bug #2905629 [auth] Blowfish secret is not hashed

Marc Delisle
2009-11-29 21:36:13 +00:00
parent a1957c6687
commit f1d719769a
3 changed files with 6 additions and 3 deletions


@@ -9,6 +9,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- patch #2903400 [bookmarks] Status of bookmark table,
thanks to Virsacer - virsacer
- bug [history] QueryHistoryDB is not respected
- bug #2905629 [auth] Blowfish secret is not hashed
3.2.4.0 (not yet released)
- bug [engines] Innodb_buffer_pool_pages_latched no longer returned in status


@@ -626,8 +626,8 @@ since this link provides funding for phpMyAdmin.
algorithm to encrypt the password.<br />
If you are using the &quot;cookie&quot; auth_type, enter here a random
passphrase of your choice. It will be used internally by the blowfish
algorithm: you won&#8217;t be prompted for this passphrase. The maximum
number of characters for this parameter seems to be 46.<br /><br />
algorithm: you won&#8217;t be prompted for this passphrase. There is
no maximum length for this secret.<br /><br />
Since version 3.1.0 phpMyAdmin can generate this on the fly, but it
makes a bit weaker security as this generated secret is stored in


@@ -95,11 +95,13 @@ if (function_exists('mcrypt_encrypt')) {
function PMA_get_blowfish_secret() {
if (empty($GLOBALS['cfg']['blowfish_secret'])) {
if (empty($_SESSION['auto_blowfish_secret'])) {
// this returns 23 characters
$_SESSION['auto_blowfish_secret'] = uniqid('', true);
}
return $_SESSION['auto_blowfish_secret'];
} else {
return $GLOBALS['cfg']['blowfish_secret'];
// apply md5() to work around too long secrets (returns 32 characters)
return md5($GLOBALS['cfg']['blowfish_secret']);
}
}
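Review bot: The `md5()` call in the `else` branch caps the effective key at 128 bits and adds no salt or stretching, so a short or guessable `blowfish_secret` stays as weak as it was. The new comment should say so, e.g. `// md5() only normalises the length (32 hex chars, at most 128 bits); it does not strengthen a weak secret`. The branch above still returns the `uniqid('', true)` value unhashed. That value is built from the current time plus a non-cryptographic generator, so the two paths now yield keys of different shape and the auto-generated one remains the weaker. Hashing also changes the key for installations that already have a secret configured, so cookies issued before the upgrade will presumably no longer decrypt and users will have to log in again, which is worth a line in the ChangeLog entry.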