Encrypt passwords stored in session by a key stored in cookie (thanks to Michal Spacek)
This commit is contained in:
Jakub Vrana
parent
1bdb65c4dc
commit
6160604023
|
|
@ -95,6 +95,8 @@ function auth_error($exception = null) {
|
|||
unset_permanent();
|
||||
}
|
||||
}
|
||||
$params = session_get_cookie_params();
|
||||
cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
|
||||
page_header(lang('Login'), $error, null);
|
||||
echo "<form action='' method='post'>\n";
|
||||
$adminer->loginForm();
|
||||
|
|
@ -106,11 +108,21 @@ function auth_error($exception = null) {
|
|||
}
|
||||
|
||||
function set_password($vendor, $server, $username, $password) {
|
||||
$_SESSION["pwds"][$vendor][$server][$username] = $password;
|
||||
$_SESSION["pwds"][$vendor][$server][$username] = ($_COOKIE["adminer_key"]
|
||||
? array(encrypt_string($password, $_COOKIE["adminer_key"]))
|
||||
: $password
|
||||
);
|
||||
}
|
||||
|
||||
function get_password() {
|
||||
return get_session("pwds");
|
||||
$return = get_session("pwds");
|
||||
if (is_array($return)) {
|
||||
if (!$_COOKIE["adminer_key"]) {
|
||||
return false;
|
||||
}
|
||||
$return = decrypt_string($return[0], $_COOKIE["adminer_key"]);
|
||||
}
|
||||
return $return;
|
||||
}
|
||||
|
||||
if (isset($_GET["username"])) {
|
||||
|
|
|
|||
|
|
@ -408,17 +408,18 @@ function convert_fields($columns, $fields, $select = array()) {
|
|||
return $return;
|
||||
}
|
||||
|
||||
/** Set cookie valid for 1 month
|
||||
/** Set cookie valid on current path
|
||||
* @param string
|
||||
* @param string
|
||||
* @param int number of seconds, 0 for session cookie
|
||||
* @return bool
|
||||
*/
|
||||
function cookie($name, $value) {
|
||||
function cookie($name, $value, $lifetime = 2592000) { // 2592000 - 30 days
|
||||
global $HTTPS;
|
||||
$params = array(
|
||||
$name,
|
||||
(preg_match("~\n~", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2
|
||||
time() + 2592000, // 2592000 - 30 days
|
||||
($lifetime ? time() + $lifetime : 0),
|
||||
preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]),
|
||||
"",
|
||||
$HTTPS
|
||||
|
|
@ -986,13 +987,20 @@ function password_file($create) {
|
|||
}
|
||||
$fp = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic
|
||||
if ($fp) {
|
||||
$return = md5(uniqid(mt_rand(), true));
|
||||
$return = rand_string();
|
||||
fwrite($fp, $return);
|
||||
fclose($fp);
|
||||
}
|
||||
return $return;
|
||||
}
|
||||
|
||||
/** Get a random string
|
||||
* @return string 32 hexadecimal characters
|
||||
*/
|
||||
function rand_string() {
|
||||
return md5(uniqid(mt_rand(), true));
|
||||
}
|
||||
|
||||
/** Format value to use in select
|
||||
* @param string
|
||||
* @param string
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ Add links to documentation
|
|||
Disable underlining links
|
||||
Improve speed of CSV import
|
||||
Keep form values after refresh in Firefox
|
||||
Encrypt passwords stored in session by a key stored in cookie
|
||||
Don't append newlines to uploaded files, bug since Adminer 3.7.0
|
||||
Don't display SQL edit form on Ctrl+click on the select query, introduced in Adminer 3.6.4
|
||||
Use MD5 for editing long keys only in supported drivers, bug since Adminer 3.6.4
|
||||
|
|
|
|||
Loading…
Reference in a new issue