From 0eadfc2b3f11a3f4b7dffef4c82b3711aa71070b Mon Sep 17 00:00:00 2001 From: Jakub Vrana Date: Wed, 24 Apr 2013 18:42:26 -0700 Subject: [PATCH] Do not store plain text password to history in creating user --- adminer/user.inc.php | 21 ++++++++++++++------- changes.txt | 3 ++- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/adminer/user.inc.php b/adminer/user.inc.php index cdf4360c..39520bcb 100644 --- a/adminer/user.inc.php +++ b/adminer/user.inc.php @@ -46,17 +46,24 @@ if (isset($_GET["host"]) && ($result = $connection->query("SHOW GRANTS FOR " . q if ($_POST && !$error) { $old_user = (isset($_GET["host"]) ? q($USER) . "@" . q($_GET["host"]) : "''"); - $new_user = q($_POST["user"]) . "@" . q($_POST["host"]); // if $_GET["host"] is not set then $new_user is always different - $pass = q($_POST["pass"]); if ($_POST["drop"]) { query_redirect("DROP USER $old_user", ME . "privileges=", lang('User has been dropped.')); } else { + $new_user = q($_POST["user"]) . "@" . q($_POST["host"]); // if $_GET["host"] is not set then $new_user is always different + $pass = $_POST["pass"]; + if (!$_POST["hashed"]) { + // compute hash in a separate query so that plain text password is not saved to history + $pass = $connection->result("SELECT PASSWORD(" . q($pass) . ")"); + $error = !$pass; + } $created = false; - if ($old_user != $new_user) { - $created = queries(($connection->server_info < 5 ? "GRANT USAGE ON *.* TO" : "CREATE USER") . " $new_user IDENTIFIED BY" . ($_POST["hashed"] ? " PASSWORD" : "") . " $pass"); - $error = !$created; - } elseif ($_POST["pass"] != $old_pass || !$_POST["hashed"]) { - queries("SET PASSWORD FOR $new_user = " . ($_POST["hashed"] ? $pass : "PASSWORD($pass)")); + if (!$error) { + if ($old_user != $new_user) { + $created = queries(($connection->server_info < 5 ? "GRANT USAGE ON *.* TO" : "CREATE USER") . " $new_user IDENTIFIED BY PASSWORD " . q($pass)); + $error = !$created; + } elseif ($pass != $old_pass) { + queries("SET PASSWORD FOR $new_user = " . q($pass)); + } } if (!$error) { $revoke = array(); diff --git a/changes.txt b/changes.txt index f38cb2e1..4410a034 100644 --- a/changes.txt +++ b/changes.txt @@ -2,8 +2,9 @@ Adminer 3.6.4-dev: Display pagination on a fixed position Increase default select limit to 50 Display SQL edit form on Ctrl+click on the select query -Display SQL history from oldest +Display SQL history from newest Recover original view, trigger, routine if creating fails +Do not store plain text password to history in creating user Selectable ON UPDATE CURRENT_TIMESTAMP field in create table Open database to a new window after selecting it with Ctrl Clear column name after resetting search (bug #3601200)