Do not store plain text password to history in creating user
This commit is contained in:
parent
c270a06fb1
commit
0eadfc2b3f
|
@ -46,17 +46,24 @@ if (isset($_GET["host"]) && ($result = $connection->query("SHOW GRANTS FOR " . q
|
|||
|
||||
if ($_POST && !$error) {
|
||||
$old_user = (isset($_GET["host"]) ? q($USER) . "@" . q($_GET["host"]) : "''");
|
||||
$new_user = q($_POST["user"]) . "@" . q($_POST["host"]); // if $_GET["host"] is not set then $new_user is always different
|
||||
$pass = q($_POST["pass"]);
|
||||
if ($_POST["drop"]) {
|
||||
query_redirect("DROP USER $old_user", ME . "privileges=", lang('User has been dropped.'));
|
||||
} else {
|
||||
$new_user = q($_POST["user"]) . "@" . q($_POST["host"]); // if $_GET["host"] is not set then $new_user is always different
|
||||
$pass = $_POST["pass"];
|
||||
if (!$_POST["hashed"]) {
|
||||
// compute hash in a separate query so that plain text password is not saved to history
|
||||
$pass = $connection->result("SELECT PASSWORD(" . q($pass) . ")");
|
||||
$error = !$pass;
|
||||
}
|
||||
$created = false;
|
||||
if ($old_user != $new_user) {
|
||||
$created = queries(($connection->server_info < 5 ? "GRANT USAGE ON *.* TO" : "CREATE USER") . " $new_user IDENTIFIED BY" . ($_POST["hashed"] ? " PASSWORD" : "") . " $pass");
|
||||
$error = !$created;
|
||||
} elseif ($_POST["pass"] != $old_pass || !$_POST["hashed"]) {
|
||||
queries("SET PASSWORD FOR $new_user = " . ($_POST["hashed"] ? $pass : "PASSWORD($pass)"));
|
||||
if (!$error) {
|
||||
if ($old_user != $new_user) {
|
||||
$created = queries(($connection->server_info < 5 ? "GRANT USAGE ON *.* TO" : "CREATE USER") . " $new_user IDENTIFIED BY PASSWORD " . q($pass));
|
||||
$error = !$created;
|
||||
} elseif ($pass != $old_pass) {
|
||||
queries("SET PASSWORD FOR $new_user = " . q($pass));
|
||||
}
|
||||
}
|
||||
if (!$error) {
|
||||
$revoke = array();
|
||||
|
|
|
@ -2,8 +2,9 @@ Adminer 3.6.4-dev:
|
|||
Display pagination on a fixed position
|
||||
Increase default select limit to 50
|
||||
Display SQL edit form on Ctrl+click on the select query
|
||||
Display SQL history from oldest
|
||||
Display SQL history from newest
|
||||
Recover original view, trigger, routine if creating fails
|
||||
Do not store plain text password to history in creating user
|
||||
Selectable ON UPDATE CURRENT_TIMESTAMP field in create table
|
||||
Open database to a new window after selecting it with Ctrl
|
||||
Clear column name after resetting search (bug #3601200)
|
||||
|
|
Loading…
Reference in a new issue