search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix comments for functions with missing @return tag
[phpmyadmin.git] / libraries / auth / cookie.auth.lib.php
blobc2e50c0671aeb2594147c83f7b082730509e5637
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * Set of functions used to run cookie based authentication.
5 *
6 * @package phpMyAdmin-Auth-Cookie
7 */
8
9 if (! defined('PHPMYADMIN')) {
10 exit;
11 }
12
13 /**
14 * Swekey authentication functions.
15 */
16 require './libraries/auth/swekey/swekey.auth.lib.php';
17
18 if (function_exists('mcrypt_encrypt')) {
19 /**
20 * Uses faster mcrypt library if available
21 * (as this is not called from anywhere else, put the code in-line
22 * for faster execution)
23 */
24
25 /**
26 * Initialization
27 * Store the initialization vector because it will be needed for
28 * further decryption. I don't think necessary to have one iv
29 * per server so I don't put the server number in the cookie name.
30 */
31 if (empty($_COOKIE['pma_mcrypt_iv']) || false === ($iv = base64_decode($_COOKIE['pma_mcrypt_iv'], true))) {
32 srand((double) microtime() * 1000000);
33 $td = mcrypt_module_open(MCRYPT_BLOWFISH, '', MCRYPT_MODE_CBC, '');
34 if ($td === false) {
35 die('Failed to use Blowfish from mcrypt!');
36 }
37 $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
38 $GLOBALS['PMA_Config']->setCookie('pma_mcrypt_iv', base64_encode($iv));
39 }
40
41 /**
42 * Encryption using blowfish algorithm (mcrypt)
43 *
44 * @param string original data
45 * @param string the secret
46 *
47 * @return string the encrypted result
48 *
49 * @access public
50 *
51 */
52 function PMA_blowfish_encrypt($data, $secret)
53 {
54 global $iv;
55 return base64_encode(mcrypt_encrypt(MCRYPT_BLOWFISH, $secret, $data, MCRYPT_MODE_CBC, $iv));
56 }
57
58 /**
59 * Decryption using blowfish algorithm (mcrypt)
60 *
61 * @param string encrypted data
62 * @param string the secret
63 *
64 * @return string original data
65 *
66 * @access public
67 *
68 */
69 function PMA_blowfish_decrypt($encdata, $secret)
70 {
71 global $iv;
72 return trim(mcrypt_decrypt(MCRYPT_BLOWFISH, $secret, base64_decode($encdata), MCRYPT_MODE_CBC, $iv));
73 }
74
75 } else {
76 require_once './libraries/blowfish.php';
77 }
78
79 /**
80 * Returns blowfish secret or generates one if needed.
81 *
82 * @access public
83 * @return string
84 */
85 function PMA_get_blowfish_secret()
86 {
87 if (empty($GLOBALS['cfg']['blowfish_secret'])) {
88 if (empty($_SESSION['auto_blowfish_secret'])) {
89 // this returns 23 characters
90 $_SESSION['auto_blowfish_secret'] = uniqid('', true);
91 }
92 return $_SESSION['auto_blowfish_secret'];
93 } else {
94 // apply md5() to work around too long secrets (returns 32 characters)
95 return md5($GLOBALS['cfg']['blowfish_secret']);
96 }
97 }
98
99 /**
100 * Displays authentication form
101 *
102 * this function MUST exit/quit the application
103 *
104 * @global string the last connection error
105 *
106 * @access public
107 */
108 function PMA_auth()
109 {
110 global $conn_error;
111
112 /* Perform logout to custom URL */
113 if (! empty($_REQUEST['old_usr'])
114 && ! empty($GLOBALS['cfg']['Server']['LogoutURL'])) {
115 PMA_sendHeaderLocation($GLOBALS['cfg']['Server']['LogoutURL']);
116 exit;
117 }
118
119 /* No recall if blowfish secret is not configured as it would produce garbage */
120 if ($GLOBALS['cfg']['LoginCookieRecall'] && !empty($GLOBALS['cfg']['blowfish_secret'])) {
121 $default_user = $GLOBALS['PHP_AUTH_USER'];
122 $default_server = $GLOBALS['pma_auth_server'];
123 $autocomplete = '';
124 } else {
125 $default_user = '';
126 $default_server = '';
127 // skip the IE autocomplete feature.
