Viewing file:  AuthenticationCookie.class.php (27.91 KB) -rw-rw-rw-
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* Cookie Authentication plugin for phpMyAdmin
*
* @package PhpMyAdmin-Authentication
* @subpackage Cookie
*/
if (! defined('PHPMYADMIN')) {
exit;
}
/* Get the authentication interface */
require_once 'libraries/plugins/AuthenticationPlugin.class.php';
/**
* Remember where to redirect the user
* in case of an expired session.
*/
if (! empty($_REQUEST['target'])) {
$GLOBALS['target'] = $_REQUEST['target'];
} else if (PMA_getenv('SCRIPT_NAME')) {
$GLOBALS['target'] = basename(PMA_getenv('SCRIPT_NAME'));
}
/**
* Swekey authentication functions.
*/
require './libraries/plugins/auth/swekey/swekey.auth.lib.php';
/**
* Handles the cookie authentication method
*
* @package PhpMyAdmin-Authentication
*/
class AuthenticationCookie extends AuthenticationPlugin
{
/**
* IV for Blowfish.
*/
private $_blowfish_iv = null;
/**
* Displays authentication form
*
* this function MUST exit/quit the application
*
* @global string $conn_error the last connection error
*
* @return boolean|void
*/
public function auth()
{
global $conn_error;
$response = PMA_Response::getInstance();
if ($response->isAjax()) {
$response->isSuccess(false);
$response->addJSON(
'redirect_flag',
'1'
);
if (defined('TESTSUITE')) {
return true;
} else {
exit;
}
}
/* Perform logout to custom URL */
if (! empty($_REQUEST['old_usr'])
&& ! empty($GLOBALS['cfg']['Server']['LogoutURL'])
) {
PMA_sendHeaderLocation($GLOBALS['cfg']['Server']['LogoutURL']);
if (defined('TESTSUITE')) {
return true;
} else {
exit;
}
}
// No recall if blowfish secret is not configured as it would produce
// garbage
if ($GLOBALS['cfg']['LoginCookieRecall']
&& ! empty($GLOBALS['cfg']['blowfish_secret'])
) {
$default_user = $GLOBALS['PHP_AUTH_USER'];
$default_server = $GLOBALS['pma_auth_server'];
$autocomplete = '';
} else {
$default_user = '';
$default_server = '';
// skip the IE autocomplete feature.
$autocomplete = ' autocomplete="off"';
}
$response->getFooter()->setMinimal();
$header = $response->getHeader();
$header->setBodyId('loginform');
$header->setTitle('phpMyAdmin');
$header->disableMenu();
$header->disableWarnings();
if (file_exists(CUSTOM_HEADER_FILE)) {
include CUSTOM_HEADER_FILE;
}
echo '
<div class="container">
<a href="';
echo PMA_linkURL('http://www.phpmyadmin.net/');
echo '" target="_blank" class="logo">';
$logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
if (@file_exists($logo_image)) {
echo '<img src="' . $logo_image
. '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
} else {
echo '<img name="imLogo" id="imLogo" src="'
. $GLOBALS['pmaThemeImage'] . 'pma_logo.png' . '" '
. 'border="0" width="88" height="31" alt="phpMyAdmin" />';
}
echo '</a>
<h1>';
echo sprintf(
__('Welcome to %s'),
'<bdo dir="ltr" lang="en">phpMyAdmin</bdo>'
);
echo "</h1>";
// Show error message
if (! empty($conn_error)) {
PMA_Message::rawError($conn_error)->display();
} elseif (isset($_GET['session_expired'])
&& intval($_GET['session_expired']) == 1
) {
PMA_Message::rawError(
__('Your session has expired. Please log in again.')
)->display();
}
echo "<noscript>\n";
PMA_message::error(
__("Javascript must be enabled past this point!")
)->display();
echo "</noscript>\n";
echo "<div class='hide js-show'>";
// Displays the languages form
if (empty($GLOBALS['cfg']['Lang'])) {
include_once './libraries/display_select_lang.lib.php';
// use fieldset, don't show doc link
echo PMA_getLanguageSelectorHtml(true, false);
}
echo '</div>
<br />
<!-- Login form -->
<form method="post" action="index.php" name="login_form"' . $autocomplete .
' class="disableAjax login hide js-show">
<fieldset>
<legend>';
echo __('Log in');
echo PMA_Util::showDocu('index');
echo '</legend>';
if ($GLOBALS['cfg']['AllowArbitraryServer']) {
echo '
<div class="item">
<label for="input_servername" title="';
echo __(
'You can enter hostname/IP address and port separated by space.'
