search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'master' of ssh://phpmyadmin.git.sourceforge.net/gitroot/phpmyadmin...
[phpmyadmin-themes.git] / setup / lib / index.lib.php
bloba90bc3d110b453b20c674e6d2c1ef09d91d6ffa2
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * Various checks and message functions used on index page.
5 *
6 * Security checks are the idea of Aung Khant <aungkhant[at]yehg.net>, http://yehg.net/lab
7 * Version check taken from the old setup script by Michal Čihař <michal@cihar.com>
8 *
9 * @package phpMyAdmin-setup
10 */
11
12 if (!defined('PHPMYADMIN')) {
13 exit;
14 }
15
16 /**
17 * Initializes message list
18 */
19 function messages_begin()
20 {
21 if (!isset($_SESSION['messages']) || !is_array($_SESSION['messages'])) {
22 $_SESSION['messages'] = array('error' => array(), 'warning' => array(), 'notice' => array());
23 } else {
24 // reset message states
25 foreach ($_SESSION['messages'] as &$messages) {
26 foreach ($messages as &$msg) {
27 $msg['fresh'] = false;
28 $msg['active'] = false;
29 }
30 }
31 }
32 }
33
34 /**
35 * Adds a new message to message list
36 *
37 * @param string $id unique message identifier
38 * @param string $type one of: notice, warning, error
39 * @param string $title language string id (in $str array)
40 * @param string $message message text
41 */
42 function messages_set($type, $id, $title, $message)
43 {
44 $fresh = !isset($_SESSION['messages'][$type][$id]);
45 $_SESSION['messages'][$type][$id] = array(
46 'fresh' => $fresh,
47 'active' => true,
48 'title' => $title,
49 'message' => $message);
50 }
51
52 /**
53 * Cleans up message list
54 */
55 function messages_end()
56 {
57 foreach ($_SESSION['messages'] as &$messages) {
58 $remove_ids = array();
59 foreach ($messages as $id => &$msg) {
60 if ($msg['active'] == false) {
61 $remove_ids[] = $id;
62 }
63 }
64 foreach ($remove_ids as $id) {
65 unset($messages[$id]);
66 }
67 }
68 }
69
70 /**
71 * Prints message list, must be called after messages_end()
72 */
73 function messages_show_html()
74 {
75 $old_ids = array();
76 foreach ($_SESSION['messages'] as $type => $messages) {
77 foreach ($messages as $id => $msg) {
78 echo '<div class="' . $type . '" id="' . $id . '">' . '<h4>' . $msg['title'] . '</h4>' . $msg['message'] . '</div>';
79 if (!$msg['fresh'] && $type != 'error') {
80 $old_ids[] = $id;
81 }
82 }
83 }
84
85 echo "\n" . '<script type="text/javascript">';
86 foreach ($old_ids as $id) {
87 echo "\nhiddenMessages.push('$id');";
88 }
89 echo "\n</script>\n";
90 }
91
92 /**
93 * Checks for newest phpMyAdmin version and sets result as a new notice
94 */
95 function PMA_version_check()
96 {
97 // version check messages should always be visible so let's make
98 // a unique message id each time we run it
99 $message_id = uniqid('version_check');
100 // wait 3s at most for server response, it's enough to get information
101 // from a working server
102 $connection_timeout = 3;
103
104 $url = 'http://phpmyadmin.net/home_page/version.php';
105 $context = stream_context_create(array(
106 'http' => array(
107 'timeout' => $connection_timeout)));
108 $data = @file_get_contents($url, null, $context);
109 if ($data === false) {
110 if (function_exists('curl_init')) {
111 $ch = curl_init($url);
112 curl_setopt($ch, CURLOPT_HEADER, false);
113 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
114 curl_setopt($ch, CURLOPT_TIMEOUT, $connection_timeout);
115 $data = curl_exec($ch);
116 curl_close($ch);
117 } else {
118 messages_set('error', $message_id, __('Version check'),
119 __('Neither URL wrapper nor CURL is available. Version check is not possible.'));
120 return;
121 }
122 }
123
124 if (empty($data)) {
125 messages_set('error', $message_id, __('Version check'),
