protect binary contents in cookies

2003-07-04 14:35:04 +00:00
parent 68d346035a
commit d248de79f0
3 changed files with 10 additions and 4 deletions
--- a/2
+++ b/2
@@ -7,6 +7,8 @@ $Source$

 2003-07-04 Marc Delisle  <lem9@users.sourceforge.net>
    * libraries/auth/cookie.auth.lib.php3: PHP3 compatibility
+    * libraries/auth/cookie.auth.lib.php3: sometimes, binary contents in
+      cookies is not retrieved properly, so protect it with base64_encode()

 2003-07-03 Marc Delisle  <lem9@users.sourceforge.net>
    * lang/romanian update, thanks to Valics Lehel
--- a/libraries/auth/cookie.auth.lib.php3
+++ b/libraries/auth/cookie.auth.lib.php3
@@ -396,7 +396,7 @@ if (uname.value == '') {

        // The user wants to be logged out -> delete password cookie
        if (!empty($old_usr)) {
-            setcookie('pma_cookie_password', '', 0, $GLOBALS['cookie_path'], '' , $GLOBALS['is_https']);
+            setcookie('pma_cookie_password', base64_encode(''), 0, $GLOBALS['cookie_path'], '' , $GLOBALS['is_https']);
        }

        // The user just logged in
@@ -434,6 +434,7 @@ if (uname.value == '') {
            else {
                $from_cookie   = FALSE;
            }
+            $PHP_AUTH_PW = base64_decode($PHP_AUTH_PW);
            $PHP_AUTH_PW = PMA_blowfish_decrypt($PHP_AUTH_PW,$GLOBALS['cfg']['Server']['blowfish_secret']);

            if ($PHP_AUTH_PW == "\xff(blank)") {
@@ -501,9 +502,12 @@ if (uname.value == '') {
                time() + (60 * 60 * 24 * 30),
                $GLOBALS['cookie_path'], '',
                $GLOBALS['is_https']);
+
            // Duration = till the browser is closed for password
+            // Some binary contents are now retrieved properly when stored
+            // as a cookie, so we base64_encode()
            setcookie('pma_cookie_password',
-                PMA_blowfish_encrypt(((!empty($cfg['Server']['password'])) ? $cfg['Server']['password'] : "\xff(blank)"), $GLOBALS['cfg']['Server']['blowfish_secret']),
+                base64_encode(PMA_blowfish_encrypt(((!empty($cfg['Server']['password'])) ? $cfg['Server']['password'] : "\xff(blank)"), $GLOBALS['cfg']['Server']['blowfish_secret'])),
                0,
                $GLOBALS['cookie_path'], '',
                $GLOBALS['is_https']);
@@ -541,7 +545,7 @@ if (uname.value == '') {
 	global $conn_error;

        // Deletes password cookie and displays the login form
-        setcookie('pma_cookie_password', '', 0, $GLOBALS['cookie_path'], '' , $GLOBALS['is_https']);
+        setcookie('pma_cookie_password', base64_encode(''), 0, $GLOBALS['cookie_path'], '' , $GLOBALS['is_https']);

        if (PMA_mysql_error()) {
            $conn_error = PMA_mysql_error();
--- a/user_password.php3
+++ b/user_password.php3
@@ -55,7 +55,7 @@ if (isset($nopass)) {

        // Changes password cookie if required
        if ($cfg['Server']['auth_type'] == 'cookie') {
-            setcookie('pma_cookie_password', PMA_blowfish_encrypt($pma_pw,$GLOBALS['cfg']['Server']['blowfish_secret']), 0, $cookie_path, '', $is_https);
+            setcookie('pma_cookie_password', base64_encode(PMA_blowfish_encrypt($pma_pw,$GLOBALS['cfg']['Server']['blowfish_secret'])), 0, $cookie_path, '', $is_https);
        } // end if
        // For http auth. mode, the "back" link will also enforce new
        // authentication