예제 #1
0
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usually with PMA_DBI_connect()
 *
 * it returns false if something is missing - which usually leads to
 * PMA_auth() which displays login form
 *
 * it returns true if all seems ok which usually leads to PMA_auth_set_user()
 *
 * it directly switches to PMA_auth_fails() if user inactivity timout is reached
 *
 * @todo    AllowArbitraryServer on does not imply that the user wants an
 *          arbitrary server, or? so we should also check if this is filled and
 *          not only if allowed
 *
 * @return boolean   whether we get authentication settings or not
 *
 * @access  public
 */
function PMA_auth_check()
{
    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;
    // BEGIN Swekey Integration
    if (!Swekey_auth_check()) {
        return false;
    }
    // END Swekey Integration
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
        }
        return false;
    }
    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        // according to the PHP manual we should do this before the destroy:
        //$_SESSION = array();
        // but we still need some parts of the session information
        // in libraries/header_meta_style.inc.php
        session_destroy();
        // -> delete password cookie(s)
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }
    if (!empty($_REQUEST['pma_username'])) {
        // The user just logged in
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }
    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies
    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }
    // username
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], PMA_get_blowfish_secret());
    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }
    // User inactive too long
    if ($_SESSION['last_access_time'] < time() - $GLOBALS['cfg']['LoginCookieValidity']) {
        PMA_cacheUnset('is_create_db_priv', true);
        PMA_cacheUnset('is_process_priv', true);
        PMA_cacheUnset('is_reload_priv', true);
        PMA_cacheUnset('db_to_create', true);
        PMA_cacheUnset('dbs_where_create_table_allowed', true);
        $GLOBALS['no_activity'] = true;
        PMA_auth_fails();
        exit;
    }
    // password
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], PMA_get_blowfish_secret());
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }
    $GLOBALS['from_cookie'] = true;
    return true;
}
 /**
  * Gets advanced authentication settings
  *
  * this function DOES NOT check authentication - it just checks/provides
  * authentication credentials required to connect to the MySQL server
  * usually with $GLOBALS['dbi']->connect()
  *
  * it returns false if something is missing - which usually leads to
  * auth() which displays login form
  *
  * it returns true if all seems ok which usually leads to auth_set_user()
  *
  * it directly switches to authFails() if user inactivity timout is reached
  *
  * @todo    AllowArbitraryServer on does not imply that the user wants an
  *          arbitrary server, or? so we should also check if this is filled
  *          and not only if allowed
  *
  * @return boolean   whether we get authentication settings or not
  */
 public function authCheck()
 {
     global $conn_error;
     // Initialization
     /**
      * @global $GLOBALS['pma_auth_server'] the user provided server to
      * connect to
      */
     $GLOBALS['pma_auth_server'] = '';
     $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
     $GLOBALS['from_cookie'] = false;
     // BEGIN Swekey Integration
     if (!Swekey_auth_check()) {
         return false;
     }
     // END Swekey Integration
     if (defined('PMA_CLEAR_COOKIES')) {
         foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
             $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
             $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
             $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
         }
         return false;
     }
     // We already have one correct captcha.
     $skip = false;
     if (isset($_SESSION['last_valid_captcha']) && $_SESSION['last_valid_captcha']) {
         $skip = true;
     }
     // Verify Captcha if it is required.
     if (!empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey']) && !$skip) {
         if (!empty($_POST["recaptcha_challenge_field"]) && !empty($_POST["recaptcha_response_field"])) {
             include_once 'libraries/plugins/auth/recaptchalib.php';
             // Use private key to verify captcha status.
             $resp = recaptcha_check_answer($GLOBALS['cfg']['CaptchaLoginPrivateKey'], $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]);
             // Check if the captcha entered is valid, if not stop the login.
             if (!$resp->is_valid) {
                 $conn_error = __('Entered captcha is wrong, try again!');
                 $_SESSION['last_valid_captcha'] = false;
                 return false;
             } else {
                 $_SESSION['last_valid_captcha'] = true;
             }
         } elseif (!empty($_POST["recaptcha_challenge_field"]) && empty($_POST["recaptcha_response_field"])) {
             $conn_error = __('Please enter correct captcha!');
             return false;
         } else {
             if (!isset($_SESSION['last_valid_captcha']) || !$_SESSION['last_valid_captcha']) {
                 return false;
             }
         }
     }
     if (!empty($_REQUEST['old_usr'])) {
         // The user wants to be logged out
         // -> delete his choices that were stored in session
         // according to the PHP manual we should do this before the destroy:
         //$_SESSION = array();
         if (!defined('TESTSUITE')) {
             session_destroy();
         }
         // -> delete password cookie(s)
         if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
             foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
                 if (isset($_COOKIE['pmaPass-' . $key])) {
                     unset($_COOKIE['pmaPass-' . $key]);
                 }
             }
         } else {
             $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
             if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                 unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
             }
         }
     }
     if (!empty($_REQUEST['pma_username'])) {
         // The user just logged in
         $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
         $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
         if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
             $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
         }
         return true;
     }
     // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
     // and $GLOBALS['PHP_AUTH_PW'] variables from cookies
     // servername
     if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
         $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
     }
     // username
     if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
         return false;
     }
     $GLOBALS['PHP_AUTH_USER'] = $this->blowfishDecrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], $this->_getBlowfishSecret());
     // user was never logged in since session start
     if (empty($_SESSION['last_access_time'])) {
         return false;
     }
     // User inactive too long
     $last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
     if ($_SESSION['last_access_time'] < $last_access_time) {
         PMA_Util::cacheUnset('is_create_db_priv', true);
         PMA_Util::cacheUnset('is_process_priv', true);
         PMA_Util::cacheUnset('is_reload_priv', true);
         PMA_Util::cacheUnset('db_to_create', true);
         PMA_Util::cacheUnset('dbs_where_create_table_allowed', true);
         $GLOBALS['no_activity'] = true;
         $this->authFails();
         if (!defined('TESTSUITE')) {
             exit;
         } else {
             return false;
         }
     }
     // password
     if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
         return false;
     }
     $GLOBALS['PHP_AUTH_PW'] = $this->blowfishDecrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], $this->_getBlowfishSecret());
     if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
         $GLOBALS['PHP_AUTH_PW'] = '';
     }
     $GLOBALS['from_cookie'] = true;
     return true;
 }