 /**
  * Test for PMA_fatalError
  *
  * Covers both ways of supplying message parameters: a list of values for
  * several placeholders and a single scalar for a lone %s.
  *
  * @return void
  */
 public function testFatalErrorMessageWithArgs()
 {
     $cases = array(
         array(
             "Fatal error #%d in file %s.",
             array(1, 'error_file.php'),
             "/Fatal error #1 in file error_file.php./",
             "Not EQ",
         ),
         array(
             "Fatal error in file %s.",
             'error_file.php',
             "/Fatal error in file error_file.php./",
             null,
         ),
     );
     foreach ($cases as $oneCase) {
         list($message, $params, $expectedPattern, $failureText) = $oneCase;
         if ($failureText === null) {
             $this->expectOutputRegex($expectedPattern);
         } else {
             $this->expectOutputRegex($expectedPattern, $failureText);
         }
         PMA_fatalError($message, $params);
     }
 }
/**
 * Displays authentication form
 *
 * Signon authentication has no form of its own: the browser is redirected
 * to the configured SignonURL (or to LogoutURL when a logout was requested
 * via old_usr) and the script stops.
 *
 * @global  string    the font face to use in case of failure
 * @global  string    the default font size to use in case of failure
 * @global  string    the big font size to use in case of failure
 *
 * @return  boolean   always true (no return indeed)
 *
 * @access  public
 */
function PMA_auth()
{
    // Forget the remembered signon URL; it is re-recorded after a successful check
    unset($_SESSION['LAST_SIGNON_URL']);

    if (empty($GLOBALS['cfg']['Server']['SignonURL'])) {
        PMA_fatalError('You must set SignonURL!');
    } else {
        // A logout request is only honoured when a custom LogoutURL is configured
        $logoutRequested = !empty($_REQUEST['old_usr'])
            && !empty($GLOBALS['cfg']['Server']['LogoutURL']);
        $target = $logoutRequested
            ? $GLOBALS['cfg']['Server']['LogoutURL']
            : $GLOBALS['cfg']['Server']['SignonURL'];
        PMA_sendHeaderLocation($target);
    }
    exit;
}
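/**
 * Generates PMA_token session variable.
 *
 * The token is 16 random bytes, hex encoded (32 characters). Sources are
 * tried in order of preference: PHP's CSPRNG random_bytes() (PHP 7+),
 * phpseclib's Random class, then OpenSSL. OpenSSL output is only accepted
 * when the extension reports it as cryptographically strong.
 *
 * @return void
 */
function PMA_generateToken()
{
    $raw = false;
    if (function_exists('random_bytes')) {
        try {
            $raw = random_bytes(16);
        } catch (Exception $e) {
            // no usable entropy source; handled by the emptiness check below
            $raw = false;
        }
    } elseif (class_exists('phpseclib\\Crypt\\Random')) {
        $raw = phpseclib\Crypt\Random::string(16);
    } else {
        $strong = false;
        $raw = openssl_random_pseudo_bytes(16, $strong);
        if ($strong !== true) {
            // weak pseudo-random output must not become a CSRF token
            $raw = false;
        }
    }
    $_SESSION[' PMA_token '] = ($raw === false) ? '' : bin2hex($raw);
    /**
     * Check if token is properly generated (the generation can fail, for example
     * due to missing /dev/random for openssl).
     */
    if (empty($_SESSION[' PMA_token '])) {
        PMA_fatalError('Failed to generate random CSRF token!');
    }
}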
/**
 * get all the export options and verify
 * call and include the appropriate Schema Class depending on $export_type
 *
 * @param string $export_type format of the export
 *
 * @return void
 */
function PMA_processExportSchema($export_type)
{
    /**
     * default is PDF, otherwise validate it's only letters a-z
     */
    $isPlainWord = isset($export_type) && preg_match('/^[a-zA-Z]+$/', $export_type);
    if (!$isPlainWord) {
        $export_type = 'pdf';
    }
    // sanitize this parameter which will be used below in a file inclusion
    $export_type = PMA_securePath($export_type);
    // get the specific plugin
    $export_plugin = PMA_getPlugin("schema", $export_type, 'libraries/plugins/schema/');
    // Check schema export type
    if (!isset($export_plugin)) {
        PMA_fatalError(__('Bad type!'));
    }
    $database = $GLOBALS['db'];
    $GLOBALS['dbi']->selectDb($database);
    $export_plugin->exportSchema($database);
}
/**
 * Reports a failed session start and stops execution via PMA_fatalError().
 *
 * @param array $errors error objects collected while starting the session;
 *                      each one must provide getMessage()
 *
 * @return void
 */
function PMA_sessionFailed($errors)
{
    /*
     * Remove path from open() in error message to avoid path disclosure
     *
     * This can happen with PHP 5 when nonexisting session ID is provided,
     * since PHP 7, session existence is checked first.
     *
     * This error can also happen in case of session backed error (eg.
     * read only filesystem) on any PHP version.
     *
     * The message string is currently hardcoded in PHP, so hopefully it
     * will not change in future.
     */
    $openCallPattern = '/open\\(.*, O_RDWR\\)/';
    $openCallReplacement = 'open(SESSION_FILE, O_RDWR)';

    $safeMessages = array();
    foreach ($errors as $oneError) {
        $escaped = htmlspecialchars($oneError->getMessage());
        $safeMessages[] = preg_replace($openCallPattern, $openCallReplacement, $escaped);
    }

    /*
     * Session initialization is done before selecting language, so we
     * can not use translations here.
     */
    $intro = 'Error during session start; please check your PHP and/or '
        . 'webserver log file and configure your PHP '
        . 'installation properly. Also ensure that cookies are enabled '
        . 'in your browser.';
    PMA_fatalError($intro . '<br /><br />' . implode('<br /><br />', $safeMessages));
}
    $message->addParam('[/doc]');
    // so we can obtain the message
    $_SESSION['Import_message']['message'] = $message->getDisplay();
    $_SESSION['Import_message']['go_back_url'] = $goto;
    $message->display();
    exit;
    // the footer is displayed automatically
}
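/**
 * Sets globals from $_POST patterns, for import plugins
 * We only need to load the selected plugin
 *
 * $format is restricted to the known plugin names before it is interpolated
 * into the regular expression below.
 */
// Strict comparison: the whitelist holds plain strings, nothing else may match it
if (!in_array($format, array('csv', 'ldi', 'mediawiki', 'ods', 'shp', 'sql', 'xml'), true)) {
    // this should not happen for a normal user
    // but only during an attack
    PMA_fatalError('Incorrect format parameter');
}
// Only POST keys starting with force_file_ or "<format>_" are promoted to globals
$post_patterns = array('/^force_file_/', '/^' . $format . '_/');
foreach (array_keys($_POST) as $post_key) {
    foreach ($post_patterns as $one_post_pattern) {
        if (preg_match($one_post_pattern, $post_key)) {
            $GLOBALS[$post_key] = $_POST[$post_key];
        }
    }
}
// Check needed parameters
PMA_Util::checkParameters(array('import_type', 'format'));
// We don't want anything special in format
$format = PMA_securePath($format);
// Import functions
require_once 'libraries/import.lib.php';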
 /**
  * Error handler to catch fatal errors when loading configuration
  * file
  *
  * Only acts while the pma_config_loading flag is set and PHP reports a
  * last error; presumably registered as a shutdown function — confirm.
  *
  * PMA_Config_fatalErrorHandler
  * @return void
  */
 public static function fatalErrorHandler()
 {
     // Nothing to report unless we died while the configuration was being loaded
     if (empty($GLOBALS['pma_config_loading'])) {
         return;
     }
     $lastError = error_get_last();
     if ($lastError === null) {
         return;
     }
     $description = sprintf(
         'Failed to load phpMyAdmin configuration (%s:%s): %s',
         Error::relPath($lastError['file']),
         $lastError['line'],
         $lastError['message']
     );
     PMA_fatalError($description);
 }
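// Reject any request or upload variable literally named GLOBALS
if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
    PMA_fatalError(__("GLOBALS overwrite attempt"));
}
/**
 * protect against possible exploits - there is no need to have so much variables
 */
if (count($_REQUEST) > 1000) {
    PMA_fatalError(__('possible exploit'));
}
/**
 * Check for numeric keys
 * (if register_globals is on, numeric key can be found in $GLOBALS)
 */
foreach ($GLOBALS as $key => $dummy) {
    if (is_numeric($key)) {
        PMA_fatalError(__('numeric key detected'));
    }
}
unset($dummy);
// here, the function does not exist with this configuration:
// $cfg['ServerDefault'] = 0;
$GLOBALS['is_superuser'] = isset($GLOBALS['dbi']) && $GLOBALS['dbi']->isSuperuser();
// The include below executes whatever file is named, so the target must be an
// exact (strict) match of a whitelisted string, never a loosely-equal value
if (!empty($__redirect) && in_array($__redirect, $goto_whitelist, true)) {
    /**
     * include subform target page
     */
    include $__redirect;
    exit;
}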
// If Zero configuration mode enabled, check PMA tables in current db.
if (!defined('PMA_MINIMUM_COMMON') && !empty($GLOBALS['server']) && isset($GLOBALS['cfg']['ZeroConf']) && $GLOBALS['cfg']['ZeroConf'] == true) {
    }
}
// Set locale
_setlocale(LC_MESSAGES, $GLOBALS['lang']);
_bindtextdomain('phpmyadmin', $GLOBALS['lang_path']);
_bind_textdomain_codeset('phpmyadmin', 'UTF-8');
_textdomain('phpmyadmin');
/**
 * Messages for phpMyAdmin.
 *
 * These messages are here for easy transition to Gettext.
 * You should not add any messages here, use instead gettext directly
 * in your template/PHP file.
 */
if (!function_exists('__')) {
    PMA_fatalError('Bad invocation!');
}
/* Text direction for language: these four are written right-to-left */
$GLOBALS['text_dir'] = in_array($GLOBALS['lang'], array('ar', 'fa', 'he', 'ur'))
    ? 'rtl'
    : 'ltr';
/* TCPDF settings and translations */
$GLOBALS['l'] = array(
    'a_meta_charset'  => 'UTF-8',
    'a_meta_dir'      => $GLOBALS['text_dir'],
    'a_meta_language' => $GLOBALS['lang'],
    'w_page'          => __('Page number:'),
);
 /**
  * verifies the permissions on config file (if asked by configuration)
  * (must be called after config.inc.php has been merged)
  *
  * Stops with PMA_fatalError() when CheckConfigurationPermissions is on,
  * the file is world writable and the web server is not running on Windows.
  *
  * @return void
  */
 function checkPermissions()
 {
     // Check for permissions (on platforms that support it):
     if (!$this->get('CheckConfigurationPermissions')) {
         return;
     }
     $perms = @fileperms($this->getSource());
     // bit value 2 is the "others may write" permission bit
     $worldWritable = ($perms !== false) && ($perms & 2);
     if (!$worldWritable) {
         return;
     }
     // This check is normally done after loading configuration
     $this->checkWebServerOs();
     if ($this->get('PMA_IS_WINDOWS') != 0) {
         // permission bits are not checked on Windows
         return;
     }
     $this->source_mtime = 0;
     /* Gettext is possibly still not loaded */
     $msg = function_exists('__')
         ? __('Wrong permissions on configuration file, should not be world writable!')
         : 'Wrong permissions on configuration file, should not be world writable!';
     PMA_fatalError($msg);
 }
 * @license http://www.gnu.org/licenses/gpl.html GNU GPL 2.0
 */

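/**
 * Core libraries.
 */
require './lib/common.inc.php';

// Frame name from the URL, reduced to lowercase letters only before it is
// used in the file path below. Cast to string because filter_input() returns
// null for an absent parameter (passing null to preg_replace() is deprecated).
$page = (string) filter_input(INPUT_GET, 'page');
$page = preg_replace('/[^a-z]/', '', $page);
if ($page === '') {
    $page = 'index';
}
if (!file_exists("./setup/frames/$page.inc.php")) {
    // it will happen only when entering URL by hand, we don't care for these cases
    PMA_fatalError(__('Wrong GET file attribute value'));
}

// Handle done action info; same letters-and-underscore restriction, same null cast
$action_done = (string) filter_input(INPUT_GET, 'action_done');
$action_done = preg_replace('/[^a-z_]/', '', $action_done);

// send no-cache headers
require './libraries/header_http.inc.php';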
?>
<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title>phpMyAdmin setup</title>
<link href="../favicon.ico" rel="icon" type="image/x-icon" />
 /**
  * check config source
  *
  * Verifies that a configuration file is set, exists and can actually be
  * read; is_readable() alone is not trusted (see the CIFS/Samba note).
  *
  * @return boolean whether source is valid or not
  */
 function checkConfigSource()
 {
     $source = $this->getSource();
     if (!$source) {
         // no configuration file set at all
         return false;
     }
     if (!file_exists($source)) {
         $this->source_mtime = 0;
         return false;
     }
     if (is_readable($source)) {
         return true;
     }
     // manually check if file is readable
     // might be bug #3059806 Supporting running from CIFS/Samba shares
     $probe = false;
     $fh = @fopen($source, 'r');
     if ($fh !== false) {
         // reading 1 byte is enough to test
         $probe = @fread($fh, 1);
         @fclose($fh);
     }
     if ($probe !== false) {
         return true;
     }
     $this->source_mtime = 0;
     $template = function_exists('__')
         ? __('Existing configuration file (%s) is not readable.')
         : 'Existing configuration file (%s) is not readable.';
     PMA_fatalError(sprintf($template, $source));
     return false;
 }
 /**
  * verifies the permissions on config file (if asked by configuration)
  * (must be called after config.inc.php has been merged)
  *
  * Stops with PMA_fatalError() when CheckConfigurationPermissions is on,
  * the file is world writable and the web server is not running on Windows.
  *
  * @return void
  */
 function checkPermissions()
 {
     // Check for permissions (on platforms that support it):
     if (!$this->get('CheckConfigurationPermissions')) {
         return;
     }
     $perms = @fileperms($this->getSource());
     // bit value 2 is the "others may write" permission bit
     if ($perms === false || !($perms & 2)) {
         return;
     }
     // This check is normally done after loading configuration
     $this->checkWebServerOs();
     if ($this->get('PMA_IS_WINDOWS') != 0) {
         // permission bits are not checked on Windows
         return;
     }
     $this->source_mtime = 0;
     PMA_fatalError(__('Wrong permissions on configuration file, ' . 'should not be world writable!'));
 }
/**
 * @global array MySQL charsets map
 *
 * Charset names as used on the web (keys) mapped to MySQL character set
 * names (values); several web charsets share one MySQL charset.
 */
$GLOBALS['mysql_charset_map'] = array(
    'big5'         => 'big5',
    'cp-866'       => 'cp866',
    'euc-jp'       => 'ujis',
    'euc-kr'       => 'euckr',
    'gb2312'       => 'gb2312',
    'gbk'          => 'gbk',
    'iso-8859-1'   => 'latin1',
    'iso-8859-2'   => 'latin2',
    'iso-8859-7'   => 'greek',
    'iso-8859-8'   => 'hebrew',
    'iso-8859-8-i' => 'hebrew',
    'iso-8859-9'   => 'latin5',
    'iso-8859-13'  => 'latin7',
    'iso-8859-15'  => 'latin1',
    'koi8-r'       => 'koi8r',
    'shift_jis'    => 'sjis',
    'tis-620'      => 'tis620',
    'utf-8'        => 'utf8',
    'windows-1250' => 'cp1250',
    'windows-1251' => 'cp1251',
    'windows-1252' => 'latin1',
    'windows-1256' => 'cp1256',
    'windows-1257' => 'cp1257',
);
/*
 * Do the work!
 */
if (!PMA_langCheck()) {
    // fallback language
    $fall_back_lang = 'en';
    $line = __LINE__;
    if (!PMA_langSet($fall_back_lang)) {
        trigger_error(
            'phpMyAdmin-ERROR: invalid lang code: ' . __FILE__ . '#' . $line
            . ', check hard coded fall back language.',
            E_USER_WARNING
        );
        // stop execution
        // and tell the user that his chosen language is invalid
        PMA_fatalError('Could not load any language, please check your language settings and folder.');
    }
}
// Set locale
_setlocale(LC_MESSAGES, $GLOBALS['lang']);
_bindtextdomain('phpmyadmin', $GLOBALS['lang_path']);
_bind_textdomain_codeset('phpmyadmin', 'UTF-8');
_textdomain('phpmyadmin');
/**
 * Messages for phpMyAdmin.
 *
 * These messages are here for easy transition to Gettext.
 * You should not add any messages here, use instead gettext directly
 * in your template/PHP file.
 */
if (!function_exists('__')) {
// on the session data directory, so I add some "@"

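// See bug #1538132. This would block normal behavior on a cluster
//ini_set('session.save_handler', 'files');

$session_name = 'phpMyAdmin';
@session_name($session_name);

if (! isset($_COOKIE[$session_name])) {
    // on first start of session we check for errors
    // f.e. session dir cannot be accessed - session file not created
    $orig_error_count = $GLOBALS['error_handler']->countErrors();
    $r = session_start();
    if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
        setcookie($session_name, '', 1);
        PMA_fatalError('strSessionStartupErrorGeneral');
    }
    unset($orig_error_count);
} else {
    @session_start();
}

/**
 * Token which is used for authenticating access queries.
 * (we use "space PMA_token space" to prevent overwriting)
 *
 * The token must not be guessable, so a CSPRNG is preferred whenever the
 * runtime offers one; md5(uniqid(rand())) is kept only as a last resort for
 * PHP builds without random_bytes() or OpenSSL. All variants yield 32 hex
 * characters, so the token format does not change.
 */
if (!isset($_SESSION[' PMA_token '])) {
    $token = null;
    if (function_exists('random_bytes')) {
        $token = bin2hex(random_bytes(16));
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        // only accept output OpenSSL itself reports as cryptographically strong
        if ($bytes !== false && $strong) {
            $token = bin2hex($bytes);
        }
    }
    if ($token === null) {
        $token = md5(uniqid(rand(), true));
    }
    $_SESSION[' PMA_token '] = $token;
    unset($token, $strong, $bytes);
}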

/**
     $controllink = PMA_DBI_connect($cfg['Server']['controluser'], $cfg['Server']['controlpass'], true);
 }
 // Connects to the server (validates user's login)
 $userlink = PMA_DBI_connect($cfg['Server']['user'], $cfg['Server']['password'], false);
 // No separate control connection available: reuse the user's own link for it
 if (!$controllink) {
     $controllink = $userlink;
 }
 /* Log success */
 PMA_log_user($cfg['Server']['user']);
 /**
  * with phpMyAdmin 3 we support MySQL >=5
  * but only production releases:
  *  - > 5.0.15
  */
 if (PMA_MYSQL_INT_VERSION < 50015) {
     // 'strUpgrade' is presumably a message key; the array carries the message parameters
     PMA_fatalError('strUpgrade', array('MySQL', '5.0.15'));
 }
 /**
  * SQL Parser code
  */
 require_once './libraries/sqlparser.lib.php';
 /**
  * SQL Validator interface code
  */
 require_once './libraries/sqlvalidator.lib.php';
 /**
  * the PMA_List_Database class
  */
 require_once './libraries/PMA.php';
 // Central PMA object; it is handed the authenticated user connection
 $pma = new PMA();
 $pma->userlink = $userlink;
<?php

/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * Validation callback.
 *
 * @package PhpMyAdmin-Setup
 */
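/**
 * Core libraries.
 */
require './lib/common.inc.php';
$validators = array();
require './libraries/config/Validator.php';
header('Content-type: application/json');
// Comma separated field ids and a JSON object with their values, both posted
// by the setup form. Default to '' rather than null so that explode() and
// json_decode() never receive null (deprecated in recent PHP).
$ids = isset($_POST['id']) ? $_POST['id'] : '';
$vids = explode(',', $ids);
$vals = isset($_POST['values']) ? $_POST['values'] : '';
$values = json_decode($vals);
if (!$values instanceof stdClass) {
    PMA_fatalError(__('Wrong data'));
}
$values = (array) $values;
$result = PMA\libraries\config\Validator::validate($GLOBALS['ConfigFile'], $vids, $values, true);
if ($result === false) {
    // $vids is an array and would stringify to "Array"; report the original id list
    $result = 'Wrong data or no validation for ' . $ids;
}
echo $result !== true ? json_encode($result) : '';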
/**
 * Warn or fail on missing extension.
 *
 * @param string $extension Extension name
 * @param bool   $fatal     Whether the error is fatal.
 * @param string $extra     Extra string to append to message.
 *
 * @return void
 */
function PMA_warnMissingExtension($extension, $fatal = false, $extra = '')
{
    /* Gettext does not have to be loaded yet here */
    $template = function_exists('__')
        ? __('The %s extension is missing. Please check your PHP configuration.')
        : 'The %s extension is missing. Please check your PHP configuration.';
    // The extension name is rendered as a link to its chapter of the PHP manual
    $doclink = PMA_getPHPDocLink('book.' . $extension . '.php');
    $linkedName = '[a@' . $doclink . '@Documentation][em]' . $extension . '[/em][/a]';
    $message = sprintf($template, $linkedName);
    if ($extra != '') {
        $message .= ' ' . $extra;
    }
    if (!$fatal) {
        $GLOBALS['error_handler']->addError($message, E_USER_WARNING, '', '', false);
        return;
    }
    PMA_fatalError($message);
}
     }
 }
 // Connects to the server (validates user's login)
 $userlink = PMA_DBI_connect($cfg['Server']['user'], $cfg['Server']['password'], false);
 // No separate control connection available: reuse the user's own link for it
 if (!$controllink) {
     $controllink = $userlink;
 }
 /* Log success */
 PMA_log_user($cfg['Server']['user']);
 /**
  * with phpMyAdmin 3 we support MySQL >=5
  * but only production releases:
  *  - > 5.0.15
  */
 if (PMA_MYSQL_INT_VERSION < 50015) {
     // the array supplies the two %s values of the translated message
     PMA_fatalError(__('You should upgrade to %s %s or later.'), array('MySQL', '5.0.15'));
 }
 if (PMA_DRIZZLE) {
     // DisableIS must be set to false for Drizzle, it maps SHOW commands
     // to INFORMATION_SCHEMA queries anyway so it's fast on large servers
     $cfg['Server']['DisableIS'] = false;
     // SHOW OPEN TABLES is not supported by Drizzle
     $cfg['SkipLockedTables'] = false;
 }
 /**
  * SQL Parser code
  */
 include_once './libraries/sqlparser.lib.php';
 /**
  * SQL Validator interface code
  */
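// See bug #1538132. This would block normal behavior on a cluster
//ini_set('session.save_handler', 'files');
$session_name = 'phpMyAdmin';
@session_name($session_name);
if (!isset($_COOKIE[$session_name])) {
    // on first start of session we check for errors
    // f.e. session dir cannot be accessed - session file not created
    $orig_error_count = $GLOBALS['error_handler']->countErrors();
    $r = session_start();
    if ($r !== true || $orig_error_count != $GLOBALS['error_handler']->countErrors()) {
        setcookie($session_name, '', 1);
        /*
         * Session initialization is done before selecting language, so we
         * can not use translations here.
         */
        PMA_fatalError('Cannot start session without errors, please check errors given in your PHP and/or webserver log file and configure your PHP installation properly.');
    }
    unset($orig_error_count);
} else {
    session_start();
}
/**
 * Token which is used for authenticating access queries.
 * (we use "space PMA_token space" to prevent overwriting)
 *
 * The token must not be guessable, so a CSPRNG is preferred whenever the
 * runtime offers one; md5(uniqid(rand())) is kept only as a last resort for
 * PHP builds without random_bytes() or OpenSSL. All variants yield 32 hex
 * characters, so the token format does not change.
 */
if (!isset($_SESSION[' PMA_token '])) {
    $token = null;
    if (function_exists('random_bytes')) {
        $token = bin2hex(random_bytes(16));
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        // only accept output OpenSSL itself reports as cryptographically strong
        if ($bytes !== false && $strong) {
            $token = bin2hex($bytes);
        }
    }
    if ($token === null) {
        $token = md5(uniqid(rand(), true));
    }
    $_SESSION[' PMA_token '] = $token;
    unset($token, $strong, $bytes);
}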
/**
 * tries to secure session from hijacking and fixation
 * should be called before login and after successfull login
    // if it fails try alternative extension ...
    // and display an error ...
    /**
     * @todo add different messages for alternative extension
     * and complete fail (no alternative extension too)
     */
    $error = sprintf(PMA_sanitize($GLOBALS['strCantLoad']), $GLOBALS['cfg']['Server']['extension']) . ' - <a href="./Documentation.html#faqmysql" target="documentation">' . $GLOBALS['strDocu'] . '</a>';
    trigger_error($error, E_USER_ERROR);
    if ($GLOBALS['cfg']['Server']['extension'] === 'mysql') {
        $alternativ_extension = 'mysqli';
    } else {
        $alternativ_extension = 'mysql';
    }
    if (!PMA_DBI_checkMysqlExtension($alternativ_extension)) {
        // if alternative fails too ...
        PMA_fatalError(sprintf($GLOBALS['strCantLoad'], $GLOBALS['cfg']['Server']['extension']) . ' - [a@./Documentation.html#faqmysql@documentation]' . $GLOBALS['strDocu'] . '[/a]');
    }
    $GLOBALS['cfg']['Server']['extension'] = $alternativ_extension;
    unset($alternativ_extension);
}
/**
 * Including The DBI Plugin
 *
 * The extension name is read from the configuration, not from the request.
 * The block above swaps it for the alternative only after
 * PMA_DBI_checkMysqlExtension() accepted that alternative; the primary value
 * is presumably checked the same way before this point — confirm.
 */
require_once './libraries/dbi/' . $GLOBALS['cfg']['Server']['extension'] . '.dbi.lib.php';
/**
 * Common Functions
 */
function PMA_DBI_query($query, $link = null, $options = 0)
{
    $res = PMA_DBI_try_query($query, $link, $options) or PMA_mysqlDie(PMA_DBI_getError($link), $query);
    return $res;
 /**
  * Function added to avoid path disclosures.
  * Called by each script that needs parameters, it displays
  * an error message and, by default, stops the execution.
  *
  * Not sure we could use a strMissingParameter message here,
  * would have to check if the error message file is always available
  *
  * @param string[] $params  The names of the parameters needed by the calling
  *                          script
  * @param bool     $request Whether to include this list in checking for
  *                          special params
  *
  * @return void
  *
  * @global boolean $checked_special flag whether any special variable
  *                                       was required
  *
  * @access public
  */
 public static function checkParameters($params, $request = true)
 {
     global $checked_special;
     if (!isset($checked_special)) {
         $checked_special = false;
     }
     // only the base name is reported, never the full script path
     $scriptName = basename($GLOBALS['PMA_PHP_SELF']);
     $missing = '';
     foreach ($params as $oneParam) {
         // anything other than db/table counts as a "special" parameter
         if ($request && !in_array($oneParam, array('db', 'table'))) {
             $checked_special = true;
         }
         if (isset($GLOBALS[$oneParam])) {
             continue;
         }
         $missing .= $scriptName . ': ' . __('Missing parameter:') . ' ' . $oneParam
             . self::showDocu('faq', 'faqmissingparameters') . '<br />';
     }
     if ($missing !== '') {
         PMA_fatalError($missing, null, false);
     }
 }
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * "Echo" service to allow force downloading of exported charts (png or svg)
 * and server status monitor settings
 *
 * @package PhpMyAdmin
 */
use PMA\libraries\PMA_String;
// Ask common.inc.php for its reduced bootstrap (what that skips is decided there)
define('PMA_MINIMUM_COMMON', true);
require_once 'libraries/common.inc.php';
/* For chart exporting */
if (isset($_REQUEST['filename']) && isset($_REQUEST['image'])) {
    $allowed = array('image/png' => 'png', 'image/svg+xml' => 'svg');
    /* Check whether MIME type is allowed */
    if (!isset($allowed[$_REQUEST['type']])) {
        PMA_fatalError(__('Invalid export type'));
    }
    /*
     * Check file name to match mime type and not contain new lines
     * to prevent response splitting.
     */
    $extension = $allowed[$_REQUEST['type']];
    $valid_match = '/^[^\\n\\r]*\\.' . $extension . '$/';
    if (!preg_match($valid_match, $_REQUEST['filename'])) {
        if (!preg_match('/^[^\\n\\r]*$/', $_REQUEST['filename'])) {
            /* Filename is unsafe, discard it */
            $filename = 'download.' . $extension;
        } else {
            /* Add extension */
            $filename = $_REQUEST['filename'] . '.' . $extension;
        }
 /**
  * Uses faster mcrypt library if available
  * (as this is not called from anywhere else, put the code in-line
  *  for faster execution)
  */
 /**
  * Initialization
  * Store the initialization vector because it will be needed for
  * further decryption. I don't think necessary to have one iv
  * per server so I don't put the server number in the cookie name.
  *
  * The IV is read back from the pma_mcrypt_iv cookie (strict base64) and
  * regenerated whenever the cookie is missing or not valid base64.
  *
  * NOTE(review): MCRYPT_RAND draws on the system rand() generator, which the
  * line below seeds from microtime() — a low-entropy source for an IV.
  * MCRYPT_DEV_URANDOM (or random_bytes() on PHP 7+) is the stronger choice;
  * confirm the supported PHP range before switching.
  */
 if (empty($_COOKIE['pma_mcrypt_iv']) || false === ($iv = base64_decode($_COOKIE['pma_mcrypt_iv'], true))) {
     srand((double) microtime() * 1000000);
     $td = mcrypt_module_open(MCRYPT_BLOWFISH, '', MCRYPT_MODE_CBC, '');
     if ($td === false) {
         PMA_fatalError(__('Failed to use Blowfish from mcrypt!'));
     }
     $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
     $GLOBALS['PMA_Config']->setCookie('pma_mcrypt_iv', base64_encode($iv));
 }
 /**
  * Encryption using blowfish algorithm (mcrypt)
  *
  * @param string $data   original data
  * @param string $secret the secret
  *
  * @return string  the encrypted result
  *
  * @access  public
  *
  */
 /**
  * User is not allowed to login to MySQL -> authentication failed
  *
  * Any database error other than errno 1045 (access denied) is fatal;
  * a plain access denied just shows the login form again.
  *
  * @return bool true
  */
 public function authFails()
 {
     $dbError = $GLOBALS['dbi']->getError();
     // errno is only consulted when there actually is an error message
     if ($dbError && $GLOBALS['errno'] != 1045) {
         PMA_fatalError($dbError);
         return true;
     }
     $this->authForm();
     return true;
 }
    }
    // Generate error url and check for needed variables
    if ($export_type == 'server') {
        $err_url = 'server_export.php?' . PMA_URL_getCommon();
    } elseif ($export_type == 'database' && strlen($db)) {
        $err_url = 'db_export.php?' . PMA_URL_getCommon($db);
        // Check if we have something to export
        if (isset($table_select)) {
            $tables = $table_select;
        } else {
            $tables = array();
        }
    } elseif ($export_type == 'table' && strlen($db) && strlen($table)) {
        $err_url = 'tbl_export.php?' . PMA_URL_getCommon($db, $table);
    } else {
        PMA_fatalError(__('Bad parameters!'));
    }
    /**
     * Increase time limit for script execution and initializes some variables
     */
    @set_time_limit($cfg['ExecTimeLimit']);
    if (!empty($cfg['MemoryLimit'])) {
        @ini_set('memory_limit', $cfg['MemoryLimit']);
    }
    register_shutdown_function('PMA_shutdownDuringExport');
    // Start with empty buffer
    $dump_buffer = '';
    $dump_buffer_len = 0;
    // We send fake headers to avoid browser timeout when buffering
    $time_start = time();
}
/**
 * User is not allowed to login to MySQL -> authentication failed
 *
 * Any database error other than errno 1045 (access denied) is fatal;
 * a plain access denied sends the user back through PMA_auth().
 *
 * @return  boolean   always true (no return indeed)
 *
 * @access  public
 */
function PMA_auth_fails()
{
    $dbError = PMA_DBI_getError();
    // errno is only consulted when there actually is an error message
    if ($dbError && $GLOBALS['errno'] != 1045) {
        PMA_fatalError($dbError);
        return;
    }
    PMA_auth();
    return true;
}
 /**
  * Gets advanced authentication settings
  *
  * Two signon flavours are handled: a configured SignonScript that is
  * included and asked for credentials, or a shared PHP session
  * (SignonSession) whose PMA_single_signon_* entries are copied over.
  * Either way the credentials end up in $PHP_AUTH_USER / $PHP_AUTH_PW.
  *
  * @global string $PHP_AUTH_USER the username
  * @global string $PHP_AUTH_PW   the password
  *
  * @return boolean   whether we get authentication settings or not
  */
 public function authCheck()
 {
     global $PHP_AUTH_USER, $PHP_AUTH_PW;
     /* Check if we're using same signon server */
     // A SignonURL that changed since the last successful check invalidates the signon
     $signon_url = $GLOBALS['cfg']['Server']['SignonURL'];
     if (isset($_SESSION['LAST_SIGNON_URL']) && $_SESSION['LAST_SIGNON_URL'] != $signon_url) {
         return false;
     }
     /* Script name */
     $script_name = $GLOBALS['cfg']['Server']['SignonScript'];
     /* Session name */
     $session_name = $GLOBALS['cfg']['Server']['SignonSession'];
     /* Login URL */
     $signon_url = $GLOBALS['cfg']['Server']['SignonURL'];
     /* Current host */
     $single_signon_host = $GLOBALS['cfg']['Server']['host'];
     /* Current port */
     $single_signon_port = $GLOBALS['cfg']['Server']['port'];
     /* No configuration updates */
     $single_signon_cfgupdate = array();
     /* Are we requested to do logout? */
     $do_logout = !empty($_REQUEST['old_usr']);
     /* Handle script based auth */
     if (!empty($script_name)) {
         // $script_name comes from the configuration, not from the request;
         // the included file is expected to define get_login_credentials()
         if (!file_exists($script_name)) {
             PMA_fatalError(__('Can not find signon authentication script:') . ' ' . $script_name);
         }
         include $script_name;
         list($PHP_AUTH_USER, $PHP_AUTH_PW) = get_login_credentials($GLOBALS['cfg']['Server']['user']);
     } elseif (isset($_COOKIE[$session_name])) {
         /* Does session exist? */
         /* End current session */
         // Switch to the signon application's session: close ours, open theirs
         // under the id found in its cookie, copy what we need, then come back.
         // NOTE(review): the id is taken straight from the cookie; rejecting
         // malformed ids is left to the session handler — confirm.
         $old_session = session_name();
         $old_id = session_id();
         if (!defined('TESTSUITE')) {
             session_write_close();
         }
         /* Load single signon session */
         session_name($session_name);
         session_id($_COOKIE[$session_name]);
         if (!defined('TESTSUITE')) {
             session_start();
         }
         /* Clear error message */
         unset($_SESSION['PMA_single_signon_error_message']);
         /* Grab credentials if they exist */
         // On logout the credentials are blanked rather than copied
         if (isset($_SESSION['PMA_single_signon_user'])) {
             if ($do_logout) {
                 $PHP_AUTH_USER = '';
             } else {
                 $PHP_AUTH_USER = $_SESSION['PMA_single_signon_user'];
             }
         }
         if (isset($_SESSION['PMA_single_signon_password'])) {
             if ($do_logout) {
                 $PHP_AUTH_PW = '';
             } else {
                 $PHP_AUTH_PW = $_SESSION['PMA_single_signon_password'];
             }
         }
         if (isset($_SESSION['PMA_single_signon_host'])) {
             $single_signon_host = $_SESSION['PMA_single_signon_host'];
         }
         if (isset($_SESSION['PMA_single_signon_port'])) {
             $single_signon_port = $_SESSION['PMA_single_signon_port'];
         }
         if (isset($_SESSION['PMA_single_signon_cfgupdate'])) {
             $single_signon_cfgupdate = $_SESSION['PMA_single_signon_cfgupdate'];
         }
         /* Also get token as it is needed to access subpages */
         if (isset($_SESSION['PMA_single_signon_token'])) {
             /* No need to care about token on logout */
             $pma_token = $_SESSION['PMA_single_signon_token'];
         }
         /* End single signon session */
         if (!defined('TESTSUITE')) {
             session_write_close();
         }
         /* Restart phpMyAdmin session */
         session_name($old_session);
         if (!empty($old_id)) {
             session_id($old_id);
         }
         if (!defined('TESTSUITE')) {
             session_start();
         }
         /* Set the single signon host */
         $GLOBALS['cfg']['Server']['host'] = $single_signon_host;
         /* Set the single signon port */
         $GLOBALS['cfg']['Server']['port'] = $single_signon_port;
         /* Configuration update */
         // Every key present in PMA_single_signon_cfgupdate overrides the server
         // configuration: the signon session is fully trusted at this point
         $GLOBALS['cfg']['Server'] = array_merge($GLOBALS['cfg']['Server'], $single_signon_cfgupdate);
         /* Restore our token */
         // $pma_token is only set when the signon session carried one
         if (!empty($pma_token)) {
             $_SESSION[' PMA_token '] = $pma_token;
         }
         /**
          * Clear user cache.
          */
         PMA\libraries\Util::clearUserCache();
     }
     // Returns whether we get authentication settings or not
     if (empty($PHP_AUTH_USER)) {
         unset($_SESSION['LAST_SIGNON_URL']);
         return false;
     } else {
         // Remember which signon server authenticated us (checked at the top on later calls)
         $_SESSION['LAST_SIGNON_URL'] = $GLOBALS['cfg']['Server']['SignonURL'];
         return true;
     }
 }
/**
 * calls $function for every element in $array recursively
 *
 * this function is protected against deep recursion attack CVE-2006-1549,
 * 1000 seems to be more than enough
 *
 * @param array  &$array             array to walk
 * @param string $function           function to call for every array element
 * @param bool   $apply_to_keys_also whether to call the function for the keys also
 *
 * @return void
 *
 * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
 * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
 */
function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
{
    // Nesting depth shared by all recursive calls; bounded to defeat deeply nested input
    static $recursive_counter = 0;
    if (++$recursive_counter > 1000) {
        PMA_fatalError(__('possible deep recursion attack'));
    }
    // Keys handled in this frame, so a key renamed below is not visited a second time
    $seen = array();
    foreach ($array as $key => $value) {
        if (isset($seen[$key])) {
            continue;
        }
        $seen[$key] = true;
        // Values first: descend into nested arrays, transform leaves in place
        if (is_array($value)) {
            PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also);
        } else {
            $array[$key] = $function($value);
        }
        // Then optionally rename string keys (integer keys are left untouched)
        if (!$apply_to_keys_also || !is_string($key)) {
            continue;
        }
        $new_key = $function($key);
        if ($new_key != $key) {
            $array[$new_key] = $array[$key];
            unset($array[$key]);
            $seen[$new_key] = true;
        }
    }
    $recursive_counter--;
}
         $GLOBALS['server'] = 0;
         $cfg['Server'] = array();
     }
 }
 // Carry the selected server number into the common URL parameters
 $GLOBALS['url_params']['server'] = $GLOBALS['server'];
 if (!empty($cfg['Server'])) {
     /**
      * Loads the proper database interface for this server
      */
     require_once './libraries/database_interface.lib.php';
     // Gets the authentication library that fits the $cfg['Server'] settings
     // and run authentication
     // to allow HTTP or http
     $cfg['Server']['auth_type'] = strtolower($cfg['Server']['auth_type']);
     if (!file_exists('./libraries/auth/' . $cfg['Server']['auth_type'] . '.auth.lib.php')) {
         PMA_fatalError($strInvalidAuthMethod . ' ' . $cfg['Server']['auth_type']);
     }
     /**
      * the required auth type plugin
      */
     require_once './libraries/auth/' . $cfg['Server']['auth_type'] . '.auth.lib.php';
     if (!PMA_auth_check()) {
         PMA_auth();
     } else {
         PMA_auth_set_user();
     }
     // Check IP-based Allow/Deny rules as soon as possible to reject the
     // user
     // Based on mod_access in Apache:
     // http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/aaa/mod_access.c?rev=1.37&content-type=text/vnd.viewcvs-markup
     // Look at: "static int check_dir_access(request_rec *r)"