search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Upgraded phpmyadmin to 4.0.4 (All Languages) - No modifications yet
[openemr.git] / phpmyadmin / libraries / plugins / auth / AuthenticationHttp.class.php
blobf81ab92a5510d63959ce43a894bebccaee0c1505
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * HTTP Authentication plugin for phpMyAdmin.
5 * NOTE: Requires PHP loaded as a Apache module.
6 *
7 * @package PhpMyAdmin-Authentication
8 * @subpackage HTTP
9 */
10 if (! defined('PHPMYADMIN')) {
11 exit;
12 }
13
14 /* Get the authentication interface */
15 require_once 'libraries/plugins/AuthenticationPlugin.class.php';
16
17 /**
18 * Handles the HTTP authentication methods
19 *
20 * @package PhpMyAdmin-Authentication
21 */
22 class AuthenticationHttp extends AuthenticationPlugin
23 {
24 /**
25 * Displays authentication form
26 *
27 * @global string the font face to use in case of failure
28 * @global string the default font size to use in case of failure
29 * @global string the big font size to use in case of failure
30 *
31 * @return boolean always true (no return indeed)
32 */
33 public function auth()
34 {
35 /* Perform logout to custom URL */
36 if (! empty($_REQUEST['old_usr'])
37 && ! empty($GLOBALS['cfg']['Server']['LogoutURL'])
38 ) {
39 PMA_sendHeaderLocation($GLOBALS['cfg']['Server']['LogoutURL']);
40 exit;
41 }
42
43 if (empty($GLOBALS['cfg']['Server']['auth_http_realm'])) {
44 if (empty($GLOBALS['cfg']['Server']['verbose'])) {
45 $server_message = $GLOBALS['cfg']['Server']['host'];
46 } else {
47 $server_message = $GLOBALS['cfg']['Server']['verbose'];
48 }
49 $realm_message = 'phpMyAdmin ' . $server_message;
50 } else {
51 $realm_message = $GLOBALS['cfg']['Server']['auth_http_realm'];
52 }
53 // remove non US-ASCII to respect RFC2616
54 $realm_message = preg_replace('/[^\x20-\x7e]/i', '', $realm_message);
55 header('WWW-Authenticate: Basic realm="' . $realm_message . '"');
56 header('HTTP/1.0 401 Unauthorized');
57 if (php_sapi_name() !== 'cgi-fcgi') {
58 header('status: 401 Unauthorized');
59 }
60
61 /* HTML header */
62 $response = PMA_Response::getInstance();
63 $response->getFooter()->setMinimal();
64 $header = $response->getHeader();
65 $header->setTitle(__('Access denied'));
66 $header->disableMenu();
67 $header->setBodyId('loginform');
68
69 $response->addHTML('<h1>');
70 $response->addHTML(sprintf(__('Welcome to %s'), ' phpMyAdmin'));
71 $response->addHTML('</h1>');
72 $response->addHTML('<h3>');
73 $response->addHTML(
74 PMA_Message::error(
75 __('Wrong username/password. Access denied.')
76 )
77 );
78 $response->addHTML('</h3>');
79
80 if (file_exists(CUSTOM_FOOTER_FILE)) {
81 include CUSTOM_FOOTER_FILE;
82 }
83
84 exit;
85 }
86
87 /**
88 * Gets advanced authentication settings
89 *
90 * @global string the username if register_globals is on
91 * @global string the password if register_globals is on
92 * @global array the array of server variables if register_globals is
93 * off
94 * @global array the array of environment variables if register_globals
95 * is off
96 * @global string the username for the ? server
97 * @global string the password for the ? server
98 * @global string the username for the WebSite Professional server
99 * @global string the password for the WebSite Professional server
100 * @global string the username of the user who logs out
101 *
102 * @return boolean whether we get authentication settings or not
103 */
104 public function authCheck()
105 {
106 global $PHP_AUTH_USER, $PHP_AUTH_PW;
107
108 // Grabs the $PHP_AUTH_USER variable whatever are the values of the
109 // 'register_globals' and the 'variables_order' directives
110 if (empty($PHP_AUTH_USER)) {
111 if (PMA_getenv('PHP_AUTH_USER')) {
112 $PHP_AUTH_USER = PMA_getenv('PHP_AUTH_USER');
113 } elseif (PMA_getenv('REMOTE_USER')) {
114 // CGI, might be encoded, see below
115 $PHP_AUTH_USER = PMA_getenv('REMOTE_USER');
116 } elseif (PMA_getenv('REDIRECT_REMOTE_USER')) {
117 // CGI, might be encoded, see below
118 $PHP_AUTH_USER = PMA_getenv('REDIRECT_REMOTE_USER');
