Use XXTEA for permanent login
git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1287 7c3ca157-0c34-0410-bff1-cbf682f78f5c
This commit is contained in:
parent
e2485744c6
commit
55ce473397
|
@ -7,7 +7,7 @@ if (isset($_POST["server"])) {
|
|||
cookie("adminer_permanent",
|
||||
base64_encode($_POST["server"])
|
||||
. ":" . base64_encode($_POST["username"])
|
||||
. ":" . base64_encode(cipher_password($_POST["password"], pack("H*", sha1(str_pad($_POST["username"], 1) . $adminer->permanentLogin())))) // str_pad - to hide original key
|
||||
. ":" . base64_encode(encrypt_string($_POST["password"], $adminer->permanentLogin()))
|
||||
);
|
||||
}
|
||||
if (count($_POST) == 3 + ($_POST["permanent"] ? 1 : 0)) { // 3 - server, username, password
|
||||
|
@ -40,36 +40,13 @@ if (isset($_POST["server"])) {
|
|||
if (!strlen($_GET["server"]) || $server == $_GET["server"]) {
|
||||
session_regenerate_id(); // defense against session fixation
|
||||
$_SESSION["usernames"][$server] = $username;
|
||||
$_SESSION["passwords"][$server] = decipher_password($cipher, pack("H*", sha1(str_pad($username, 1) . $adminer->permanentLogin())));
|
||||
$_SESSION["passwords"][$server] = decrypt_string($cipher, $adminer->permanentLogin());
|
||||
if (!$_POST && $server != $_GET["server"]) {
|
||||
redirect(preg_replace('~^([^?]*).*~', '\\1', ME) . '?server=' . urlencode($server));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/** Cipher password
|
||||
* @param string plain-text password
|
||||
* @param string binary key, should be longer than $password
|
||||
* @return string binary cipher
|
||||
*/
|
||||
function cipher_password($password, $key) {
|
||||
$password2 = strlen($password) . ":" . str_pad($password, 17);
|
||||
$repeat = ceil(strlen($password2) / strlen($key));
|
||||
return $password2 ^ str_repeat($key, $repeat);
|
||||
}
|
||||
|
||||
/** Decipher password
|
||||
* @param string binary cipher
|
||||
* @param string binary key
|
||||
* @return string plain-text password
|
||||
*/
|
||||
function decipher_password($cipher, $key) {
|
||||
$repeat = ceil(strlen($cipher) / strlen($key));
|
||||
$password2 = $cipher ^ str_repeat($key, $repeat);
|
||||
list($length, $password) = explode(":", $password2, 2);
|
||||
return substr($password, 0, $length);
|
||||
}
|
||||
|
||||
function auth_error($exception = null) {
|
||||
global $connection, $adminer;
|
||||
$session_name = session_name();
|
||||
|
|
|
@ -85,6 +85,7 @@ include "./include/adminer.inc.php";
|
|||
include "../adminer/include/design.inc.php";
|
||||
include "../adminer/include/pdo.inc.php";
|
||||
include "../adminer/include/mysql.inc.php";
|
||||
include "../adminer/include/xxtea.inc.php";
|
||||
include "../adminer/include/auth.inc.php";
|
||||
include "./include/connect.inc.php";
|
||||
include "./include/editing.inc.php";
|
||||
|
|
|
@ -201,7 +201,7 @@ function where_link($i, $column, $value) {
|
|||
* @return bool
|
||||
*/
|
||||
function cookie($name, $value) {
|
||||
$params = array($name, $value, time() + 2592000, preg_replace('~\\?.*~', '', ME), "", (bool) $_SERVER["HTTPS"]); // 2592000 = 30 * 24 * 60 * 60
|
||||
$params = array($name, $value, time() + 2592000, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), "", (bool) $_SERVER["HTTPS"]); // 2592000 = 30 * 24 * 60 * 60
|
||||
if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
|
||||
$params[] = true; // HttpOnly
|
||||
}
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
<?php
|
||||
$VERSION = "2.2.2-dev";
|
||||
$VERSION = "2.3.0-dev";
|
||||
|
|
96
adminer/include/xxtea.inc.php
Normal file
96
adminer/include/xxtea.inc.php
Normal file
|
@ -0,0 +1,96 @@
|
|||
<?php
|
||||
/** PHP implementation of XXTEA encryption algorithm.
