From 594085c6f534711beeca6575449d24eacec39884 Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Sat, 13 Sep 2014 12:03:13 -0700
Subject: [PATCH] Send 403 for auth error

---
 adminer/include/auth.inc.php | 8 +++++---
 changes.txt | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index c4136fb2..138bdf17 100644
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -117,9 +117,8 @@ function unset_permanent() {
 function auth_error($error) {
 global $adminer, $has_token;
 $session_name = session_name();
- if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {
- $error = lang('Session support must be enabled.');
- } elseif (isset($_GET["username"])) {
+ if (isset($_GET["username"])) {
+ header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header
 if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$has_token) {
 $error = lang('Session expired, please login again.');
 } else {
@@ -134,6 +133,9 @@ function auth_error($error) {
 unset_permanent();
 }
 }
+ if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_bool("session.use_only_cookies")) {
+ $error = lang('Session support must be enabled.');
+ }
 $params = session_get_cookie_params();
 cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
 page_header(lang('Login'), $error, null);
diff --git a/changes.txt b/changes.txt
index b60b67ca..2dda7f40 100644
--- a/changes.txt
+++ b/changes.txt
@@ -5,6 +5,7 @@ Make master key unreadable to others (bug #410)
 Fix edit by long non-utf8 string
 Specify encoding for PHP 5.6 with invalid default_charset
 Fix saving NULL value, bug since Adminer 4.0.3
+Send 403 for auth error
 MySQL: Use utf8mb4 if available
 PostgreSQL: Materialized views
 Elasticsearch: Use where in select
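Review bot: The added `header("HTTP/1.1 403 Forbidden");` hard-codes the protocol version in the status line, so a request made over HTTP/1.0 receives a response line that claims HTTP/1.1. `http_response_code(403);` lets PHP emit the status with the request's own protocol; it exists from PHP 5.4, and if this codebase still has to run on older PHP (not visible from the hunk) `header($_SERVER["SERVER_PROTOCOL"] . " 403 Forbidden");` achieves the same. The status is only set inside the `isset($_GET["username"])` branch, so a plain visit to the login form without a login attempt still answers 200, which looks intended but is worth stating in the comment: `// 403 only for a failed login attempt; 401 would require a WWW-Authenticate header`. The body of auth_error continues past the end of the hunk.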
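Review bot: The relocated `session.use_only_cookies` check now runs after the `username` branch and unconditionally overwrites whatever `$error` that branch assigned, so a failed login on a browser that is not sending the session cookie reports the session problem instead of the credential problem (with the 403 already sent by the earlier branch). If that precedence is intentional it deserves a comment on the moved `if`, e.g. `// Takes precedence over the login error: without session support a retry cannot succeed`; if not, the check should only assign when `$error` is still empty. `$_COOKIE[$session_name]` and `$_GET[$session_name]` are read without `isset`, which emits a notice when the key is absent unless the surrounding code lowers error_reporting, which I cannot see from here. This hunk begins mid-way through auth_error; its opening lines are outside the hunk.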