search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
added japanese language
[openemr.git] / phpmyadmin / libraries / config / ServerConfigChecks.class.php
blob8872bf6ad5c64a26ab18349067baf6fbfc874d22
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * Server config checks management
5 *
6 * @package PhpMyAdmin
7 */
8
9 /**
10 * Performs various compatibility, security and consistency checks on current config
11 *
12 * Outputs results to message list, must be called between PMA_messagesBegin()
13 * and PMA_messagesEnd()
14 *
15 * @package PhpMyAdmin
16 */
17 class ServerConfigChecks
18 {
19 /**
20 * @var ConfigFile configurations being checked
21 */
22 protected $cfg;
23
24 /**
25 * Constructor.
26 *
27 * @param ConfigFile $cfg Configuration
28 */
29 public function __construct(ConfigFile $cfg)
30 {
31 $this->cfg = $cfg;
32 }
33
34 /**
35 * Perform config checks
36 *
37 * @return void
38 */
39 public function performConfigChecks()
40 {
41 $blowfishSecret = $this->cfg->get('blowfish_secret');
42 $blowfishSecretSet = false;
43 $cookieAuthUsed = false;
44
45 list(
46 $sAllowArbitraryServerWarn, $sBlowfishSecretMsg,
47 $sBZipDumpWarn, $sDirectoryNotice, $sForceSSLNotice,
48 $sGZipDumpWarn, $sLoginCookieValidityWarn,
49 $sLoginCookieValidityWarn2, $sLoginCookieValidityWarn3,
50 $sSecurityInfoMsg, $sSrvAuthCfgMsg, $sZipDumpExportWarn,
51 $sZipDumpImportWarn
52 ) = self::defineMessages();
53
54 list($cookieAuthUsed, $blowfishSecret, $blowfishSecretSet)
55 = $this->performConfigChecksServers(
56 $cookieAuthUsed, $blowfishSecret, $sSrvAuthCfgMsg,
57 $sSecurityInfoMsg, $blowfishSecretSet
58 );
59
60 $this->performConfigChecksCookieAuthUsed(
61 $cookieAuthUsed, $blowfishSecretSet, $sBlowfishSecretMsg,
62 $blowfishSecret
63 );
64
65 //
66 // $cfg['ForceSSL']
67 // should be enabled if possible
68 //
69 if (!$this->cfg->getValue('ForceSSL')) {
70 PMA_messagesSet(
71 'notice',
72 'ForceSSL',
73 PMA_lang(PMA_langName('ForceSSL')),
74 PMA_lang($sForceSSLNotice)
75 );
76 }
77
78 //
79 // $cfg['AllowArbitraryServer']
80 // should be disabled
81 //
82 if ($this->cfg->getValue('AllowArbitraryServer')) {
83 PMA_messagesSet(
84 'notice',
85 'AllowArbitraryServer',
86 PMA_lang(PMA_langName('AllowArbitraryServer')),
87 PMA_lang($sAllowArbitraryServerWarn)
88 );
89 }
90
91 $this->performConfigChecksLoginCookie(
92 $sLoginCookieValidityWarn, $sLoginCookieValidityWarn2,
93 $sLoginCookieValidityWarn3
94 );
95
96 //
97 // $cfg['SaveDir']
98 // should not be world-accessible
99 //
100 if ($this->cfg->getValue('SaveDir') != '') {
101 PMA_messagesSet(
102 'notice',
103 'SaveDir',
104 PMA_lang(PMA_langName('SaveDir')),
105 PMA_lang($sDirectoryNotice)
106 );
107 }
108
109 //
110 // $cfg['TempDir']
111 // should not be world-accessible
112 //
113 if ($this->cfg->getValue('TempDir') != '') {
114 PMA_messagesSet(
115 'notice',
116 'TempDir',
117 PMA_lang(PMA_langName('TempDir')),
118 PMA_lang($sDirectoryNotice)
119 );
120 }
121
122 $this->performConfigChecksZips(
123 $sGZipDumpWarn, $sBZipDumpWarn, $sZipDumpImportWarn,
124 $sZipDumpExportWarn
125 );
126 }
127
128 /**
129 * Check config of servers
130 *
131 * @param boolean $cookieAuthUsed Cookie auth is used
132 * @param string $blowfishSecret Blowfish secret
133 * @param string $sServerAuthCfgMsg Message for server auth config
134 * @param string $sSecurityInfoMsg Message for security information
135 * @param boolean $blowfishSecretSet Blowfish secret set
136 *
