bug #3308072 [auth] Version disclosure to anonymous visitors

ChangeLog

@@ -12,6 +12,7 @@
 - bug #3276001 [core] Avoid caching of index.php.
 - bug #3306958 [interface] Unnecessary Details slider
 - bug #3308476 [interface] "Show all" not persistent after a sort
+- bug #3308072 [auth] Version disclosure to anonymous visitors
 
 3.4.1.0 (2011-05-20)
 - bug #3301108 [interface] Synchronize and already configured host

libraries/auth/cookie.auth.lib.php

@@ -169,6 +169,7 @@ function PMA_auth()
     /* HTML header; do not show here the PMA version to improve security */
     $page_title = 'phpMyAdmin ';
     require './libraries/header_meta_style.inc.php';
+    // if $page_title is set, this script uses it as the title:
     require './libraries/header_scripts.inc.php';
     ?>
 <script type="text/javascript">

libraries/header_scripts.inc.php

@@ -18,13 +18,17 @@ require_once './libraries/common.inc.php';
 if ( false === $GLOBALS['cfg']['AllowThirdPartyFraming']) {
     echo PMA_includeJS('cross_framing_protection.js');
 }
-// generate title
+// generate title (unless we already have $page_title, from cookie auth)
+if (! isset($page_title)) {
     $title = PMA_expandUserString(
             !empty($GLOBALS['table']) ? $GLOBALS['cfg']['TitleTable'] :
             (!empty($GLOBALS['db']) ? $GLOBALS['cfg']['TitleDatabase'] :
             (!empty($GLOBALS['cfg']['Server']['host']) ? $GLOBALS['cfg']['TitleServer'] :
             $GLOBALS['cfg']['TitleDefault']))
         );
+} else {
+    $title = $page_title;
+}
 // here, the function does not exist with this configuration: $cfg['ServerDefault'] = 0;
 $is_superuser    = function_exists('PMA_isSuperuser') && PMA_isSuperuser();