);
echo '">';
echo __('Server:');
echo '</label>
<input type="text" name="pma_servername" id="input_servername"';
echo ' value="';
echo htmlspecialchars($default_server);
echo '" size="24" class="textfield" title="';
echo __(
'You can enter hostname/IP address and port separated by space.'
); echo '" />
</div>';
}
echo '<div class="item">
<label for="input_username">' . __('Username:') . '</label>
<input type="text" name="pma_username" id="input_username" '
. 'value="' . htmlspecialchars($default_user) . '" size="24"'
. ' class="textfield"/>
</div>
<div class="item">
<label for="input_password">' . __('Password:') . '</label>
<input type="password" name="pma_password" id="input_password"'
. ' value="" size="24" class="textfield" />
</div>';
if (count($GLOBALS['cfg']['Servers']) > 1) {
echo '<div class="item">
<label for="select_server">' . __('Server Choice:') . '</label>
<select name="server" id="select_server"';
if ($GLOBALS['cfg']['AllowArbitraryServer']) {
echo ' onchange="document.forms[\'login_form\'].'
. 'elements[\'pma_servername\'].value = \'\'" ';
}
echo '>';
include_once './libraries/select_server.lib.php';
echo PMA_selectServer(false, false);
echo '</select></div>';
} else {
echo ' <input type="hidden" name="server" value="'
. $GLOBALS['server'] . '" />';
} // end if (server choice)
// We already have one correct captcha.
$skip = false;
if ( isset($_SESSION['last_valid_captcha'])
&& $_SESSION['last_valid_captcha']
) {
$skip = true;
}
// Add captcha input field if reCaptcha is enabled
if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
&& !$skip
) {
// If enabled show captcha to the user on the login screen.
echo '<script type="text/javascript">
var RecaptchaOptions = {
theme : "white"
};
</script>
<script type="text/javascript"
src="https://www.google.com/recaptcha/api/challenge?'
. 'k=' . $GLOBALS['cfg']['CaptchaLoginPublicKey'] . '&'
. 'hl=' . $GLOBALS['lang'] . '">
</script>
<noscript>
<iframe src="https://www.google.com/recaptcha/api/noscript?k='
. $GLOBALS['cfg']['CaptchaLoginPublicKey'] . '"
height="300" width="500" frameborder="0"></iframe><br>
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
</textarea>
<input type="hidden" name="recaptcha_response_field"
value="manual_challenge">
</noscript>
<script type="text/javascript">
$("#recaptcha_reload_btn").addClass("disableAjax");
$("#recaptcha_switch_audio_btn").addClass("disableAjax");
$("#recaptcha_switch_img_btn").addClass("disableAjax");
$("#recaptcha_whatsthis_btn").addClass("disableAjax");
$("#recaptcha_audio_play_again").live("mouseover", function() {
$(this).addClass("disableAjax");
});
</script>';
}
echo '</fieldset>
<fieldset class="tblFooters">
<input value="' . __('Go') . '" type="submit" id="input_go" />';
$_form_params = array();
if (! empty($GLOBALS['target'])) {
$_form_params['target'] = $GLOBALS['target'];
}
if (! empty($GLOBALS['db'])) {
$_form_params['db'] = $GLOBALS['db'];
}
if (! empty($GLOBALS['table'])) {
$_form_params['table'] = $GLOBALS['table'];
}
// do not generate a "server" hidden field as we want the "server"
// drop-down to have priority
echo PMA_URL_getHiddenInputs($_form_params, '', 0, 'server');
echo '</fieldset>
</form>';
// BEGIN Swekey Integration
Swekey_login('input_username', 'input_go');
// END Swekey Integration
if ($GLOBALS['error_handler']->hasDisplayErrors()) {
echo '<div>';
$GLOBALS['error_handler']->dispErrors();
echo '</div>';
}
echo '</div>';
if (file_exists(CUSTOM_FOOTER_FILE)) {
include CUSTOM_FOOTER_FILE;
}
if (! defined('TESTSUITE')) {
exit;
} else {
return true;
}
}
/**
* Gets advanced authentication settings
*
* this function DOES NOT check authentication - it just checks/provides
* authentication credentials required to connect to the MySQL server
* usually with $GLOBALS['dbi']->connect()
*
* it returns false if something is missing - which usually leads to
* auth() which displays login form
*
* it returns true if all seems ok which usually leads to auth_set_user()
*
* it directly switches to authFails() if user inactivity timout is reached
*
* @todo AllowArbitraryServer on does not imply that the user wants an
* arbitrary server, or? so we should also check if this is filled
* and not only if allowed
*
* @return boolean whether we get authentication settings or not
*/
public function authCheck()
{
global $conn_error;
// Initialization
/**
* @global $GLOBALS['pma_auth_server'] the user provided server to
* connect to
*/
$GLOBALS['pma_auth_server'] = '';
$GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
$GLOBALS['from_cookie'] = false;
// BEGIN Swekey Integration
if (! Swekey_Auth_check()) {
return false;
}
// END Swekey Integration
if (defined('PMA_CLEAR_COOKIES')) {
foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
$GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
$GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
$GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
}
return false;
}
// We already have one correct captcha.