137 * @return array
138 */
139 protected function performConfigChecksServers(
140 $cookieAuthUsed, $blowfishSecret, $sServerAuthCfgMsg,
141 $sSecurityInfoMsg, $blowfishSecretSet
142 ) {
143 $serverCnt = $this->cfg->getServerCount();
144 for ($i = 1; $i <= $serverCnt; $i++) {
145 $cookieAuthServer
146 = ($this->cfg->getValue("Servers/$i/auth_type") == 'cookie');
147 $cookieAuthUsed |= $cookieAuthServer;
148 $serverName = $this->performConfigChecksServersGetServerName(
149 $this->cfg->getServerName($i), $i
150 );
151 $serverName = htmlspecialchars($serverName);
152
153 list($blowfishSecret, $blowfishSecretSet)
154 = $this->performConfigChecksServersSetBlowfishSecret(
155 $blowfishSecret, $cookieAuthServer, $blowfishSecretSet
156 );
157
158 //
159 // $cfg['Servers'][$i]['ssl']
160 // should be enabled if possible
161 //
162 if (!$this->cfg->getValue("Servers/$i/ssl")) {
163 $title = PMA_lang(PMA_langName('Servers/1/ssl')) . " ($serverName)";
164 PMA_messagesSet(
165 'notice',
166 "Servers/$i/ssl",
167 $title,
168 __('You should use SSL connections if your database server supports it.')
169 );
170 }
171
172 //
173 // $cfg['Servers'][$i]['auth_type']
174 // warn about full user credentials if 'auth_type' is 'config'
175 //
176 if ($this->cfg->getValue("Servers/$i/auth_type") == 'config'
177 && $this->cfg->getValue("Servers/$i/user") != ''
178 && $this->cfg->getValue("Servers/$i/password") != ''
179 ) {
180 $title = PMA_lang(PMA_langName('Servers/1/auth_type'))
181 . " ($serverName)";
182 PMA_messagesSet(
183 'notice',
184 "Servers/$i/auth_type",
185 $title,
186 PMA_lang($sServerAuthCfgMsg, $i) . ' '
187 . PMA_lang($sSecurityInfoMsg, $i)
188 );
189 }
190
191 //
192 // $cfg['Servers'][$i]['AllowRoot']
193 // $cfg['Servers'][$i]['AllowNoPassword']
194 // serious security flaw
195 //
196 if ($this->cfg->getValue("Servers/$i/AllowRoot")
197 && $this->cfg->getValue("Servers/$i/AllowNoPassword")
198 ) {
199 $title = PMA_lang(PMA_langName('Servers/1/AllowNoPassword'))
200 . " ($serverName)";
201 PMA_messagesSet(
202 'notice',
203 "Servers/$i/AllowNoPassword",
204 $title,
205 __('You allow for connecting to the server without a password.') . ' '
206 . PMA_lang($sSecurityInfoMsg, $i)
207 );
208 }
209 }
210 return array($cookieAuthUsed, $blowfishSecret, $blowfishSecretSet);
211 }
212
213 /**
214 * Set blowfish secret
215 *
216 * @param string $blowfishSecret Blowfish secret
217 * @param boolean $cookieAuthServer Cookie auth is used
218 * @param boolean $blowfishSecretSet Blowfish secret set
219 *
220 * @return array
221 */
222 protected function performConfigChecksServersSetBlowfishSecret(
223 $blowfishSecret, $cookieAuthServer, $blowfishSecretSet
224 ) {
225 if ($cookieAuthServer && $blowfishSecret === null) {
226 $blowfishSecret = uniqid('', true);
227 $blowfishSecretSet = true;
228 $this->cfg->set('blowfish_secret', $blowfishSecret);
229 return array($blowfishSecret, $blowfishSecretSet);
230 }
231 return array($blowfishSecret, $blowfishSecretSet);
232 }
233
234 /**
235 * Define server name
236 *
237 * @param string $serverName Server name
238 * @param int $serverId Server id
239 *
240 * @return string Server name
241 */
242 protected function performConfigChecksServersGetServerName(
243 $serverName, $serverId
244 ) {
245 if ($serverName == 'localhost') {
246 $serverName .= " [$serverId]";
247 return $serverName;
248 }
249 return $serverName;
250 }
251
252 /**
253 * Perform config checks for zip part.