128 $autocomplete = ' autocomplete="off"';
129 }
130
131 $cell_align = ($GLOBALS['text_dir'] == 'ltr') ? 'left' : 'right';
132
133 // Defines the charset to be used
134 header('Content-Type: text/html; charset=utf-8');
135 // Defines the "item" image depending on text direction
136 $item_img = 'ic_item_' . $GLOBALS['text_dir'];
137
138 /* HTML header; do not show here the PMA version to improve security */
139 $page_title = 'phpMyAdmin ';
140 require './libraries/header_meta_style.inc.php';
141 // if $page_title is set, this script uses it as the title:
142 require './libraries/header_scripts.inc.php';
143 ?>
144 <script type="text/javascript">
145 //<![CDATA[
146 // show login form in top frame
147 if (top != self) {
148 window.top.location.href=location;
149 }
150 //]]>
151 </script>
152 </head>
153
154 <body class="loginform">
155
156 <?php
157 if (file_exists(CUSTOM_HEADER_FILE)) {
158 require CUSTOM_HEADER_FILE;
159 }
160 ?>
161
162 <div class="container">
163 <a href="<?php echo PMA_linkURL('http://www.phpmyadmin.net/'); ?>" target="_blank" class="logo"><?php
164 $logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
165 if (@file_exists($logo_image)) {
166 echo '<img src="' . $logo_image . '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
167 } else {
168 echo '<img name="imLogo" id="imLogo" src="' . $GLOBALS['pmaThemeImage'] . 'pma_logo.png' . '" '
169 . 'border="0" width="88" height="31" alt="phpMyAdmin" />';
170 }
171 ?></a>
172 <h1>
173 <?php
174 echo sprintf(__('Welcome to %s'),
175 '<bdo dir="ltr" xml:lang="en">' . $page_title . '</bdo>');
176 ?>
177 </h1>
178 <?php
179
180 // Show error message
181 if (! empty($conn_error)) {
182 PMA_Message::rawError($conn_error)->display();
183 }
184
185 // Displays the languages form
186 if (empty($GLOBALS['cfg']['Lang'])) {
187 require_once './libraries/display_select_lang.lib.php';
188 // use fieldset, don't show doc link
189 PMA_select_language(true, false);
190 }
191
192 ?>
193 <br />
194 <!-- Login form -->
195 <form method="post" action="index.php" name="login_form"<?php echo $autocomplete; ?> target="_top" class="login">
196 <fieldset>
197 <legend>
198 <?php
199 echo __('Log in');
200 echo '<a href="./Documentation.html" target="documentation" ' .
201 'title="' . __('phpMyAdmin documentation') . '">';
202 if ($GLOBALS['cfg']['ReplaceHelpImg']) {
203 echo '<img class="icon ic_b_help_s" src="themes/dot.gif" alt="' . __('phpMyAdmin documentation') . '" />';
204 } else {
205 echo '(*)';
206 }
207 echo '</a>';
208 ?>
209 </legend>
210
211 <?php if ($GLOBALS['cfg']['AllowArbitraryServer']) { ?>
212 <div class="item">
213 <label for="input_servername" title="<?php echo __('You can enter hostname/IP address and port separated by space.'); ?>"><?php echo __('Server:'); ?></label>
214 <input type="text" name="pma_servername" id="input_servername" value="<?php echo htmlspecialchars($default_server); ?>" size="24" class="textfield" title="<?php echo __('You can enter hostname/IP address and port separated by space.'); ?>" />
215 </div>
216 <?php } ?>
217 <div class="item">
218 <label for="input_username"><?php echo __('Username:'); ?></label>
219 <input type="text" name="pma_username" id="input_username" value="<?php echo htmlspecialchars($default_user); ?>" size="24" class="textfield"/>
220 </div>
221 <div class="item">
222 <label for="input_password"><?php echo __('Password:'); ?></label>
223 <input type="password" name="pma_password" id="input_password" value="" size="24" class="textfield" />
224 </div>
225 <?php
226 if (count($GLOBALS['cfg']['Servers']) > 1) {
227 ?>
228 <div class="item">
229 <label for="select_server"><?php echo __('Server Choice'); ?>:</label>
230 <select name="server" id="select_server"
231 <?php
232 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