$skip = false;
if ( isset($_SESSION['last_valid_captcha'])
&& $_SESSION['last_valid_captcha']
) {
$skip = true;
}
// Verify Captcha if it is required.
if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
&& !$skip
) {
if ( !empty($_POST["recaptcha_challenge_field"])
&& !empty($_POST["recaptcha_response_field"])
) {
include_once 'libraries/plugins/auth/recaptchalib.php';
// Use private key to verify captcha status.
$resp = recaptcha_check_answer(
$GLOBALS['cfg']['CaptchaLoginPrivateKey'],
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]
);
// Check if the captcha entered is valid, if not stop the login.
if ( !$resp->is_valid ) {
$conn_error = __('Entered captcha is wrong, try again!');
$_SESSION['last_valid_captcha'] = false;
return false;
} else {
$_SESSION['last_valid_captcha'] = true;
}
} elseif (! empty($_POST["recaptcha_challenge_field"])
&& empty($_POST["recaptcha_response_field"])
) {
$conn_error = __('Please enter correct captcha!');
return false;
} else {
if (! isset($_SESSION['last_valid_captcha'])
|| ! $_SESSION['last_valid_captcha']
) {
return false;
}
}
}
if (! empty($_REQUEST['old_usr'])) {
// The user wants to be logged out
// -> delete his choices that were stored in session
// according to the PHP manual we should do this before the destroy:
//$_SESSION = array();
if (! defined('TESTSUITE')) {
session_destroy();
// $_SESSION array is not immediately emptied
$_SESSION['last_valid_captcha'] = false;
}
// -> delete password cookie(s)
if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
$GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
if (isset($_COOKIE['pmaPass-' . $key])) {
unset($_COOKIE['pmaPass-' . $key]);
}
}
} else {
$GLOBALS['PMA_Config']->removeCookie(
'pmaPass-' . $GLOBALS['server']
);
if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
}
}
}
if (! empty($_REQUEST['pma_username'])) {
// The user just logged in
$GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
$GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password'])
? ''
: $_REQUEST['pma_password'];
if ($GLOBALS['cfg']['AllowArbitraryServer']
&& isset($_REQUEST['pma_servername'])
) {
$GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
}
return true;
}
// At the end, try to set the $GLOBALS['PHP_AUTH_USER']
// and $GLOBALS['PHP_AUTH_PW'] variables from cookies
// servername
if ($GLOBALS['cfg']['AllowArbitraryServer']
&& ! empty($_COOKIE['pmaServer-' . $GLOBALS['server']])
) {
$GLOBALS['pma_auth_server']
= $_COOKIE['pmaServer-' . $GLOBALS['server']];
}
// check cookies
if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])
|| empty($_COOKIE['pma_mcrypt_iv'])
) {
return false;
}
$GLOBALS['PHP_AUTH_USER'] = $this->blowfishDecrypt(
$_COOKIE['pmaUser-' . $GLOBALS['server']],
$this->_getBlowfishSecret()
);
// user was never logged in since session start
if (empty($_SESSION['last_access_time'])) {
return false;
}
// User inactive too long
$last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
if ($_SESSION['last_access_time'] < $last_access_time
) {
PMA_Util::cacheUnset('is_create_db_priv', null);
PMA_Util::cacheUnset('is_process_priv', null);
PMA_Util::cacheUnset('is_reload_priv', null);
PMA_Util::cacheUnset('db_to_create', null);
PMA_Util::cacheUnset('dbs_where_create_table_allowed', null);
$GLOBALS['no_activity'] = true;
$this->authFails();
if (! defined('TESTSUITE')) {
exit;
} else {
return false;
}
}
