/**
* Logs user information to webserver logs.
*
* @param string $user user name
* @param string $status status message
*
* @return void
*/
public static function logUser($user, $status = 'ok')
{
if (function_exists('apache_note')) {
apache_note('userID', $user);
apache_note('userStatus', $status);
}
if (function_exists('syslog') && $status != 'ok') {
@openlog('phpMyAdmin', LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
@syslog(LOG_WARNING, 'user denied: ' . $user . ' (' . $status . ') from ' . PMA_getIp());
}
}
/**
* Test for PMA_getIp
*
* @return void
*/
public function testPMA_getIp()
{
//$_SERVER['REMOTE_ADDR'] is empty
$this->assertEquals(false, PMA_getIp());
$_SERVER['REMOTE_ADDR'] = "101.0.0.25";
$this->assertEquals("101.0.0.25", PMA_getIp());
//proxy
$var_name = "direct_ip";
$direct_ip = $_SERVER['REMOTE_ADDR'];
$GLOBALS['cfg']['TrustedProxies'][$direct_ip] = $var_name;
$_SERVER[$var_name] = "192.168.0.1";
$this->assertEquals("192.168.0.1", PMA_getIp());
unset($_SERVER[$var_name]);
unset($GLOBALS['cfg']['TrustedProxies'][$direct_ip]);
}
/**
* Test for PMA_getIp
*
* @return void
*
* @dataProvider proxyIPs
*/
public function testGetIp($remote, $header, $expected, $proxyip = null)
{
unset($_SERVER['REMOTE_ADDR']);
unset($_SERVER['TEST_FORWARDED_HEADER']);
$GLOBALS['cfg']['TrustedProxies'] = array();
if (!is_null($remote)) {
$_SERVER['REMOTE_ADDR'] = $remote;
}
if (!is_null($header)) {
if (is_null($proxyip)) {
$proxyip = $remote;
}
$GLOBALS['cfg']['TrustedProxies'][$proxyip] = 'TEST_FORWARDED_HEADER';
$_SERVER['TEST_FORWARDED_HEADER'] = $header;
}
$this->assertEquals($expected, PMA_getIp());
unset($_SERVER['REMOTE_ADDR']);
unset($_SERVER['TEST_FORWARDED_HEADER']);
$GLOBALS['cfg']['TrustedProxies'] = array();
}
/**
* Runs through IP Allow/Deny rules the use of it below for more information
*
* @param string $type 'allow' | 'deny' type of rule to match
*
* @return bool Matched a rule ?
*
* @access public
*
* @see PMA_getIp()
*/
function PMA_allowDeny($type)
{
global $cfg;
// Grabs true IP of the user and returns if it can't be found
$remote_ip = PMA_getIp();
if (empty($remote_ip)) {
return false;
}
// copy username
$username = $cfg['Server']['user'];
// copy rule database
$rules = $cfg['Server']['AllowDeny']['rules'];
// lookup table for some name shortcuts
$shortcuts = array('all' => '0.0.0.0/0', 'localhost' => '127.0.0.1/8');
// Provide some useful shortcuts if server gives us address:
if (PMA_getenv('SERVER_ADDR')) {
$shortcuts['localnetA'] = PMA_getenv('SERVER_ADDR') . '/8';
$shortcuts['localnetB'] = PMA_getenv('SERVER_ADDR') . '/16';
$shortcuts['localnetC'] = PMA_getenv('SERVER_ADDR') . '/24';
}
foreach ($rules as $rule) {
// extract rule data
$rule_data = explode(' ', $rule);
// check for rule type
if ($rule_data[0] != $type) {
continue;
}
// check for username
if ($rule_data[1] != '%' && $rule_data[1] != $username) {
continue;
}
// check if the config file has the full string with an extra
// 'from' in it and if it does, just discard it
if ($rule_data[2] == 'from') {
$rule_data[2] = $rule_data[3];
}
// Handle shortcuts with above array
if (isset($shortcuts[$rule_data[2]])) {
$rule_data[2] = $shortcuts[$rule_data[2]];
}
// Add code for host lookups here
// Excluded for the moment
// Do the actual matching now
if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
return true;
}
}
// end while
return false;
}
/**
* Runs through IP Allow/Deny rules the use of it below for more information
*
* @param string 'allow' | 'deny' type of rule to match
*
* @return bool Matched a rule ?
*
* @access public
*
* @see PMA_getIp()
*/
function PMA_allowDeny($type)
{
global $cfg;
// Grabs true IP of the user and returns if it can't be found
$remote_ip = PMA_getIp();
if (empty($remote_ip)) {
return FALSE;
}
// copy username
$username = $cfg['Server']['user'];
// copy rule database
$rules = $cfg['Server']['AllowDeny']['rules'];
// lookup table for some name shortcuts
$shortcuts = array('all' => '0.0.0.0/0', 'localhost' => '127.0.0.1/8');
foreach ($rules as $rule) {
// extract rule data
$rule_data = explode(' ', $rule);
// check for rule type
if ($rule_data[0] != $type) {
continue;
}
// check for username
if ($rule_data[1] != '%' && $rule_data[1] != $username) {
continue;
}
// check if the config file has the full string with an extra
// 'from' in it and if it does, just discard it
if ($rule_data[2] == 'from') {
$rule_data[2] = $rule_data[3];
}
// Handle shortcuts with above array
// DON'T use "array_key_exists" as it's only PHP 4.1 and newer.
