Exemplo n.º 1
0
function PMA_DBI_connect($user, $password, $is_controluser = FALSE)
{
    global $cfg, $php_errormsg;
    $server_port = empty($cfg['Server']['port']) ? '' : ':' . $cfg['Server']['port'];
    if (strtolower($cfg['Server']['connect_type']) == 'tcp') {
        $cfg['Server']['socket'] = '';
    }
    $server_socket = empty($cfg['Server']['socket']) ? '' : ':' . $cfg['Server']['socket'];
    if (PMA_PHP_INT_VERSION >= 40300 && PMA_MYSQL_CLIENT_API >= 32349) {
        $client_flags = $cfg['Server']['compress'] && defined('MYSQL_CLIENT_COMPRESS') ? MYSQL_CLIENT_COMPRESS : 0;
        // always use CLIENT_LOCAL_FILES as defined in mysql_com.h
        // for the case where the client library was not compiled
        // with --enable-local-infile
        $client_flags |= 128;
    }
    $link = PMA_DBI_real_connect($cfg['Server']['host'] . $server_port . $server_socket, $user, $password, empty($client_flags) ? NULL : $client_flags);
    // Retry with empty password if we're allowed to
    if (empty($link) && $cfg['Server']['nopassword'] && !$is_controluser) {
        $link = PMA_DBI_real_connect($cfg['Server']['host'] . $server_port . $server_socket, $user, '', empty($client_flags) ? NULL : $client_flags);
    }
    if (empty($link)) {
        PMA_auth_fails();
    }
    // end if
    PMA_DBI_postConnect($link, $is_controluser);
    return $link;
}
Exemplo n.º 2
0
function PMA_DBI_connect($user, $password)
{
    global $cfg, $php_errormsg;
    $server_port = empty($cfg['Server']['port']) ? '' : ':' . $cfg['Server']['port'];
    if (strtolower($cfg['Server']['connect_type']) == 'tcp') {
        $cfg['Server']['socket'] = '';
    }
    $server_socket = empty($cfg['Server']['socket']) ? '' : ':' . $cfg['Server']['socket'];
    if (PMA_PHP_INT_VERSION >= 40300 && PMA_MYSQL_CLIENT_API >= 32349) {
        $client_flags = $cfg['Server']['compress'] && defined('MYSQL_CLIENT_COMPRESS') ? MYSQL_CLIENT_COMPRESS : 0;
        // always use CLIENT_LOCAL_FILES as defined in mysql_com.h
        // for the case where the client library was not compiled
        // with --enable-local-infile
        $client_flags |= 128;
    }
    if (empty($client_flags)) {
        $connect_func = 'mysql_' . ($cfg['PersistentConnections'] ? 'p' : '') . 'connect';
        $link = @$connect_func($cfg['Server']['host'] . $server_port . $server_socket, $user, $password);
    } else {
        if ($cfg['PersistentConnections']) {
            $link = @mysql_pconnect($cfg['Server']['host'] . $server_port . $server_socket, $user, $password, $client_flags);
        } else {
            $link = @mysql_connect($cfg['Server']['host'] . $server_port . $server_socket, $user, $password, FALSE, $client_flags);
        }
    }
    if (empty($link)) {
        PMA_auth_fails();
    }
    // end if
    PMA_DBI_postConnect($link);
    return $link;
}
/**
 * connects to the database server
 *
 * @uses    $GLOBALS['cfg']['Server']
 * @uses    PMA_auth_fails()
 * @uses    PMA_DBI_postConnect()
 * @uses    MYSQLI_CLIENT_COMPRESS
 * @uses    MYSQLI_OPT_LOCAL_INFILE
 * @uses    strtolower()
 * @uses    mysqli_init()
 * @uses    mysqli_options()
 * @uses    mysqli_real_connect()
 * @uses    defined()
 * @param   string  $user           mysql user name
 * @param   string  $password       mysql user password
 * @param   boolean $is_controluser
 * @return  mixed   false on error or a mysqli object on success
 */
function PMA_DBI_connect($user, $password, $is_controluser = false)
{
    $server_port = empty($GLOBALS['cfg']['Server']['port']) ? false : (int) $GLOBALS['cfg']['Server']['port'];
    if (strtolower($GLOBALS['cfg']['Server']['connect_type']) == 'tcp') {
        $GLOBALS['cfg']['Server']['socket'] = '';
    }
    // NULL enables connection to the default socket
