setup/lib/index.lib.php

   1 <?php
   2
   3 /**
   4  * Various checks and message functions used on index page.
   5  *
   6  * Security checks are the idea of Aung Khant <aungkhant[at]yehg.net>, http://yehg.net/lab
   7  * Version check taken from the old setup script by Michal Čihař <michal@cihar.com>
   8  *
   9  * @package    phpMyAdmin-setup
  10  * @author     Piotr Przybylski <piotrprz@gmail.com>
  11  * @license    http://www.gnu.org/licenses/gpl.html GNU GPL 2.0
  12  * @version    $Id$
  13  */
  14
  15 if (!defined('PHPMYADMIN')) {
  16     exit;
  17 }
  18
  19 /**
  20  * Load vendor config.
  21  */
  22 require_once('./libraries/vendor_config.php');
  23
  24 /**
  25  * Initializes message list
  26  */
  27 function messages_begin()
  28 {
  29     if (!isset($_SESSION['messages']) || !is_array($_SESSION['messages'])) {
  30         $_SESSION['messages'] = array('error' => array(), 'warning' => array(), 'notice' => array());
  31     } else {
  32         // reset message states
  33         foreach ($_SESSION['messages'] as &$messages) {
  34             foreach ($messages as &$msg) {
  35                 $msg['fresh'] = false;
  36                 $msg['active'] = false;
  37             }
  38         }
  39     }
  40 }
  41
  42 /**
  43  * Adds a new message to message list
  44  *
  45  * @param string $id unique message identifier
  46  * @param string $type one of: notice, warning, error
  47  * @param string $title language string id (in $str array)
  48  * @param string $message message text
  49  */
  50 function messages_set($type, $id, $title, $message)
  51 {
  52     $fresh = !isset($_SESSION['messages'][$type][$id]);
  53     $title = PMA_lang($title);
  54     $_SESSION['messages'][$type][$id] = array(
  55         'fresh' => $fresh,
  56         'active' => true,
  57         'title' => $title,
  58         'message' => $message);
  59 }
  60
  61 /**
  62  * Cleans up message list
  63  */
  64 function messages_end()
  65 {
  66     foreach ($_SESSION['messages'] as &$messages) {
  67         $remove_ids = array();
  68         foreach ($messages as $id => &$msg) {
  69             if ($msg['active'] == false) {
  70                 $remove_ids[] = $id;
  71             }
  72         }
  73         foreach ($remove_ids as $id) {
  74             unset($messages[$id]);
  75         }
  76     }
  77 }
  78
  79 /**
  80  * Prints message list, must be called after messages_end()
  81  */
  82 function messages_show_html()
  83 {
  84     $old_ids = array();
  85     foreach ($_SESSION['messages'] as $type => $messages) {
  86         foreach ($messages as $id => $msg) {
  87             echo '<div class="' . $type . '" id="' . $id . '">' . '<h4>' . $msg['title'] . '</h4>' . $msg['message'] . '</div>';
  88             if (!$msg['fresh'] && $type != 'error') {
  89                 $old_ids[] = $id;
  90             }
  91         }
  92     }
  93
  94     echo "\n" . '<script type="text/javascript">';
  95     foreach ($old_ids as $id) {
  96         echo "\nhiddenMessages.push('$id');";
  97     }
  98     echo "\n</script>\n";
  99 }
 100
 101 /**
 102  * Checks for newest phpMyAdmin version and sets result as a new notice
 103  */
 104 function PMA_version_check()
 105 {
 106     // version check messages should always be visible so let's make
 107     // a unique message id each time we run it
 108     $message_id = uniqid('version_check');
 109     // wait 3s at most for server response, it's enough to get information
 110     // from a working server
 111     $connection_timeout = 3;
 112
 113     $url = 'http://phpmyadmin.net/home_page/version.php';
 114     $context = stream_context_create(array(
 115         'http' => array(
 116             'timeout' => $connection_timeout)));