233 echo ' onchange="document.forms[\'login_form\'].elements[\'pma_servername\'].value = \'\'" ';
234 }
235 echo '>';
236
237 require_once './libraries/select_server.lib.php';
238 PMA_select_server(false, false);
239
240 echo '</select></div>';
241 } else {
242 echo ' <input type="hidden" name="server" value="' . $GLOBALS['server'] . '" />';
243 } // end if (server choice)
244 ?>
245 </fieldset>
246 <fieldset class="tblFooters">
247 <input value="<?php echo __('Go'); ?>" type="submit" id="input_go" />
248 <?php
249 $_form_params = array();
250 if (! empty($GLOBALS['target'])) {
251 $_form_params['target'] = $GLOBALS['target'];
252 }
253 if (! empty($GLOBALS['db'])) {
254 $_form_params['db'] = $GLOBALS['db'];
255 }
256 if (! empty($GLOBALS['table'])) {
257 $_form_params['table'] = $GLOBALS['table'];
258 }
259 // do not generate a "server" hidden field as we want the "server"
260 // drop-down to have priority
261 echo PMA_generate_common_hidden_inputs($_form_params, '', 0, 'server');
262 ?>
263 </fieldset>
264 </form>
265
266 <?php
267
268 // BEGIN Swekey Integration
269 Swekey_login('input_username', 'input_go');
270 // END Swekey Integration
271
272 // show the "Cookies required" message only if cookies are disabled
273 // (we previously tried to set some cookies)
274 if (empty($_COOKIE)) {
275 trigger_error(__('Cookies must be enabled past this point.'), E_USER_NOTICE);
276 }
277 if ($GLOBALS['error_handler']->hasDisplayErrors()) {
278 echo '<div>';
279 $GLOBALS['error_handler']->dispErrors();
280 echo '</div>';
281 }
282 ?>
283 </div>
284 <?php
285 if (file_exists(CUSTOM_FOOTER_FILE)) {
286 require CUSTOM_FOOTER_FILE;
287 }
288 ?>
289 </body>
290 </html>
291 <?php
292 exit;
293 } // end of the 'PMA_auth()' function
294
295
296
297 /**
298 * Gets advanced authentication settings
299 *
300 * this function DOES NOT check authentication - it just checks/provides
301 * authentication credentials required to connect to the MySQL server
302 * usually with PMA_DBI_connect()
303 *
304 * it returns false if something is missing - which usually leads to
305 * PMA_auth() which displays login form
306 *
307 * it returns true if all seems ok which usually leads to PMA_auth_set_user()
308 *
309 * it directly switches to PMA_auth_fails() if user inactivity timout is reached
310 *
311 * @todo AllowArbitraryServer on does not imply that the user wants an
312 * arbitrary server, or? so we should also check if this is filled and
313 * not only if allowed
314 *
315 * @return boolean whether we get authentication settings or not
316 *
317 * @access public
318 */
319 function PMA_auth_check()
320 {
321 // Initialization
322 /**
323 * @global $GLOBALS['pma_auth_server'] the user provided server to connect to
324 */
325 $GLOBALS['pma_auth_server'] = '';
326
327 $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
328 $GLOBALS['from_cookie'] = false;
329
330 // BEGIN Swekey Integration
331 if (! Swekey_auth_check()) {
332 return false;
333 }
334 // END Swekey Integration
335
336 if (defined('PMA_CLEAR_COOKIES')) {
337 foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
338 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
339 $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
340 $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
341 }
342 return false;
343 }
344
345 if (! empty($_REQUEST['old_usr'])) {
346 // The user wants to be logged out
347 // -> delete his choices that were stored in session
348
349 // according to the PHP manual we should do this before the destroy:
350 //$_SESSION = array();
351 // but we still need some parts of the session information
352 // in libraries/header_meta_style.inc.php
353
354 session_destroy();
355 // -> delete password cookie(s)
356 if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
357 foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
