] Romanian update
The new version fixes several bugs including the cross site scripting
vulnerability reported in PMASA-2007-8 and the SQL inject vulnerability
report in PMASA-2008-1.