New upstream version 4.6.6

Author: nijel

ChangeLog

@@ -1,6 +1,53 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.6.6 (2017-01-23)
+- issue #12759 Fix Notice regarding 'Undefined index: old_usergroup'
+- issue #12760 Fix Notice regarding 'Undefined index: users'
+- issue #12762 Fixed parsing of SQL with BINARY function
+- issue #12588 ReCaptcha now works without allow_url_fopen
+- issue #12699 Show no local storage warning only on settings tab
+- issue #12778 Syntax Error in Adding/Changing TIMESTAMP columns with default value as NULL
+- issue #12769 Edit/Export links are not clickable under Routines tab
+- issue #12757 Fixed creating new user with older MariaDB
+- issue #12784 Remove ctype installation suggestion
+- issue #12780 Format button replaces all text with blank spaces
+- issue #12786 Fixed database searching
+- issue #12792 Fixed javascript error on new version link
+- issue #12785 Add information about required and suggested extensions to composer.json
+- issue #12801 Custom header shown twice with cookie login form
+- issue #12802 Custom footer not shown with auth_type http login failure
+- issue #12434 Improve documentation for servers running with Suhosin
+- issue #12800 Updated embedded phpSecLib to 2.0.4
+- issue #12800 Fixed various issues with PHP 7.1
+- issue #11816 Fixed operation with lower_case_table_names=2
+- issue #12813 Fixed stored procedure execution
+- issue #12826 Honor user configured connection collation
+- issue #12293 Correctly report OpenSSL errors from cookie encryption
+- issue #12814 DateTime won't allow to input length in Routine editor
+- issue #12840 Fix Notice regarding 'Undefined index: row_format' when altering table options
+- issue #12841 Fixed moving of columns with whitespace in name
+- issue #12847 Fixed editing of virtual columns
+- issue #12859 Changed WHERE condition to 0 instead of 1 for SQL query window to avoid accidents
+- issue #12872 Use same query for display and execution when dropping index
+- issue #12868 Fix check for user groups freatures being enabled
+- issue #12876 Fix notices and warning related to dbs_to_test global
+- issue #12831 Fix table formatting on Insert tab, which mostly affected row highlighting
+- issue #12495 Reintroduced phpinfo page with limited capabilities
+- issue #12861 Fix renaming tables with lower_case_table_names=2
+- issue #12876 Fix possible PHP error in navigation
+- issue #12881 Fix database search with newer php-gettext
+- issue #12894 Fix linter error on unterminated variable name
+- issue #12732 Fixed filtering for active processes
+- issue        [security] Multiple vulnerabilities in setup script, see PMASA-2016-44.
+- issue        [security] Open redirect, see PMASA-2017-1.
+- issue        [security] php-gettext code execution, see PMASA-2017-2.
+- issue        [security] DOS vulnerabiltiy in table editing, see PMASA-2017-3.
+- issue        [security] CSS injection in themes, see PMASA-2017-4.
+- issue        [security] Cookie attribute injection attack, see PMASA-2017-5.
+- issue        [security] SSRF in replication, see PMASA-2017-6.
+- issue        [security] DOS in replication status, see PMASA-2017-7.
+
 4.6.5.2 (2016-12-05)
 - issue #12765 Fixed SQL export with newlines
 
@@ -138,7 +185,6 @@ phpMyAdmin - ChangeLog
 - issue        [security] Verify data before unserializing, see PMASA-2016-43
 - issue        [security] Use HTTPS for wiki links
 - issue        Remove Swekey support
-- issue        [security] SSRF in setup script, see PMASA-2016-44
 - issue        [security] Denial-of-service attack with $cfg['AllowArbitraryServer'] = true and persistent connections, see PMASA-2016-45
 - issue        [security] Improve SSL certificate handling
 - issue        [security] Fix full path disclosure in debugging code

README

@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 4.6.5.2
+Version 4.6.6
 
 A web interface for MySQL and MariaDB.
 