358 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
359 if (isset($_COOKIE['pmaPass-' . $key])) {
360 unset($_COOKIE['pmaPass-' . $key]);
361 }
362 }
363 } else {
364 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
365 if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
366 unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
367 }
368 }
369 }
370
371 if (! empty($_REQUEST['pma_username'])) {
372 // The user just logged in
373 $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
374 $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
375 if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
376 $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
377 }
378 return true;
379 }
380
381 // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
382 // and $GLOBALS['PHP_AUTH_PW'] variables from cookies
383
384 // servername
385 if ($GLOBALS['cfg']['AllowArbitraryServer']
386 && ! empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
387 $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
388 }
389
390 // username
391 if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
392 return false;
393 }
394
395 $GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt(
396 $_COOKIE['pmaUser-' . $GLOBALS['server']],
397 PMA_get_blowfish_secret());
398
399 // user was never logged in since session start
400 if (empty($_SESSION['last_access_time'])) {
401 return false;
402 }
403
404 // User inactive too long
405 if ($_SESSION['last_access_time'] < time() - $GLOBALS['cfg']['LoginCookieValidity']) {
406 PMA_cacheUnset('is_create_db_priv', true);
407 PMA_cacheUnset('is_process_priv', true);
408 PMA_cacheUnset('is_reload_priv', true);
409 PMA_cacheUnset('db_to_create', true);
410 PMA_cacheUnset('dbs_where_create_table_allowed', true);
411 $GLOBALS['no_activity'] = true;
412 PMA_auth_fails();
413 exit;
414 }
415
416 // password
417 if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
418 return false;
419 }
420
421 $GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt(
422 $_COOKIE['pmaPass-' . $GLOBALS['server']],
423 PMA_get_blowfish_secret());
424
425 if ($GLOBALS['PHP_AUTH_PW'] == "\xff(blank)") {
426 $GLOBALS['PHP_AUTH_PW'] = '';
427 }
428
429 $GLOBALS['from_cookie'] = true;
430
431 return true;
432 } // end of the 'PMA_auth_check()' function
433
434
435 /**
436 * Set the user and password after last checkings if required
437 *
438 * @return boolean always true
439 *
440 * @access public
441 */
442 function PMA_auth_set_user()
443 {
444 global $cfg;
445
446 // Ensures valid authentication mode, 'only_db', bookmark database and
447 // table names and relation table name are used
448 if ($cfg['Server']['user'] != $GLOBALS['PHP_AUTH_USER']) {
449 foreach ($cfg['Servers'] as $idx => $current) {
450 if ($current['host'] == $cfg['Server']['host']
451 && $current['port'] == $cfg['Server']['port']
452 && $current['socket'] == $cfg['Server']['socket']
453 && $current['ssl'] == $cfg['Server']['ssl']
454 && $current['connect_type'] == $cfg['Server']['connect_type']
455 && $current['user'] == $GLOBALS['PHP_AUTH_USER']) {
456 $GLOBALS['server'] = $idx;
457 $cfg['Server'] = $current;
458 break;
459 }
460 } // end foreach
461 } // end if
462
463 if ($GLOBALS['cfg']['AllowArbitraryServer']
464 && ! empty($GLOBALS['pma_auth_server'])) {
465 /* Allow to specify 'host port' */
466 $parts = explode(' ', $GLOBALS['pma_auth_server']);
467 if (count($parts) == 2) {
468 $tmp_host = $parts[0];
469 $tmp_port = $parts[1];
470 } else {
471 $tmp_host = $GLOBALS['pma_auth_server'];
472 $tmp_port = '';
473 }
474 if ($cfg['Server']['host'] != $GLOBALS['pma_auth_server']) {
475 $cfg['Server']['host'] = $tmp_host;
476 if (!empty($tmp_port)) {
477 $cfg['Server']['port'] = $tmp_port;
478 }
479 }
480 unset($tmp_host, $tmp_port, $parts);
481 }
