diff --git a/setup/lang/english-utf-8.inc.php b/setup/lang/english-utf-8.inc.php
index da8a25960..0d114c831 100644
--- a/setup/lang/english-utf-8.inc.php
+++ b/setup/lang/english-utf-8.inc.php
@@ -61,9 +61,11 @@ $str['Version_check_unparsable'] = 'Unparsable version string';
$str['Version_check_new_available'] = 'New version of phpMyAdmin is available, you should consider upgrade. New version is %s, released on %s.';
$str['Version_check_new_available_svn'] = 'You are using subversion version, run [kbd]svn update[/kbd] :-).[br]The latest stable version is %s, released on %s.';
$str['Version_check_none'] = 'No newer stable version is available';
+$str['Server_security_info_msg'] = 'If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.';
$str['Server_ssl_msg'] = 'You should use SSL connections if your web server supports it';
$str['Server_extension_msg'] = 'You should use mysqli for performance reasons';
-$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd]. If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.';
+$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd].';
+$str['Server_no_password_root_msg'] = 'You allow for connecting to the server as root without a passowrd.';
$str['blowfish_secret_msg'] = 'You didn\'t have blowfish secret set and enabled cookie authentication so the key was generated for you. It is used to encrypt cookies.';
$str['blowfish_secret_length_msg'] = 'Key is too short, it should have at least 8 characters';
$str['blowfish_secret_chars_msg'] = 'Key should contain alphanumerics, letters [em]and[/em] special characters';
diff --git a/setup/lib/index.lib.php b/setup/lib/index.lib.php
index f5971adfb..2fd2b0d15 100644
--- a/setup/lib/index.lib.php
+++ b/setup/lib/index.lib.php
@@ -278,7 +278,22 @@ function perform_config_checks()
&& $cf->getValue("Servers/$i/user") != ''
&& $cf->getValue("Servers/$i/password") != '') {
$title = PMA_lang_name('Servers/1/auth_type') . " ($server_name)";
- messages_set('warning', "Servers/$i/auth_type", $title, PMA_lang('Server_auth_config_msg', $i));
+ messages_set('warning', "Servers/$i/auth_type", $title,
+ PMA_lang('Server_auth_config_msg', $i) . ' ' .
+ PMA_lang('Server_security_info_msg', $i));
+ }
+
+ //
+ // $cfg['Servers'][$i]['AllowRoot']
+ // $cfg['Servers'][$i]['AllowNoPasswordRoot']
+ // serious security flaw
+ //
+ if ($cf->getValue("Servers/$i/AllowRoot")
+ && $cf->getValue("Servers/$i/AllowNoPasswordRoot")) {
+ $title = PMA_lang_name('Servers/1/AllowNoPasswordRoot') . " ($server_name)";
+ messages_set('warning', "Servers/$i/AllowNoPasswordRoot", $title,
+ PMA_lang('Server_no_password_root_msg') . ' ' .
+ PMA_lang('Server_security_info_msg', $i));
}
}
@@ -292,7 +307,7 @@ function perform_config_checks()
messages_set('notice', 'blowfish_secret_created', 'blowfish_secret_name',
PMA_lang('blowfish_secret_msg'));
} else {
- $blowfish_warnings = array();
+ $blowfish_warnings = array();
// check length
if (strlen($blowfish_secret) < 8) {
// too short key
@@ -303,11 +318,11 @@ function perform_config_checks()
$has_chars = (bool) preg_match('/\S/', $blowfish_secret);
$has_nonword = (bool) preg_match('/\W/', $blowfish_secret);
if (!$has_digits || !$has_chars || !$has_nonword) {
- $blowfish_warnings[] = PMA_lang('blowfish_secret_chars_msg');
+ $blowfish_warnings[] = PMA_lang('blowfish_secret_chars_msg');
}
if (!empty($blowfish_warnings)) {
- messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings),
- 'blowfish_secret_name', implode("
", $blowfish_warnings));
+ messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings),
+ 'blowfish_secret_name', implode("
", $blowfish_warnings));
}
}
}
@@ -326,7 +341,7 @@ function perform_config_checks()
//
if ($cf->getValue('AllowArbitraryServer')) {
messages_set('warning', 'AllowArbitraryServer', 'AllowArbitraryServer_name',
- PMA_lang('AllowArbitraryServer_msg'));
+ PMA_lang('AllowArbitraryServer_msg'));
}
//
@@ -335,7 +350,7 @@ function perform_config_checks()
//
if ($cf->getValue('LoginCookieValidity') > 1800) {
messages_set('warning', 'LoginCookieValidity', 'LoginCookieValidity_name',
- PMA_lang('LoginCookieValidity_msg'));
+ PMA_lang('LoginCookieValidity_msg'));
}
//
@@ -344,7 +359,7 @@ function perform_config_checks()
//
if ($cf->getValue('SaveDir') != '') {
messages_set('notice', 'SaveDir', 'SaveDir_name',
- PMA_lang('Directory_notice'));
+ PMA_lang('Directory_notice'));
}
//