From 6160604023209b22e82796da5025df230f23c957 Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Sun, 11 Aug 2013 09:26:18 -0700
Subject: [PATCH] Encrypt passwords stored in session by a key stored in cookie (thanks to Michal Spacek)

---
 adminer/include/auth.inc.php | 16 ++++++++++++++--
 adminer/include/functions.inc.php | 16 ++++++++++++----
 changes.txt | 1 +
 3 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index 7b1dad56..cae42afd 100644
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -95,6 +95,8 @@ function auth_error($exception = null) {
 			unset_permanent();
 		}
 	}
+	$params = session_get_cookie_params();
+	cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
 	page_header(lang('Login'), $error, null);
 	echo "
\n"; $adminer->loginForm(); @@ -106,11 +108,21 @@ function auth_error($exception = null) { } function set_password($vendor, $server, $username, $password) { - $_SESSION["pwds"][$vendor][$server][$username] = $password; + $_SESSION["pwds"][$vendor][$server][$username] = ($_COOKIE["adminer_key"] + ? array(encrypt_string($password, $_COOKIE["adminer_key"])) + : $password + ); } function get_password() { - return get_session("pwds"); + $return = get_session("pwds"); + if (is_array($return)) { + if (!$_COOKIE["adminer_key"]) { + return false; + } + $return = decrypt_string($return[0], $_COOKIE["adminer_key"]); + } + return $return; } if (isset($_GET["username"])) { diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php index 7ac377fe..08e42dae 100644 --- a/adminer/include/functions.inc.php +++ b/adminer/include/functions.inc.php @@ -408,17 +408,18 @@ function convert_fields($columns, $fields, $select = array()) { return $return; } -/** Set cookie valid for 1 month +/** Set cookie valid on current path * @param string * @param string +* @param int number of seconds, 0 for session cookie * @return bool */ -function cookie($name, $value) { +function cookie($name, $value, $lifetime = 2592000) { // 2592000 - 30 days global $HTTPS; $params = array( $name, (preg_match("~\n~", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2 - time() + 2592000, // 2592000 - 30 days + ($lifetime ? time() + $lifetime : 0), preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), "", $HTTPS 
@@ -986,13 +987,20 @@ function password_file($create) {
 	}
 	$fp = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic
 	if ($fp) {
-		$return = md5(uniqid(mt_rand(), true));
+		$return = rand_string();
 		fwrite($fp, $return);
 		fclose($fp);
 	}
 	return $return;
 }
 
+/** Get a random string
+* @return string 32 hexadecimal characters
+*/
+function rand_string() {
+	return md5(uniqid(mt_rand(), true));
+}
+
 /** Format value to use in select
 * @param string
 * @param string
diff --git a/changes.txt b/changes.txt
index f9f691b9..3e204cc0 100644
--- a/changes.txt
+++ b/changes.txt
@@ -11,6 +11,7 @@ Add links to documentation
 Disable underlining links
 Improve speed of CSV import
 Keep form values after refresh in Firefox
+Encrypt passwords stored in session by a key stored in cookie
 Don't append newlines to uploaded files, bug since Adminer 3.7.0
 Don't display SQL edit form on Ctrl+click on the select query, introduced in Adminer 3.6.4
 Use MD5 for editing long keys only in supported drivers, bug since Adminer 3.6.4
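Review bot: `rand_string()` now supplies the key that protects every password kept in the session, but `md5(uniqid(mt_rand(), true))` is not a cryptographic source: `uniqid()` is derived from the clock and `mt_rand()` is a seeded Mersenne Twister, so the effective entropy is well below the 128 bits that 32 hex characters suggest. Before this commit the same expression only produced the `password_file()` token, so the change in role rather than the function itself is the concern. Where the openssl extension is available (PHP 5.3+), `openssl_random_pseudo_bytes()` gives a proper source while keeping the documented 32-hex-character contract, and the existing expression can stay as the fallback for builds without it; I can't tell from the patch what minimum PHP version the project targets, hence the runtime check.
```php
function rand_string() {
	if (function_exists('openssl_random_pseudo_bytes')) {
		$bytes = openssl_random_pseudo_bytes(16, $strong);
		if ($bytes !== false && $strong) {
			return bin2hex($bytes);
		}
	}
	return md5(uniqid(mt_rand(), true));
}
```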