search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Translated using Weblate (Portuguese)
[phpmyadmin.git] / src / Config / ServerConfigChecks.php
blob23ce39c98f45ad320f1b6fe8a90ce7edb9401fea
1 <?php
2 /**
3 * Server config checks management
4 */
5
6 declare(strict_types=1);
7
8 namespace PhpMyAdmin\Config;
9
10 use PhpMyAdmin\Core;
11 use PhpMyAdmin\Sanitize;
12 use PhpMyAdmin\Setup\Index as SetupIndex;
13 use PhpMyAdmin\Url;
14
15 use function __;
16 use function function_exists;
17 use function htmlspecialchars;
18 use function ini_get;
19 use function mb_strlen;
20 use function sodium_crypto_secretbox_keygen;
21 use function sprintf;
22
23 use const SODIUM_CRYPTO_SECRETBOX_KEYBYTES;
24
25 /**
26 * Performs various compatibility, security and consistency checks on current config
27 *
28 * Outputs results to message list, must be called between SetupIndex::messagesBegin()
29 * and SetupIndex::messagesEnd()
30 */
31 class ServerConfigChecks
32 {
33 public function __construct(protected ConfigFile $cfg)
34 {
35 }
36
37 /**
38 * Perform config checks
39 */
40 public function performConfigChecks(): void
41 {
42 /** @var string $blowfishSecret */
43 $blowfishSecret = $this->cfg->get('blowfish_secret', '');
44
45 $this->performConfigChecksServers($blowfishSecret);
46
47 // $cfg['AllowArbitraryServer']
48 // should be disabled
49 if ($this->cfg->getValue('AllowArbitraryServer')) {
50 $sAllowArbitraryServerWarn = sprintf(
51 __(
52 'This %soption%s should be disabled as it allows attackers to '
53 . 'bruteforce login to any MySQL server. If you feel this is necessary, '
54 . 'use %srestrict login to MySQL server%s or %strusted proxies list%s. '
55 . 'However, IP-based protection with trusted proxies list may not be '
56 . 'reliable if your IP belongs to an ISP where thousands of users, '
57 . 'including you, are connected to.',
58 ),
59 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
60 '[/a]',
61 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
62 '[/a]',
63 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
64 '[/a]',
65 );
66 SetupIndex::messagesSet(
67 'notice',
68 'AllowArbitraryServer',
69 Descriptions::get('AllowArbitraryServer'),
70 Sanitize::convertBBCode($sAllowArbitraryServerWarn),
71 );
72 }
73
74 $this->performConfigChecksLoginCookie();
75
76 $sDirectoryNotice = __(
77 'This value should be double checked to ensure that this directory is '
78 . 'neither world accessible nor readable or writable by other users on '
79 . 'your server.',
80 );
81
82 // $cfg['SaveDir']
83 // should not be world-accessible
84 if ($this->cfg->getValue('SaveDir') != '') {
85 SetupIndex::messagesSet(
86 'notice',
87 'SaveDir',
88 Descriptions::get('SaveDir'),
89 Sanitize::convertBBCode($sDirectoryNotice),
90 );
91 }
92
93 // $cfg['TempDir']
94 // should not be world-accessible
95 if ($this->cfg->getValue('TempDir') != '') {
96 SetupIndex::messagesSet(
97 'notice',
98 'TempDir',
99 Descriptions::get('TempDir'),
100 Sanitize::convertBBCode($sDirectoryNotice),
101 );
102 }
103
104 $this->performConfigChecksZips();
105 }
106
107 /**
108 * Check config of servers
109 *
110 * @param string $blowfishSecret Blowfish secret
111 */
112 protected function performConfigChecksServers(string $blowfishSecret): void
113 {
114 $blowfishSecretSet = false;
115
116 $serverCnt = $this->cfg->getServerCount();
117 $isCookieAuthUsed = 0;
118 /** @infection-ignore-all */
119 for ($i = 1; $i <= $serverCnt; $i++) {
120 $cookieAuthServer = $this->cfg->getValue('Servers/' . $i . '/auth_type') === 'cookie';
121 $isCookieAuthUsed |= (int) $cookieAuthServer;
122 $serverName = $this->performConfigChecksServersGetServerName(
123 $this->cfg->getServerName($i),
124 $i,
125 );
126 $serverName = htmlspecialchars($serverName);
127
128 if ($cookieAuthServer && mb_strlen($blowfishSecret, '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
129 $blowfishSecretSet = true;
130 $this->cfg->set('blowfish_secret', sodium_crypto_secretbox_keygen());