    $server_socket = empty($GLOBALS['cfg']['Server']['socket']) ? null : $GLOBALS['cfg']['Server']['socket'];
    $link = mysqli_init();
    mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
    $client_flags = 0;
    /* Optionally compress connection */
    if ($GLOBALS['cfg']['Server']['compress'] && defined('MYSQLI_CLIENT_COMPRESS')) {
        $client_flags |= MYSQLI_CLIENT_COMPRESS;
    }
    /* Optionally enable SSL */
    if ($GLOBALS['cfg']['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
        $client_flags |= MYSQLI_CLIENT_SSL;
    }
    $return_value = mysqli_real_connect($link, $GLOBALS['cfg']['Server']['host'], $user, $password, false, $server_port, $server_socket, $client_flags);
    // Retry with empty password if we're allowed to
    if ($return_value == false && isset($cfg['Server']['nopassword']) && $cfg['Server']['nopassword'] && !$is_controluser) {
        $return_value = mysqli_real_connect($link, $GLOBALS['cfg']['Server']['host'], $user, '', false, $server_port, $server_socket, $client_flags);
    }
    if ($return_value == false) {
        if ($is_controluser) {
            trigger_error($GLOBALS['strControluserFailed'], E_USER_WARNING);
            return false;
        }
        PMA_auth_fails();
    }
    // end if
    PMA_DBI_postConnect($link, $is_controluser);
    return $link;
}
Exemplo n.º 4
0
function PMA_DBI_connect($user, $password, $is_controluser = FALSE)
{
    global $cfg, $php_errormsg;
    $server_port = empty($cfg['Server']['port']) ? FALSE : (int) $cfg['Server']['port'];
    if (strtolower($cfg['Server']['connect_type']) == 'tcp') {
        $cfg['Server']['socket'] = '';
    }
    // NULL enables connection to the default socket
    $server_socket = empty($cfg['Server']['socket']) ? null : $cfg['Server']['socket'];
    $link = mysqli_init();
    mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, TRUE);
    $client_flags = $cfg['Server']['compress'] && defined('MYSQLI_CLIENT_COMPRESS') ? MYSQLI_CLIENT_COMPRESS : 0;
    $return_value = @mysqli_real_connect($link, $cfg['Server']['host'], $user, $password, FALSE, $server_port, $server_socket, $client_flags);
    if ($return_value == FALSE) {
        PMA_auth_fails();
    }
    // end if
    PMA_DBI_postConnect($link, $is_controluser);
    return $link;
}
Exemplo n.º 5
0
function PMA_DBI_connect($user, $password, $is_controluser = false)
{
    global $cfg, $php_errormsg;
    $server_port = empty($cfg['Server']['port']) ? '' : ':' . $cfg['Server']['port'];
    if (strtolower($cfg['Server']['connect_type']) == 'tcp') {
        $cfg['Server']['socket'] = '';
    }
    $server_socket = empty($cfg['Server']['socket']) ? '' : ':' . $cfg['Server']['socket'];
    $client_flags = 0;
    // always use CLIENT_LOCAL_FILES as defined in mysql_com.h
    // for the case where the client library was not compiled
    // with --enable-local-infile
    $client_flags |= 128;
    /* Optionally compress connection */
    if (defined('MYSQL_CLIENT_COMPRESS') && $cfg['Server']['compress']) {
        $client_flags |= MYSQL_CLIENT_COMPRESS;
    }
    /* Optionally enable SSL */
    if (defined('MYSQL_CLIENT_SSL') && $cfg['Server']['ssl']) {
        $client_flags |= MYSQL_CLIENT_SSL;
    }
    $link = PMA_DBI_real_connect($cfg['Server']['host'] . $server_port . $server_socket, $user, $password, empty($client_flags) ? NULL : $client_flags);
    // Retry with empty password if we're allowed to
    if (empty($link) && $cfg['Server']['nopassword'] && !$is_controluser) {
        $link = PMA_DBI_real_connect($cfg['Server']['host'] . $server_port . $server_socket, $user, '', empty($client_flags) ? NULL : $client_flags);
    }
    if (empty($link)) {
        if ($is_controluser) {
            trigger_error($GLOBALS['strControluserFailed'], E_USER_WARNING);
