From d4dcc674951e2299cb54609ecd44c441d36aac31 Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Fri, 23 Jun 2006 11:14:15 +0000
Subject: [PATCH] bug #1501027, possible user/password disclosure
---
ChangeLog | 4 ++++
libraries/Config.class.php | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 432be934f..c748ae35c 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,10 @@ phpMyAdmin - ChangeLog
 $Id$
 $Source$
 
+2006-06-23 Marc Delisle
+ * libraries/Config.class.php: bug #1501027, possible user/password
+ disclosure when switching from http to https
+
 2006-06-22 Marc Delisle
 * libraries/database_interface.lib.php, /export/sql.php, lang/*:
 export of procedures and functions. Note: this needs improvement
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index d68473ca5..d70b370e6 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -509,7 +509,9 @@ class PMA_Config
 // Setup a default value to let the people and lazy syadmins work anyway,
 // they'll get an error if the autodetect code doesn't work
 $pma_absolute_uri = $this->get('PmaAbsoluteUri');
- if (strlen($pma_absolute_uri) < 1) {
+ // by recomputing $pma_absolute_uri when is_https, we ensure
+ // that a user switching from http to https stays in https
+ if (strlen($pma_absolute_uri) < 1 || $this->get('is_https')) {
 $url = array();
 // At first we try to parse REQUEST_URI, it might contain full URL