RELEASE-DATE-4.6.5.2

@@ -0,0 +1 @@
+Mon Jan 23 19:19:54 UTC 2017

RELEASE-DATE-4.6.6

@@ -21,7 +21,21 @@
     },
     "non-feature-branches": ["RELEASE_.*"],
     "require": {
-        "php": ">=5.5.0"
+        "php": ">=5.5.0",
+        "ext-mbstring": "*",
+        "ext-mysqli": "*",
+        "ext-xml": "*",
+        "ext-pcre": "*",
+        "ext-json": "*"
+    },
+    "suggest": {
+        "ext-openssl": "Cookie encryption",
+        "ext-curl": "Updates checking",
+        "ext-opcache": "Better performance",
+        "ext-zlib": "For gz import and export",
+        "ext-bz2": "For bzip2 import and export",
+        "ext-zip": "For zip import and export",
+        "ext-gd2": "For image transformations"
     },
     "require-dev": {
         "satooshi/php-coveralls": "~0.6",

composer.json

@@ -51,7 +51,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = '4.6.5.2'
+version = '4.6.6'
 # The full version, including alpha/beta/rc tags.
 release = version
 

doc/conf.py

@@ -692,7 +692,7 @@ Server connection settings
         For auto-upgrade functionality to work, your
         ``$cfg['Servers'][$i]['controluser']`` must have ALTER privilege on
         ``phpmyadmin`` database. See the `MySQL documentation for GRANT
-        <https://dev.mysql.com/doc/mysql/en/grant.html>`_ on how to
+        <https://dev.mysql.com/doc/refman/5.7/en/grant.html>`_ on how to
         ``GRANT`` privileges to a user.
 
 .. _history:
@@ -1577,7 +1577,7 @@ Cookie authentication options
     :default: ``''``
 
     The public key for the reCaptcha service that can be obtained from
-    https://www.google.com/recaptcha.
+    https://www.google.com/recaptcha/intro/.
 
     reCaptcha will be then used in :ref:`cookie`.
 
@@ -1587,7 +1587,7 @@ Cookie authentication options
     :default: ``''``
 
     The private key for the reCaptcha service that can be obtain from
-    https://www.google.com/recaptcha.
+    https://www.google.com/recaptcha/intro/.
 
     reCaptcha will be then used in :ref:`cookie`.
 
@@ -1850,6 +1850,11 @@ Main panel
     You can additionally hide more information by using
     :config:option:`$cfg['Servers'][$i]['verbose']`.
 
+.. config:option:: $cfg['ShowPhpInfo']
+
+    :type: boolean
+    :default: false
+
 .. config:option:: $cfg['ShowChgPassword']
 
     :type: boolean
@@ -1860,11 +1865,26 @@ Main panel
     :type: boolean
     :default: true
 
-    Defines whether to display the 
+    Defines whether to display the :guilabel:`PHP information` and
     :guilabel:`Change password` links and form for creating database or not at
     the starting main (right) frame. This setting does not check MySQL commands
     entered directly.
 
+    Please note that to block the usage of ``phpinfo()`` in scripts, you have to
+    put this in your :file:`php.ini`:
+
+    .. code-block:: ini
+
+        disable_functions = phpinfo()
+
+    .. warning::
+
+        Enabling phpinfo page will leak quite a lot of information about server
+        setup. Is it not recommended to enable this on shared installations.
+
+        This might also make easier some remote attacks on your installations,
+        so enable this only when needed.
+
     Also note that enabling the :guilabel:`Change password` link has no effect
     with config authentication mode: because of the hard coded password value
     in the configuration file, end users can't be allowed to change their
@@ -2224,11 +2244,11 @@ Languages
 .. config:option:: $cfg['DefaultConnectionCollation']
 
     :type: string
-    :default: ``'utf8_general_ci'``
+    :default: ``'utf8mb4_general_ci'``
 
     Defines the default connection collation to use, if not user-defined.
     See the `MySQL documentation for charsets
-    <https://dev.mysql.com/doc/mysql/en/charset-charsets.html>`_
+    <https://dev.mysql.com/doc/refman/5.7/en/charset-charsets.html>`_
     for list of possible values.
 
