Setup script: warn about root without password

setup/lang/english-utf-8.inc.php

@@ -61,9 +61,11 @@ $str['Version_check_unparsable'] = 'Unparsable version string';
 $str['Version_check_new_available'] = 'New version of phpMyAdmin is available, you should consider upgrade. New version is %s, released on %s.';
 $str['Version_check_new_available_svn'] = 'You are using subversion version, run [kbd]svn update[/kbd] :-).[br]The latest stable version is %s, released on %s.';
 $str['Version_check_none'] = 'No newer stable version is available';
+$str['Server_security_info_msg'] = 'If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.';
 $str['Server_ssl_msg'] = 'You should use SSL connections if your web server supports it';
 $str['Server_extension_msg'] = 'You should use mysqli for performance reasons';
-$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd]. If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.';
+$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd].';
+$str['Server_no_password_root_msg'] = 'You allow for connecting to the server as root without a passowrd.';
 $str['blowfish_secret_msg'] = 'You didn\'t have blowfish secret set and enabled cookie authentication so the key was generated for you. It is used to encrypt cookies.';
 $str['blowfish_secret_length_msg'] = 'Key is too short, it should have at least 8 characters';
 $str['blowfish_secret_chars_msg'] = 'Key should contain alphanumerics, letters [em]and[/em] special characters';

setup/lib/index.lib.php

@@ -278,7 +278,22 @@ function perform_config_checks()
             && $cf->getValue("Servers/$i/user") != ''
             && $cf->getValue("Servers/$i/password") != '') {
             $title = PMA_lang_name('Servers/1/auth_type') . " ($server_name)";
-            messages_set('warning', "Servers/$i/auth_type", $title, PMA_lang('Server_auth_config_msg', $i));
+            messages_set('warning', "Servers/$i/auth_type", $title,
+            	PMA_lang('Server_auth_config_msg', $i) . ' ' .
+            	PMA_lang('Server_security_info_msg', $i));
+        }
+
+        //
+        // $cfg['Servers'][$i]['AllowRoot']
+        // $cfg['Servers'][$i]['AllowNoPasswordRoot']
+        // serious security flaw
+        //
+        if ($cf->getValue("Servers/$i/AllowRoot")
+            && $cf->getValue("Servers/$i/AllowNoPasswordRoot")) {
+			$title = PMA_lang_name('Servers/1/AllowNoPasswordRoot') . " ($server_name)";
+			messages_set('warning', "Servers/$i/AllowNoPasswordRoot", $title,
+				PMA_lang('Server_no_password_root_msg') . ' ' .
+            	PMA_lang('Server_security_info_msg', $i));
         }
     }
 
@@ -292,7 +307,7 @@ function perform_config_checks()
             messages_set('notice', 'blowfish_secret_created', 'blowfish_secret_name',
                  PMA_lang('blowfish_secret_msg'));
         } else {
-        	$blowfish_warnings = array();
+            $blowfish_warnings = array();
             // check length
             if (strlen($blowfish_secret) < 8) {
                 // too short key
@@ -303,11 +318,11 @@ function perform_config_checks()
             $has_chars = (bool) preg_match('/\S/', $blowfish_secret);
             $has_nonword = (bool) preg_match('/\W/', $blowfish_secret);
             if (!$has_digits || !$has_chars || !$has_nonword) {
-            	$blowfish_warnings[] = PMA_lang('blowfish_secret_chars_msg');
+                $blowfish_warnings[] = PMA_lang('blowfish_secret_chars_msg');
             }
             if (!empty($blowfish_warnings)) {
-            	messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings),
-            		'blowfish_secret_name', implode("<br />", $blowfish_warnings));
+                messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings),
+                    'blowfish_secret_name', implode("<br />", $blowfish_warnings));
             }
         }
     }
@@ -326,7 +341,7 @@ function perform_config_checks()
     //
     if ($cf->getValue('AllowArbitraryServer')) {
         messages_set('warning', 'AllowArbitraryServer', 'AllowArbitraryServer_name',
-        	PMA_lang('AllowArbitraryServer_msg'));
+            PMA_lang('AllowArbitraryServer_msg'));
     }
 
     //
@@ -335,7 +350,7 @@ function perform_config_checks()
     //
     if ($cf->getValue('LoginCookieValidity') > 1800) {
         messages_set('warning', 'LoginCookieValidity', 'LoginCookieValidity_name',
-        	PMA_lang('LoginCookieValidity_msg'));
+            PMA_lang('LoginCookieValidity_msg'));
     }
 
     //
@@ -344,7 +359,7 @@ function perform_config_checks()
     //
     if ($cf->getValue('SaveDir') != '') {
         messages_set('notice', 'SaveDir', 'SaveDir_name',
-        	PMA_lang('Directory_notice'));
+            PMA_lang('Directory_notice'));
     }
 
     //