/**
 * Test clearing cached values
 *
 * Stores two values in the per-server cache, then removes them one at a
 * time and checks that each key disappears from the session-backed cache
 * bucket for the current server.
 *
 * @return void
 */
public function testCacheUnSet()
{
    $GLOBALS['server'] = 'server';

    $keys = array('test_data', 'test_data_2');

    // Populate both entries first so the second unset can prove that
    // removing one key leaves the other untouched until it is removed itself.
    foreach ($keys as $key) {
        PMA_Util::cacheSet($key, 25, true);
    }

    foreach ($keys as $key) {
        PMA_Util::cacheUnset($key, true);
        $this->assertArrayNotHasKey(
            $key,
            $_SESSION['cache']['server_server']
        );
    }
}
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usually with $GLOBALS['dbi']->connect()
 *
 * it returns false if something is missing - which usually leads to
 * auth() which displays login form
 *
 * it returns true if all seems ok which usually leads to auth_set_user()
 *
 * it directly switches to authFails() if user inactivity timout is reached
 *
 * Side effects: always resets $GLOBALS['pma_auth_server'],
 * $GLOBALS['PHP_AUTH_USER'], $GLOBALS['PHP_AUTH_PW'] and
 * $GLOBALS['from_cookie'] before doing anything else; may remove cookies,
 * destroy the session, update $_SESSION['last_valid_captcha'] and, on the
 * inactivity path, call exit (unless TESTSUITE is defined).
 *
 * @todo AllowArbitraryServer on does not imply that the user wants an
 * arbitrary server, or? so we should also check if this is filled
 * and not only if allowed
 *
 * @global string $conn_error set to a user-facing message when the
 *                            captcha check rejects the attempt
 *
 * @return boolean whether we get authentication settings or not
 */
public function authCheck()
{
    global $conn_error;

    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to
     * connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;

    // BEGIN Swekey Integration
    if (!Swekey_Auth_check()) {
        return false;
    }
    // END Swekey Integration

    // Cookie clearing requested (constant defined elsewhere, not visible
    // here): drop every per-server credential cookie and force the login form.
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
        }
        return false;
    }

    // We already have one correct captcha.
    // NOTE(review): one solved captcha disables the captcha check for every
    // later attempt in the same session; the flag is only cleared on a failed
    // verification below or on the logout path (session_destroy).
    $skip = false;
    if (isset($_SESSION['last_valid_captcha']) && $_SESSION['last_valid_captcha']) {
        $skip = true;
    }

    // Verify Captcha if it is required.
    // Because this runs before the cookie-based branch at the bottom, a
    // configured captcha also gates cookie resumption: without a solved
    // captcha in the session the final else returns false.
    if (!empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
        && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
        && !$skip
    ) {
        if (!empty($_POST["recaptcha_challenge_field"])
            && !empty($_POST["recaptcha_response_field"])
        ) {
            include_once 'libraries/plugins/auth/recaptchalib.php';
            // Use private key to verify captcha status.
            $resp = recaptcha_check_answer(
                $GLOBALS['cfg']['CaptchaLoginPrivateKey'],
                $_SERVER["REMOTE_ADDR"],
                $_POST["recaptcha_challenge_field"],
                $_POST["recaptcha_response_field"]
            );
            // Check if the captcha entered is valid, if not stop the login.
            if (!$resp->is_valid) {
                $conn_error = __('Entered captcha is wrong, try again!');
                $_SESSION['last_valid_captcha'] = false;
                return false;
            } else {
                $_SESSION['last_valid_captcha'] = true;
            }
        } elseif (!empty($_POST["recaptcha_challenge_field"])
            && empty($_POST["recaptcha_response_field"])
        ) {
            $conn_error = __('Please enter correct captcha!');
            return false;
        } else {
            if (!isset($_SESSION['last_valid_captcha']) || !$_SESSION['last_valid_captcha']) {
                return false;
            }
        }
    }

