From ab8347496235cc4e3ae8ddcc4deb7900b1eec891 Mon Sep 17 00:00:00 2001
From: Piotr Przybylski
Date: Thu, 4 Sep 2008 12:37:13 +0000
Subject: [PATCH] Setup script: warn about root without password
---
 setup/lang/english-utf-8.inc.php | 4 +++-
 setup/lib/index.lib.php | 31 +++++++++++++++++++++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/setup/lang/english-utf-8.inc.php b/setup/lang/english-utf-8.inc.php
index da8a25960..0d114c831 100644
--- a/setup/lang/english-utf-8.inc.php
+++ b/setup/lang/english-utf-8.inc.php
@@ -61,9 +61,11 @@ $str['Version_check_unparsable'] = 'Unparsable version string'; $str['Version_check_new_available'] = 'New version of phpMyAdmin is available, you should consider upgrade. New version is %s, released on %s.'; $str['Version_check_new_available_svn'] = 'You are using subversion version, run [kbd]svn update[/kbd] :-).[br]The latest stable version is %s, released on %s.'; $str['Version_check_none'] = 'No newer stable version is available'; +$str['Server_security_info_msg'] = 'If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.'; $str['Server_ssl_msg'] = 'You should use SSL connections if your web server supports it'; $str['Server_extension_msg'] = 'You should use mysqli for performance reasons'; -$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd]. If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.'; +$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. 
Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd].'; +$str['Server_no_password_root_msg'] = 'You allow for connecting to the server as root without a passowrd.'; $str['blowfish_secret_msg'] = 'You didn\'t have blowfish secret set and enabled cookie authentication so the key was generated for you. It is used to encrypt cookies.'; $str['blowfish_secret_length_msg'] = 'Key is too short, it should have at least 8 characters'; $str['blowfish_secret_chars_msg'] = 'Key should contain alphanumerics, letters [em]and[/em] special characters'; diff --git a/setup/lib/index.lib.php b/setup/lib/index.lib.php index f5971adfb..2fd2b0d15 100644 --- a/setup/lib/index.lib.php +++ b/setup/lib/index.lib.php @@ -278,7 +278,22 @@ function perform_config_checks() && $cf->getValue("Servers/$i/user") != '' && $cf->getValue("Servers/$i/password") != '') { $title = PMA_lang_name('Servers/1/auth_type') . " ($server_name)"; - messages_set('warning', "Servers/$i/auth_type", $title, PMA_lang('Server_auth_config_msg', $i)); + messages_set('warning', "Servers/$i/auth_type", $title, + PMA_lang('Server_auth_config_msg', $i) . ' ' . + PMA_lang('Server_security_info_msg', $i)); + } + + // + // $cfg['Servers'][$i]['AllowRoot'] + // $cfg['Servers'][$i]['AllowNoPasswordRoot'] + // serious security flaw + // + if ($cf->getValue("Servers/$i/AllowRoot") + && $cf->getValue("Servers/$i/AllowNoPasswordRoot")) { + $title = PMA_lang_name('Servers/1/AllowNoPasswordRoot') . " ($server_name)"; + messages_set('warning', "Servers/$i/AllowNoPasswordRoot", $title, + PMA_lang('Server_no_password_root_msg') . ' ' . + PMA_lang('Server_security_info_msg', $i)); } } 
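Review bot: The new `Server_no_password_root_msg` string misspells "password" as "passowrd", and that text is what every administrator who trips the new check will read. `$str['Server_no_password_root_msg'] = 'You allow connecting to the server as root without a password.';` fixes the spelling and the awkward "allow for connecting" in one go. Because the trailing advice was split out into `Server_security_info_msg`, which still carries the `%1$d` placeholder, every caller of that key must pass the server index as both call sites in index.lib.php now do.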
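Review bot: The comment block above the new `AllowRoot`/`AllowNoPasswordRoot` check says only `// serious security flaw`, which leaves the next reader guessing why both flags are tested together and what the actual exposure is; I would replace that line with `// root login is enabled and needs no password: any client that can reach this phpMyAdmin can connect as root` so the combined condition (an `AllowRoot` of false makes the password flag moot) is explained in place. The title line looks up `'Servers/1/AllowNoPasswordRoot'` with a literal `1` while the message id uses `$i`; this mirrors the existing `'Servers/1/auth_type'` line, so it is presumably the PMA_lang_name convention, but if names are per server `$i` belongs there. The enclosing server loop and perform_config_checks() start outside this hunk.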
@@ -292,7 +307,7 @@ function perform_config_checks() messages_set('notice', 'blowfish_secret_created', 'blowfish_secret_name', PMA_lang('blowfish_secret_msg')); } else { - $blowfish_warnings = array(); + $blowfish_warnings = array(); // check length if (strlen($blowfish_secret) < 8) { // too short key @@ -303,11 +318,11 @@ function perform_config_checks() $has_chars = (bool) preg_match('/\S/', $blowfish_secret); $has_nonword = (bool) preg_match('/\W/', $blowfish_secret); if (!$has_digits || !$has_chars || !$has_nonword) { - $blowfish_warnings[] = PMA_lang('blowfish_secret_chars_msg'); + $blowfish_warnings[] = PMA_lang('blowfish_secret_chars_msg'); } if (!empty($blowfish_warnings)) { - messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings), - 'blowfish_secret_name', implode("
", $blowfish_warnings)); + messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings), + 'blowfish_secret_name', implode("
", $blowfish_warnings)); } } } @@ -326,7 +341,7 @@ function perform_config_checks() // if ($cf->getValue('AllowArbitraryServer')) { messages_set('warning', 'AllowArbitraryServer', 'AllowArbitraryServer_name', - PMA_lang('AllowArbitraryServer_msg')); + PMA_lang('AllowArbitraryServer_msg')); } // @@ -335,7 +350,7 @@ function perform_config_checks() // if ($cf->getValue('LoginCookieValidity') > 1800) { messages_set('warning', 'LoginCookieValidity', 'LoginCookieValidity_name', - PMA_lang('LoginCookieValidity_msg')); + PMA_lang('LoginCookieValidity_msg')); } // @@ -344,7 +359,7 @@ function perform_config_checks() // if ($cf->getValue('SaveDir') != '') { messages_set('notice', 'SaveDir', 'SaveDir_name', - PMA_lang('Directory_notice')); + PMA_lang('Directory_notice')); } //