482 $cfg['Server']['user'] = $GLOBALS['PHP_AUTH_USER'];
483 $cfg['Server']['password'] = $GLOBALS['PHP_AUTH_PW'];
484
485 $_SESSION['last_access_time'] = time();
486
487 // Name and password cookies need to be refreshed each time
488 // Duration = one month for username
489 $GLOBALS['PMA_Config']->setCookie('pmaUser-' . $GLOBALS['server'],
490 PMA_blowfish_encrypt($cfg['Server']['user'],
491 PMA_get_blowfish_secret()));
492
493 // Duration = as configured
494 $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $GLOBALS['server'],
495 PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "\xff(blank)",
496 PMA_get_blowfish_secret()),
497 null,
498 $GLOBALS['cfg']['LoginCookieStore']);
499
500 // Set server cookies if required (once per session) and, in this case, force
501 // reload to ensure the client accepts cookies
502 if (! $GLOBALS['from_cookie']) {
503 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
504 if (! empty($GLOBALS['pma_auth_server'])) {
505 // Duration = one month for servername
506 $GLOBALS['PMA_Config']->setCookie('pmaServer-' . $GLOBALS['server'], $cfg['Server']['host']);
507 } else {
508 // Delete servername cookie
509 $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $GLOBALS['server']);
510 }
511 }
512
513 // URL where to go:
514 $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
515
516 // any parameters to pass?
517 $url_params = array();
518 if (strlen($GLOBALS['db'])) {
519 $url_params['db'] = $GLOBALS['db'];
520 }
521 if (strlen($GLOBALS['table'])) {
522 $url_params['table'] = $GLOBALS['table'];
523 }
524 // any target to pass?
525 if (! empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
526 $url_params['target'] = $GLOBALS['target'];
527 }
528
529 /**
530 * whether we come from a fresh cookie login
531 */
532 define('PMA_COMING_FROM_COOKIE_LOGIN', true);
533
534 /**
535 * Clear user cache.
536 */
537 PMA_clearUserCache();
538
539 PMA_sendHeaderLocation($redirect_url . PMA_generate_common_url($url_params, '&'));
540 exit();
541 } // end if
542
543 return true;
544 } // end of the 'PMA_auth_set_user()' function
545
546
547 /**
548 * User is not allowed to login to MySQL -> authentication failed
549 *
550 * prepares error message and switches to PMA_auth() which display the error
551 * and the login form
552 *
553 * this function MUST exit/quit the application,
554 * currently doen by call to PMA_auth()
555 *
556 * @access public
557 */
558 function PMA_auth_fails()
559 {
560 global $conn_error;
561
562 // Deletes password cookie and displays the login form
563 $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
564
565 if (! empty($GLOBALS['login_without_password_is_forbidden'])) {
566 $conn_error = __('Login without a password is forbidden by configuration (see AllowNoPassword)');
567 } elseif (! empty($GLOBALS['allowDeny_forbidden'])) {
568 $conn_error = __('Access denied');
569 } elseif (! empty($GLOBALS['no_activity'])) {
570 $conn_error = sprintf(__('No activity within %s seconds; please log in again'), $GLOBALS['cfg']['LoginCookieValidity']);
571 // Remember where we got timeout to return on same place
572 if (PMA_getenv('SCRIPT_NAME')) {
573 $GLOBALS['target'] = basename(PMA_getenv('SCRIPT_NAME'));
574 // avoid "missing parameter: field" on re-entry
575 if ('tbl_alter.php' == $GLOBALS['target']) {
576 $GLOBALS['target'] = 'tbl_structure.php';
577 }
578 }
579 } elseif (PMA_DBI_getError()) {
580 $conn_error = '#' . $GLOBALS['errno'] . ' ' . __('Cannot log in to the MySQL server');
581 } else {
582 $conn_error = __('Cannot log in to the MySQL server');
583 }
584
585 // needed for PHP-CGI (not need for FastCGI or mod-php)
586 header('Cache-Control: no-store, no-cache, must-revalidate');
587 header('Pragma: no-cache');
588
589 PMA_auth();
590 } // end of the 'PMA_auth_fails()' function
591
592 ?>
phpMyAdmin