1 <?php
2 /* $Id$ */
3 // vim: expandtab sw=4 ts=4 sts=4:
5 // +--------------------------------------------------------------------------+
6 // | Set of functions used to run cookie based authentication. |
7 // | Thanks to Piotr Roszatycki <d3xter at users.sourceforge.net> and |
8 // | Dan Wilson who built this patch for the Debian package. |
9 // +--------------------------------------------------------------------------+
// This library is only meaningful when loaded through the common bootstrap
// (which defines $coming_from_common); a direct request for the file stops here.
if (!isset($coming_from_common)) {
    exit;
}

// Reference timestamp used by the login-timeout logic in PMA_auth_check()
// and stored in the username cookie by PMA_auth_set_user().
$current_time = time();

// Prefer the (faster) mcrypt implementation when the extension is present or
// can be loaded; fall back to the pure-PHP blowfish implementation otherwise.
// (Note: mcrypt.lib.php needs $cookie_path and $is_https.)
if (function_exists('mcrypt_encrypt') || PMA_dl('mcrypt')) {
    require_once './libraries/mcrypt.lib.php';
} else {
    require_once './libraries/blowfish.php';
}
28 /**
29 * Displays authentication form
31 * @global string the font face to use
32 * @global string the default font size to use
33 * @global string the big font size to use
34 * @global array the list of servers settings
35 * @global array the list of available translations
36 * @global string the current language
37 * @global integer the current server id
38 * @global string the currect charset for MySQL
39 * @global array the array of cookie variables if register_globals is
40 * off
42 * @return boolean always true (no return indeed)
44 * @access public
46 function PMA_auth()
48 global $cfg, $lang, $server, $convcharset, $conn_error;
50 /* Perform logout to custom URL */
51 if (!empty($_REQUEST['old_usr']) && !empty($GLOBALS['cfg']['Server']['LogoutURL'])) {
52 PMA_sendHeaderLocation($GLOBALS['cfg']['Server']['LogoutURL']);
53 exit;
56 // Tries to get the username from cookie whatever are the values of the
57 // 'register_globals' and the 'variables_order' directives if last login
58 // should be recalled, else skip the IE autocomplete feature.
59 if ($cfg['LoginCookieRecall'] && !empty($GLOBALS['cfg']['blowfish_secret'])) {
60 // username
61 // do not try to use pma_cookie_username as it was encoded differently
62 // in previous versions and would produce an undefined offset in blowfish
63 if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_username-' . $server])) {
64 $default_user = $_COOKIE['pma_cookie_username-' . $server];
66 $decrypted_user = isset($default_user) ? PMA_blowfish_decrypt($default_user, $GLOBALS['cfg']['blowfish_secret']) : '';
67 if (!empty($decrypted_user)) {
68 $pos = strrpos($decrypted_user, ':');
69 $default_user = substr($decrypted_user, 0, $pos);
70 } else {
71 $default_user = '';
73 // server name
74 if (!empty($GLOBALS['pma_cookie_servername'])) {
75 $default_server = $GLOBALS['pma_cookie_servername'];
76 } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_servername-' . $server])) {
77 $default_server = $_COOKIE['pma_cookie_servername-' . $server];
80 $autocomplete = '';
81 } else {
82 $default_user = '';
83 $autocomplete = ' autocomplete="off"';
86 $cell_align = ($GLOBALS['text_dir'] == 'ltr') ? 'left' : 'right';
88 // Defines the charset to be used
89 header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
90 // Defines the "item" image depending on text direction
91 $item_img = $GLOBALS['pmaThemeImage'] . 'item_ltr.png';
93 /* HTML header */
94 $page_title = 'phpMyAdmin ' . PMA_VERSION;
95 require './libraries/header_meta_style.inc.php';
97 <script type="text/javascript" language="javascript">
98 //<![CDATA[
99 // show login form in top frame
100 if (top != self) {
101 window.top.location.href=location;
103 //]]>
104 </script>
105 </head>
107 <body class="loginform">
109 <?php if (file_exists('./config.header.inc.php')) {
110 require('./config.header.inc.php');
114 <div class="container">
115 <a href="http://www.phpmyadmin.net" target="_blank" class="logo"><?php
116 $logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
117 if (@file_exists($logo_image)) {
118 echo '<img src="' . $logo_image . '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
119 } else {
120 echo '<img name="imLogo" id="imLogo" src="' . $GLOBALS['pmaThemeImage'] . 'pma_logo.png' . '" '
121 . 'border="0" width="88" height="31" alt="phpMyAdmin" />';
123 ?></a>
124 <h1>
125 <?php
126 echo sprintf( $GLOBALS['strWelcome'],
127 '<bdo dir="ltr" xml:lang="en">phpMyAdmin ' . PMA_VERSION . '</bdo>');
129 </h1>
130 <?php
132 // Show error message
133 if ( !empty($conn_error)) {
134 echo '<div class="error"><h1>' . $GLOBALS['strError'] . '</h1>' . "\n";
135 echo $conn_error . '</div>' . "\n";
138 // Displays the languages form
139 if (empty($cfg['Lang'])) {
140 echo "\n";
141 require_once './libraries/display_select_lang.lib.php';
142 PMA_select_language(true);
144 echo "\n\n";
146 // Displays the warning message and the login form
148 if (empty($GLOBALS['cfg']['blowfish_secret'])) {
150 <div class="error"><h1><?php echo $GLOBALS['strError']; ?></h1>
151 <?php echo $GLOBALS['strSecretRequired']; ?>
152 </div>
153 <?php
154 echo '</div>' . "\n";
155 if (file_exists('./config.footer.inc.php')) {
156 require('./config.footer.inc.php');
159 echo ' </body>' . "\n"
160 . '</html>';
161 exit();
164 <br />
165 <!-- Login form -->
166 <form method="post" action="index.php" name="login_form"<?php echo $autocomplete; ?> target="_top" class="login">
167 <fieldset>
168 <legend><?php echo $GLOBALS['strLogin']; ?></legend>
170 <?php if ($GLOBALS['cfg']['AllowArbitraryServer']) { ?>
171 <div class="item">
172 <label for="input_servername"><?php echo $GLOBALS['strLogServer']; ?></label>
173 <input type="text" name="pma_servername" id="input_servername" value="<?php echo (isset($default_server) ? htmlspecialchars($default_server) : ''); ?>" size="24" class="textfield" />
174 </div>
175 <?php } ?>
176 <div class="item">
177 <label for="input_username"><?php echo $GLOBALS['strLogUsername']; ?></label>
178 <input type="text" name="pma_username" id="input_username" value="<?php echo (isset($default_user) ? htmlspecialchars($default_user) : ''); ?>" size="24" class="textfield" />
179 </div>
180 <div class="item">
181 <label for="input_password"><?php echo $GLOBALS['strLogPassword']; ?></label>
182 <input type="password" name="pma_password" id="input_password" value="" size="24" class="textfield" />
183 </div>
184 <?php
185 if (count($cfg['Servers']) > 1) {
186 echo "\n";
188 <div class="item">
189 <label for="select_server"><?php echo $GLOBALS['strServerChoice']; ?>:</label>
190 <select name="server" id="select_server"
191 <?php
192 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
193 echo ' onchange="document.forms[\'login_form\'].elements[\'pma_servername\'].value = \'\'" ';
197 <?php
198 require_once './libraries/select_server.lib.php';
199 PMA_select_server(false, false);
201 </select>
202 </div>
203 <?php
204 } else {
205 echo ' <input type="hidden" name="server" value="' . $server . '" />';
206 } // end if (server choice)
208 </fieldset>
209 <fieldset class="tblFooters">
210 <input value="<?php echo $GLOBALS['strGo']; ?>" type="submit" />
211 <input type="hidden" name="lang" value="<?php echo $lang; ?>" />
212 <input type="hidden" name="convcharset" value="<?php echo $convcharset; ?>" />
213 <?php
214 if (!empty($GLOBALS['target'])) {
215 echo ' <input type="hidden" name="target" value="' . htmlspecialchars($GLOBALS['target']) . '" />' . "\n";
217 if (!empty($GLOBALS['db'])) {
218 echo ' <input type="hidden" name="db" value="' . htmlspecialchars($GLOBALS['db']) . '" />' . "\n";
220 if (!empty($GLOBALS['table'])) {
221 echo ' <input type="hidden" name="table" value="' . htmlspecialchars($GLOBALS['table']) . '" />' . "\n";
224 </fieldset>
225 </form>
227 <?php
228 // show the "Cookies required" message only if cookies are disabled
229 // (we previously tried to set some cookies)
230 if (empty($_COOKIE)) {
231 echo '<div class="notice">' . $GLOBALS['strCookiesRequired'] . '</div>' . "\n";
233 if ( ! empty( $GLOBALS['PMA_errors'] ) && is_array( $GLOBALS['PMA_errors'] ) ) {
234 foreach ( $GLOBALS['PMA_errors'] as $error ) {
235 echo '<div class="error">' . $error . '</div>' . "\n";
240 <script type="text/javascript" language="javascript">
241 <!--
242 var uname = document.forms['login_form'].elements['pma_username'];
243 var pword = document.forms['login_form'].elements['pma_password'];
244 if (uname.value == '') {
245 uname.focus();
246 } else {
247 pword.focus();
249 //-->
250 </script>
251 </div>
253 <?php if (file_exists('./config.footer.inc.php')) {
254 require('./config.footer.inc.php');
258 </body>
260 </html>
261 <?php
262 exit();
264 return true;
265 } // end of the 'PMA_auth()' function
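/**
 * Gets advanced authentication settings
 *
 * Fills $PHP_AUTH_USER / $PHP_AUTH_PW (and $pma_auth_server when
 * AllowArbitraryServer is on) from, in order of precedence:
 *  - a logout request ($old_usr): the password cookie(s) are removed and
 *    nothing is collected;
 *  - the login form ($pma_username / $pma_password / $pma_servername);
 *  - the per-server cookies. The username cookie decrypts (with
 *    blowfish_secret) to "username:timestamp"; the timestamp is the last
 *    activity time and is also part of the key used to decrypt the password
 *    cookie (blowfish_secret . timestamp), so a password cookie is only
 *    usable together with the username cookie it was issued with.
 *
 * Inactivity longer than LoginCookieValidity makes the cookie login fail;
 * PMA_auth_fails() (and thus the login form) is only shown when the
 * inactivity is shorter than 4 x LoginCookieValidity.
 *
 * @global string  $PHP_AUTH_USER    the username to authenticate with (out)
 * @global string  $PHP_AUTH_PW      the password to authenticate with (out)
 * @global string  $pma_auth_server  the arbitrary server to connect to (out)
 * @global string  $pma_servername   the servername sent by the login form
 * @global string  $pma_username     the username sent by the login form
 * @global string  $pma_password     the password sent by the login form
 * @global string  $old_usr          the username of the user who logs out
 * @global integer $server           the current server id (cookie name suffix)
 * @global boolean $from_cookie      whether the login/password pair is grabbed
 *                                   from a cookie or not (out)
 *
 * @return boolean whether we get authentication settings or not
 *
 * @access public
 */
function PMA_auth_check()
{
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $pma_servername, $pma_username, $pma_password, $old_usr, $server;
    global $from_cookie;

    // avoid an error in mcrypt
    if (empty($GLOBALS['cfg']['blowfish_secret'])) {
        return false;
    }

    // Initialization
    $PHP_AUTH_USER = $PHP_AUTH_PW = '';
    $from_cookie = false;
    $from_form = false;

    // The user wants to be logged out -> delete password cookie(s)
    if (!empty($old_usr)) {
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                PMA_removeCookie('pma_cookie_password-' . $key);
            }
        } else {
            PMA_removeCookie('pma_cookie_password-' . $server);
        }
    }
    // The user just logged in
    elseif (!empty($pma_username)) {
        $PHP_AUTH_USER = $pma_username;
        $PHP_AUTH_PW = (empty($pma_password)) ? '' : $pma_password;
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            $pma_auth_server = $pma_servername;
        }
        $from_form = true;
    }
    // At the end, try to set the $PHP_AUTH_USER & $PHP_AUTH_PW variables
    // from cookies whatever are the values of the 'register_globals' and
    // the 'variables_order' directives. (The former checks of local
    // $pma_cookie_servername / $pma_cookie_password were dead code: those
    // names are never declared global nor assigned in this function.)
    else {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            // servername
            if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_servername-' . $server])) {
                $pma_auth_server = $_COOKIE['pma_cookie_servername-' . $server];
                $from_cookie = true;
            }
        }

        // username
        if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_username-' . $server])) {
            $PHP_AUTH_USER = $_COOKIE['pma_cookie_username-' . $server];
            $from_cookie = true;
        }
        $decrypted_user = PMA_blowfish_decrypt($PHP_AUTH_USER, $GLOBALS['cfg']['blowfish_secret']);
        if (!empty($decrypted_user)) {
            $pos = strrpos($decrypted_user, ':');
            if ($pos === false) {
                // Malformed payload (no "username:timestamp" separator):
                // no username and no activity time, rather than deriving a
                // timestamp from an offset computed from false.
                $PHP_AUTH_USER = '';
                $decrypted_time = 0;
            } else {
                $PHP_AUTH_USER = substr($decrypted_user, 0, $pos);
                $decrypted_time = (int) substr($decrypted_user, $pos + 1);
            }
        } else {
            $decrypted_time = 0;
        }

        // User inactive too long
        if ($decrypted_time > 0 && $decrypted_time < $GLOBALS['current_time'] - $GLOBALS['cfg']['LoginCookieValidity']) {
            // Display an error message only if the inactivity has lasted
            // less than 4 times the timeout value. This is to avoid
            // alerting users with a error after "much" time has passed,
            // for example next morning.
            if ($decrypted_time > $GLOBALS['current_time'] - ($GLOBALS['cfg']['LoginCookieValidity'] * 4)) {
                $GLOBALS['no_activity'] = true;
                PMA_auth_fails();
            }
            return false;
        }

        // password: without a password cookie nothing usable came from cookies,
        // even if a username (or servername) cookie was present
        if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_password-' . $server])) {
            $PHP_AUTH_PW = $_COOKIE['pma_cookie_password-' . $server];
        } else {
            $from_cookie = false;
        }
        // keyed with the activity time taken from the username cookie
        $PHP_AUTH_PW = PMA_blowfish_decrypt($PHP_AUTH_PW, $GLOBALS['cfg']['blowfish_secret'] . $decrypted_time);

        // sentinel stored by PMA_auth_set_user() for an empty password
        if ($PHP_AUTH_PW === "\xff(blank)") {
            $PHP_AUTH_PW = '';
        }
    }

    // Returns whether we get authentication settings or not
    // (no stripping needed for form input here, it is done in grab_globals)
    return ($from_cookie || $from_form);
} // end of the 'PMA_auth_check()' function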
/**
 * Set the user and password after last checkings if required
 *
 * Selects the configured server entry matching the authenticated user (same
 * host, same user), applies an arbitrary host when AllowArbitraryServer
 * permits it, stores the credentials into $cfg['Server'], refreshes the
 * username and password cookies, and -- on a login that did not come from
 * cookies -- sets/removes the servername cookie and redirects to index.php
 * (with db/table/lang/target carried along) so that the client's cookie
 * support is exercised.
 *
 * @global array   $cfg              the valid servers settings
 * @global integer $server           the id of the current server
 * @global string  $PHP_AUTH_USER    the current username
 * @global string  $PHP_AUTH_PW      the current password
 * @global string  $pma_auth_server  the arbitrary server requested, if any
 * @global boolean $from_cookie      whether the login/password pair has been
 *                                   grabbed from a cookie or not
 *
 * @return boolean always true (the redirect path exits instead)
 *
 * @access public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;

    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used: pick the first configured
    // server with the same host and this user.
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        $last_id = count($cfg['Servers']);
        $candidate = 1;
        while ($candidate <= $last_id) {
            if (isset($cfg['Servers'][$candidate])
                && $cfg['Servers'][$candidate]['host'] == $cfg['Server']['host']
                && $cfg['Servers'][$candidate]['user'] == $PHP_AUTH_USER) {
                $server = $candidate;
                $cfg['Server'] = $cfg['Servers'][$candidate];
                break;
            }
            $candidate++;
        }
    }

    // Arbitrary host requested (form or cookie) and allowed by configuration
    $host_overridden = false;
    if ($GLOBALS['cfg']['AllowArbitraryServer']
        && !empty($pma_auth_server)
        && $cfg['Server']['host'] != $pma_auth_server) {
        $cfg['Server']['host'] = $pma_auth_server;
        $host_overridden = true;
    }
    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;

    // Name and password cookies need to be refreshed each time.
    // Username cookie: "user:current_time", duration = one month
    $user_payload = $cfg['Server']['user'] . ':' . $GLOBALS['current_time'];
    PMA_setCookie('pma_cookie_username-' . $server,
        PMA_blowfish_encrypt($user_payload, $GLOBALS['cfg']['blowfish_secret']));

    // Password cookie: keyed with secret + the same timestamp, duration = as
    // configured; an empty password is stored as the "\xff(blank)" sentinel
    $pw_payload = !empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "\xff(blank)";
    PMA_setCookie('pma_cookie_password-' . $server,
        PMA_blowfish_encrypt($pw_payload, $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']),
        null,
        $GLOBALS['cfg']['LoginCookieStore']);

    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if ($from_cookie) {
        return true;
    }

    if ($GLOBALS['cfg']['AllowArbitraryServer']) {
        if (!empty($pma_auth_server) && $host_overridden) {
            // Duration = one month for servername
            PMA_setCookie('pma_cookie_servername-' . $server, $cfg['Server']['host']);
        } else {
            // Delete servername cookie
            PMA_removeCookie('pma_cookie_servername-' . $server);
        }
    }

    // URL where to go, plus the parameters worth keeping across the reload
    $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
    $url_params = array();
    if ( isset($GLOBALS['db']) && strlen($GLOBALS['db']) ) {
        $url_params['db'] = $GLOBALS['db'];
    }
    if ( isset($GLOBALS['table']) && strlen($GLOBALS['table']) ) {
        $url_params['table'] = $GLOBALS['table'];
    }
    // Language change from the login panel needs to be remembered
    if ( ! empty($GLOBALS['lang']) ) {
        $url_params['lang'] = $GLOBALS['lang'];
    }
    // any target to pass?
    if ( ! empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php' ) {
        $url_params['target'] = $GLOBALS['target'];
    }

    define('PMA_COMING_FROM_COOKIE_LOGIN',1);
    PMA_sendHeaderLocation( $redirect_url . PMA_generate_common_url( $url_params, '&' ) );
    exit();
} // end of the 'PMA_auth_set_user()' function
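/**
 * User is not allowed to login to MySQL -> authentication failed
 *
 * Removes the password cookie of the current server, picks the message to
 * display (access denied, inactivity timeout, driver error, PHP error, or a
 * generic failure -- in that order of precedence) and shows the login form
 * again through PMA_auth(), which exits.
 *
 * @global string  $conn_error  the message displayed by PMA_auth() (out)
 * @global integer $server      the current server id (cookie name suffix)
 *
 * @return boolean always true (no return indeed: PMA_auth() exits)
 *
 * @access public
 */
function PMA_auth_fails()
{
    global $conn_error, $server;

    // Deletes password cookie and displays the login form
    PMA_removeCookie('pma_cookie_password-' . $server);

    if (isset($GLOBALS['allowDeny_forbidden']) && $GLOBALS['allowDeny_forbidden']) {
        $conn_error = $GLOBALS['strAccessDenied'];
    } elseif (isset($GLOBALS['no_activity']) && $GLOBALS['no_activity']) {
        $conn_error = sprintf($GLOBALS['strNoActivity'], $GLOBALS['cfg']['LoginCookieValidity']);
        // Remember where we got timeout to return on same place
        if (PMA_getenv('SCRIPT_NAME')) {
            $GLOBALS['target'] = basename(PMA_getenv('SCRIPT_NAME'));
        }
    } else {
        // Read the driver error once: the former code called
        // PMA_DBI_getError() twice (test, then use), which is fragile if the
        // getter ever clears its state on read.
        $dbi_error = PMA_DBI_getError();
        if ($dbi_error) {
            // driver messages are sanitized before being echoed by PMA_auth()
            $conn_error = PMA_sanitize($dbi_error);
        } elseif (isset($php_errormsg)) {
            // NOTE(review): $php_errormsg is a local here; it is only populated
            // (with track_errors) by an error raised in this very scope -- confirm
            // this branch is still reachable
            $conn_error = $php_errormsg;
        } else {
            $conn_error = $GLOBALS['strCannotLogin'];
        }
    }

    PMA_auth();

    return true;
} // end of the 'PMA_auth_fails()' function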