131 }
132
133 // $cfg['Servers'][$i]['ssl']
134 // should be enabled if possible
135 if (! $this->cfg->getValue('Servers/' . $i . '/ssl')) {
136 $title = Descriptions::get('Servers/1/ssl') . ' (' . $serverName . ')';
137 SetupIndex::messagesSet(
138 'notice',
139 'Servers/' . $i . '/ssl',
140 $title,
141 __(
142 'You should use SSL connections if your database server supports it.',
143 ),
144 );
145 }
146
147 $sSecurityInfoMsg = Sanitize::convertBBCode(sprintf(
148 __(
149 'If you feel this is necessary, use additional protection settings - '
150 . '%1$shost authentication%2$s settings and %3$strusted proxies list%4$s. '
151 . 'However, IP-based protection may not be reliable if your IP belongs '
152 . 'to an ISP where thousands of users, including you, are connected to.',
153 ),
154 '[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server_config]',
155 '[/a]',
156 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
157 '[/a]',
158 ));
159
160 // $cfg['Servers'][$i]['auth_type']
161 // warn about full user credentials if 'auth_type' is 'config'
162 if (
163 $this->cfg->getValue('Servers/' . $i . '/auth_type') === 'config'
164 && $this->cfg->getValue('Servers/' . $i . '/user') != ''
165 && $this->cfg->getValue('Servers/' . $i . '/password') != ''
166 ) {
167 $title = Descriptions::get('Servers/1/auth_type')
168 . ' (' . $serverName . ')';
169 SetupIndex::messagesSet(
170 'notice',
171 'Servers/' . $i . '/auth_type',
172 $title,
173 Sanitize::convertBBCode(sprintf(
174 __(
175 'You set the [kbd]config[/kbd] authentication type and included '
176 . 'username and password for auto-login, which is not a desirable '
177 . 'option for live hosts. Anyone who knows or guesses your phpMyAdmin '
178 . 'URL can directly access your phpMyAdmin panel. Set %1$sauthentication '
179 . 'type%2$s to [kbd]cookie[/kbd] or [kbd]http[/kbd].',
180 ),
181 '[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server]',
182 '[/a]',
183 ))
184 . ' ' . $sSecurityInfoMsg,
185 );
186 }
187
188 // $cfg['Servers'][$i]['AllowRoot']
189 // $cfg['Servers'][$i]['AllowNoPassword']
190 // serious security flaw
191 if (
192 ! $this->cfg->getValue('Servers/' . $i . '/AllowRoot')
193 || ! $this->cfg->getValue('Servers/' . $i . '/AllowNoPassword')
194 ) {
195 continue;
196 }
197
198 $title = Descriptions::get('Servers/1/AllowNoPassword')
199 . ' (' . $serverName . ')';
200 SetupIndex::messagesSet(
201 'notice',
202 'Servers/' . $i . '/AllowNoPassword',
203 $title,
204 __('You allow for connecting to the server without a password.')
205 . ' ' . $sSecurityInfoMsg,
206 );
207 }
208
209 // $cfg['blowfish_secret']
210 // it's required for 'cookie' authentication
211 if ($isCookieAuthUsed === 0 || ! $blowfishSecretSet) {
212 return;
213 }
214
215 // 'cookie' auth used, blowfish_secret was generated
216 SetupIndex::messagesSet(
217 'notice',
218 'blowfish_secret_created',
219 Descriptions::get('blowfish_secret'),
220 Sanitize::convertBBCode(__(
221 'You didn\'t have blowfish secret set and have enabled '
222 . '[kbd]cookie[/kbd] authentication, so a key was automatically '
223 . 'generated for you. It is used to encrypt cookies; you don\'t need to '
224 . 'remember it.',
225 )),
226 );
227 }
228
229 /**
230 * Define server name
231 *
232 * @param string $serverName Server name
233 * @param int $serverId Server id
234 *
235 * @return string Server name
236 */
237 protected function performConfigChecksServersGetServerName(
238 string $serverName,
239 int $serverId,
240 ): string {
241 if ($serverName === 'localhost') {
242 return $serverName . ' [' . $serverId . ']';
243 }
244
245 return $serverName;
246 }
247
248 /**
249 * Perform config checks for zip part.
250 */
251 protected function performConfigChecksZips(): void
252 {
253 $this->performConfigChecksServerGZipdump();
254 $this->performConfigChecksServerBZipdump();
255 $this->performConfigChecksServersZipdump();
256 }
257
258 /**
259 * Perform config checks for zip part.