254 *
255 * @param string $sGZipDumpWarning Gzip dump warning
256 * @param string $sBZipDumpWarning Bzip dump warning
257 * @param string $sZipDumpImportWarn Zip dump import warning
258 * @param string $sZipDumpExportWarn Zip dump export warning
259 *
260 * @return void
261 */
262 protected function performConfigChecksZips(
263 $sGZipDumpWarning, $sBZipDumpWarning, $sZipDumpImportWarn,
264 $sZipDumpExportWarn
265 ) {
266 $this->performConfigChecksServerGZipdump($sGZipDumpWarning);
267 $this->performConfigChecksServerBZipdump($sBZipDumpWarning);
268 $this->performConfigChecksServersZipdump(
269 $sZipDumpImportWarn, $sZipDumpExportWarn
270 );
271 }
272
273 /**
274 * Perform config checks for zip part.
275 *
276 * @param string $sZipDumpImportWarn Zip dump import warning
277 * @param string $sZipDumpExportWarn Zip dump export warning
278 *
279 * @return void
280 */
281 protected function performConfigChecksServersZipdump(
282 $sZipDumpImportWarn, $sZipDumpExportWarn
283 ) {
284 //
285 // $cfg['ZipDump']
286 // requires zip_open in import
287 //
288 if ($this->cfg->getValue('ZipDump') && !@function_exists('zip_open')) {
289 PMA_messagesSet(
290 'error',
291 'ZipDump_import',
292 PMA_lang(PMA_langName('ZipDump')),
293 PMA_lang($sZipDumpImportWarn, 'zip_open')
294 );
295 }
296
297 //
298 // $cfg['ZipDump']
299 // requires gzcompress in export
300 //
301 if ($this->cfg->getValue('ZipDump') && !@function_exists('gzcompress')) {
302 PMA_messagesSet(
303 'error',
304 'ZipDump_export',
305 PMA_lang(PMA_langName('ZipDump')),
306 PMA_lang($sZipDumpExportWarn, 'gzcompress')
307 );
308 }
309 }
310
311 /**
312 * Check config of servers
313 *
314 * @param boolean $cookieAuthUsed Cookie auth is used
315 * @param boolean $blowfishSecretSet Blowfish secret set
316 * @param string $sBlowfishSecretMsg Blowfish secret message
317 * @param string $blowfishSecret Blowfish secret
318 *
319 * @return array
320 */
321 protected function performConfigChecksCookieAuthUsed(
322 $cookieAuthUsed, $blowfishSecretSet, $sBlowfishSecretMsg,
323 $blowfishSecret
324 ) {
325 //
326 // $cfg['blowfish_secret']
327 // it's required for 'cookie' authentication
328 //
329 if ($cookieAuthUsed) {
330 if ($blowfishSecretSet) {
331 // 'cookie' auth used, blowfish_secret was generated
332 PMA_messagesSet(
333 'notice',
334 'blowfish_secret_created',
335 PMA_lang(PMA_langName('blowfish_secret')),
336 PMA_lang($sBlowfishSecretMsg)
337 );
338 } else {
339 $blowfishWarnings = array();
340 // check length
341 if (strlen($blowfishSecret) < 8) {
342 // too short key
343 $blowfishWarnings[] = __('Key is too short, it should have at least 8 characters.');
344 }
345 // check used characters
346 $hasDigits = (bool)preg_match('/\d/', $blowfishSecret);
347 $hasChars = (bool)preg_match('/\S/', $blowfishSecret);
348 $hasNonword = (bool)preg_match('/\W/', $blowfishSecret);
349 if (!$hasDigits || !$hasChars || !$hasNonword) {
350 $blowfishWarnings[] = PMA_lang(__('Key should contain letters, numbers [em]and[/em] special characters.'));
351 }
352 if (!empty($blowfishWarnings)) {
353 PMA_messagesSet(
354 'error',
355 'blowfish_warnings' . count($blowfishWarnings),
356 PMA_lang(PMA_langName('blowfish_secret')),
357 implode('<br />', $blowfishWarnings)
358 );
359 }
360 }
361 }
362 }
363
364 /**
365 * Define all messages
366 *
367 * @return array
368 */
369 protected static function defineMessages()
370 {
371 $sAllowArbitraryServerWarn = __('This %soption%s should be disabled as it allows attackers to bruteforce login to any MySQL server. If you feel this is necessary, use %strusted proxies list%s. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.');
372 $sAllowArbitraryServerWarn = sprintf(