126 __('Reading of version failed. Maybe you\'re offline or the upgrade server does not respond.'));
127 return;
128 }
129
130 /* Format: version\ndate\n(download\n)* */
131 $data_list = explode("\n", $data);
132
133 if (count($data_list) > 1) {
134 $version = $data_list[0];
135 $date = $data_list[1];
136 } else {
137 $version = $date = '';
138 }
139
140 $version_upstream = version_to_int($version);
141 if ($version_upstream === false) {
142 messages_set('error', $message_id, __('Version check'),
143 __('Got invalid version string from server'));
144 return;
145 }
146
147 $version_local = version_to_int($GLOBALS['PMA_Config']->get('PMA_VERSION'));
148 if ($version_local === false) {
149 messages_set('error', $message_id, __('Version check'),
150 __('Unparsable version string'));
151 return;
152 }
153
154 if ($version_upstream > $version_local) {
155 $version = htmlspecialchars($version);
156 $date = htmlspecialchars($date);
157 messages_set('notice', $message_id, __('Version check'),
158 sprintf(__('A newer version of phpMyAdmin is available and you should consider upgrading. The newest version is %s, released on %s.'), $version, $date));
159 } else {
160 if ($version_local % 100 == 0) {
161 messages_set('notice', $message_id, __('Version check'),
162 PMA_sanitize(sprintf(__('You are using Git version, run [kbd]git pull[/kbd] :-)[br]The latest stable version is %s, released on %s.'), $version, $date)));
163 } else {
164 messages_set('notice', $message_id, __('Version check'),
165 __('No newer stable version is available'));
166 }
167 }
168 }
169
170 /**
171 * Calculates numerical equivalent of phpMyAdmin version string
172 *
173 * @param string version
174 * @return mixed false on failure, integer on success
175 */
176 function version_to_int($version)
177 {
178 $matches = array();
179 if (!preg_match('/^(\d+)\.(\d+)\.(\d+)((\.|-(pl|rc|dev|beta|alpha))(\d+)?)?$/', $version, $matches)) {
180 return false;
181 }
182 if (!empty($matches[6])) {
183 switch ($matches[6]) {
184 case 'pl':
185 $added = 60;
186 break;
187 case 'rc':
188 $added = 30;
189 break;
190 case 'beta':
191 $added = 20;
192 break;
193 case 'alpha':
194 $added = 10;
195 break;
196 case 'dev':
197 $added = 0;
198 break;
199 default:
200 messages_set('notice', 'version_match', __('Version check'),
201 'Unknown version part: ' . htmlspecialchars($matches[6]));
202 $added = 0;
203 break;
204 }
205 } else {
206 $added = 50; // for final
207 }
208 if (!empty($matches[7])) {
209 $added = $added + $matches[7];
210 }
211 return $matches[1] * 1000000 + $matches[2] * 10000 + $matches[3] * 100 + $added;
212 }
213
214 /**
215 * Checks whether config file is readable/writable
216 *
217 * @param bool &$is_readable
218 * @param bool &$is_writable
219 * @param bool &$file_exists
220 */
221 function check_config_rw(&$is_readable, &$is_writable, &$file_exists)
222 {
223 $file_path = ConfigFile::getInstance()->getFilePath();
224 $file_dir = dirname($file_path);
225 $is_readable = true;
226 $is_writable = is_dir($file_dir);
227 if (SETUP_DIR_WRITABLE) {
228 $is_writable = $is_writable && is_writable($file_dir);
229 }
230 $file_exists = file_exists($file_path);
231 if ($file_exists) {
232 $is_readable = is_readable($file_path);
233 $is_writable = $is_writable && is_writable($file_path);
234 }
235 }
236
237 /**
238 * Performs various compatibility, security and consistency checks on current config
239 *
240 * Outputs results to message list, must be called between messages_begin()
241 * and messages_end()
242 */
243 function perform_config_checks()
244 {
245 $cf = ConfigFile::getInstance();
246 $blowfish_secret = $cf->get('blowfish_secret');
247 $blowfish_secret_set = false;
248 $cookie_auth_used = false;
249