260 */
261 protected function performConfigChecksServersZipdump(): void
262 {
263 // $cfg['ZipDump']
264 // requires zip_open in import
265 if ($this->cfg->getValue('ZipDump') && ! $this->functionExists('zip_open')) {
266 SetupIndex::messagesSet(
267 'error',
268 'ZipDump_import',
269 Descriptions::get('ZipDump'),
270 Sanitize::convertBBCode(sprintf(
271 __(
272 '%sZip decompression%s requires functions (%s) which are unavailable on this system.',
273 ),
274 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
275 '[/a]',
276 'zip_open',
277 )),
278 );
279 }
280
281 // $cfg['ZipDump']
282 // requires gzcompress in export
283 if (! $this->cfg->getValue('ZipDump') || $this->functionExists('gzcompress')) {
284 return;
285 }
286
287 SetupIndex::messagesSet(
288 'error',
289 'ZipDump_export',
290 Descriptions::get('ZipDump'),
291 Sanitize::convertBBCode(sprintf(
292 __(
293 '%sZip compression%s requires functions (%s) which are unavailable on this system.',
294 ),
295 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
296 '[/a]',
297 'gzcompress',
298 )),
299 );
300 }
301
302 /**
303 * Check configuration for login cookie
304 */
305 protected function performConfigChecksLoginCookie(): void
306 {
307 // $cfg['LoginCookieValidity']
308 // value greater than session.gc_maxlifetime will cause
309 // random session invalidation after that time
310 $loginCookieValidity = $this->cfg->getValue('LoginCookieValidity');
311 if ($loginCookieValidity > ini_get('session.gc_maxlifetime')) {
312 SetupIndex::messagesSet(
313 'error',
314 'LoginCookieValidity',
315 Descriptions::get('LoginCookieValidity'),
316 Sanitize::convertBBCode(sprintf(
317 __(
318 '%1$sLogin cookie validity%2$s greater than %3$ssession.gc_maxlifetime%4$s may '
319 . 'cause random session invalidation (currently session.gc_maxlifetime '
320 . 'is %5$d).',
321 ),
322 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
323 '[/a]',
324 '[a@' . Core::getPHPDocLink('session.configuration.php#ini.session.gc-maxlifetime') . ']',
325 '[/a]',
326 ini_get('session.gc_maxlifetime'),
327 )),
328 );
329 }
330
331 // $cfg['LoginCookieValidity']
332 // should be at most 1800 (30 min)
333 if ($loginCookieValidity > 1800) {
334 SetupIndex::messagesSet(
335 'notice',
336 'LoginCookieValidity',
337 Descriptions::get('LoginCookieValidity'),
338 Sanitize::convertBBCode(sprintf(
339 __(
340 '%sLogin cookie validity%s should be set to 1800 seconds (30 minutes) '
341 . 'at most. Values larger than 1800 may pose a security risk such as '
342 . 'impersonation.',
343 ),
344 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
345 '[/a]',
346 )),
347 );
348 }
349
350 // $cfg['LoginCookieValidity']
351 // $cfg['LoginCookieStore']
352 // LoginCookieValidity must be less or equal to LoginCookieStore
353 if (
354 $this->cfg->getValue('LoginCookieStore') == 0
355 || $loginCookieValidity <= $this->cfg->getValue('LoginCookieStore')
356 ) {
357 return;
358 }
359
360 SetupIndex::messagesSet(
361 'error',
362 'LoginCookieValidity',
363 Descriptions::get('LoginCookieValidity'),
364 Sanitize::convertBBCode(sprintf(
365 __(
366 'If using [kbd]cookie[/kbd] authentication and %sLogin cookie store%s '
367 . 'is not 0, %sLogin cookie validity%s must be set to a value less or '
368 . 'equal to it.',
369 ),
370 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
371 '[/a]',
372 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
373 '[/a]',
374 )),
375 );
376 }
377
378 /**
379 * Check GZipDump configuration
380 */
381 protected function performConfigChecksServerBZipdump(): void
382 {
383 // $cfg['BZipDump']
384 // requires bzip2 functions
385 if (
386 ! $this->cfg->getValue('BZipDump')
387 || ($this->functionExists('bzopen') && $this->functionExists('bzcompress'))
388 ) {
389 return;
390 }
391
392 $functions = $this->functionExists('bzopen') ? '' : 'bzopen';
393 $functions .= $this->functionExists('bzcompress') ? '' : ($functions !== '' ? ', ' : '') . 'bzcompress';
394 SetupIndex::messagesSet(
395 'error',
396 'BZipDump',
397 Descriptions::get('BZipDump'),
398 Sanitize::convertBBCode(
399 sprintf(
400 __(
401 '%1$sBzip2 compression and decompression%2$s requires functions (%3$s) which '
402 . 'are unavailable on this system.',
403 ),
404 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
405 '[/a]',
406 $functions,
407 ),
408 ),
409 );
410 }
411
412 /**
413 * Check GZipDump configuration
414 */
415 protected function performConfigChecksServerGZipdump(): void
416 {
417 // $cfg['GZipDump']
418 // requires zlib functions
419 if (
420 ! $this->cfg->getValue('GZipDump')
421 || ($this->functionExists('gzopen') && $this->functionExists('gzencode'))
422 ) {
423 return;
424 }
425
426 SetupIndex::messagesSet(
427 'error',
428 'GZipDump',
429 Descriptions::get('GZipDump'),
430 Sanitize::convertBBCode(sprintf(
431 __(
432 '%1$sGZip compression and decompression%2$s requires functions (%3$s) which '
433 . 'are unavailable on this system.',
434 ),
435 '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
436 '[/a]',
437 'gzencode',
438 )),
439 );
440 }
441
442 /**
443 * Wrapper around function_exists to allow mock in test
444 *
445 * @param string $name Function name
446 */
447 protected function functionExists(string $name): bool
448 {
449 return function_exists($name);
450 }
451 }
phpMyAdmin