    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        // according to the PHP manual we should do this before the destroy:
        //$_SESSION = array();
        if (!defined('TESTSUITE')) {
            session_destroy();
            // $_SESSION array is not immediately emptied
            $_SESSION['last_valid_captcha'] = false;
        }
        // -> delete password cookie(s)
        // Both the browser cookie and the already-parsed $_COOKIE entry are
        // dropped so the cookie branch below cannot re-read the old password.
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }

    // Credentials are read from $_REQUEST, which by default merges GET,
    // POST and cookie input (request_order), so they are not limited to
    // the POST body of the login form.
    if (!empty($_REQUEST['pma_username'])) {
        // The user just logged in
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        // The submitted server name is accepted as-is here; no pattern
        // check is applied in this version.
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }

    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies

    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }

    // check cookies
    // The username cookie is per server; the IV cookie is a single shared
    // 'pma_mcrypt_iv' in this version.
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']]) || empty($_COOKIE['pma_mcrypt_iv'])) {
        return false;
    }

    // NOTE(review): the username is decrypted and published into
    // $GLOBALS['PHP_AUTH_USER'] before the session/inactivity checks below,
    // so it stays set even on the paths that return false afterwards.
    $GLOBALS['PHP_AUTH_USER'] = $this->blowfishDecrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], $this->_getBlowfishSecret());

    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }

    // User inactive too long
    // Reject when the last recorded activity is older than
    // LoginCookieValidity seconds; cached privilege lookups are dropped so
    // nothing from the expired session is reused.
    $last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
    if ($_SESSION['last_access_time'] < $last_access_time) {
        PMA_Util::cacheUnset('is_create_db_priv', null);
        PMA_Util::cacheUnset('is_process_priv', null);
        PMA_Util::cacheUnset('is_reload_priv', null);
        PMA_Util::cacheUnset('db_to_create', null);
        PMA_Util::cacheUnset('dbs_where_create_table_allowed', null);
        $GLOBALS['no_activity'] = true;
        // authFails() (not visible here) produces the failure response;
        // exit prevents any later code from running with the stale
        // credentials. Under TESTSUITE the false return is observable instead.
        $this->authFails();
        if (!defined('TESTSUITE')) {
            exit;
        } else {
            return false;
        }
    }

    // check password cookie
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }

    $GLOBALS['PHP_AUTH_PW'] = $this->blowfishDecrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], $this->_getBlowfishSecret());
    // An empty password is stored in the cookie as this sentinel (the
    // encoding side is not visible here). Both operands are non-numeric
    // strings, so the loose == is a plain string comparison.
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }
    $GLOBALS['from_cookie'] = true;

    return true;
}
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usually with $GLOBALS['dbi']->connect()
 *
 * it returns false if something is missing - which usually leads to
 * auth() which displays login form
 *
 * it returns true if all seems ok which usually leads to auth_set_user()
 *
 * it directly switches to authFails() if user inactivity timeout is reached
 *
 * Side effects: always resets $GLOBALS['pma_auth_server'],
 * $GLOBALS['PHP_AUTH_USER'], $GLOBALS['PHP_AUTH_PW'] and
 * $GLOBALS['from_cookie'] first; may remove cookies, destroy the session
 * and, on the inactivity path, call exit (unless TESTSUITE is defined).
 *
 * @global string $conn_error set to a user-facing message when the captcha
 *                            or the arbitrary-server check rejects the attempt
 *
 * @return boolean whether we get authentication settings or not
 */
public function authCheck()
{
    global $conn_error;

    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to
     * connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;

    // BEGIN Swekey Integration
    if (!Swekey_Auth_check()) {
        return false;
    }
    // END Swekey Integration

    // Cookie clearing requested (constant defined elsewhere, not visible
    // here): drop every per-server credential cookie and force the login form.
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
        }
        return false;
    }