            return false;
        }
        PMA_log_user($user, 'mysql-denied');
        PMA_auth_fails();
    }
    // end if
    PMA_DBI_postConnect($link, $is_controluser);
    return $link;
}
Exemplo n.º 6
0
/**
 * @param   string  $user           mysql user name
 * @param   string  $password       mysql user password
 * @param   boolean $is_controluser
 * @param   array   $server host/port/socket/persistant
 * @param   boolean $auxiliary_connection (when true, don't go back to login if connection fails)
 * @return  mixed   false on error or a mysqli object on success
 */
function PMA_DBI_connect($user, $password, $is_controluser = false, $server = null, $auxiliary_connection = false)
{
    global $cfg, $php_errormsg;
    if ($server) {
        $server_port = empty($server['port']) ? '' : ':' . (int) $server['port'];
        $server_socket = empty($server['socket']) ? '' : ':' . $server['socket'];
        $server_persistant = empty($server['persistant']) ? false : true;
    } else {
        $server_port = empty($cfg['Server']['port']) ? '' : ':' . (int) $cfg['Server']['port'];
        $server_socket = empty($cfg['Server']['socket']) ? '' : ':' . $cfg['Server']['socket'];
    }
    if (strtolower($cfg['Server']['connect_type']) == 'tcp') {
        $cfg['Server']['socket'] = '';
    }
    $client_flags = 0;
    // always use CLIENT_LOCAL_FILES as defined in mysql_com.h
    // for the case where the client library was not compiled
    // with --enable-local-infile
    $client_flags |= 128;
    /* Optionally compress connection */
    if (defined('MYSQL_CLIENT_COMPRESS') && $cfg['Server']['compress']) {
        $client_flags |= MYSQL_CLIENT_COMPRESS;
    }
    /* Optionally enable SSL */
    if (defined('MYSQL_CLIENT_SSL') && $cfg['Server']['ssl']) {
        $client_flags |= MYSQL_CLIENT_SSL;
    }
    if (!$server) {
        $link = PMA_DBI_real_connect($cfg['Server']['host'] . $server_port . $server_socket, $user, $password, empty($client_flags) ? NULL : $client_flags);
        // Retry with empty password if we're allowed to
        if (empty($link) && $cfg['Server']['nopassword'] && !$is_controluser) {
            $link = PMA_DBI_real_connect($cfg['Server']['host'] . $server_port . $server_socket, $user, '', empty($client_flags) ? NULL : $client_flags);
        }
    } else {
        if (!isset($server['host'])) {
            $link = PMA_DBI_real_connect($server_socket, $user, $password, NULL, $server_persistant);
        } else {
            $link = PMA_DBI_real_connect($server['host'] . $server_port . $server_socket, $user, $password, NULL, $server_persistant);
        }
    }
    if (empty($link)) {
        if ($is_controluser) {
            trigger_error($GLOBALS['strControluserFailed'], E_USER_WARNING);
            return false;
        }
        // we could be calling PMA_DBI_connect() to connect to another
        // server, for example in the Synchronize feature, so do not
        // go back to main login if it fails
        if (!$auxiliary_connection) {
            PMA_log_user($user, 'mysql-denied');
            PMA_auth_fails();
        } else {
            return false;
        }
    }
    // end if
    if (!$server) {
        PMA_DBI_postConnect($link, $is_controluser);
    }
    return $link;
}
Exemplo n.º 7
0
             }
         }
     }
     // end if... else if... else if
     // Ejects the user if banished
     if ($allowDeny_forbidden) {
         PMA_auth_fails();
     }
     unset($allowDeny_forbidden);
     //Clean up after you!
 }
 // end if
 // is root allowed?
 if (!$cfg['Server']['AllowRoot'] && $cfg['Server']['user'] == 'root') {
     $allowDeny_forbidden = TRUE;
     PMA_auth_fails();
     unset($allowDeny_forbidden);
     //Clean up after you!
