diff --git a/ChangeLog b/ChangeLog
index d64df79aa..118abb1eb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,8 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA + [auth] cookie auth now autogenerates blowfish_secret, but it has some limitations and you still should set it in config file + [auth] cookie authentication is now default ++ [auth] do not allow root user without password unless explicitly enabled by + AllowEmptyRoot 3.0.0.0 (not yet released) + [export] properly handle line breaks for YAML, thanks to Dan Barry -
diff --git a/Documentation.html b/Documentation.html
index a0e69a717..9be7f2ceb 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -1032,6 +1032,11 @@ ALTER TABLE `pma_column_comments` boolean
Whether to allow root access. This is just simplification of rules below.
+
$cfg['Servers'][$i]['AllowNoPassowdRoot'] + boolean
+
Whether to allow acces to root user without password. This is to + protect against access to not configured MySQL server. +
$cfg['Servers'][$i]['AllowDeny']['order'] string
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index 432b66bd0..8ae6ed383 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -870,6 +870,13 @@ if (! defined('PMA_MINIMUM_COMMON')) {
 unset($allowDeny_forbidden); //Clean up after you!
 }
+ // is root without password allowed?
+ if (!$cfg['Server']['AllowNoPasswordRoot'] && $cfg['Server']['user'] == 'root' && $cfg['Server']['password'] == '') {
+ $allowDeny_forbidden = true;
+ PMA_auth_fails();
+ unset($allowDeny_forbidden); //Clean up after you!
+ }
+
 // Try to connect MySQL with the control user profile (will be used to
 // get the privileges list for the current user but the true user link
 // must be open after this one so it would be default one for all the
diff --git a/libraries/config.default.php b/libraries/config.default.php
index 96158f23b..0a8f7b2a5 100644
--- a/libraries/config.default.php
+++ b/libraries/config.default.php
@@ -337,6 +337,13 @@ $cfg['Servers'][$i]['verbose_check'] = true;
 */
 $cfg['Servers'][$i]['AllowRoot'] = true;
+/**
+ * whether to allow login of root user with no password (MySQL default)
+ *
+ * @global boolean $cfg['Servers'][$i]['AllowNoPasswordRoot']
+ */
+$cfg['Servers'][$i]['AllowNoPasswordRoot'] = false;
+
 /**
 * Host authentication order, leave blank to not use
 *
diff --git a/setup/lang/english-utf-8.inc.php b/setup/lang/english-utf-8.inc.php
index 663575a85..bb4b361af 100644
--- a/setup/lang/english-utf-8.inc.php
+++ b/setup/lang/english-utf-8.inc.php
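Review bot: The key the new guard reads, `$cfg['Server']['AllowNoPasswordRoot']`, is spelled differently elsewhere in this same commit — Documentation.html documents it as `AllowNoPassowdRoot` and the ChangeLog entry calls it `AllowEmptyRoot` — so an administrator following either text will set an option this check never consults and root-without-password stays blocked with no hint why; the documentation and ChangeLog should use the name from config.default.php. The condition should also use strict comparisons and tolerate a server entry that lacks the new key (I cannot see from here how defaults are merged into `$cfg['Server']`): `if (empty($cfg['Server']['AllowNoPasswordRoot']) && $cfg['Server']['user'] === 'root' && $cfg['Server']['password'] === '') {`. Reusing `$allowDeny_forbidden`, which the block just above sets for AllowDeny host-rule denials, presumably makes PMA_auth_fails() report a host-rule rejection, which would mislead a user whose real problem is the empty root password; a dedicated flag or message would make the denial reason clear. The enclosing `if (! defined('PMA_MINIMUM_COMMON'))` block starts and ends outside the hunk.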
@@ -174,6 +174,7 @@ $str['Servers/1/only_db_desc'] = 'You can use MySQL wildcard characters (% and _
 $str['Servers/1/hide_db_name'] = 'Hide databases';
 $str['Servers/1/hide_db_desc'] = 'Hide databases matching regular expression (PCRE)';
 $str['Servers/1/AllowRoot_name'] = 'Allow root login';
+$str['Servers/1/AllowNoPasswordRoot_name'] = 'Allow root without password';
 $str['Servers/1/DisableIS_name'] = 'Disable use of INFORMATION_SCHEMA';
 $str['Servers/1/DisableIS_desc'] = 'More information on [a@http://sf.net/support/tracker.php?aid=1849494]PMA bug tracker[/a] and [a@http://bugs.mysql.com/19588]MySQL Bugs[/a]';
 $str['Servers/1/AllowDeny/order_name'] = 'Host authentication order';
@@ -421,4 +422,4 @@ $str['Export/remember_file_template_name'] = 'Remember file name template';
 $str['Export/file_template_table_name'] = 'Table name template';
 $str['Export/file_template_database_name'] = 'Database name template';
 $str['Export/file_template_server_name'] = 'Server name template';
-?>
\ No newline at end of file
+?>
diff --git a/setup/lib/forms.inc.php b/setup/lib/forms.inc.php
index 3261eaece..d1d5ca3cb 100644
--- a/setup/lib/forms.inc.php
+++ b/setup/lib/forms.inc.php
@@ -44,6 +44,7 @@ $forms['Server_config'] = array('Servers' => array(1 => array(
 'only_db',
 'hide_db',
 'AllowRoot',
+ 'AllowNoPasswordRoot',
 'DisableIS',
 'AllowDeny/order',
 'AllowDeny/rules',
@@ -188,4 +189,4 @@ $forms['Export_defaults'] = array('Export' => array(
 'file_template_table',
 'file_template_database',
 'file_template_server'));
-?>
\ No newline at end of file
+?>