    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        // according to the PHP manual we should do this before the destroy:
        //$_SESSION = array();
        if (!defined('TESTSUITE')) {
            session_destroy();
        }
        // -> delete password cookie(s)
        // Both the browser cookie and the already-parsed $_COOKIE entry are
        // dropped so the cookie branch below cannot re-read the old password.
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }

    // Credentials are read from $_REQUEST, which by default merges GET,
    // POST and cookie input (request_order); only the captcha token below
    // is restricted to $_POST.
    if (!empty($_REQUEST['pma_username'])) {
        // Verify Captcha if it is required.
        // The captcha is checked on every form login in this version (no
        // per-session skip flag); cookie resumption further down is not gated.
        if (!empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
            && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
        ) {
            if (!empty($_POST["g-recaptcha-response"])) {
                include_once 'libraries/plugins/auth/recaptcha/autoload.php';
                $reCaptcha = new \ReCaptcha\ReCaptcha($GLOBALS['cfg']['CaptchaLoginPrivateKey']);
                // verify captcha status.
                $resp = $reCaptcha->verify($_POST["g-recaptcha-response"], $_SERVER["REMOTE_ADDR"]);
                // Check if the captcha entered is valid, if not stop the login.
                // A missing response object is treated as failure (fail closed).
                if ($resp == null || !$resp->isSuccess()) {
                    $conn_error = __('Entered captcha is wrong, try again!');
                    return false;
                }
            } else {
                $conn_error = __('Please enter correct captcha!');
                return false;
            }
        }

        // The user just logged in
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            // Optional allow-list for arbitrary servers. When the value has
            // exactly one space ("host port" form) only the first part is
            // matched; otherwise the whole string is. preg_match() returning
            // false (bad pattern) also rejects, so an invalid regexp fails closed.
            // NOTE(review): the full, unmatched string is what ends up in
            // $GLOBALS['pma_auth_server'] below, not just the checked host part.
            if ($GLOBALS['cfg']['ArbitraryServerRegexp']) {
                $parts = explode(' ', $_REQUEST['pma_servername']);
                if (count($parts) == 2) {
                    $tmp_host = $parts[0];
                } else {
                    $tmp_host = $_REQUEST['pma_servername'];
                }
                $match = preg_match($GLOBALS['cfg']['ArbitraryServerRegexp'], $tmp_host);
                if (!$match) {
                    $conn_error = __('You are not allowed to log in to this MySQL server!');
                    return false;
                }
            }
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }

    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies

    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }

    // check cookies
    // Both the username cookie and the per-server IV cookie must be present.
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']]) || empty($_COOKIE['pma_iv-' . $GLOBALS['server']])) {
        return false;
    }

    // NOTE(review): the username is decrypted and published into
    // $GLOBALS['PHP_AUTH_USER'] before the session/inactivity checks below,
    // so it stays set even on the paths that return false afterwards.
    $GLOBALS['PHP_AUTH_USER'] = $this->cookieDecrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], $this->_getEncryptionSecret());

    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }

    // User inactive too long
    // Reject when the last recorded activity is older than
    // LoginCookieValidity seconds; cached privilege lookups are dropped so
    // nothing from the expired session is reused.
    $last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
    if ($_SESSION['last_access_time'] < $last_access_time) {
        PMA_Util::cacheUnset('is_create_db_priv');
        PMA_Util::cacheUnset('is_reload_priv');
        PMA_Util::cacheUnset('db_to_create');
        PMA_Util::cacheUnset('dbs_where_create_table_allowed');
        PMA_Util::cacheUnset('dbs_to_test');
        $GLOBALS['no_activity'] = true;
        // authFails() (not visible here) produces the failure response;
        // exit prevents any later code from running with the stale
        // credentials. Under TESTSUITE the false return is observable instead.
        $this->authFails();
        if (!defined('TESTSUITE')) {
            exit;
        } else {
            return false;
        }
    }