250 $strAllowArbitraryServerWarning = __('This %soption%s should be disabled as it allows attackers to bruteforce login to any MySQL server. If you feel this is necessary, use %strusted proxies list%s. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.');
251 $strAllowArbitraryServerWarning = sprintf($strAllowArbitraryServerWarning, '[a@?page=form&amp;formset=Features#tab_Security]', '[/a]', '[a@?page=form&amp;formset=Features#tab_Security]', '[/a]');
252 $strBlowfishSecretMsg = __('You didn\'t have blowfish secret set and have enabled cookie authentication, so a key was automatically generated for you. It is used to encrypt cookies; you don\'t need to remember it.');
253 $strBZipDumpWarning = __('%sBzip2 compression and decompression%s requires functions (%s) which are unavailable on this system.');
254 $strBZipDumpWarning = sprintf($strBZipDumpWarning, '[a@?page=form&amp;formset=Features#tab_Import_export]', '[/a]', '%s');
255 $strDirectoryNotice = __('This value should be double checked to ensure that this directory is neither world accessible nor readable or writable by other users on your server.');
256 $strForceSSLNotice = __('This %soption%s should be enabled if your web server supports it.');
257 $strForceSSLNotice = sprintf($strForceSSLNotice, '[a@?page=form&amp;formset=Features#tab_Security]', '[/a]');
258 $strGZipDumpWarning = __('%sGZip compression and decompression%s requires functions (%s) which are unavailable on this system.');
259 $strGZipDumpWarning = sprintf($strGZipDumpWarning, '[a@?page=form&amp;formset=Features#tab_Import_export]', '[/a]', '%s');
260 $strLoginCookieValidityWarning = __('%sLogin cookie validity%s greater than 1440 seconds may cause random session invalidation if %ssession.gc_maxlifetime%s is lower than its value (currently %d).');
261 $strLoginCookieValidityWarning = sprintf($strLoginCookieValidityWarning, '[a@?page=form&amp;formset=Features#tab_Security]', '[/a]', '[a@' . PMA_getPHPDocLink('session.configuration.php#ini.session.gc-maxlifetime') . ']', '[/a]', ini_get('session.gc_maxlifetime'));
262 $strLoginCookieValidityWarning2 = __('%sLogin cookie validity%s should be set to 1800 seconds (30 minutes) at most. Values larger than 1800 may pose a security risk such as impersonation.');
263 $strLoginCookieValidityWarning2 = sprintf($strLoginCookieValidityWarning2, '[a@?page=form&amp;formset=Features#tab_Security]', '[/a]');
264 $strLoginCookieValidityWarning3 = __('If using cookie authentication and %sLogin cookie store%s is not 0, %sLogin cookie validity%s must be set to a value less or equal to it.');
265 $strLoginCookieValidityWarning3 = sprintf($strLoginCookieValidityWarning3, '[a@?page=form&amp;formset=Features#tab_Security]', '[/a]', '[a@?page=form&amp;formset=Features#tab_Security]', '[/a]');
266 $strSecurityInfoMsg = __('If you feel this is necessary, use additional protection settings - %shost authentication%s settings and %strusted proxies list%s. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.');
267 $strSecurityInfoMsg = sprintf($strSecurityInfoMsg, '[a@?page=servers&amp;mode=edit&amp;id=%1$d#tab_Server_config]', '[/a]', '[a@?page=form&amp;formset=Features#tab_Security]', '%s');
268 $strServerAuthConfigMsg = __('You set the [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows or guesses your phpMyAdmin URL can directly access your phpMyAdmin panel. Set %sauthentication type%s to [kbd]cookie[/kbd] or [kbd]http[/kbd].');
269 $strServerAuthConfigMsg = sprintf($strServerAuthConfigMsg, '[a@?page=servers&amp;mode=edit&amp;id=%1$d#tab_Server]', '[/a]');
270 $strZipDumpExportWarning = __('%sZip compression%s requires functions (%s) which are unavailable on this system.');
271 $strZipDumpExportWarning = sprintf($strZipDumpExportWarning, '[a@?page=form&amp;formset=Features#tab_Import_export]', '[/a]', '%s');