 117     $data = @file_get_contents($url, null, $context);
 118     if ($data === false) {
 119         if (function_exists('curl_init')) {
 120             $ch = curl_init($url);
 121             curl_setopt($ch, CURLOPT_HEADER, false);
 122             curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 123             curl_setopt($ch, CURLOPT_TIMEOUT, $connection_timeout);
 124             $data = curl_exec($ch);
 125             curl_close($ch);
 126         } else {
 127             messages_set('error', $message_id, 'VersionCheck',
 128                 PMA_lang('VersionCheckWrapperError'));
 129             return;
 130         }
 131     }
 132
 133     if (empty($data)) {
 134         messages_set('error', $message_id, 'VersionCheck',
 135             PMA_lang('VersionCheckDataError'));
 136         return;
 137     }
 138
 139     /* Format: version\ndate\n(download\n)* */
 140     $data_list = explode("\n", $data);
 141
 142     if (count($data_list) > 1) {
 143         $version = $data_list[0];
 144         $date = $data_list[1];
 145     } else {
 146         $version = $date = '';
 147     }
 148
 149     $version_upstream = version_to_int($version);
 150     if ($version_upstream === false) {
 151         messages_set('error', $message_id, 'VersionCheck',
 152             PMA_lang('VersionCheckInvalid'));
 153         return;
 154     }
 155
 156     $version_local = version_to_int($_SESSION['PMA_Config']->get('PMA_VERSION'));
 157     if ($version_local === false) {
 158         messages_set('error', $message_id, 'VersionCheck',
 159             PMA_lang('VersionCheckUnparsable'));
 160         return;
 161     }
 162
 163     if ($version_upstream > $version_local) {
 164         $version = htmlspecialchars($version);
 165         $date = htmlspecialchars($date);
 166         messages_set('notice', $message_id, 'VersionCheck',
 167             PMA_lang('VersionCheckNewAvailable', $version, $date));
 168     } else {
 169         if ($version_local % 100 == 0) {
 170             messages_set('notice', $message_id, 'VersionCheck',
 171                 PMA_lang('VersionCheckNewAvailableSvn', $version, $date));
 172         } else {
 173             messages_set('notice', $message_id, 'VersionCheck',
 174                 PMA_lang('VersionCheckNone'));
 175         }
 176     }
 177 }
 178
 179 /**
 180  * Calculates numerical equivalent of phpMyAdmin version string
 181  *
 182  * @param string  version
 183  * @return mixed  false on failure, integer on success
 184  */
 185 function version_to_int($version)
 186 {
 187     $matches = array();
 188     if (!preg_match('/^(\d+)\.(\d+)\.(\d+)((\.|-(pl|rc|dev|beta|alpha))(\d+)?)?$/', $version, $matches)) {
 189         return false;
 190     }
 191     if (!empty($matches[6])) {
 192         switch ($matches[6]) {
 193             case 'pl':
 194                 $added = 60;
 195                 break;
 196             case 'rc':
 197                 $added = 30;
 198                 break;
 199             case 'beta':
 200                 $added = 20;
 201                 break;
 202             case 'alpha':
 203                 $added = 10;
 204                 break;
 205             case 'dev':
 206                 $added = 0;
 207                 break;
 208             default:
 209                 messages_set('notice', 'version_match', 'VersionCheck',
 210                     'Unknown version part: ' . htmlspecialchars($matches[6]));
 211                 $added = 0;
 212                 break;
 213         }
 214     } else {
 215         $added = 50; // for final
 216     }
 217     if (!empty($matches[7])) {
 218         $added = $added + $matches[7];
 219     }
