Cookie auth now autogenerates blowfish_secret, but it has some limitations and you should still set it in the config file
@@ -12,6 +12,8 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
|
||||
thanks to Thijs Kinkhorst - kink
|
||||
+ new setup script, thanks to Piotr Przybylski (work in progress)
|
||||
- rfe #1892243 [export] more links to documentation
|
||||
+ [auth] cookie auth now autogenerates blowfish_secret, but it has some
|
||||
limitations and you still should set it in config file
|
||||
|
||||
3.0.0.0 (not yet released)
|
||||
+ [export] properly handle line breaks for YAML, thanks to Dan Barry -
|
||||
|
@@ -597,7 +597,12 @@ since this link provides funding for phpMyAdmin.
|
||||
If you are using the "cookie" auth_type, enter here a random
|
||||
passphrase of your choice. It will be used internally by the blowfish
|
||||
algorithm: you won’t be prompted for this passphrase. The maximum
|
||||
number of characters for this parameter seems to be 46.</dd>
|
||||
number of characters for this parameter seems to be 46.<br /><br />
|
||||
|
||||
Since version 3.1.0 phpMyAdmin can generate this on the fly, but it
|
||||
makes a bit weaker security as this generated secret is stored in
|
||||
session and furthermore it makes impossible to recall user name from
|
||||
cookie.</dd>
|
||||
|
||||
<dt id="cfg_Servers">$cfg['Servers'] array</dt>
|
||||
<dd>Since version 1.4.2, phpMyAdmin supports the administration of multiple
|
||||
@@ -1180,7 +1185,11 @@ ALTER TABLE `pma_column_comments`
|
||||
|
||||
<dt id="cfg_LoginCookieRecall">$cfg['LoginCookieRecall'] boolean</dt>
|
||||
<dd>Define whether the previous login should be recalled or not in cookie
|
||||
authentication mode.</dd>
|
||||
authentication mode.<br /><br />
|
||||
|
||||
This is automatically diabled if you do not have configured
|
||||
<tt><a href="#cfg_blowfish_secret">$cfg['blowfish_secret']</a></tt>.
|
||||
</dd>
|
||||
|
||||
<dt id="cfg_LoginCookieValidity">$cfg['LoginCookieValidity'] integer [number of seconds]</dt>
|
||||
<dd>Define how long is login cookie valid.</dd>
|
||||
|
@@ -75,6 +75,24 @@ if (function_exists('mcrypt_encrypt')) {
|
||||
trigger_error(PMA_sanitize(sprintf($strCantLoad, 'mcrypt')), E_USER_WARNING);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns blowfish secret or generates one if needed.
|
||||
* @uses $cfg['blowfish_secret']
|
||||
* @uses $_SESSION['auto_blowfish_secret']
|
||||
*
|
||||
* @access public
|
||||
*/
|
||||
function PMA_get_blowfish_secret() {
|
||||
if (empty($GLOBALS['cfg']['blowfish_secret'])) {
|
||||
if (empty($_SESSION['auto_blowfish_secret'])) {
|
||||
$_SESSION['auto_blowfish_secret'] = uniqid('', true);
|
||||
}
|
||||
return $_SESSION['auto_blowfish_secret'];
|
||||
} else {
|
||||
return $GLOBALS['cfg']['blowfish_secret'];
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Displays authentication form
|
||||
*
|
||||
@@ -133,7 +151,8 @@ function PMA_auth()
|
||||
exit;
|
||||
}
|
||||
|
||||
if ($GLOBALS['cfg']['LoginCookieRecall']) {
|
||||
/* No recall if blowfish secret is not configured as it would produce garbage */
|
||||
if ($GLOBALS['cfg']['LoginCookieRecall'] && !empty($GLOBALS['cfg']['blowfish_secret'])) {
|
||||
$default_user = $GLOBALS['PHP_AUTH_USER'];
|
||||
$default_server = $GLOBALS['pma_auth_server'];
|
||||
$autocomplete = '';
|
||||
@@ -203,22 +222,6 @@ if (top != self) {
|
||||
PMA_select_language(true, false);
|
||||
}
|
||||
|
||||
// Displays the warning message and the login form
|
||||
if (empty($GLOBALS['cfg']['blowfish_secret'])) {
|
||||
PMA_Message::error('strSecretRequired')->display();
|
||||
if ($GLOBALS['error_handler']->hasDisplayErrors()) {
|
||||
echo '<div>';
|
||||
$GLOBALS['error_handler']->dispErrors();
|
||||
echo '</div>';
|
||||
}
|
||||
echo '</div>' . "\n";
|
||||
if (file_exists('./config.footer.inc.php')) {
|
||||
require './config.footer.inc.php';
|
||||
}
|
||||
echo '</body></html>';
|
||||
exit;
|
||||
}
|
||||
|
||||
// BEGIN Swekey Integration
|
||||
$swekeyErr = Swekey_auth_error();
|
||||
if ($swekeyErr != null) {
|
||||
@@ -376,7 +379,6 @@ window.setTimeout('PMA_focusInput()', 500);
|
||||
* @uses $GLOBALS['server']
|
||||
* @uses $GLOBALS['from_cookie']
|
||||
* @uses $GLOBALS['pma_auth_server']
|
||||
* @uses $cfg['blowfish_secret']
|
||||
* @uses $cfg['AllowArbitraryServer']
|
||||
* @uses $cfg['LoginCookieValidity']
|
||||
* @uses $cfg['Servers']
|
||||
@@ -406,11 +408,6 @@ function PMA_auth_check()
|
||||
$GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
|
||||
$GLOBALS['from_cookie'] = false;
|
||||
|
||||
// avoid an error in mcrypt
|
||||
if (empty($GLOBALS['cfg']['blowfish_secret'])) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// BEGIN Swekey Integration
|
||||
if (! Swekey_auth_check()) {
|
||||
return false;
|
||||
@@ -472,7 +469,7 @@ function PMA_auth_check()
|
||||
|
||||
$GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt(
|
||||
$_COOKIE['pmaUser-' . $GLOBALS['server']],
|
||||
$GLOBALS['cfg']['blowfish_secret']);
|
||||
PMA_get_blowfish_secret());
|
||||
|
||||
// user was never logged in since session start
|
||||
if (empty($_SESSION['last_access_time'])) {
|
||||
@@ -493,7 +490,7 @@ function PMA_auth_check()
|
||||
|
||||
$GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt(
|
||||
$_COOKIE['pmaPass-' . $GLOBALS['server']],
|
||||
$GLOBALS['cfg']['blowfish_secret'] /* . $_SESSION['last_access_time'] */);
|
||||
PMA_get_blowfish_secret());
|
||||
|
||||
if ($GLOBALS['PHP_AUTH_PW'] == "\xff(blank)") {
|
||||
$GLOBALS['PHP_AUTH_PW'] = '';
|
||||
@@ -515,7 +512,6 @@ function PMA_auth_check()
|
||||
* @uses $GLOBALS['pma_auth_server']
|
||||
* @uses $cfg['Server']
|
||||
* @uses $cfg['AllowArbitraryServer']
|
||||
* @uses $cfg['blowfish_secret']
|
||||
* @uses $cfg['LoginCookieStore']
|
||||
* @uses $cfg['PmaAbsoluteUri']
|
||||
* @uses $_SESSION['last_access_time']
|
||||
@@ -567,12 +563,12 @@ function PMA_auth_set_user()
|
||||
// Duration = one month for username
|
||||
PMA_setCookie('pmaUser-' . $GLOBALS['server'],
|
||||
PMA_blowfish_encrypt($cfg['Server']['user'],
|
||||
$GLOBALS['cfg']['blowfish_secret']));
|
||||
PMA_get_blowfish_secret()));
|
||||
|
||||
// Duration = as configured
|
||||
PMA_setCookie('pmaPass-' . $GLOBALS['server'],
|
||||
PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "\xff(blank)",
|
||||
$GLOBALS['cfg']['blowfish_secret'] /* . $_SESSION['last_access_time'] */),
|
||||
PMA_get_blowfish_secret()),
|
||||
null,
|
||||
$GLOBALS['cfg']['LoginCookieStore']);
|
||||
|
||||
|
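Review bot: In the PMA_get_blowfish_secret hunk, `uniqid('', true)` is a microsecond-timestamp identifier with only a little `lcg_value()` entropy, not a cryptographic random source, yet the returned value becomes the Blowfish key for the credentials written to the pmaUser/pmaPass cookies in the PMA_auth_check and PMA_auth_set_user hunks. Since the surrounding file already depends on mcrypt (the `function_exists('mcrypt_encrypt')` context above the new function), the fallback secret should be drawn from the system CSPRNG, e.g. `$_SESSION['auto_blowfish_secret'] = function_exists('mcrypt_create_iv') ? bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)) : uniqid('', true);` — 32 hex characters stays under the 46-character limit the Documentation.html hunk mentions. The docblock should also gain `@return string` and one sentence stating that the session-stored fallback is weaker than a configured secret, as the documentation hunk already says.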
8
main.php
8
main.php
@@ -283,6 +283,14 @@ if (! @extension_loaded('mbstring')) {
|
||||
trigger_error($strMbExtensionMissing, E_USER_WARNING);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if user does not have defined blowfish secret and it is being used.
|
||||
*/
|
||||
if (!empty($_SESSION['auto_blowfish_secret']) &&
|
||||
empty($GLOBALS['cfg']['blowfish_secret'])) {
|
||||
trigger_error($strSecretRequired, E_USER_WARNING);
|
||||
}
|
||||
|
||||
/**
|
||||
* Warning about different MySQL library and server version
|
||||
* (a difference on the third digit does not count).
|
||||
|
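Review bot: The new condition in main.php is written as `!empty(...)` while the neighbouring check in the same hunk uses the file's `! @extension_loaded(...)` spacing; for consistency write `if (! empty($_SESSION['auto_blowfish_secret']) &&`. The docblock wording is hard to parse; suggest `Warn when the auto-generated blowfish secret is in use because $cfg['blowfish_secret'] is not configured.` Note that this warning only fires after a session has already generated the fallback secret, so the first cookie login in a session proceeds without it — presumably intentional, but worth stating in that comment.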