From 99eb0cde320b136264e2360b07b83c9fdef7e265 Mon Sep 17 00:00:00 2001
From: Marc Delisle <marc@infomarc.info>
Date: Mon, 30 May 2011 16:32:29 -0400
Subject: [PATCH] bug #3308072 [auth] Version disclosure to anonymous visitors

---
 ChangeLog                          |  1 +
 libraries/auth/cookie.auth.lib.php |  1 +
 libraries/header_scripts.inc.php   | 10 +++++++---
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ae9e1d7d9..03877e624 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,7 @@
 - bug #3276001 [core] Avoid caching of index.php.
 - bug #3306958 [interface] Unnecessary Details slider
 - bug #3308476 [interface] "Show all" not persistent after a sort
+- bug #3308072 [auth] Version disclosure to anonymous visitors
 
 3.4.1.0 (2011-05-20)
 - bug #3301108 [interface] Synchronize and already configured host
diff --git a/libraries/auth/cookie.auth.lib.php b/libraries/auth/cookie.auth.lib.php
index 84bfa80ad..c04d5a2b6 100644
--- a/libraries/auth/cookie.auth.lib.php
+++ b/libraries/auth/cookie.auth.lib.php
@@ -169,6 +169,7 @@ function PMA_auth()
     /* HTML header; do not show here the PMA version to improve security */
     $page_title = 'phpMyAdmin ';
     require './libraries/header_meta_style.inc.php';
+    // if $page_title is set, this script uses it as the title:
     require './libraries/header_scripts.inc.php';
     ?>
 <script type="text/javascript">
diff --git a/libraries/header_scripts.inc.php b/libraries/header_scripts.inc.php
index 6bd87f6b3..c25aa990e 100644
--- a/libraries/header_scripts.inc.php
+++ b/libraries/header_scripts.inc.php
@@ -18,13 +18,17 @@ require_once './libraries/common.inc.php';
 if ( false === $GLOBALS['cfg']['AllowThirdPartyFraming']) {
     echo PMA_includeJS('cross_framing_protection.js');
 }
-// generate title
-$title = PMA_expandUserString(
+// generate title (unless we already have $page_title, from cookie auth)
+if (! isset($page_title)) {
+    $title = PMA_expandUserString(
             !empty($GLOBALS['table']) ? $GLOBALS['cfg']['TitleTable'] :
             (!empty($GLOBALS['db']) ? $GLOBALS['cfg']['TitleDatabase'] :
             (!empty($GLOBALS['cfg']['Server']['host']) ? $GLOBALS['cfg']['TitleServer'] :
             $GLOBALS['cfg']['TitleDefault']))
-            );
+        );
+} else {
+    $title = $page_title;
+}
 // here, the function does not exist with this configuration: $cfg['ServerDefault'] = 0;
 $is_superuser    = function_exists('PMA_isSuperuser') && PMA_isSuperuser();