272 $strZipDumpImportWarning = __('%sZip decompression%s requires functions (%s) which are unavailable on this system.');
273 $strZipDumpImportWarning = sprintf($strZipDumpImportWarning, '[a@?page=form&amp;formset=Features#tab_Import_export]', '[/a]', '%s');
274
275 for ($i = 1, $server_cnt = $cf->getServerCount(); $i <= $server_cnt; $i++) {
276 $cookie_auth_server = ($cf->getValue("Servers/$i/auth_type") == 'cookie');
277 $cookie_auth_used |= $cookie_auth_server;
278 $server_name = $cf->getServerName($i);
279 if ($server_name == 'localhost') {
280 $server_name .= " [$i]";
281 }
282
283 if ($cookie_auth_server && $blowfish_secret === null) {
284 $blowfish_secret = uniqid('', true);
285 $blowfish_secret_set = true;
286 $cf->set('blowfish_secret', $blowfish_secret);
287 }
288
289 //
290 // $cfg['Servers'][$i]['ssl']
291 // should be enabled if possible
292 //
293 if (!$cf->getValue("Servers/$i/ssl")) {
294 $title = PMA_lang(PMA_lang_name('Servers/1/ssl')) . " ($server_name)";
295 messages_set('notice', "Servers/$i/ssl", $title,
296 __('You should use SSL connections if your web server supports it.'));
297 }
298
299 //
300 // $cfg['Servers'][$i]['extension']
301 // warn about using 'mysql'
302 //
303 if ($cf->getValue("Servers/$i/extension") == 'mysql') {
304 $title = PMA_lang(PMA_lang_name('Servers/1/extension')) . " ($server_name)";
305 messages_set('notice', "Servers/$i/extension", $title,
306 __('You should use mysqli for performance reasons.'));
307 }
308
309 //
310 // $cfg['Servers'][$i]['auth_type']
311 // warn about full user credentials if 'auth_type' is 'config'
312 //
313 if ($cf->getValue("Servers/$i/auth_type") == 'config'
314 && $cf->getValue("Servers/$i/user") != ''
315 && $cf->getValue("Servers/$i/password") != '') {
316 $title = PMA_lang(PMA_lang_name('Servers/1/auth_type')) . " ($server_name)";
317 messages_set('warning', "Servers/$i/auth_type", $title,
318 PMA_lang($strServerAuthConfigMsg, $i) . ' ' .
319 PMA_lang($strSecurityInfoMsg, $i));
320 }
321
322 //
323 // $cfg['Servers'][$i]['AllowRoot']
324 // $cfg['Servers'][$i]['AllowNoPassword']
325 // serious security flaw
326 //
327 if ($cf->getValue("Servers/$i/AllowRoot")
328 && $cf->getValue("Servers/$i/AllowNoPassword")) {
329 $title = PMA_lang(PMA_lang_name('Servers/1/AllowNoPassword')) . " ($server_name)";
330 messages_set('warning', "Servers/$i/AllowNoPassword", $title,
331 __('You allow for connecting to the server without a password.') . ' ' .
332 PMA_lang($strSecurityInfoMsg, $i));
333 }
334 }
335
336 //
337 // $cfg['blowfish_secret']
338 // it's required for 'cookie' authentication
339 //
340 if ($cookie_auth_used) {
341 if ($blowfish_secret_set) {
342 // 'cookie' auth used, blowfish_secret was generated
343 messages_set('notice', 'blowfish_secret_created',
344 PMA_lang(PMA_lang_name('blowfish_secret')),
345 $strBlowfishSecretMsg);
346 } else {
347 $blowfish_warnings = array();
348 // check length
349 if (strlen($blowfish_secret) < 8) {
350 // too short key
351 $blowfish_warnings[] = __('Key is too short, it should have at least 8 characters.');
352 }
353 // check used characters
354 $has_digits = (bool) preg_match('/\d/', $blowfish_secret);
355 $has_chars = (bool) preg_match('/\S/', $blowfish_secret);
356 $has_nonword = (bool) preg_match('/\W/', $blowfish_secret);
357 if (!$has_digits || !$has_chars || !$has_nonword) {
358 $blowfish_warnings[] = PMA_lang(__('Key should contain letters, numbers [em]and[/em] special characters.'));
359 }
360 if (!empty($blowfish_warnings)) {
361 messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings),
362 PMA_lang(PMA_lang_name('blowfish_secret')),
363 implode('<br />', $blowfish_warnings));
364 }
365 }