    // check password cookie
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }

    // The password uses a different secret than the username
    // (_getSessionEncryptionSecret vs _getEncryptionSecret); both helpers
    // are defined outside this block.
    $GLOBALS['PHP_AUTH_PW'] = $this->cookieDecrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], $this->_getSessionEncryptionSecret());
    // An empty password is stored in the cookie as this sentinel (the
    // encoding side is not visible here). Both operands are non-numeric
    // strings, so the loose == is a plain string comparison.
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }
    $GLOBALS['from_cookie'] = true;

    return true;
}
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usually with PMA_DBI_connect()
 *
 * it returns false if something is missing - which usually leads to
 * auth() which displays login form
 *
 * it returns true if all seems ok which usually leads to auth_set_user()
 *
 * it directly switches to authFails() if user inactivity timout is reached
 *
 * Side effects: always resets $GLOBALS['pma_auth_server'],
 * $GLOBALS['PHP_AUTH_USER'], $GLOBALS['PHP_AUTH_PW'] and
 * $GLOBALS['from_cookie'] first; may remove cookies, destroy the session
 * and, on the inactivity path, always calls exit.
 *
 * @todo AllowArbitraryServer on does not imply that the user wants an
 * arbitrary server, or? so we should also check if this is filled
 * and not only if allowed
 *
 * @return boolean whether we get authentication settings or not
 */
public function authCheck()
{
    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to
     * connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;

    // BEGIN Swekey Integration
    if (!Swekey_auth_check()) {
        return false;
    }
    // END Swekey Integration

    // Cookie clearing requested (constant defined elsewhere, not visible
    // here): drop every per-server credential cookie and force the login form.
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
        }
        return false;
    }

    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        // according to the PHP manual we should do this before the destroy:
        //$_SESSION = array();
        // Unconditional here (no TESTSUITE guard in this version).
        session_destroy();
        // -> delete password cookie(s)
        // Both the browser cookie and the already-parsed $_COOKIE entry are
        // dropped so the cookie branch below cannot re-read the old password.
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }

    // Credentials are read from $_REQUEST, which by default merges GET,
    // POST and cookie input (request_order), so they are not limited to
    // the POST body of the login form. No captcha exists in this version.
    if (!empty($_REQUEST['pma_username'])) {
        // The user just logged in
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        // The submitted server name is accepted as-is here; no pattern
        // check is applied in this version.
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }

    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies

    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }

    // username
    // Only the username cookie is required in this version; there is no
    // separate IV cookie check.
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
        return false;
    }

    // NOTE(review): the username is decrypted and published into
    // $GLOBALS['PHP_AUTH_USER'] before the session/inactivity checks below,
    // so it stays set even on the paths that return false afterwards.
    $GLOBALS['PHP_AUTH_USER'] = $this->blowfishDecrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], $this->_getBlowfishSecret());

    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }

    // User inactive too long
    // Reject when the last recorded activity is older than
    // LoginCookieValidity seconds; cached privilege lookups are dropped so
    // nothing from the expired session is reused.
    $last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
    if ($_SESSION['last_access_time'] < $last_access_time) {
        PMA_Util::cacheUnset('is_create_db_priv', true);
        PMA_Util::cacheUnset('is_process_priv', true);
        PMA_Util::cacheUnset('is_reload_priv', true);
        PMA_Util::cacheUnset('db_to_create', true);
        PMA_Util::cacheUnset('dbs_where_create_table_allowed', true);
        $GLOBALS['no_activity'] = true;
        // authFails() (not visible here) produces the failure response;
        // exit is unconditional in this version, so this branch never returns.
        $this->authFails();
        exit;
    }

    // password
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }

    $GLOBALS['PHP_AUTH_PW'] = $this->blowfishDecrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], $this->_getBlowfishSecret());
    // An empty password is stored in the cookie as this sentinel (the
    // encoding side is not visible here). Both operands are non-numeric
    // strings, so the loose == is a plain string comparison.
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }
    $GLOBALS['from_cookie'] = true;

    return true;
}