373 $sAllowArbitraryServerWarn,
374 '[a@?page=form&amp;formset=Features#tab_Security]',
375 '[/a]', '[a@?page=form&amp;formset=Features#tab_Security]',
376 '[/a]'
377 );
378 $sBlowfishSecretMsg = __('You didn\'t have blowfish secret set and have enabled [kbd]cookie[/kbd] authentication, so a key was automatically generated for you. It is used to encrypt cookies; you don\'t need to remember it.');
379 $sBZipDumpWarning = __('%sBzip2 compression and decompression%s requires functions (%s) which are unavailable on this system.');
380 $sBZipDumpWarning = sprintf(
381 $sBZipDumpWarning,
382 '[a@?page=form&amp;formset=Features#tab_Import_export]',
383 '[/a]', '%s'
384 );
385 $sDirectoryNotice = __('This value should be double checked to ensure that this directory is neither world accessible nor readable or writable by other users on your server.');
386 $sForceSSLNotice = __('This %soption%s should be enabled if your web server supports it.');
387 $sForceSSLNotice = sprintf(
388 $sForceSSLNotice,
389 '[a@?page=form&amp;formset=Features#tab_Security]',
390 '[/a]'
391 );
392 $sGZipDumpWarning = __('%sGZip compression and decompression%s requires functions (%s) which are unavailable on this system.');
393 $sGZipDumpWarning = sprintf(
394 $sGZipDumpWarning,
395 '[a@?page=form&amp;formset=Features#tab_Import_export]',
396 '[/a]',
397 '%s'
398 );
399 $sLoginCookieValidityWarn = __('%sLogin cookie validity%s greater than %ssession.gc_maxlifetime%s may cause random session invalidation (currently session.gc_maxlifetime is %d).');
400 $sLoginCookieValidityWarn = sprintf(
401 $sLoginCookieValidityWarn,
402 '[a@?page=form&amp;formset=Features#tab_Security]',
403 '[/a]',
404 '[a@' . PMA_getPHPDocLink(
405 'session.configuration.php#ini.session.gc-maxlifetime'
406 ) . ']',
407 '[/a]',
408 ini_get('session.gc_maxlifetime')
409 );
410 $sLoginCookieValidityWarn2 = __('%sLogin cookie validity%s should be set to 1800 seconds (30 minutes) at most. Values larger than 1800 may pose a security risk such as impersonation.');
411 $sLoginCookieValidityWarn2 = sprintf(
412 $sLoginCookieValidityWarn2,
413 '[a@?page=form&amp;formset=Features#tab_Security]',
414 '[/a]'
415 );
416 $sLoginCookieValidityWarn3 = __('If using [kbd]cookie[/kbd] authentication and %sLogin cookie store%s is not 0, %sLogin cookie validity%s must be set to a value less or equal to it.');
417 $sLoginCookieValidityWarn3 = sprintf(
418 $sLoginCookieValidityWarn3,
419 '[a@?page=form&amp;formset=Features#tab_Security]',
420 '[/a]', '[a@?page=form&amp;formset=Features#tab_Security]',
421 '[/a]'
422 );
423 $sSecurityInfoMsg = __('If you feel this is necessary, use additional protection settings - %shost authentication%s settings and %strusted proxies list%s. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.');
424 $sSecurityInfoMsg = sprintf(
425 $sSecurityInfoMsg,
426 '[a@?page=servers&amp;mode=edit&amp;id=%1$d#tab_Server_config]',
427 '[/a]',
428 '[a@?page=form&amp;formset=Features#tab_Security]',
429 '[/a]'
430 );
431 $sServerAuthConfigMsg = __('You set the [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows or guesses your phpMyAdmin URL can directly access your phpMyAdmin panel. Set %sauthentication type%s to [kbd]cookie[/kbd] or [kbd]http[/kbd].');
432 $sServerAuthConfigMsg = sprintf(
433 $sServerAuthConfigMsg,
434 '[a@?page=servers&amp;mode=edit&amp;id=%1$d#tab_Server]',
435 '[/a]'
436 );
437 $sZipDumpExportWarn = __('%sZip compression%s requires functions (%s) which are unavailable on this system.');
438 $sZipDumpExportWarn = sprintf(
439 $sZipDumpExportWarn,
440 '[a@?page=form&amp;formset=Features#tab_Import_export]',
441 '[/a]',
442 '%s'
443 );