 }
 // The user can work with only some databases
 if (isset($cfg['Server']['only_db']) && $cfg['Server']['only_db'] != '') {
     if (is_array($cfg['Server']['only_db'])) {
         $dblist = $cfg['Server']['only_db'];
     } else {
         $dblist[] = $cfg['Server']['only_db'];
     }
 }
 // end if
 $bkp_track_err = @ini_set('track_errors', 1);
 // Try to connect MySQL with the control user profile (will be used to
 // get the privileges list for the current user but the true user link
Exemplo n.º 8
0
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usually with PMA_DBI_connect()
 *
 * it returns false if something is missing - which usually leads to
 * PMA_auth() which displays login form
 *
 * it returns true if all seems ok which usually leads to PMA_auth_set_user()
 *
 * it directly switches to PMA_auth_fails() if user inactivity timout is reached
 *
 * @todo    AllowArbitraryServer on does not imply that the user wants an
 *          arbitrary server, or? so we should also check if this is filled and
 *          not only if allowed
 *
 * @return boolean   whether we get authentication settings or not
 *
 * @access  public
 */
function PMA_auth_check()
{
    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;
    // BEGIN Swekey Integration
    if (!Swekey_auth_check()) {
        return false;
    }
    // END Swekey Integration
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
        }
        return false;
    }
    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        // according to the PHP manual we should do this before the destroy:
        //$_SESSION = array();
        // but we still need some parts of the session information
        // in libraries/header_meta_style.inc.php
        session_destroy();
        // -> delete password cookie(s)
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }
    if (!empty($_REQUEST['pma_username'])) {
        // The user just logged in
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }
    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies
    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }
    // username
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], PMA_get_blowfish_secret());
    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }
    // User inactive too long
    if ($_SESSION['last_access_time'] < time() - $GLOBALS['cfg']['LoginCookieValidity']) {
        PMA_cacheUnset('is_create_db_priv', true);
        PMA_cacheUnset('is_process_priv', true);
        PMA_cacheUnset('is_reload_priv', true);
        PMA_cacheUnset('db_to_create', true);
        PMA_cacheUnset('dbs_where_create_table_allowed', true);
        $GLOBALS['no_activity'] = true;
        PMA_auth_fails();
        exit;
    }
    // password
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], PMA_get_blowfish_secret());
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }
    $GLOBALS['from_cookie'] = true;
    return true;
}
Exemplo n.º 9
0
/**
 * connects to the database server
 *
 * @param   string  $user           mysql user name
 * @param   string  $password       mysql user password
 * @param   bool    $is_controluser
 * @param   array   $server host/port/socket
 * @param   bool    $auxiliary_connection (when true, don't go back to login if connection fails)
 * @return  mixed   false on error or a mysqli object on success
 */
function PMA_DBI_connect($user, $password, $is_controluser = false, $server = null, $auxiliary_connection = false)
{
    global $cfg;
    if ($server) {
        $server_port = empty($server['port']) ? false : (int) $server['port'];
        $server_socket = empty($server['socket']) ? '' : $server['socket'];
        $server['host'] = empty($server['host']) ? 'localhost' : $server['host'];
    } else {
        $server_port = empty($cfg['Server']['port']) ? false : (int) $cfg['Server']['port'];
        $server_socket = empty($cfg['Server']['socket']) ? null : $cfg['Server']['socket'];
    }
    // NULL enables connection to the default socket
    $link = mysqli_init();
    mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
    $client_flags = 0;
    /* Optionally compress connection */
    if ($cfg['Server']['compress'] && defined('MYSQLI_CLIENT_COMPRESS')) {
        $client_flags |= MYSQLI_CLIENT_COMPRESS;
    }
    /* Optionally enable SSL */
    if ($cfg['Server']['ssl'] && defined('MYSQLI_CLIENT_SSL')) {
        $client_flags |= MYSQLI_CLIENT_SSL;
    }
    if (!$server) {
        $return_value = @PMA_DBI_real_connect($link, $cfg['Server']['host'], $user, $password, false, $server_port, $server_socket, $client_flags);
        // Retry with empty password if we're allowed to
        if ($return_value == false && isset($cfg['Server']['nopassword']) && $cfg['Server']['nopassword'] && !$is_controluser) {
            $return_value = @PMA_DBI_real_connect($link, $cfg['Server']['host'], $user, '', false, $server_port, $server_socket, $client_flags);
        }
    } else {
        $return_value = @PMA_DBI_real_connect($link, $server['host'], $user, $password, false, $server_port, $server_socket);
    }
    if ($return_value == false) {
        if ($is_controluser) {
            trigger_error(__('Connection for controluser as defined in your configuration failed.'), E_USER_WARNING);
            return false;
        }
        // we could be calling PMA_DBI_connect() to connect to another
        // server, for example in the Synchronize feature, so do not
        // go back to main login if it fails
        if (!$auxiliary_connection) {
            PMA_log_user($user, 'mysql-denied');
            PMA_auth_fails();
        } else {
            return false;
        }
    } else {
        PMA_DBI_postConnect($link, $is_controluser);
    }
    return $link;
}
Exemplo n.º 10
0
/**
 * connects to the database server
 *
 * @param   string  $user           drizzle user name
