diff --git a/ChangeLog b/ChangeLog
index e33a98161..d2db946a5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- patch #2903400 [bookmarks] Status of bookmark table,
thanks to Virsacer - virsacer
- bug [history] QueryHistoryDB is not respected
+- bug #2905629 [auth] Blowfish secret is not hashed
3.2.4.0 (not yet released)
- bug [engines] Innodb_buffer_pool_pages_latched no longer returned in status
diff --git a/Documentation.html b/Documentation.html
index 192294e5f..495391719 100644
--- a/Documentation.html
+++ b/Documentation.html
@@ -626,8 +626,8 @@ since this link provides funding for phpMyAdmin.
algorithm to encrypt the password.
If you are using the "cookie" auth_type, enter here a random
passphrase of your choice. It will be used internally by the blowfish
- algorithm: you won’t be prompted for this passphrase. The maximum
- number of characters for this parameter seems to be 46.
+ algorithm: you won’t be prompted for this passphrase. There is
+ no maximum length for this secret.
Since version 3.1.0 phpMyAdmin can generate this on the fly, but it
makes a bit weaker security as this generated secret is stored in
diff --git a/libraries/auth/cookie.auth.lib.php b/libraries/auth/cookie.auth.lib.php
index b5b63082b..f81710e05 100644
--- a/libraries/auth/cookie.auth.lib.php
+++ b/libraries/auth/cookie.auth.lib.php
@@ -95,11 +95,13 @@ if (function_exists('mcrypt_encrypt')) {
function PMA_get_blowfish_secret() {
if (empty($GLOBALS['cfg']['blowfish_secret'])) {
if (empty($_SESSION['auto_blowfish_secret'])) {
+ // this returns 23 characters
$_SESSION['auto_blowfish_secret'] = uniqid('', true);
}
return $_SESSION['auto_blowfish_secret'];
} else {
- return $GLOBALS['cfg']['blowfish_secret'];
+ // apply md5() to work around too long secrets (returns 32 characters)
+ return md5($GLOBALS['cfg']['blowfish_secret']);
}
}
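Review bot: The new `md5()` return in PMA_get_blowfish_secret yields a 32-character hexadecimal string, so whatever the configured secret's length, the key material passed on carries at most 128 bits (4 bits per character), well under Blowfish's 448-bit maximum, and the comment above it should state that rather than only describing it as a length work-around, e.g. `// md5() normalises any length to 32 hex chars; key entropy is capped at 128 bits`. The auto-generated branch is left unhashed and returns the 23-character `uniqid('', true)` value, which is derived from the clock rather than a random source, so the two branches now produce keys of different shape and strength. If the value is only ever consumed as the mcrypt key (not visible in this hunk), a raw binary digest such as `return hash('sha256', $GLOBALS['cfg']['blowfish_secret'], true);` would give a fixed 32-byte key without the hex-encoding loss; either way the change in derivation invalidates cookies issued before this commit, which is worth a line in the ChangeLog entry.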