From: William Desportes <williamdes@wdes.fr>
Date: Sun, 22 Mar 2020 18:02:05 +0100
Subject: Patch for PMASA-2020-4, CVE-2020-10803
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Fix CVE-2020-10803
Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/

Author: Maurício Meneghini Fauth <mauricio@fauth.dev>
Origin: https://github.com/phpmyadmin/phpmyadmin/commit/46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5
Last-Update: 2020-03-22
---
 test/classes/DisplayResultsTest.php | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/test/classes/DisplayResultsTest.php b/test/classes/DisplayResultsTest.php
index 26a0184..3821826 100644
--- a/test/classes/DisplayResultsTest.php
+++ b/test/classes/DisplayResultsTest.php
@@ -43,6 +43,7 @@ class DisplayResultsTest extends PMATestCase
         $GLOBALS['PMA_Config']->enableBc();
         $GLOBALS['text_dir'] = 'ltr';
         $GLOBALS['collation_connection'] = 'utf-8';
+        $_SESSION[' HMAC_secret '] = 'test';
 
         $dbi = $this->getMockBuilder('PMA\libraries\DatabaseInterface')
             ->disableOriginalConstructor()
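Review bot: The added `$_SESSION[' HMAC_secret '] = 'test';` line needs a comment, because the space-padded key reads like a typo and nothing in the fixture says why a secret is required. A suggested comment above it is `// Fixed HMAC key so signed link parameters are deterministic in tests; the padded key name is intentional.` The key presumably has to match what the production code reads, which is not part of this patch, so confirm it there. The setUp body starts and ends outside the hunk, so it is not visible whether the value is cleared again after each test.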
@@ -1326,7 +1327,7 @@ class DisplayResultsTest extends PMATestCase
         $meta = new StdClass();
         $meta->type = 'BLOB';
         $meta->orgtable = 'bar';
-        $url_params = array('db' => 'foo', 'table' => 'bar');
+        $url_params = array('db' => 'foo', 'table' => 'bar', 'where_clause' => 'where_clause');
 
         return array(
             array(
@@ -1340,9 +1341,7 @@ class DisplayResultsTest extends PMATestCase
                 $meta,
                 $url_params,
                 null,
-                '<a href="tbl_get_field.php?db=foo&amp;table=bar&amp;server=0'
-                . '&amp;lang=en&amp;collation_connection=utf-8'
-                . '&amp;token=token" class="disableAjax">1001</a>'
+                'class="disableAjax">1001</a>'
             ),
             array(
                 true,
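Review bot: The shortened expectation `'class="disableAjax">1001</a>'` no longer covers the `href` at all, so this case would still pass if the link to `tbl_get_field.php` were emitted without any signature on `where_clause`, which appears to be what the CVE fix adds. The same applies to the expectations in the hunks at new lines 1354, 1367 and 1487, the last of which also drops the surrounding `<td class="left   hex">` cell. With the secret pinned to `'test'` in setUp the generated URL should be deterministic, so the expected string could keep the full anchor including the signature parameter. Failing that, add a second assertion that the returned markup contains that parameter. The data provider continues outside the hunk.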
@@ -1355,9 +1354,7 @@ class DisplayResultsTest extends PMATestCase
                 $meta,
                 $url_params,
                 null,
-                '<a href="tbl_get_field.php?db=foo&amp;table=bar&amp;server=0'
-                . '&amp;lang=en&amp;collation_connection=utf-8'
-                . '&amp;token=token" class="disableAjax">0x123456</a>'
+                'class="disableAjax">0x123456</a>'
             ),
             array(
                 true,
@@ -1370,9 +1367,7 @@ class DisplayResultsTest extends PMATestCase
                 $meta,
                 $url_params,
                 null,
-                '<a href="tbl_get_field.php?db=foo&amp;table=bar&amp;server=0'
-                . '&amp;lang=en&amp;collation_connection=utf-8'
-                . '&amp;token=token" class="disableAjax">[BLOB - 4 B]</a>'
+                'class="disableAjax">[BLOB - 4 B]</a>'
             ),
             array(
                 false,
@@ -1434,7 +1429,7 @@ class DisplayResultsTest extends PMATestCase
         $_SESSION['tmpval']['display_binary'] = $display_binary;
         $_SESSION['tmpval']['display_blob'] = $display_blob;
         $GLOBALS['cfg']['LimitChars'] = 50;
-        $this->assertEquals(
+        $this->assertContains(
             $output,
             $this->_callPrivateFunction(
                 '_handleNonPrintableContents',
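Review bot: Replacing `assertEquals` with `assertContains` relaxes every row of the data provider, not only the BLOB-link rows whose expected string was shortened. Rows that still carry a complete expected value now pass on any output that merely contains it, so unexpected extra markup around a cell value would go unnoticed. The hunk at new line 1584 makes the same change for `_getDataCellForNonNumericColumns`. Consider moving the link cases into their own provider and test method with the substring check, and keeping `assertEquals` for the unchanged rows. The test method starts and ends outside the hunk.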
@@ -1474,7 +1469,7 @@ class DisplayResultsTest extends PMATestCase
         $meta2->decimals = 0;
         $meta2->name = 'varchar';
         $meta2->orgname = 'varchar';
-        $url_params = array('db' => 'foo', 'table' => 'tbl');
+        $url_params = array('db' => 'foo', 'table' => 'tbl', 'where_clause' => 'where_clause');
 
         return array(
             array(
@@ -1492,11 +1487,7 @@ class DisplayResultsTest extends PMATestCase
                 array(),
                 0,
                 'binary',
-                '<td class="left   hex"><a href="tbl_get_field.php?'
-                . 'db=foo&amp;table=tbl&amp;server=0&amp;lang=en'
-                . '&amp;collation_connection=utf-8'
-                . '&amp;token=token" '
-                . 'class="disableAjax">[BLOB - 4 B]</a></td>'
+                'class="disableAjax">[BLOB - 4 B]</a>'
             ),
             array(
                 'noblob',
@@ -1593,7 +1584,7 @@ class DisplayResultsTest extends PMATestCase
         $_SESSION['tmpval']['relational_display'] = false;
         $GLOBALS['cfg']['LimitChars'] = 50;
         $GLOBALS['cfg']['ProtectBinary'] = $protectBinary;
-        $this->assertEquals(
+        $this->assertContains(
             $output,
             $this->_callPrivateFunction(
                 '_getDataCellForNonNumericColumns',