119 } elseif (PMA_getenv('AUTH_USER')) {
120 // WebSite Professional
121 $PHP_AUTH_USER = PMA_getenv('AUTH_USER');
122 } elseif (PMA_getenv('HTTP_AUTHORIZATION')
123 && false === strpos(PMA_getenv('HTTP_AUTHORIZATION'), '<')
124 ) {
125 // IIS, might be encoded, see below; also prevent XSS
126 $PHP_AUTH_USER = PMA_getenv('HTTP_AUTHORIZATION');
127 } elseif (PMA_getenv('Authorization')) {
128 // FastCGI, might be encoded, see below
129 $PHP_AUTH_USER = PMA_getenv('Authorization');
130 }
131 }
132 // Grabs the $PHP_AUTH_PW variable whatever are the values of the
133 // 'register_globals' and the 'variables_order' directives
134 if (empty($PHP_AUTH_PW)) {
135 if (PMA_getenv('PHP_AUTH_PW')) {
136 $PHP_AUTH_PW = PMA_getenv('PHP_AUTH_PW');
137 } elseif (PMA_getenv('REMOTE_PASSWORD')) {
138 // Apache/CGI
139 $PHP_AUTH_PW = PMA_getenv('REMOTE_PASSWORD');
140 } elseif (PMA_getenv('AUTH_PASSWORD')) {
141 // WebSite Professional
142 $PHP_AUTH_PW = PMA_getenv('AUTH_PASSWORD');
143 }
144 }
145
146 // Decode possibly encoded information (used by IIS/CGI/FastCGI)
147 // (do not use explode() because a user might have a colon in his password
148 if (strcmp(substr($PHP_AUTH_USER, 0, 6), 'Basic ') == 0) {
149 $usr_pass = base64_decode(substr($PHP_AUTH_USER, 6));
150 if (! empty($usr_pass)) {
151 $colon = strpos($usr_pass, ':');
152 if ($colon) {
153 $PHP_AUTH_USER = substr($usr_pass, 0, $colon);
154 $PHP_AUTH_PW = substr($usr_pass, $colon + 1);
155 }
156 unset($colon);
157 }
158 unset($usr_pass);
159 }
160
161 // User logged out -> ensure the new username is not the same
162 $old_usr = isset($_REQUEST['old_usr']) ? $_REQUEST['old_usr'] : '';
163 if (! empty($old_usr)
164 && (isset($PHP_AUTH_USER) && $old_usr == $PHP_AUTH_USER)
165 ) {
166 $PHP_AUTH_USER = '';
167 // -> delete user's choices that were stored in session
168 session_destroy();
169 }
170
171 // Returns whether we get authentication settings or not
172 if (empty($PHP_AUTH_USER)) {
173 return false;
174 } else {
175 return true;
176 }
177 }
178
179 /**
180 * Set the user and password after last checkings if required
181 *
182 * @global array the valid servers settings
183 * @global integer the id of the current server
184 * @global array the current server settings
185 * @global string the current username
186 * @global string the current password
187 *
188 * @return boolean always true
189 */
190 public function authSetUser()
191 {
192 global $cfg, $server;
193 global $PHP_AUTH_USER, $PHP_AUTH_PW;
194
195 // Ensures valid authentication mode, 'only_db', bookmark database and
196 // table names and relation table name are used
197 if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
198 $servers_cnt = count($cfg['Servers']);
199 for ($i = 1; $i <= $servers_cnt; $i++) {
200 if (isset($cfg['Servers'][$i])
201 && ($cfg['Servers'][$i]['host'] == $cfg['Server']['host']
202 && $cfg['Servers'][$i]['user'] == $PHP_AUTH_USER)
203 ) {
204 $server = $i;
205 $cfg['Server'] = $cfg['Servers'][$i];
206 break;
207 }
208 } // end for
209 } // end if
210
211 $cfg['Server']['user'] = $PHP_AUTH_USER;
212 $cfg['Server']['password'] = $PHP_AUTH_PW;
213
214 // Avoid showing the password in phpinfo()'s output
215 unset($GLOBALS['PHP_AUTH_PW']);
216 unset($_SERVER['PHP_AUTH_PW']);
217
218 return true;
219 }
220
221 /**
222 * User is not allowed to login to MySQL -> authentication failed
223 *
224 * @return boolean always true (no return indeed)
225 */
226 public function authFails()
227 {
228 $error = PMA_DBI_getError();
229 if ($error && $GLOBALS['errno'] != 1045) {
230 PMA_fatalError($error);
231 } else {
232 $this->auth();
233 return true;
234 }
235 }
236
237 /**
238 * This method is called when any PluginManager to which the observer
239 * is attached calls PluginManager::notify()
240 *
241 * @param SplSubject $subject The PluginManager notifying the observer
242 * of an update.
243 *
244 * @return void
245 */
246 public function update (SplSubject $subject)
247 {
248 }
249 }
Mirror of official OpenEMR Sourceforge repository