366 }
367
368 //
369 // $cfg['ForceSSL']
370 // should be enabled if possible
371 //
372 if (!$cf->getValue('ForceSSL')) {
373 messages_set('notice', 'ForceSSL',
374 PMA_lang(PMA_lang_name('ForceSSL')),
375 PMA_lang($strForceSSLNotice));
376 }
377
378 //
379 // $cfg['AllowArbitraryServer']
380 // should be disabled
381 //
382 if ($cf->getValue('AllowArbitraryServer')) {
383 messages_set('warning', 'AllowArbitraryServer',
384 PMA_lang(PMA_lang_name('AllowArbitraryServer')),
385 PMA_lang($strAllowArbitraryServerWarning));
386 }
387
388 //
389 // $cfg['LoginCookieValidity']
390 // value greater than session.gc_maxlifetime will cause random session invalidation after that time
391 //
392 if ($cf->getValue('LoginCookieValidity') > 1440
393 || $cf->getValue('LoginCookieValidity') > ini_get('session.gc_maxlifetime')) {
394 $message_type = $cf->getValue('LoginCookieValidity') > ini_get('session.gc_maxlifetime')
395 ? 'error'
396 : 'warning';
397 messages_set($message_type, 'LoginCookieValidity',
398 PMA_lang(PMA_lang_name('LoginCookieValidity')),
399 PMA_lang($strLoginCookieValidityWarning));
400 }
401
402 //
403 // $cfg['LoginCookieValidity']
404 // should be at most 1800 (30 min)
405 //
406 if ($cf->getValue('LoginCookieValidity') > 1800) {
407 messages_set('warning', 'LoginCookieValidity',
408 PMA_lang(PMA_lang_name('LoginCookieValidity')),
409 PMA_lang($strLoginCookieValidityWarning2));
410 }
411
412 //
413 // $cfg['LoginCookieValidity']
414 // $cfg['LoginCookieStore']
415 // LoginCookieValidity must be less or equal to LoginCookieStore
416 //
417 if ($cf->getValue('LoginCookieStore') != 0 && $cf->getValue('LoginCookieValidity') > $cf->getValue('LoginCookieStore')) {
418 messages_set('error', 'LoginCookieValidity',
419 PMA_lang(PMA_lang_name('LoginCookieValidity')),
420 PMA_lang($strLoginCookieValidityWarning3));
421 }
422
423 //
424 // $cfg['SaveDir']
425 // should not be world-accessible
426 //
427 if ($cf->getValue('SaveDir') != '') {
428 messages_set('notice', 'SaveDir',
429 PMA_lang(PMA_lang_name('SaveDir')),
430 PMA_lang($strDirectoryNotice));
431 }
432
433 //
434 // $cfg['TempDir']
435 // should not be world-accessible
436 //
437 if ($cf->getValue('TempDir') != '') {
438 messages_set('notice', 'TempDir',
439 PMA_lang(PMA_lang_name('TempDir')),
440 PMA_lang($strDirectoryNotice));
441 }
442
443 //
444 // $cfg['GZipDump']
445 // requires zlib functions
446 //
447 if ($cf->getValue('GZipDump')
448 && (@!function_exists('gzopen') || @!function_exists('gzencode'))) {
449 messages_set('warning', 'GZipDump',
450 PMA_lang(PMA_lang_name('GZipDump')),
451 PMA_lang($strGZipDumpWarning, 'gzencode'));
452 }
453
454 //
455 // $cfg['BZipDump']
456 // requires bzip2 functions
457 //
458 if ($cf->getValue('BZipDump')
459 && (!@function_exists('bzopen') || !@function_exists('bzcompress'))) {
460 $functions = @function_exists('bzopen')
461 ? '' :
462 'bzopen';
463 $functions .= @function_exists('bzcompress')
464 ? ''
465 : ($functions ? ', ' : '') . 'bzcompress';
466 messages_set('warning', 'BZipDump',
467 PMA_lang(PMA_lang_name('BZipDump')),
468 PMA_lang($strBZipDumpWarning, $functions));
469 }
470
471 //
472 // $cfg['ZipDump']
473 // requires zip_open in import
474 //
475 if ($cf->getValue('ZipDump') && !@function_exists('zip_open')) {
476 messages_set('warning', 'ZipDump_import',
477 PMA_lang(PMA_lang_name('ZipDump')),
478 PMA_lang($strZipDumpImportWarning, 'zip_open'));
479 }
480
481 //
482 // $cfg['ZipDump']
483 // requires gzcompress in export
484 //
485 if ($cf->getValue('ZipDump') && !@function_exists('gzcompress')) {
486 messages_set('warning', 'ZipDump_export',
487 PMA_lang(PMA_lang_name('ZipDump')),
488 PMA_lang($strZipDumpExportWarning, 'gzcompress'));
489 }
490 }
491 ?>
phpMyAdmin