// check password cookie
if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
return false;
}
$GLOBALS['PHP_AUTH_PW'] = $this->blowfishDecrypt(
$_COOKIE['pmaPass-' . $GLOBALS['server']],
$this->_getBlowfishSecret()
);
if ($GLOBALS['PHP_AUTH_PW'] == "\xff(blank)") {
$GLOBALS['PHP_AUTH_PW'] = '';
}
$GLOBALS['from_cookie'] = true;
return true;
}
/**
* Set the user and password after last checkings if required
*
* @return boolean always true
*/
public function authSetUser()
{
global $cfg;
// Ensures valid authentication mode, 'only_db', bookmark database and
// table names and relation table name are used
if ($cfg['Server']['user'] != $GLOBALS['PHP_AUTH_USER']) {
foreach ($cfg['Servers'] as $idx => $current) {
if ($current['host'] == $cfg['Server']['host']
&& $current['port'] == $cfg['Server']['port']
&& $current['socket'] == $cfg['Server']['socket']
&& $current['ssl'] == $cfg['Server']['ssl']
&& $current['connect_type'] == $cfg['Server']['connect_type']
&& $current['user'] == $GLOBALS['PHP_AUTH_USER']
) {
$GLOBALS['server'] = $idx;
$cfg['Server'] = $current;
break;
}
} // end foreach
} // end if
if ($GLOBALS['cfg']['AllowArbitraryServer']
&& ! empty($GLOBALS['pma_auth_server'])
) {
/* Allow to specify 'host port' */
$parts = explode(' ', $GLOBALS['pma_auth_server']);
if (count($parts) == 2) {
$tmp_host = $parts[0];
$tmp_port = $parts[1];
} else {
$tmp_host = $GLOBALS['pma_auth_server'];
$tmp_port = '';
}
if ($cfg['Server']['host'] != $GLOBALS['pma_auth_server']) {
$cfg['Server']['host'] = $tmp_host;
if (! empty($tmp_port)) {
$cfg['Server']['port'] = $tmp_port;
}
}
unset($tmp_host, $tmp_port, $parts);
}
$cfg['Server']['user'] = $GLOBALS['PHP_AUTH_USER'];
$cfg['Server']['password'] = $GLOBALS['PHP_AUTH_PW'];
// Avoid showing the password in phpinfo()'s output
unset($GLOBALS['PHP_AUTH_PW']);
unset($_SERVER['PHP_AUTH_PW']);
$_SESSION['last_access_time'] = time();
$this->createBlowfishIV();
// Name and password cookies need to be refreshed each time
// Duration = one month for username
$GLOBALS['PMA_Config']->setCookie(
'pmaUser-' . $GLOBALS['server'],
$this->blowfishEncrypt(
$cfg['Server']['user'],
$this->_getBlowfishSecret()
)
);
// Duration = as configured
$GLOBALS['PMA_Config']->setCookie(
'pmaPass-' . $GLOBALS['server'],
$this->blowfishEncrypt(
! empty($cfg['Server']['password'])
? $cfg['Server']['password'] : "\xff(blank)",
$this->_getBlowfishSecret()
),
null,
$GLOBALS['cfg']['LoginCookieStore']
);
// Set server cookies if required (once per session) and, in this case,
// force reload to ensure the client accepts cookies
if (! $GLOBALS['from_cookie']) {
if ($GLOBALS['cfg']['AllowArbitraryServer']) {
if (! empty($GLOBALS['pma_auth_server'])) {
// Duration = one month for servername
$GLOBALS['PMA_Config']->setCookie(
'pmaServer-' . $GLOBALS['server'],
$cfg['Server']['host']
);
} else {
// Delete servername cookie
$GLOBALS['PMA_Config']->removeCookie(
'pmaServer-' . $GLOBALS['server']
);
}
}
// URL where to go:
$redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
// any parameters to pass?
$url_params = array();
if (strlen($GLOBALS['db'])) {
$url_params['db'] = $GLOBALS['db'];
}
if (strlen($GLOBALS['table'])) {
$url_params['table'] = $GLOBALS['table'];
}
// any target to pass?
if (! empty($GLOBALS['target'])
&& $GLOBALS['target'] != 'index.php'
) {
$url_params['target'] = $GLOBALS['target'];
}
/**
* Clear user cache.
