do not allow root user without password unless explicitly enabled by AllowEmptyRoot

ChangeLog

@@ -15,6 +15,8 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 + [auth] cookie auth now autogenerates blowfish_secret, but it has some
   limitations and you still should set it in config file
 + [auth] cookie authentication is now default
++ [auth] do not allow root user without password unless explicitly enabled by
+  AllowEmptyRoot
 
 3.0.0.0 (not yet released)
 + [export] properly handle line breaks for YAML, thanks to Dan Barry -

Documentation.html

@@ -1032,6 +1032,11 @@ ALTER TABLE `pma_column_comments`
         boolean</dt>
     <dd>Whether to allow root access. This is just simplification of rules below.
     </dd>
+    <dt><span id="cfg_Servers_AllowNoPasswordRoot">$cfg['Servers'][$i]['AllowNoPassowdRoot']</span>
+        boolean</dt>
+    <dd>Whether to allow acces to root user without password. This is to 
+        protect against access to not configured MySQL server.
+    </dd>
     <dt id="servers_allowdeny_order">
         <span id="cfg_Servers_AllowDeny_order">$cfg['Servers'][$i]['AllowDeny']['order']</span> string
     </dt>

libraries/common.inc.php

@@ -870,6 +870,13 @@ if (! defined('PMA_MINIMUM_COMMON')) {
             unset($allowDeny_forbidden); //Clean up after you!
         }
 
+        // is root without password allowed?
+        if (!$cfg['Server']['AllowNoPasswordRoot'] && $cfg['Server']['user'] == 'root' && $cfg['Server']['password'] == '') {
+            $allowDeny_forbidden = true;
+            PMA_auth_fails();
+            unset($allowDeny_forbidden); //Clean up after you!
+        }
+
         // Try to connect MySQL with the control user profile (will be used to
         // get the privileges list for the current user but the true user link
         // must be open after this one so it would be default one for all the

libraries/config.default.php

@@ -337,6 +337,13 @@ $cfg['Servers'][$i]['verbose_check'] = true;
  */
 $cfg['Servers'][$i]['AllowRoot'] = true;
 
+/**
+ * whether to allow login of root user with no password (MySQL default)
+ *
+ * @global boolean $cfg['Servers'][$i]['AllowNoPasswordRoot']
+ */
+$cfg['Servers'][$i]['AllowNoPasswordRoot'] = false;
+
 /**
  * Host authentication order, leave blank to not use
  *

setup/lang/english-utf-8.inc.php

@@ -174,6 +174,7 @@ $str['Servers/1/only_db_desc'] = 'You can use MySQL wildcard characters (% and _
 $str['Servers/1/hide_db_name'] = 'Hide databases';
 $str['Servers/1/hide_db_desc'] = 'Hide databases matching regular expression (PCRE)';
 $str['Servers/1/AllowRoot_name'] = 'Allow root login';
+$str['Servers/1/AllowNoPasswordRoot_name'] = 'Allow root without password';
 $str['Servers/1/DisableIS_name'] = 'Disable use of INFORMATION_SCHEMA';
 $str['Servers/1/DisableIS_desc'] = 'More information on [a@http://sf.net/support/tracker.php?aid=1849494]PMA bug tracker[/a] and [a@http://bugs.mysql.com/19588]MySQL Bugs[/a]';
 $str['Servers/1/AllowDeny/order_name'] = 'Host authentication order';
@@ -421,4 +422,4 @@ $str['Export/remember_file_template_name'] = 'Remember file name template';
 $str['Export/file_template_table_name'] = 'Table name template';
 $str['Export/file_template_database_name'] = 'Database name template';
 $str['Export/file_template_server_name'] = 'Server name template';
-?>
+?>

setup/lib/forms.inc.php

@@ -44,6 +44,7 @@ $forms['Server_config'] = array('Servers' => array(1 => array(
     'only_db',
     'hide_db',
     'AllowRoot',
+    'AllowNoPasswordRoot',
     'DisableIS',
     'AllowDeny/order',
     'AllowDeny/rules',
@@ -188,4 +189,4 @@ $forms['Export_defaults'] = array('Export' => array(
     'file_template_table',
     'file_template_database',
     'file_template_server'));
-?>
+?>