 * @param   string  $password       drizzle user password
 * @param   bool    $is_controluser
 * @param   array   $server host/port/socket
 * @param   bool    $auxiliary_connection (when true, don't go back to login if connection fails)
 * @return  mixed   false on error or a mysqli object on success
 */
function PMA_DBI_connect($user, $password, $is_controluser = false, $server = null, $auxiliary_connection = false)
{
    global $cfg;
    if ($server) {
        $server_port = empty($server['port']) ? false : (int) $server['port'];
        $server_socket = empty($server['socket']) ? '' : $server['socket'];
        $server['host'] = empty($server['host']) ? 'localhost' : $server['host'];
    } else {
        $server_port = empty($cfg['Server']['port']) ? false : (int) $cfg['Server']['port'];
        $server_socket = empty($cfg['Server']['socket']) ? null : $cfg['Server']['socket'];
    }
    if (strtolower($GLOBALS['cfg']['Server']['connect_type']) == 'tcp') {
        $GLOBALS['cfg']['Server']['socket'] = '';
    }
    $drizzle = new PMA_Drizzle();
    $client_flags = 0;
    /* Optionally compress connection */
    if ($GLOBALS['cfg']['Server']['compress']) {
        $client_flags |= DRIZZLE_CAPABILITIES_COMPRESS;
    }
    /* Optionally enable SSL */
    if ($GLOBALS['cfg']['Server']['ssl']) {
        $client_flags |= DRIZZLE_CAPABILITIES_SSL;
    }
    if (!$server) {
        $link = @PMA_DBI_real_connect($drizzle, $cfg['Server']['host'], $server_port, $server_socket, $user, $password, false, $client_flags);
        // Retry with empty password if we're allowed to
        if ($link == false && isset($cfg['Server']['nopassword']) && $cfg['Server']['nopassword'] && !$is_controluser) {
            $link = @PMA_DBI_real_connect($drizzle, $cfg['Server']['host'], $server_port, $server_socket, $user, null, false, $client_flags);
        }
    } else {
        $link = @PMA_DBI_real_connect($drizzle, $server['host'], $server_port, $server_socket, $user, $password);
    }
    if ($link == false) {
        if ($is_controluser) {
            trigger_error(__('Connection for controluser as defined in your configuration failed.'), E_USER_WARNING);
            return false;
        }
        // we could be calling PMA_DBI_connect() to connect to another
        // server, for example in the Synchronize feature, so do not
        // go back to main login if it fails
        if (!$auxiliary_connection) {
            PMA_log_user($user, 'drizzle-denied');
            PMA_auth_fails();
        } else {
            return false;
        }
    } else {
        PMA_DBI_postConnect($link, $is_controluser);
    }
    return $link;
}
/**
 * Gets advanced authentication settings
 *
 * @global  string    the username if register_globals is on
 * @global  string    the password if register_globals is on
 * @global  array     the array of cookie variables if register_globals is
 *                    off
 * @global  string    the servername sent by the login form
 * @global  string    the username sent by the login form
 * @global  string    the password sent by the login form
 * @global  string    the username of the user who logs out
 * @global  boolean   whether the login/password pair is grabbed from a
 *                    cookie or not
 *
 * @return  boolean   whether we get authentication settings or not
 *
 * @access  public
 */
function PMA_auth_check()
{
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $pma_servername, $pma_username, $pma_password, $old_usr, $server;
    global $from_cookie;
    // avoid an error in mcrypt
    if (empty($GLOBALS['cfg']['blowfish_secret'])) {
        return false;
    }
    // Initialization
    $PHP_AUTH_USER = $PHP_AUTH_PW = '';
    $from_cookie = false;
    $from_form = false;
    // The user wants to be logged out -> delete password cookie(s)
    if (!empty($old_usr)) {
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                PMA_removeCookie('pma_cookie_password-' . $key);
            }
        } else {
            PMA_removeCookie('pma_cookie_password-' . $server);
        }
    } elseif (!empty($pma_username)) {
        $PHP_AUTH_USER = $pma_username;
        $PHP_AUTH_PW = empty($pma_password) ? '' : $pma_password;
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            $pma_auth_server = $pma_servername;
        }
        $from_form = true;
    } else {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            // servername
            if (!empty($pma_cookie_servername)) {
                $pma_auth_server = $pma_cookie_servername;
                $from_cookie = true;
            } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_servername-' . $server])) {
                $pma_auth_server = $_COOKIE['pma_cookie_servername-' . $server];
                $from_cookie = true;
            }
        }
        // username
        if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_username-' . $server])) {
            $PHP_AUTH_USER = $_COOKIE['pma_cookie_username-' . $server];
            $from_cookie = true;
        }
        $decrypted_user = PMA_blowfish_decrypt($PHP_AUTH_USER, $GLOBALS['cfg']['blowfish_secret']);
        if (!empty($decrypted_user)) {
            $pos = strrpos($decrypted_user, ':');
            $PHP_AUTH_USER = substr($decrypted_user, 0, $pos);
            $decrypted_time = (int) substr($decrypted_user, $pos + 1);
        } else {
            $decrypted_time = 0;
        }
        // User inactive too long
        if ($decrypted_time > 0 && $decrypted_time < $GLOBALS['current_time'] - $GLOBALS['cfg']['LoginCookieValidity']) {
            // Display an error message only if the inactivity has lasted
            // less than 4 times the timeout value. This is to avoid
            // alerting users with a error after "much" time has passed,
            // for example next morning.