444 $sZipDumpImportWarn = __('%sZip decompression%s requires functions (%s) which are unavailable on this system.');
445 $sZipDumpImportWarn = sprintf(
446 $sZipDumpImportWarn,
447 '[a@?page=form&amp;formset=Features#tab_Import_export]',
448 '[/a]',
449 '%s'
450 );
451 return array(
452 $sAllowArbitraryServerWarn, $sBlowfishSecretMsg, $sBZipDumpWarning,
453 $sDirectoryNotice, $sForceSSLNotice, $sGZipDumpWarning,
454 $sLoginCookieValidityWarn, $sLoginCookieValidityWarn2,
455 $sLoginCookieValidityWarn3, $sSecurityInfoMsg, $sServerAuthConfigMsg,
456 $sZipDumpExportWarn, $sZipDumpImportWarn
457 );
458 }
459
460 /**
461 * Check configuration for login cookie
462 *
463 * @param string $sLoginCookieValidityWarn Warning 1 for login cookie validity
464 * @param string $sLoginCookieValidityWarn2 Warning 2 for login cookie validity
465 * @param string $sLoginCookieValidityWarn3 Warning 3 for login cookie validity
466 *
467 * @return void
468 */
469 protected function performConfigChecksLoginCookie(
470 $sLoginCookieValidityWarn, $sLoginCookieValidityWarn2,
471 $sLoginCookieValidityWarn3
472 ) {
473 //
474 // $cfg['LoginCookieValidity']
475 // value greater than session.gc_maxlifetime will cause
476 // random session invalidation after that time
477 $loginCookieValidity = $this->cfg->getValue('LoginCookieValidity');
478 if ($loginCookieValidity > ini_get('session.gc_maxlifetime')
479 ) {
480 PMA_messagesSet(
481 'error',
482 'LoginCookieValidity',
483 PMA_lang(PMA_langName('LoginCookieValidity')),
484 PMA_lang($sLoginCookieValidityWarn)
485 );
486 }
487
488 //
489 // $cfg['LoginCookieValidity']
490 // should be at most 1800 (30 min)
491 //
492 if ($loginCookieValidity > 1800) {
493 PMA_messagesSet(
494 'notice',
495 'LoginCookieValidity',
496 PMA_lang(PMA_langName('LoginCookieValidity')),
497 PMA_lang($sLoginCookieValidityWarn2)
498 );
499 }
500
501 //
502 // $cfg['LoginCookieValidity']
503 // $cfg['LoginCookieStore']
504 // LoginCookieValidity must be less or equal to LoginCookieStore
505 //
506 if (($this->cfg->getValue('LoginCookieStore') != 0)
507 && ($loginCookieValidity > $this->cfg->getValue('LoginCookieStore'))
508 ) {
509 PMA_messagesSet(
510 'error',
511 'LoginCookieValidity',
512 PMA_lang(PMA_langName('LoginCookieValidity')),
513 PMA_lang($sLoginCookieValidityWarn3)
514 );
515 }
516 }
517
518 /**
519 * Check GZipDump configuration
520 *
521 * @param string $sBZipDumpWarn Warning for BZipDumpWarning
522 *
523 * @return void
524 */
525 protected function performConfigChecksServerBZipdump($sBZipDumpWarn)
526 {
527 //
528 // $cfg['BZipDump']
529 // requires bzip2 functions
530 //
531 if ($this->cfg->getValue('BZipDump')
532 && (!@function_exists('bzopen') || !@function_exists('bzcompress'))
533 ) {
534 $functions = @function_exists('bzopen')
535 ? '' :
536 'bzopen';
537 $functions .= @function_exists('bzcompress')
538 ? ''
539 : ($functions ? ', ' : '') . 'bzcompress';
540 PMA_messagesSet(
541 'error',
542 'BZipDump',
543 PMA_lang(PMA_langName('BZipDump')),
544 PMA_lang($sBZipDumpWarn, $functions)
545 );
546 }
547 }
548
549 /**
550 * Check GZipDump configuration
551 *
552 * @param string $sGZipDumpWarn Warning for GZipDumpWarning
553 *
554 * @return void
555 */
556 protected function performConfigChecksServerGZipdump($sGZipDumpWarn)
557 {
558 //
559 // $cfg['GZipDump']
560 // requires zlib functions
561 //
562 if ($this->cfg->getValue('GZipDump')
563 && (@!function_exists('gzopen') || @!function_exists('gzencode'))
564 ) {
565 PMA_messagesSet(
566 'error',
567 'GZipDump',
568 PMA_lang(PMA_langName('GZipDump')),
569 PMA_lang($sGZipDumpWarn, 'gzencode')
570 );
571 }
572 }
573 }
Mirror of official OpenEMR Sourceforge repository