|
||||
* @author Ma Bingyao <andot@ujn.edu.cn>
|
||||
* @link http://www.coolcode.cn/?action=show&id=128
|
||||
*/
|
||||
|
||||
function int32($n) {
|
||||
while ($n >= 2147483648) {
|
||||
$n -= 4294967296;
|
||||
}
|
||||
while ($n <= -2147483649) {
|
||||
$n += 4294967296;
|
||||
}
|
||||
return (int) $n;
|
||||
}
|
||||
|
||||
function long2str($v, $w) {
|
||||
$s = '';
|
||||
foreach ($v as $val) {
|
||||
$s .= pack('V', $val);
|
||||
}
|
||||
if ($w) {
|
||||
return substr($s, 0, end($v));
|
||||
}
|
||||
return $s;
|
||||
}
|
||||
|
||||
function str2long($s, $w) {
|
||||
$v = array_values(unpack('V*', str_pad($s, 4 * ceil(strlen($s) / 4), "\0")));
|
||||
if ($w) {
|
||||
$v[] = strlen($s);
|
||||
}
|
||||
return $v;
|
||||
}
|
||||
|
||||
function xxtea_mx($z, $y, $sum, $k) {
|
||||
return int32((($z >> 5 & 0x7FFFFFF) ^ $y << 2) + (($y >> 3 & 0x1FFFFFFF) ^ $z << 4)) ^ int32(($sum ^ $y) + ($k ^ $z));
|
||||
}
|
||||
|
||||
/** Cipher
|
||||
* @param string plain-text password
|
||||
* @param array 4 integers
|
||||
* @return string binary cipher
|
||||
*/
|
||||
function encrypt_string($str, $key) {
|
||||
$v = str2long($str, true);
|
||||
$n = count($v) - 1;
|
||||
$z = $v[$n];
|
||||
$y = $v[0];
|
||||
$q = floor(6 + 52 / ($n + 1));
|
||||
$sum = 0;
|
||||
while ($q-- > 0) {
|
||||
$sum = int32($sum + 0x9E3779B9);
|
||||
$e = $sum >> 2 & 3;
|
||||
for ($p=0; $p < $n; $p++) {
|
||||
$y = $v[$p + 1];
|
||||
$mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
|
||||
$z = int32($v[$p] + $mx);
|
||||
$v[$p] = $z;
|
||||
}
|
||||
$y = $v[0];
|
||||
$mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
|
||||
$z = int32($v[$n] + $mx);
|
||||
$v[$n] = $z;
|
||||
}
|
||||
return long2str($v, false);
|
||||
}
|
||||
|
||||
/** Decipher
|
||||
* @param string binary cipher
|
||||
* @param array 4 integers
|
||||
* @return string plain-text password
|
||||
*/
|
||||
function decrypt_string($str, $key) {
|
||||
$v = str2long($str, false);
|
||||
$n = count($v) - 1;
|
||||
$z = $v[$n];
|
||||
$y = $v[0];
|
||||
$q = floor(6 + 52 / ($n + 1));
|
||||
$sum = int32($q * 0x9E3779B9);
|
||||
while ($sum) {
|
||||
$e = $sum >> 2 & 3;
|
||||
for ($p=$n; $p > 0; $p--) {
|
||||
$z = $v[$p - 1];
|
||||
$mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
|
||||
$y = int32($v[$p] - $mx);
|
||||
$v[$p] = $y;
|
||||
}
|
||||
$z = $v[$n];
|
||||
$mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
|
||||
$y = int32($v[0] - $mx);
|
||||
$v[0] = $y;
|
||||
$sum = int32($sum - 0x9E3779B9);
|
||||
}
|
||||
return long2str($v, true);
|
||||
}
|
|
@ -1,9 +1,10 @@
|
|||
Adminer 2.2.2-dev:
|
||||
Adminer 2.3.0-dev:
|
||||
Support for permanent login (customization required)
|
||||
Show status variables
|
||||
Add Delete button to Edit page (regression from 2.0.0)
|
||||
Simplify SQL syntax error message
|
||||
Print SQL query info if available
|
||||
Delete length when changing type
|
||||
Show SQL query info if available
|
||||
Delete length when changing type in alter table
|
||||
|
||||
Adminer 2.2.1 (released 2009-11-26):
|
||||
Highlight current links
|
||||
|
|
Loading…
Reference in a new issue