New plugin: Verify new versions from GitHub

Thanks to @adrianbj in 441e7f0.

CHANGELOG.md

@@ -17,6 +17,7 @@
 - Plugins: configure plugins with adminer-plugins.php
 - Plugins: Display loaded plugins in server overview
 - New plugin: AI prompt in SQL command generating the queries with Google Gemini
+- New plugin: Verify new versions from GitHub
 - New plugin: IMAP driver created for fun
 - New plugin: Display links to tables referencing current row
 - New plugin: Allow switching light and dark mode (bug #926)

adminer/static/functions.js

@@ -613,7 +613,7 @@ function ajax(url, callback, data, message) {
 			if (request.readyState == 4) {
 				if (/^2/.test(request.status)) {
 					callback(request);
-				} else {
+				} else if (message !== null) {
 					ajaxStatus.innerHTML = (request.status ? request.responseText : '<div class="error">' + offlineMessage + '</div>');
 					alterClass(ajaxStatus, 'hidden');
 				}

developing.md

@@ -160,7 +160,7 @@ Translations used to occupy a large portion of the compiled file. In the source
 
 ## Version Check
 
-Adminer checks for new versions via [adminer.org/version/](https://www.adminer.org/version/), using a signed response to prevent MitM attacks. However, this means `adminer.org` logs the IP addresses of Adminer installations. I do not review these logs, and no one else has access to the server. A [plugin](/plugins/version-noverify.php) disables version checks, but users should verify versions by other means to ensure security updates. It should be considered to get the version info from some independent entity, e.g. GitHub.
+Adminer checks for new versions via [adminer.org/version/](https://www.adminer.org/version/), using a signed response to prevent tampering with the version file on the server where an instance of Adminer runs. However, this means that adminer.org has access to the IP addresses of Adminer installations. I do not review logs with this information, and no one else has access to the server. A [plugin](/plugins/version-noverify.php) disables version checks, but users should verify versions by other means to ensure security updates. There's also a [plugin](/plugins/version-github.php) checking for new versions [from GitHub](https://github.com/vrana/adminer/releases).
 
 ## Translations
 

plugins/version-github.php

@@ -0,0 +1,34 @@
+<?php
+
+/** Verify new versions from GitHub
+* @link https://www.adminer.org/plugins/#use
+* @author Jakub Vrana, https://www.vrana.cz/
+* @license https://www.apache.org/licenses/LICENSE-2.0 Apache License, Version 2.0
+* @license https://www.gnu.org/licenses/gpl-2.0.html GNU General Public License, version 2 (one or other)
+*/
+class AdminerVersionGithub {
+
+	function head($dark = null) {
+		?>
+<script <?php echo Adminer\nonce(); ?>>
+verifyVersion = (current, url, token) => {
+	// dummy value to prevent repeated verifications after AJAX failure
+	cookie('adminer_version=0', 1);
+	ajax('https://api.github.com/repos/vrana/adminer/releases/latest', request => {
+		const response = JSON.parse(request.responseText);
+		const version = response.tag_name.replace(/^v/, '');
+		// we don't save to adminer.version because the response is not signed; also GitHub can handle our volume of requests
+		// we don't display the version here because we don't have version_compare(); design.inc.php will display it on the next load
+		cookie('adminer_version=' + version, 1);
+	}, null, null);
+};
+</script>
+<?php
+	}
+
+	function csp() {
+		$csp = Adminer\csp();
+		$csp[0]["connect-src"] .= " https://api.github.com/repos/vrana/adminer/releases/latest";
+		return $csp;
+	}
+}