 220     return $matches[1] * 1000000 + $matches[2] * 10000 + $matches[3] * 100 + $added;
 221 }
 222
 223 /**
 224  * Checks whether config file is readable/writable
 225  *
 226  * @param bool &$is_readable
 227  * @param bool &$is_writable
 228  * @param bool &$file_exists
 229  */
 230 function check_config_rw(&$is_readable, &$is_writable, &$file_exists)
 231 {
 232     $file_path = ConfigFile::getInstance()->getFilePath();
 233     $file_dir = dirname($file_path);
 234     $is_readable = true;
 235     $is_writable = is_dir($file_dir);
 236     if (SETUP_DIR_WRITABLE) {
 237         $is_writable = $is_writable && is_writable($file_dir);
 238     }
 239     $file_exists = file_exists($file_path);
 240     if ($file_exists) {
 241         $is_readable = is_readable($file_path);
 242         $is_writable = $is_writable && is_writable($file_path);
 243     }
 244 }
 245
 246 /**
 247  * Performs various compatibility, security and consistency checks on current config
 248  *
 249  * Outputs results to message list, must be called between messages_begin()
 250  * and messages_end()
 251  */
 252 function perform_config_checks()
 253 {
 254     $cf = ConfigFile::getInstance();
 255     $blowfish_secret = $cf->get('blowfish_secret');
 256     $blowfish_secret_set = false;
 257     $cookie_auth_used = false;
 258     for ($i = 1, $server_cnt = $cf->getServerCount(); $i <= $server_cnt; $i++) {
 259         $cookie_auth_server = ($cf->getValue("Servers/$i/auth_type") == 'cookie');
 260         $cookie_auth_used |= $cookie_auth_server;
 261         $server_name = $cf->getServerName($i);
 262         if ($server_name == 'localhost') {
 263             $server_name .=  " [$i]";
 264         }
 265
 266         if ($cookie_auth_server && $blowfish_secret === null) {
 267             $blowfish_secret = uniqid('', true);
 268             $blowfish_secret_set = true;
 269             $cf->set('blowfish_secret', $blowfish_secret);
 270         }
 271
 272         //
 273         // $cfg['Servers'][$i]['ssl']
 274         // should be enabled if possible
 275         //
 276         if (!$cf->getValue("Servers/$i/ssl")) {
 277             $title = PMA_lang_name('Servers/1/ssl') . " ($server_name)";
 278             messages_set('notice', "Servers/$i/ssl", $title,
 279                 PMA_lang('ServerSslMsg'));
 280         }
 281
 282         //
 283         // $cfg['Servers'][$i]['extension']
 284         // warn about using 'mysql'
 285         //
 286         if ($cf->getValue("Servers/$i/extension") == 'mysql') {
 287             $title = PMA_lang_name('Servers/1/extension') . " ($server_name)";
 288             messages_set('notice', "Servers/$i/extension", $title,
 289                 PMA_lang('ServerExtensionMsg'));
 290         }
 291
 292         //
 293         // $cfg['Servers'][$i]['auth_type']
 294         // warn about full user credentials if 'auth_type' is 'config'
 295         //
 296         if ($cf->getValue("Servers/$i/auth_type") == 'config'
 297             && $cf->getValue("Servers/$i/user") != ''
 298             && $cf->getValue("Servers/$i/password") != '') {
 299             $title = PMA_lang_name('Servers/1/auth_type') . " ($server_name)";
 300             messages_set('warning', "Servers/$i/auth_type", $title,
 301                 PMA_lang('ServerAuthConfigMsg', $i) . ' ' .
 302                 PMA_lang('ServerSecurityInfoMsg', $i));
 303         }
 304
 305         //
 306         // $cfg['Servers'][$i]['AllowRoot']
 307         // $cfg['Servers'][$i]['AllowNoPassword']
 308         // serious security flaw
 309         //
 310         if ($cf->getValue("Servers/$i/AllowRoot")
 311             && $cf->getValue("Servers/$i/AllowNoPassword")) {
 312             $title = PMA_lang_name('Servers/1/AllowNoPassword') . " ($server_name)";
