do not allow root user without password unless explicitly enabled by AllowEmptyRoot

This commit is contained in:
Michal Čihař
2008-09-03 13:45:12 +00:00
parent c2489bc131
commit e0987bfbc8
6 changed files with 25 additions and 2 deletions


@@ -15,6 +15,8 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
+ [auth] cookie auth now autogenerates blowfish_secret, but it has some
limitations and you still should set it in config file
+ [auth] cookie authentication is now default
+ [auth] do not allow root user without password unless explicitly enabled by
AllowEmptyRoot
3.0.0.0 (not yet released)
+ [export] properly handle line breaks for YAML, thanks to Dan Barry -


@@ -1032,6 +1032,11 @@ ALTER TABLE `pma_column_comments`
boolean</dt>
<dd>Whether to allow root access. This is just simplification of rules below.
</dd>
<dt><span id="cfg_Servers_AllowNoPasswordRoot">$cfg['Servers'][$i]['AllowNoPassowdRoot']</span>
boolean</dt>
<dd>Whether to allow acces to root user without password. This is to
protect against access to not configured MySQL server.
</dd>
<dt id="servers_allowdeny_order">
<span id="cfg_Servers_AllowDeny_order">$cfg['Servers'][$i]['AllowDeny']['order']</span> string
</dt>


@@ -870,6 +870,13 @@ if (! defined('PMA_MINIMUM_COMMON')) {
unset($allowDeny_forbidden); //Clean up after you!
}
// is root without password allowed?
if (!$cfg['Server']['AllowNoPasswordRoot'] && $cfg['Server']['user'] == 'root' && $cfg['Server']['password'] == '') {
$allowDeny_forbidden = true;
PMA_auth_fails();
unset($allowDeny_forbidden); //Clean up after you!
}
// Try to connect MySQL with the control user profile (will be used to
// get the privileges list for the current user but the true user link
// must be open after this one so it would be default one for all the
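Review bot: The new root check compares with loose `==`, so an unset or non-string password value (`null`, an integer `0` from a hand-edited config) is treated as "empty" or "not empty" by PHP's coercion rules rather than by its actual string content; casting and comparing strictly makes the intent explicit: `if (! $cfg['Server']['AllowNoPasswordRoot'] && $cfg['Server']['user'] === 'root' && (string) $cfg['Server']['password'] === '') {`. The check reuses `$allowDeny_forbidden` from the AllowDeny block just above it, so if `PMA_auth_fails()` keys its message on that flag (not visible here) a root-without-password denial will be indistinguishable from a host-rule rejection for the administrator diagnosing it; a dedicated flag or message naming `AllowNoPasswordRoot` would make the refusal actionable. Whether `$cfg['Server']['user']` and `['password']` are already populated by the cookie auth module at this point is not visible in the hunk and should be confirmed, since the check is a no-op otherwise. The enclosing `if (! defined('PMA_MINIMUM_COMMON'))` block starts before this hunk.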


@@ -337,6 +337,13 @@ $cfg['Servers'][$i]['verbose_check'] = true;
*/
$cfg['Servers'][$i]['AllowRoot'] = true;
/**
* whether to allow login of root user with no password (MySQL default)
*
* @global boolean $cfg['Servers'][$i]['AllowNoPasswordRoot']
*/
$cfg['Servers'][$i]['AllowNoPasswordRoot'] = false;
/**
* Host authentication order, leave blank to not use
*
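Review bot: The docblock on the new `AllowNoPasswordRoot` option says what it toggles but not why it defaults to `false` or how the check is applied, which is what an administrator deciding to flip it needs; suggest extending it to `* whether to allow login of root user with no password (MySQL default);` / `* off by default to protect an unconfigured MySQL server, the check matches the literal user name 'root' with an empty password`. Note also that the Documentation.html hunk renders the key as `$cfg['Servers'][$i]['AllowNoPassowdRoot']`, which does not match the key defined here and would silently leave the default in place for anyone copying it.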


@@ -174,6 +174,7 @@ $str['Servers/1/only_db_desc'] = 'You can use MySQL wildcard characters (% and _
$str['Servers/1/hide_db_name'] = 'Hide databases';
$str['Servers/1/hide_db_desc'] = 'Hide databases matching regular expression (PCRE)';
$str['Servers/1/AllowRoot_name'] = 'Allow root login';
$str['Servers/1/AllowNoPasswordRoot_name'] = 'Allow root without password';
$str['Servers/1/DisableIS_name'] = 'Disable use of INFORMATION_SCHEMA';
$str['Servers/1/DisableIS_desc'] = 'More information on [a@http://sf.net/support/tracker.php?aid=1849494]PMA bug tracker[/a] and [a@http://bugs.mysql.com/19588]MySQL Bugs[/a]';
$str['Servers/1/AllowDeny/order_name'] = 'Host authentication order';


@@ -44,6 +44,7 @@ $forms['Server_config'] = array('Servers' => array(1 => array(
'only_db',
'hide_db',
'AllowRoot',
'AllowNoPasswordRoot',
'DisableIS',
'AllowDeny/order',
'AllowDeny/rules',