Support password hashing on the Edit Privileges interface

Marc Delisle
2007-07-18 15:32:08 +00:00
parent 05b3e94cff
commit 6147b3565e
4 changed files with 104 additions and 110 deletions


@@ -81,6 +81,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1751172 Do not export data when exporting a single VIEW
+ [lang] Swedish update, thanks to Björn T. Hallberg
+ [lang] Russian update, thanks to Victor Volkov and the php-myadmin.ru users
+ [privileges] Support password hashing on the Edit Privileges interface
2.10.3.0 (not yet released)


@@ -0,0 +1,78 @@
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* Displays form for password change
*
* @version $Id$
*/
// loic1: autocomplete feature of IE kills the "onchange" event handler and it
// must be replaced by the "onpropertychange" one in this case
$chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5)
? 'onpropertychange'
: 'onchange';
$calling_script = PMA_getenv('PHP_SELF');
// Displays the form
?>
<form method="post" action="<?php echo $calling_script; ?>" name="chgPassword" onsubmit="return checkPassword(this)">
<?php echo PMA_generate_common_hidden_inputs();
if (strpos($calling_script, 'server_privileges') !== false) {
echo '<input type="hidden" name="username" value="' . htmlspecialchars($username) . '" />' . "\n"
. '<input type="hidden" name="hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n";
}?>
<fieldset id="fieldset_change_password">
<legend><?php echo $GLOBALS['strChangePassword']; ?></legend>
<table class="data">
<tr class="odd noclick">
<td colspan="2">
<input type="radio" name="nopass" value="1" onclick="pma_pw.value = ''; pma_pw2.value = ''; this.checked = true" />
<?php echo $GLOBALS['strNoPassword'] . "\n"; ?>
</td>
</tr>
<tr class="even noclick">
<td>
<input type="radio" name="nopass" value="0" onclick="document.getElementById('pw_pma_pw').focus();" checked="checked " />
<?php echo $GLOBALS['strPassword']; ?>:&nbsp;
</td>
<td>
<input type="password" name="pma_pw" id="pw_pma_pw" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
&nbsp;&nbsp;
<?php echo $GLOBALS['strReType']; ?>:&nbsp;
<input type="password" name="pma_pw2" id="pw_pma_pw2" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
</td>
</tr>
<?php
if (PMA_MYSQL_INT_VERSION >= 40102) {
?>
<tr>
<td>
<?php echo $strPasswordHashing; ?>:
</td>
<td>
<input type="radio" name="pw_hash" id="radio_pw_hash_new" value="new" checked="checked" />
<label for="radio_pw_hash_new">
MySQL&nbsp;4.1+
</label>
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>
<input type="radio" name="pw_hash" id="radio_pw_hash_old" value="old" />
<label for="radio_pw_hash_old">
<?php echo $strCompatibleHashing; ?>
</label>
</td>
</tr>
<?php
}
?>
</table>
</fieldset>
<fieldset id="fieldset_change_password_footer" class="tblFooters">
<input type="submit" name="change_pw" value="<?php echo($strGo); ?>" />
</fieldset>
</form>
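Review bot: The form's `action` attribute prints `$calling_script`, taken from `PMA_getenv('PHP_SELF')`, without HTML escaping, while the `username` and `hostname` hidden fields just below it go through `htmlspecialchars()`. `PHP_SELF` can carry client-supplied trailing path text, so unless `PMA_getenv()` sanitises it (not visible here) the value can break out of the attribute; I would write `action="<?php echo htmlspecialchars($calling_script); ?>"`. The same value drives the `strpos($calling_script, 'server_privileges')` test, so a fixed flag set by the including script before the `require_once` would be a sturdier way to decide whether the hidden fields are emitted. A file-header comment listing the variables the includer must define (`$username`, `$hostname`) would also help, since this file reads them from the enclosing scope.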


@@ -1092,22 +1092,28 @@ if (!empty($revokeall)) {
* Updates the password
*/
if (!empty($change_pw)) {
if ($nopass == 1) {
$sql_query = 'SET PASSWORD FOR \'' . $username . '\'@\'' . $hostname . '\' = \'\';';
PMA_DBI_query($sql_query);
$message = sprintf($GLOBALS['strPasswordChanged'], '\'' . $username . '\'@\'' . $hostname . '\'');
} elseif (empty($pma_pw) || empty($pma_pw2)) {
$message = $GLOBALS['strPasswordEmpty'];
} elseif ($pma_pw != $pma_pw2) {
$message = $GLOBALS['strPasswordNotSame'];
} else {
$hidden_pw = '';
for ($i = 0; $i < strlen($pma_pw); $i++) {
$hidden_pw .= '*';
// similar logic in user_password.php
$message = '';
if ($nopass == 0 && isset($pma_pw) && isset($pma_pw2)) {
if ($pma_pw != $pma_pw2) {
$message = $strPasswordNotSame;
}
$local_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = PASSWORD(\'' . PMA_sqlAddslashes($pma_pw) . '\')';
$sql_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = PASSWORD(\'' . $hidden_pw . '\')';
PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query);
if (empty($pma_pw) || empty($pma_pw2)) {
$message = $strPasswordEmpty;
}
} // end if
// here $nopass could be == 1
if (empty($message)) {
$hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '')
. 'PASSWORD';
// in $sql_query which will be displayed, hide the password
$sql_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
$local_query = 'SET PASSWORD FOR \'' . PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
$message = sprintf($GLOBALS['strPasswordChanged'], '\'' . $username . '\'@\'' . $hostname . '\'');
}
}
@@ -1911,34 +1917,9 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
}
if ((! isset($dbname) || ! strlen($dbname)) && ! $user_does_not_exists) {
require_once './libraries/display_change_password.lib.php';
echo '<form action="server_privileges.php" method="post" onsubmit="return checkPassword(this);">' . "\n"
. PMA_generate_common_hidden_inputs('', '', 3)
. '<input type="hidden" name="username" value="' . htmlspecialchars($username) . '" />' . "\n"
. '<input type="hidden" name="hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n"
. '<fieldset id="fieldset_change_password">' . "\n"
. ' <legend>' . $GLOBALS['strChangePassword'] . '</legend>' . "\n"
. ' <table class="data">' . "\n"
. ' <tr class="odd noclick">' . "\n"
. ' <td><input type="radio" name="nopass" value="1" id="radio_nopass_1" onclick="pw_pma_pw.value=\'\'; pw_pma_pw2.value=\'\';" /></td>' . "\n"
. ' <td colspan="2"><label for="radio_nopass_1">' . $GLOBALS['strNoPassword'] . '</label></td>' . "\n"
. ' </tr>' . "\n"
. ' <tr class="even noclick">' . "\n"
. ' <td><input type="radio" name="nopass" value="0" id="radio_nopass_0" onclick="document.getElementById(\'pw_pma_pw\').focus();" /></td>' . "\n"
. ' <td><label for="radio_nopass_0">' . $GLOBALS['strPassword'] . ':</label></td>' . "\n"
. ' <td><input type="password" name="pma_pw" id="pw_pma_pw" onchange="nopass[1].checked = true;" /></td>' . "\n"
. ' </tr>' . "\n"
. ' <tr class="odd noclick">' . "\n"
. ' <td></td>' . "\n"
. ' <td><label for="pw_pma_pw2">' . $GLOBALS['strReType'] . ':</label></td>' . "\n"
. ' <td><input type="password" name="pma_pw2" id="pw_pma_pw2" onchange="nopass[1].checked = true;" /></td>' . "\n"
. ' </tr>' . "\n"
. ' </table>' . "\n"
. '</fieldset>' . "\n"
. '<fieldset id="fieldset_change_password_footer" class="tblFooters">' . "\n"
. ' <input type="submit" name="change_pw" value="' . $GLOBALS['strGo'] . '" />' . "\n"
. '</fieldset>' . "\n"
. '</form>' . "\n"
. '<form action="server_privileges.php" method="post" onsubmit="return checkPassword(this);">' . "\n"
. PMA_generate_common_hidden_inputs('', '', 3)
. '<input type="hidden" name="old_username" value="' . htmlspecialchars($username) . '" />' . "\n"
. '<input type="hidden" name="old_hostname" value="' . htmlspecialchars($hostname) . '" />' . "\n"
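Review bot: In the password-update block, the two `SET PASSWORD` statements built after `$hashing_function` escape `$username` with `PMA_sqlAddslashes()` but concatenate `$hostname` raw between the quotes, although it arrives from a hidden form field. Both should use `'\'@\'' . PMA_sqlAddslashes($hostname) . '\' = '`. Separately, when `nopass` is 0 but `pma_pw`/`pma_pw2` are absent from the request, the validation branch is skipped, `$message` stays empty and `$pma_pw == ''` appears to select the empty-password form of the statement; rejecting that case explicitly (for example setting `$message = $strPasswordEmpty` when the fields are missing) would avoid clearing a password by accident. The `$message` built with `sprintf()` also embeds both values unescaped, so it needs `htmlspecialchars()` wherever it is printed, which is outside this hunk.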


@@ -30,6 +30,7 @@ if ($cfg['Server']['auth_type'] == 'config' || !$cfg['ShowChgPassword']) {
* and submit the query or logout
*/
if (isset($nopass)) {
// similar logic in server_privileges.php
$error_msg = '';
if ($nopass == 0 && isset($pma_pw) && isset($pma_pw2)) {
@@ -96,75 +97,8 @@ if (!empty($error_msg)) {
echo '<p><b>' . $strError . ':&nbsp;' . $error_msg . '</b></p>' . "\n";
}
// loic1: autocomplete feature of IE kills the "onchange" event handler and it
// must be replaced by the "onpropertychange" one in this case
$chg_evt_handler = (PMA_USR_BROWSER_AGENT == 'IE' && PMA_USR_BROWSER_VER >= 5)
? 'onpropertychange'
: 'onchange';
require_once './libraries/display_change_password.lib.php';
// Displays the form
?>
<form method="post" action="./user_password.php" name="chgPassword" onsubmit="return checkPassword(this)">
<?php echo PMA_generate_common_hidden_inputs(); ?>
<table border="0">
<tr>
<td colspan="2">
<input type="radio" name="nopass" value="1" onclick="pma_pw.value = ''; pma_pw2.value = ''; this.checked = true" />
<?php echo $GLOBALS['strNoPassword'] . "\n"; ?>
</td>
</tr>
<tr>
<td>
<input type="radio" name="nopass" value="0" checked="checked " />
<?php echo $GLOBALS['strPassword']; ?>:&nbsp;
</td>
<td>
<input type="password" name="pma_pw" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
&nbsp;&nbsp;
<?php echo $GLOBALS['strReType']; ?>:&nbsp;
<input type="password" name="pma_pw2" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
</td>
</tr>
<?php
if (PMA_MYSQL_INT_VERSION >= 40102) {
?>
<tr>
<td>
<?php echo $strPasswordHashing; ?>:
</td>
<td>
<input type="radio" name="pw_hash" id="radio_pw_hash_new" value="new" checked="checked" />
<label for="radio_pw_hash_new">
MySQL&nbsp;4.1
</label>
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>
<input type="radio" name="pw_hash" id="radio_pw_hash_old" value="old" />
<label for="radio_pw_hash_old">
<?php echo $strCompatibleHashing; ?>
</label>
</td>
</tr>
<?php
}
?>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2">
<input type="submit" value="<?php echo($strChange); ?>" />
</td>
</tr>
</table>
</form>
<?php
/**
* Displays the footer
*/