 313             messages_set('warning', "Servers/$i/AllowNoPassword", $title,
 314                 PMA_lang('ServerNoPasswordMsg') . ' ' .
 315                 PMA_lang('ServerSecurityInfoMsg', $i));
 316         }
 317     }
 318
 319     //
 320     // $cfg['blowfish_secret']
 321     // it's required for 'cookie' authentication
 322     //
 323     if ($cookie_auth_used) {
 324         if ($blowfish_secret_set) {
 325             // 'cookie' auth used, blowfish_secret was generated
 326             messages_set('notice', 'blowfish_secret_created', 'blowfish_secret_name',
 327                  PMA_lang('BlowfishSecretMsg'));
 328         } else {
 329             $blowfish_warnings = array();
 330             // check length
 331             if (strlen($blowfish_secret) < 8) {
 332                 // too short key
 333                 $blowfish_warnings[] = PMA_lang('BlowfishSecretLengthMsg');
 334             }
 335             // check used characters
 336             $has_digits = (bool) preg_match('/\d/', $blowfish_secret);
 337             $has_chars = (bool) preg_match('/\S/', $blowfish_secret);
 338             $has_nonword = (bool) preg_match('/\W/', $blowfish_secret);
 339             if (!$has_digits || !$has_chars || !$has_nonword) {
 340                 $blowfish_warnings[] = PMA_lang('BlowfishSecretCharsMsg');
 341             }
 342             if (!empty($blowfish_warnings)) {
 343                 messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings),
 344                     'blowfish_secret_name', implode("<br />", $blowfish_warnings));
 345             }
 346         }
 347     }
 348
 349     //
 350     // $cfg['ForceSSL']
 351     // should be enabled if possible
 352     //
 353     if (!$cf->getValue('ForceSSL')) {
 354         messages_set('notice', 'ForceSSL', 'ForceSSL_name',
 355             PMA_lang('ForceSSLMsg'));
 356     }
 357
 358     //
 359     // $cfg['AllowArbitraryServer']
 360     // should be disabled
 361     //
 362     if ($cf->getValue('AllowArbitraryServer')) {
 363         messages_set('warning', 'AllowArbitraryServer', 'AllowArbitraryServer_name',
 364             PMA_lang('AllowArbitraryServerMsg'));
 365     }
 366
 367     //
 368     // $cfg['LoginCookieValidity']
 369     // should be at most 1800 (30 min)
 370     //
 371     if ($cf->getValue('LoginCookieValidity') > 1800) {
 372         messages_set('warning', 'LoginCookieValidity', 'LoginCookieValidity_name',
 373             PMA_lang('LoginCookieValidityMsg'));
 374     }
 375
 376     //
 377     // $cfg['SaveDir']
 378     // should not be world-accessible
 379     //
 380     if ($cf->getValue('SaveDir') != '') {
 381         messages_set('notice', 'SaveDir', 'SaveDir_name',
 382             PMA_lang('DirectoryNotice'));
 383     }
 384
 385     //
 386     // $cfg['TempDir']
 387     // should not be world-accessible
 388     //
 389     if ($cf->getValue('TempDir') != '') {
 390         messages_set('notice', 'TempDir', 'TempDir_name',
 391             PMA_lang('DirectoryNotice'));
 392     }
 393
 394     //
 395     // $cfg['GZipDump']
 396     // requires zlib functions
 397     //
 398     if ($cf->getValue('GZipDump')
 399         && (@!function_exists('gzopen') || @!function_exists('gzencode'))) {
 400         messages_set('warning', 'GZipDump', 'GZipDump_name',
 401             PMA_lang('GZipDumpWarning', 'gzencode'));
 402     }
 403
 404     //
 405     // $cfg['BZipDump']
 406     // requires bzip2 functions
 407     //
 408     if ($cf->getValue('BZipDump')
 409         && (!@function_exists('bzopen') || !@function_exists('bzcompress'))) {
 410         $functions = @function_exists('bzopen')
 411             ? '' :
 412             'bzopen';
 413         $functions .= @function_exists('bzcompress')
 414             ? ''
 415             : ($functions ? ', ' : '') . 'bzcompress';
 416         messages_set('warning', 'BZipDump', 'BZipDump_name',
 417             PMA_lang('BZipDumpWarning', $functions));
 418     }
 419
 420     //
 421     // $cfg['ZipDump']
 422     // requires zip_open in import
 423     //
 424     if ($cf->getValue('ZipDump') && !@function_exists('zip_open')) {
 425         messages_set('warning', 'ZipDump_import', 'ZipDump_name',
 426             PMA_lang('ZipDumpImportWarning', 'zip_open'));
 427     }
 428
 429     //
 430     // $cfg['ZipDump']
 431     // requires gzcompress in export
 432     //
 433     if ($cf->getValue('ZipDump') && !@function_exists('gzcompress')) {
 434         messages_set('warning', 'ZipDump_export', 'ZipDump_name',
 435             PMA_lang('ZipDumpExportWarning', 'gzcompress'));
 436     }
 437 }
 438 ?>