From 6147b3565e8a6adb345e2fb9e44bc99f61294947 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Wed, 18 Jul 2007 15:32:08 +0000 Subject: [PATCH] Support password hashing on the Edit Privileges interface --- ChangeLog | 1 + libraries/display_change_password.lib.php | 78 +++++++++++++++++++++++ server_privileges.php | 65 +++++++------------ user_password.php | 70 +------------------- 4 files changed, 104 insertions(+), 110 deletions(-) create mode 100644 libraries/display_change_password.lib.php diff --git a/ChangeLog b/ChangeLog index 449e33ad2..866f772c2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -81,6 +81,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #1751172 Do not export data when exporting a single VIEW + [lang] Swedish update, thanks to Björn T. Hallberg + [lang] Russian update, thanks to Victor Volkov and the php-myadmin.ru users ++ [privileges] Support password hashing on the Edit Privileges interface 2.10.3.0 (not yet released) diff --git a/libraries/display_change_password.lib.php b/libraries/display_change_password.lib.php new file mode 100644 index 000000000..20186af3e --- /dev/null +++ b/libraries/display_change_password.lib.php @@ -0,0 +1,78 @@ += 5) + ? 'onpropertychange' + : 'onchange'; + +$calling_script = PMA_getenv('PHP_SELF'); + +// Displays the form +?> +
+ ' . "\n" + . '' . "\n"; + }?> +
+ + + + + + + + + + = 40102) { + ?> + + + + + + + + + +
+ + +
+ + :  + + ="nopass[1].checked = true" /> +    + :  + ="nopass[1].checked = true" /> +
+ : + + + +
  + + +
+
+ +
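Review bot: `$calling_script = PMA_getenv('PHP_SELF');` derives the form target from a request-influenced value, since PHP_SELF includes any path-info appended after the script name (assuming PMA_getenv returns the raw server value). The form markup is not legible on this page, so how the value is emitted cannot be confirmed here. If it is written into the `action` attribute as-is, it should be escaped at the point of output, e.g. `htmlspecialchars($calling_script)`. Alternatively, each of the two including scripts could set a fixed script name before the `require_once`.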
diff --git a/server_privileges.php b/server_privileges.php
index 9efd8f1d2..d806a4413 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1092,22 +1092,28 @@ if (!empty($revokeall)) {
 * Updates the password
 */
 if (!empty($change_pw)) {
- if ($nopass == 1) {
- $sql_query = 'SET PASSWORD FOR \'' . $username . '\'@\'' . $hostname . '\' = \'\';';
- PMA_DBI_query($sql_query);
- $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . $username . '\'@\'' . $hostname . '\'');
- } elseif (empty($pma_pw) || empty($pma_pw2)) {
- $message = $GLOBALS['strPasswordEmpty'];
- } elseif ($pma_pw != $pma_pw2) {
- $message = $GLOBALS['strPasswordNotSame'];
- } else {
- $hidden_pw = '';
- for ($i = 0; $i < strlen($pma_pw); $i++) {
- $hidden_pw .= '*';
+ // similar logic in user_password.php
+ $message = '';
+
+ if ($nopass == 0 && isset($pma_pw) && isset($pma_pw2)) {
+ if ($pma_pw != $pma_pw2) {
+ $message = $strPasswordNotSame;
 }
- $local_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = PASSWORD(\'' . PMA_sqlAddslashes($pma_pw) . '\')';
- $sql_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = PASSWORD(\'' . $hidden_pw . '\')';
- PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query);
+ if (empty($pma_pw) || empty($pma_pw2)) {
+ $message = $strPasswordEmpty;
+ }
+ } // end if
+
+ // here $nopass could be == 1
+ if (empty($message)) {
+
+ $hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '')
+ . 'PASSWORD';
+
+ // in $sql_query which will be displayed, hide the password
+ $sql_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
+ $local_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . 
'\')'); + PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); $message = sprintf($GLOBALS['strPasswordChanged'], '\'' . $username . '\'@\'' . $hostname . '\''); } } @@ -1911,34 +1917,9 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) { } if ((! isset($dbname) || ! strlen($dbname)) && ! $user_does_not_exists) { + require_once './libraries/display_change_password.lib.php'; + echo '
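Review bot: `$hostname` is concatenated into both `$sql_query` and `$local_query` without escaping, while `$username` and `$pma_pw` on the same lines go through `PMA_sqlAddslashes()`. A quote in the host value would end the string literal early, so both statements should use `PMA_sqlAddslashes($hostname)`. The statement body is also selected by `$pma_pw == ''` rather than by `$nopass`. Assuming these variables are populated from the request, `nopass=1` with a filled-in `pma_pw` sets that password without the confirmation check, and `nopass=0` with the password fields absent skips validation and clears the password. Emitting `''` only when `$nopass == 1`, and requiring both fields otherwise, would close both cases; the "similar logic" in user_password.php is not shown in this hunk and may need the same change.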
' . "\n" - . PMA_generate_common_hidden_inputs('', '', 3) - . '' . "\n" - . '' . "\n" - . '
' . "\n" - . ' ' . $GLOBALS['strChangePassword'] . '' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . ' ' . "\n" - . '
' . "\n" - . '
' . "\n" - . '' . "\n" - . '
' . "\n" - . '
' . "\n" . PMA_generate_common_hidden_inputs('', '', 3) . '' . "\n" . '' . "\n" diff --git a/user_password.php b/user_password.php index ed625936e..4091ffb15 100644 --- a/user_password.php +++ b/user_password.php @@ -30,6 +30,7 @@ if ($cfg['Server']['auth_type'] == 'config' || !$cfg['ShowChgPassword']) { * and submit the query or logout */ if (isset($nopass)) { + // similar logic in server_privileges.php $error_msg = ''; if ($nopass == 0 && isset($pma_pw) && isset($pma_pw2)) { @@ -96,75 +97,8 @@ if (!empty($error_msg)) { echo '

' . $strError . ': ' . $error_msg . '

' . "\n"; } -// loic1: autocomplete feature of IE kills the "onchange" event handler and it -// must be replaced by the "onpropertychange" one in this case -$chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5) - ? 'onpropertychange' - : 'onchange'; +require_once './libraries/display_change_password.lib.php'; -// Displays the form -?> - - - - - - - - - - - = 40102) { - ?> - - - - - - - - - - - - - - - -
- - -
- - :  - - ="nopass[1].checked = true" /> -    - :  - ="nopass[1].checked = true" /> -
- : - - - -
  - - -
 
- -
-
- -