Setup script: warn about root without password

Piotr Przybylski
2008-09-04 12:37:13 +00:00
parent 296bd5679e
commit ab83474962
2 changed files with 26 additions and 9 deletions


@@ -61,9 +61,11 @@ $str['Version_check_unparsable'] = 'Unparsable version string';
$str['Version_check_new_available'] = 'New version of phpMyAdmin is available, you should consider upgrade. New version is %s, released on %s.';
$str['Version_check_new_available_svn'] = 'You are using subversion version, run [kbd]svn update[/kbd] :-).[br]The latest stable version is %s, released on %s.';
$str['Version_check_none'] = 'No newer stable version is available';
$str['Server_security_info_msg'] = 'If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.';
$str['Server_ssl_msg'] = 'You should use SSL connections if your web server supports it';
$str['Server_extension_msg'] = 'You should use mysqli for performance reasons';
$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd]. If you feel this is necessary, use additional protection settings - [a@?page=servers&mode=edit&id=%1$d#tab_Server_config]host authentication[/a] settings and [a@?page=form&formset=features#tab_Security]trusted proxies list[/a]. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.';
$str['Server_auth_config_msg'] = 'You set [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows phpMyAdmin URL can directly access your phpMyAdmin panel. Set [a@?page=servers&mode=edit&id=%1$d#tab_Server]authentication type[/a] to [kbd]cookie[/kbd] or [kbd]http[/kbd].';
$str['Server_no_password_root_msg'] = 'You allow for connecting to the server as root without a passowrd.';
$str['blowfish_secret_msg'] = 'You didn\'t have blowfish secret set and enabled cookie authentication so the key was generated for you. It is used to encrypt cookies.';
$str['blowfish_secret_length_msg'] = 'Key is too short, it should have at least 8 characters';
$str['blowfish_secret_chars_msg'] = 'Key should contain alphanumerics, letters [em]and[/em] special characters';
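Review bot: The new `Server_no_password_root_msg` string misspells "password" as "passowrd", so the typo will appear in the setup script's security warning. The line should read `$str['Server_no_password_root_msg'] = 'You allow for connecting to the server as root without a password.';`. Since the text after the first sentence of `Server_auth_config_msg` moved into the new `Server_security_info_msg`, every place that shows `Server_auth_config_msg` must now append it. Only the one call site in the second file of this commit is visible here, so any other users of that key need checking.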


@@ -278,7 +278,22 @@ function perform_config_checks()
&& $cf->getValue("Servers/$i/user") != ''
&& $cf->getValue("Servers/$i/password") != '') {
$title = PMA_lang_name('Servers/1/auth_type') . " ($server_name)";
messages_set('warning', "Servers/$i/auth_type", $title, PMA_lang('Server_auth_config_msg', $i));
messages_set('warning', "Servers/$i/auth_type", $title,
PMA_lang('Server_auth_config_msg', $i) . ' ' .
PMA_lang('Server_security_info_msg', $i));
}
//
// $cfg['Servers'][$i]['AllowRoot']
// $cfg['Servers'][$i]['AllowNoPasswordRoot']
// serious security flaw
//
if ($cf->getValue("Servers/$i/AllowRoot")
&& $cf->getValue("Servers/$i/AllowNoPasswordRoot")) {
$title = PMA_lang_name('Servers/1/AllowNoPasswordRoot') . " ($server_name)";
messages_set('warning', "Servers/$i/AllowNoPasswordRoot", $title,
PMA_lang('Server_no_password_root_msg') . ' ' .
PMA_lang('Server_security_info_msg', $i));
}
}
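Review bot: The warning raised by the new `AllowRoot` / `AllowNoPasswordRoot` check never tells the administrator how to fix the problem. `Server_no_password_root_msg` only states the condition, and the appended `Server_security_info_msg` opens with "If you feel this is necessary", which presents host authentication as an optional extra. For a root login with an empty password the direct remediation is to disable `AllowNoPasswordRoot` (or `AllowRoot`) or to set a root password. The message should say that and link to the setting, as `Server_auth_config_msg` does for the authentication type. The `// serious security flaw` comment could also name the risk, e.g. `// root may log in with an empty password: full server privileges if the MySQL root account has none set`. The body of perform_config_checks() and its per-server loop start and end outside this hunk.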