if (isset($shortcuts[$rule_data[2]])) {
$rule_data[2] = $shortcuts[$rule_data[2]];
}
// Add code for host lookups here
// Excluded for the moment
// Do the actual matching now
if (PMA_ipMaskTest($rule_data[2], $remote_ip)) {
return TRUE;
}
}
// end while
return FALSE;
}
/**
* Gets advanced authentication settings
*
* this function DOES NOT check authentication - it just checks/provides
* authentication credentials required to connect to the MySQL server
* usually with $GLOBALS['dbi']->connect()
*
* it returns false if something is missing - which usually leads to
* auth() which displays login form
*
* it returns true if all seems ok which usually leads to auth_set_user()
*
* it directly switches to authFails() if user inactivity timeout is reached
*
* @return boolean whether we get authentication settings or not
*/
public function authCheck()
{
global $conn_error;
// Initialization
/**
* @global $GLOBALS['pma_auth_server'] the user provided server to
* connect to
*/
$GLOBALS['pma_auth_server'] = '';
$GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
$GLOBALS['from_cookie'] = false;
if (!empty($_REQUEST['pma_username'])) {
// Verify Captcha if it is required.
if (!empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])) {
if (!empty($_POST["g-recaptcha-response"])) {
if (function_exists('curl_init')) {
$reCaptcha = new ReCaptcha\ReCaptcha($GLOBALS['cfg']['CaptchaLoginPrivateKey'], new ReCaptcha\RequestMethod\CurlPost());
} else {
if (ini_get('allow_url_fopen')) {
$reCaptcha = new ReCaptcha\ReCaptcha($GLOBALS['cfg']['CaptchaLoginPrivateKey'], new ReCaptcha\RequestMethod\Post());
} else {
$reCaptcha = new ReCaptcha\ReCaptcha($GLOBALS['cfg']['CaptchaLoginPrivateKey'], new ReCaptcha\RequestMethod\SocketPost());
}
}
// verify captcha status.
$resp = $reCaptcha->verify($_POST["g-recaptcha-response"], PMA_getIp());
// Check if the captcha entered is valid, if not stop the login.
if ($resp == null || !$resp->isSuccess()) {
$conn_error = __('Entered captcha is wrong, try again!');
return false;
}
} else {
$conn_error = __('Please enter correct captcha!');
return false;
}
}
// The user just logged in
$GLOBALS['PHP_AUTH_USER'] = PMA_sanitizeMySQLUser($_REQUEST['pma_username']);
$GLOBALS['PHP_AUTH_PW'] = $_REQUEST['pma_password'];
if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
if ($GLOBALS['cfg']['ArbitraryServerRegexp']) {
$parts = explode(' ', $_REQUEST['pma_servername']);
if (count($parts) == 2) {
$tmp_host = $parts[0];
} else {
$tmp_host = $_REQUEST['pma_servername'];
}
$match = preg_match($GLOBALS['cfg']['ArbitraryServerRegexp'], $tmp_host);
if (!$match) {
$conn_error = __('You are not allowed to log in to this MySQL server!');
return false;
}
}
$GLOBALS['pma_auth_server'] = PMA_sanitizeMySQLHost($_REQUEST['pma_servername']);
}
PMA_secureSession();
return true;
}
// At the end, try to set the $GLOBALS['PHP_AUTH_USER']
// and $GLOBALS['PHP_AUTH_PW'] variables from cookies
// check cookies
if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
return false;
}
$GLOBALS['PHP_AUTH_USER'] = $this->cookieDecrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], $this->_getEncryptionSecret());
// user was never logged in since session start
if (empty($_SESSION['last_access_time'])) {
return false;
}
// User inactive too long
$last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
if ($_SESSION['last_access_time'] < $last_access_time) {
Util::cacheUnset('is_create_db_priv');
Util::cacheUnset('is_reload_priv');
Util::cacheUnset('db_to_create');
Util::cacheUnset('dbs_where_create_table_allowed');
Util::cacheUnset('dbs_to_test');
Util::cacheUnset('db_priv');
Util::cacheUnset('col_priv');
Util::cacheUnset('table_priv');
Util::cacheUnset('proc_priv');
$GLOBALS['no_activity'] = true;
$this->authFails();
if (!defined('TESTSUITE')) {
exit;
} else {
return false;
}
}
// check password cookie
if (empty($_COOKIE['pmaAuth-' . $GLOBALS['server']])) {
return false;
}
$auth_data = json_decode($this->cookieDecrypt($_COOKIE['pmaAuth-' . $GLOBALS['server']], $this->_getSessionEncryptionSecret()), true);
if (!is_array($auth_data) || !isset($auth_data['password'])) {
return false;
}
$GLOBALS['PHP_AUTH_PW'] = $auth_data['password'];
if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($auth_data['server'])) {
$GLOBALS['pma_auth_server'] = $auth_data['server'];
}
$GLOBALS['from_cookie'] = true;
return true;
}
