Do not store plain text password to history in creating user

Jakub Vrana 2013-04-24 18:42:26 -07:00
parent c270a06fb1
commit 0eadfc2b3f
2 changed files with 16 additions and 8 deletions


@ -46,17 +46,24 @@ if (isset($_GET["host"]) && ($result = $connection->query("SHOW GRANTS FOR " . q
if ($_POST && !$error) {
$old_user = (isset($_GET["host"]) ? q($USER) . "@" . q($_GET["host"]) : "''");
$new_user = q($_POST["user"]) . "@" . q($_POST["host"]); // if $_GET["host"] is not set then $new_user is always different
$pass = q($_POST["pass"]);
if ($_POST["drop"]) {
query_redirect("DROP USER $old_user", ME . "privileges=", lang('User has been dropped.'));
} else {
$new_user = q($_POST["user"]) . "@" . q($_POST["host"]); // if $_GET["host"] is not set then $new_user is always different
$pass = $_POST["pass"];
if (!$_POST["hashed"]) {
// compute hash in a separate query so that plain text password is not saved to history
$pass = $connection->result("SELECT PASSWORD(" . q($pass) . ")");
$error = !$pass;
}
$created = false;
if ($old_user != $new_user) {
$created = queries(($connection->server_info < 5 ? "GRANT USAGE ON *.* TO" : "CREATE USER") . " $new_user IDENTIFIED BY" . ($_POST["hashed"] ? " PASSWORD" : "") . " $pass");
$error = !$created;
} elseif ($_POST["pass"] != $old_pass || !$_POST["hashed"]) {
queries("SET PASSWORD FOR $new_user = " . ($_POST["hashed"] ? $pass : "PASSWORD($pass)"));
if (!$error) {
if ($old_user != $new_user) {
$created = queries(($connection->server_info < 5 ? "GRANT USAGE ON *.* TO" : "CREATE USER") . " $new_user IDENTIFIED BY PASSWORD " . q($pass));
$error = !$created;
} elseif ($pass != $old_pass) {
queries("SET PASSWORD FOR $new_user = " . q($pass));
}
}
if (!$error) {
$revoke = array();
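Review bot: In the new `if (!$_POST["hashed"])` block, `$error = !$pass;` cannot tell an empty hash from a failed lookup, and MySQL's `PASSWORD('')` returns an empty string, so a blank password now appears to stop the request with a bare `true` in `$error` and no message. Guarding the lookup with `if ($_POST["pass"] != "" && !$_POST["hashed"]) {` would leave `!$pass` meaning only that the hash query failed. The return value of `queries("SET PASSWORD FOR ...")` in the `elseif` branch is also still discarded, so a rejected password change never sets `$error`; `$error = !queries(...)` there would surface it. The inline comment should say that the plain text is kept out of Adminer's own history only, for example `// hash in a separate query to keep the plain text out of Adminer's history; the SELECT still sends it to the server`, since a server-side general query log may still record that statement. The enclosing `if ($_POST && !$error)` block continues past the end of the hunk.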


@ -2,8 +2,9 @@ Adminer 3.6.4-dev:
Display pagination on a fixed position
Increase default select limit to 50
Display SQL edit form on Ctrl+click on the select query
Display SQL history from oldest
Display SQL history from newest
Recover original view, trigger, routine if creating fails
Do not store plain text password to history in creating user
Selectable ON UPDATE CURRENT_TIMESTAMP field in create table
Open database to a new window after selecting it with Ctrl
Clear column name after resetting search (bug #3601200)