 .. config:option:: $cfg['Lang']
@@ -2927,7 +2947,7 @@ Developer
     :default: false
 
     Enable to let server present itself as demo server.
-    This is used for <https://demo.phpmyadmin.net/>.
+    This is used for `phpMyAdmin demo server <https://www.phpmyadmin.net/try/>`_.
 
 
 Examples

doc/config.rst

@@ -182,8 +182,8 @@ Credits, in chronological order
 
   * :term:`PDF` schema output, thanks also to
     Olivier Plathey for the "FPDF" library (see <http://www.fpdf.org/>), Steven
-    Wittens for the "UFPDF" library and
-    Nicola Asuni for the "TCPDF" library (see <https://tcpdf.org/>).
+    Wittens for the "UFPDF" library (see <https://acko.net/blog/ufpdf-unicode-utf-8-extension-for-fpdf/>) and
+    Nicola Asuni for the "TCPDF" library (see <https://www.tcpdf.org/>).
 
 * Olof Edlund <olof.edlund\_at\_upright.se>
 

doc/credits.rst

@@ -129,7 +129,7 @@ and after execution of your :term:`SQL` commands, removed.
 -------------------------------------------------------
 
 The MySQL manual explains how to `reset the permissions
-<https://dev.mysql.com/doc/mysql/en/resetting-permissions.html>`_.
+<https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html>`_.
 
 .. _faq1_13:
 
@@ -146,7 +146,7 @@ The MySQL manual explains how to `reset the permissions
 1.15 I have problems with *mysql.user* column names.
 ----------------------------------------------------
 
-In previous MySQL versions, the ``User`` and ``Password``columns were
+In previous MySQL versions, the ``User`` and ``Password`` columns were
 named ``user`` and ``password``. Please modify your column names to
 align with current standards.
 
@@ -210,7 +210,7 @@ The proper solution is to use the `mysqli extension
 <https://www.php.net/mysqli>`_ with the proper client library to match
 your MySQL installation. More
 information (and several workarounds) are located in the `MySQL
-Documentation <https://dev.mysql.com/doc/mysql/en/old-client.html>`_.
+Documentation <https://dev.mysql.com/doc/refman/5.7/en/old-client.html>`_.
 
 .. _faq1_18:
 
@@ -316,7 +316,7 @@ should work.
 1.27 I get empty page when I want to view huge page (eg. db\_structure.php with plenty of tables).
 --------------------------------------------------------------------------------------------------
 
-This was caused by a `PHP bug <https://bugs.php.net/21079>`_ that occur when
+This was caused by a `PHP bug <https://bugs.php.net/bug.php?id=21079>`_ that occur when
 GZIP output buffering is enabled. If you turn off it (by
 :config:option:`$cfg['OBGzip']` in :file:`config.inc.php`), it should work.
 This bug will has been fixed in PHP 5.0.0.
@@ -493,34 +493,42 @@ The default values for most Suhosin configuration options will work in
 most scenarios, however you might want to adjust at least following
 parameters:
 