            if ($decrypted_time > $GLOBALS['current_time'] - $GLOBALS['cfg']['LoginCookieValidity'] * 4) {
                $GLOBALS['no_activity'] = true;
                PMA_auth_fails();
            }
            return false;
        }
        // password
        if (!empty($pma_cookie_password)) {
            $PHP_AUTH_PW = $pma_cookie_password;
        } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_password-' . $server])) {
            $PHP_AUTH_PW = $_COOKIE['pma_cookie_password-' . $server];
        } else {
            $from_cookie = false;
        }
        $PHP_AUTH_PW = PMA_blowfish_decrypt($PHP_AUTH_PW, $GLOBALS['cfg']['blowfish_secret'] . $decrypted_time);
        if ($PHP_AUTH_PW == "ÿ(blank)") {
            $PHP_AUTH_PW = '';
        }
    }
    // Returns whether we get authentication settings or not
    if (!$from_cookie && !$from_form) {
        return false;
    } elseif ($from_cookie) {
        return true;
    } else {
        // we don't need to strip here, it is done in grab_globals
        return true;
    }
}
Exemplo n.º 12
0
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usally with PMA_DBI_connect()
 *
 * it returns false if there is missing something - which usally leads to
 * PMA_auth() which displays login form
 *
 * it returns true if all seems ok which usally leads to PMA_auth_set_user()
 *
 * it directly switches to PMA_auth_fails() if user inactivity timout is reached
 *
 * @todo    AllowArbitraryServer on does not imply that the user wnats an
 *          arbitrary server, or? so we should also check if this is filled and
 *          not only if allowed
 * @uses    $GLOBALS['PHP_AUTH_USER']
 * @uses    $GLOBALS['PHP_AUTH_PW']
 * @uses    $GLOBALS['no_activity']
 * @uses    $GLOBALS['server']
 * @uses    $GLOBALS['from_cookie']
 * @uses    $GLOBALS['pma_auth_server']
 * @uses    $cfg['blowfish_secret']
 * @uses    $cfg['AllowArbitraryServer']
 * @uses    $cfg['LoginCookieValidity']
 * @uses    $cfg['Servers']
 * @uses    $_REQUEST['old_usr'] from logout link
 * @uses    $_REQUEST['pma_username'] from login form
 * @uses    $_REQUEST['pma_password'] from login form
 * @uses    $_REQUEST['pma_servername'] from login form
 * @uses    $_COOKIE
 * @uses    $_SESSION['last_access_time']
 * @uses    PMA_removeCookie()
 * @uses    PMA_blowfish_decrypt()
 * @uses    PMA_auth_fails()
 * @uses    time()
 *
 * @return  boolean   whether we get authentication settings or not
 *
 * @access  public
 */
function PMA_auth_check()
{
    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;
    // avoid an error in mcrypt
    if (empty($GLOBALS['cfg']['blowfish_secret'])) {
        return false;
    }
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            PMA_removeCookie('pmaPass-' . $key);
            PMA_removeCookie('pmaServer-' . $key);
            PMA_removeCookie('pmaUser-' . $key);
        }
        return false;
    }
    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        session_destroy();
        // -> delete password cookie(s)
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                PMA_removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            PMA_removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }
    if (!empty($_REQUEST['pma_username'])) {
        // The user just logged in
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }
    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies
    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }
    // username
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], $GLOBALS['cfg']['blowfish_secret']);
    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }
    // User inactive too long
    if ($_SESSION['last_access_time'] < time() - $GLOBALS['cfg']['LoginCookieValidity']) {
        $GLOBALS['no_activity'] = true;
        PMA_auth_fails();
        exit;
    }
    // password
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], $GLOBALS['cfg']['blowfish_secret']);
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }
    $GLOBALS['from_cookie'] = true;
    return true;
}