*/
PMA_Util::clearUserCache();
PMA_Response::getInstance()->disable();
PMA_sendHeaderLocation(
$redirect_url . PMA_URL_getCommon($url_params, '&'),
true
);
if (! defined('TESTSUITE')) {
exit;
} else {
return false;
}
} // end if
return true;
}
/**
* User is not allowed to login to MySQL -> authentication failed
*
* prepares error message and switches to auth() which display the error
* and the login form
*
* this function MUST exit/quit the application,
* currently doen by call to auth()
*
* @return void
*/
public function authFails()
{
global $conn_error;
// Deletes password cookie and displays the login form
$GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
if (! empty($GLOBALS['login_without_password_is_forbidden'])) {
$conn_error = __(
'Login without a password is forbidden by configuration'
. ' (see AllowNoPassword)'
);
} elseif (! empty($GLOBALS['allowDeny_forbidden'])) {
$conn_error = __('Access denied!');
} elseif (! empty($GLOBALS['no_activity'])) {
$conn_error = sprintf(
__('No activity within %s seconds; please log in again.'),
$GLOBALS['cfg']['LoginCookieValidity']
);
} elseif ($GLOBALS['dbi']->getError()) {
$conn_error = '#' . $GLOBALS['errno'] . ' '
. __('Cannot log in to the MySQL server');
} else {
$conn_error = __('Cannot log in to the MySQL server');
}
// needed for PHP-CGI (not need for FastCGI or mod-php)
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
$this->auth();
}
/**
* Returns blowfish secret or generates one if needed.
*
* @return string
*/
private function _getBlowfishSecret()
{
if (empty($GLOBALS['cfg']['blowfish_secret'])) {
if (empty($_SESSION['auto_blowfish_secret'])) {
// this returns 23 characters
$_SESSION['auto_blowfish_secret'] = uniqid('', true);
}
return $_SESSION['auto_blowfish_secret'];
} else {
// apply md5() to work around too long secrets (returns 32 characters)
return md5($GLOBALS['cfg']['blowfish_secret']);
}
}
/**
* Encryption using blowfish algorithm (mcrypt)
* or phpseclib's AES if mcrypt not available
*
* @param string $data original data
* @param string $secret the secret
*
* @return string the encrypted result
*/
public function blowfishEncrypt($data, $secret)
{
if (! function_exists('mcrypt_encrypt')) {
/**
* This library uses mcrypt when available, so
* we could always call it instead of having an
* if/then/else logic, however the include_once
* call is costly
*/
include_once PHPSECLIB_INC_DIR . '/Crypt/AES.php';
$cipher = new Crypt_AES(CRYPT_AES_MODE_ECB);
$cipher->setKey($secret);
return base64_encode($cipher->encrypt($data));
} else {
return base64_encode(
mcrypt_encrypt(
MCRYPT_BLOWFISH,
$secret,
$data,
MCRYPT_MODE_CBC,
$this->_blowfish_iv
)
);
}
}
/**
* Decryption using blowfish algorithm (mcrypt)
* or phpseclib's AES if mcrypt not available
*
* @param string $encdata encrypted data
* @param string $secret the secret
*
* @return string original data
*/
public function blowfishDecrypt($encdata, $secret)
{
if (is_null($this->_blowfish_iv)) {
$this->_blowfish_iv = base64_decode($_COOKIE['pma_mcrypt_iv'], true);
}
if (! function_exists('mcrypt_encrypt')) {
include_once PHPSECLIB_INC_DIR . '/Crypt/AES.php';
$cipher = new Crypt_AES(CRYPT_AES_MODE_ECB);
$cipher->setKey($secret);
return $cipher->decrypt(base64_decode($encdata));
} else {
$data = base64_decode($encdata);
$decrypted = mcrypt_decrypt(
MCRYPT_BLOWFISH,
$secret,
$data,
MCRYPT_MODE_CBC,
$this->_blowfish_iv
);
return trim($decrypted);
}
}
/**
* Initialization
* Store the initialization vector because it will be needed for
* further decryption. I don't think necessary to have one iv
* per server so I don't put the server number in the cookie name.
*
* @return void
*/
public function createBlowfishIV()
{
if (function_exists('mcrypt_encrypt')) {
$td = mcrypt_module_open(MCRYPT_BLOWFISH, '', MCRYPT_MODE_CBC, '');
if ($td === false) {
PMA_fatalError(__('Failed to use Blowfish from mcrypt!'));
}
$this->_blowfish_iv = mcrypt_create_iv(
mcrypt_enc_get_iv_size($td),
MCRYPT_DEV_URANDOM
);
} else {
/*
* We don't use this value without mcrypt, but let's set it
* so that we don't have to check conditionally for it.
*/
$this->_blowfish_iv = 'dummy';
}
$GLOBALS['PMA_Config']->setCookie(
'pma_mcrypt_iv',
base64_encode($this->_blowfish_iv)
);
}
/**
* Sets Blowfis IV to use
*
* @param string $vector The IV
*
* @return void
*/
public function setBlowfishIv($vector)
{
$this->_blowfish_iv = $vector;
}
/**
* This method is called when any PluginManager to which the observer
* is attached calls PluginManager::notify()
*
* @param SplSubject $subject The PluginManager notifying the observer
* of an update.
*
* @return void
*/
public function update (SplSubject $subject)
{
}
}
|