-* `suhosin.request.max\_vars <http://www.hardened-
-  php.net/suhosin/configuration.html#suhosin.request.max_vars>`_ should
+* `suhosin.request.max\_vars <https://suhosin.org/stories/configuration.html#suhosin-request-max-vars>`_ should
   be increased (eg. 2048)
-* `suhosin.post.max\_vars <http://www.hardened-
-  php.net/suhosin/configuration.html#suhosin.post.max_vars>`_ should be
+* `suhosin.post.max\_vars <https://suhosin.org/stories/configuration.html#suhosin-post-max-vars>`_ should be
   increased (eg. 2048)
-* `suhosin.request.max\_array\_index\_length <http://www.hardened-php.ne
-  t/suhosin/configuration.html#suhosin.request.max_array_index_length>`_
+* `suhosin.request.max\_array\_index\_length <https://suhosin.org/stories/configuration.html#suhosin-request-max-array-index-length>`_
   should be increased (eg. 256)
-* `suhosin.post.max\_array\_index\_length <http://www.hardened-php.net/s
-  uhosin/configuration.html#suhosin.post.max_array_index_length>`_
+* `suhosin.post.max\_array\_index\_length <https://suhosin.org/stories/configuration.html#suhosin-post-max-array-index-length>`_
   should be increased (eg. 256)
-* `suhosin.request.max\_totalname\_length <http://www.hardened-php.net/s
-  uhosin/configuration.html#suhosin.request.max_totalname_length>`_
+* `suhosin.request.max\_totalname\_length <https://suhosin.org/stories/configuration.html#suhosin-request-max-totalname-length>`_
   should be increased (eg. 8192)
-* `suhosin.post.max\_totalname\_length <http://www.hardened-php.net/suho
-  sin/configuration.html#suhosin.post.max_totalname_length>`_ should be
+* `suhosin.post.max\_totalname\_length <https://suhosin.org/stories/configuration.html#suhosin-post-max-totalname-length>`_ should be
   increased (eg. 8192)
-* `suhosin.get.max\_value\_length <http://www.hardened-
-  php.net/suhosin/configuration.html#suhosin.get.max_value_length>`_
+* `suhosin.get.max\_value\_length <https://suhosin.org/stories/configuration.html#suhosin-get-max-value-length>`_
   should be increased (eg. 1024)
-* `suhosin.sql.bailout\_on\_error <http://www.hardened-
-  php.net/suhosin/configuration.html#suhosin.sql.bailout_on_error>`_
+* `suhosin.sql.bailout\_on\_error <https://suhosin.org/stories/configuration.html#suhosin-sql-bailout-on-error>`_
   needs to be disabled (the default)
-* `suhosin.log.\* <http://www.hardened-
-  php.net/suhosin/configuration.html#logging_configuration>`_ should not
+* `suhosin.log.\* <https://suhosin.org/stories/configuration.html#logging-configuration>`_ should not
   include :term:`SQL`, otherwise you get big
   slowdown
+* `suhosin.sql.union <https://suhosin.org/stories/configuration.html#suhosin-
+  sql-union>`_ must be disabled (which is the default).
+* `suhosin.sql.multiselect <https://suhosin.org/stories/configuration.html#
+  suhosin-sql-multiselect>`_ must be disabled (which is the default).
+* `suhosin.sql.comment <https://suhosin.org/stories/configuration.html#suhosin-
+  sql-comment>`_ must be disabled (which is the default).
+
+To further improve security, we also recommend these modifications:
+
+* `suhosin.executor.include.max\_traversal <https://suhosin.org/stories/
+  configuration.html#suhosin-executor-include-max-traversal>`_ should be
+  enabled as a mitigation against local file inclusion attacks. We suggest
+  setting this to 2 as ``../`` is used with the ReCaptcha library.
+* `suhosin.cookie.encrypt <https://suhosin.org/stories/configuration.html#
+  suhosin-cookie-encrypt>`_ should be enabled.
+* `suhosin.executor.disable_emodifier <https://suhosin.org/stories/config
+  uration.html#suhosin-executor-disable-emodifier>`_ should be enabled.
 
 You can also disable the warning using the :config:option:`$cfg['SuhosinDisableWarning']`.
 

doc/doctrees/config.doctree

@@ -319,7 +319,7 @@ From Wikipedia, the free encyclopedia
     socket
       a form of inter-process communication.	
 
-      .. seealso:: <https://www.wikipedia.org/wiki/Socket#Computer_sockets>
+      .. seealso:: <https://en.wikipedia.org/wiki/Unix_domain_socket>
 
     SSL
       Secure Sockets Layer is a cryptographic protocol which provides secure
@@ -369,6 +369,8 @@ From Wikipedia, the free encyclopedia
     UFPDF
       Unicode/UTF-8 extension for :term:`FPDF`
 
+      .. seealso:: <https://acko.net/blog/ufpdf-unicode-utf-8-extension-for-fpdf/>
+
     URL
       Uniform Resource Locator is a sequence of characters, conforming to a
       standardized format, that is used for referring to resources, such as

doc/doctrees/copyright.doctree

@@ -1,4 +1,4 @@
 # Sphinx build info version 1
 # This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
-config: 8141c5d2d73fe5923f589f1cf37a51a1
+config: 39e63ce8d4160ad1db1731034064819d
 tags: 645f666f9bcd5a90fca523b33c5a78b7