Encrypt passwords stored in session by a key stored in cookie (thanks to Michal Spacek)
parent
1bdb65c4dc
commit
6160604023
|
@ -95,6 +95,8 @@ function auth_error($exception = null) {
|
||||||
unset_permanent();
|
unset_permanent();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
$params = session_get_cookie_params();
|
||||||
|
cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
|
||||||
page_header(lang('Login'), $error, null);
|
page_header(lang('Login'), $error, null);
|
||||||
echo "<form action='' method='post'>\n";
|
echo "<form action='' method='post'>\n";
|
||||||
$adminer->loginForm();
|
$adminer->loginForm();
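Review bot: The new cookie() call reads `$_COOKIE["adminer_key"]` without an existence check, so the first visit with no cookie hits an undefined-index notice before falling back to rand_string() (unless notices are suppressed elsewhere, which is not visible here); the same unguarded read appears in set_password() and get_password() in the next hunk. The client-supplied value is also re-issued as the encryption key unchanged, whatever its length or content; since rand_string() always yields 32 hex characters, anything else can be rejected and regenerated. Suggested lines: `$key = (isset($_COOKIE["adminer_key"]) && preg_match('~^[0-9a-f]{32}$~', $_COOKIE["adminer_key"]) ? $_COOKIE["adminer_key"] : rand_string());` followed by `cookie("adminer_key", $key, $params["lifetime"]);`. The body of auth_error() continues outside this hunk.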
|
||||||
|
@ -106,11 +108,21 @@ function auth_error($exception = null) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function set_password($vendor, $server, $username, $password) {
|
function set_password($vendor, $server, $username, $password) {
|
||||||
$_SESSION["pwds"][$vendor][$server][$username] = $password;
|
$_SESSION["pwds"][$vendor][$server][$username] = ($_COOKIE["adminer_key"]
|
||||||
|
? array(encrypt_string($password, $_COOKIE["adminer_key"]))
|
||||||
|
: $password
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
function get_password() {
|
function get_password() {
|
||||||
return get_session("pwds");
|
$return = get_session("pwds");
|
||||||
|
if (is_array($return)) {
|
||||||
|
if (!$_COOKIE["adminer_key"]) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
$return = decrypt_string($return[0], $_COOKIE["adminer_key"]);
|
||||||
|
}
|
||||||
|
return $return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_GET["username"])) {
|
if (isset($_GET["username"])) {
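Review bot: set_password() and get_password() now have two storage shapes (a one-element array holding the encrypted string when the key cookie is present, a plain string otherwise) and a new false return, but neither function documents this. A docblock on set_password() such as `/** Store password in session, encrypted with the adminer_key cookie value when the cookie is present, otherwise as plain text */` and on get_password() `/** @return string|false false if the stored password is encrypted but the key cookie is missing */` would make the contract visible to callers. Note also that when the cookie exists but no longer matches the key used at login (e.g. regenerated by auth_error()), the decrypted value is returned as-is rather than false; whether decrypt_string() signals a wrong key cannot be seen from this hunk, so a short comment stating the expected behaviour there would help.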
|
||||||
|
|
|
@ -408,17 +408,18 @@ function convert_fields($columns, $fields, $select = array()) {
|
||||||
return $return;
|
return $return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Set cookie valid for 1 month
|
/** Set cookie valid on current path
|
||||||
* @param string
|
* @param string
|
||||||
* @param string
|
* @param string
|
||||||
|
* @param int number of seconds, 0 for session cookie
|
||||||
* @return bool
|
* @return bool
|
||||||
*/
|
*/
|
||||||
function cookie($name, $value) {
|
function cookie($name, $value, $lifetime = 2592000) { // 2592000 - 30 days
|
||||||
global $HTTPS;
|
global $HTTPS;
|
||||||
$params = array(
|
$params = array(
|
||||||
$name,
|
$name,
|
||||||
(preg_match("~\n~", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2
|
(preg_match("~\n~", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2
|
||||||
time() + 2592000, // 2592000 - 30 days
|
($lifetime ? time() + $lifetime : 0),
|
||||||
preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]),
|
preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]),
|
||||||
"",
|
"",
|
||||||
$HTTPS
|
$HTTPS
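Review bot: The cookie parameter list ends at the secure flag (`$HTTPS`), so the adminer_key cookie that now carries the key for session-stored passwords is readable by script; if this array is passed on to setcookie() (the call is outside the hunk), appending the httponly flag as a seventh element, `$HTTPS, true`, would keep the key out of reach of injected JavaScript for every cookie this function sets. The new `$lifetime` parameter and its "0 for session cookie" documentation are consistent with the `($lifetime ? time() + $lifetime : 0)` expression. The body of cookie() continues outside this hunk.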
|
||||||
|
@ -986,13 +987,20 @@ function password_file($create) {
|
||||||
}
|
}
|
||||||
$fp = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic
|
$fp = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic
|
||||||
if ($fp) {
|
if ($fp) {
|
||||||
$return = md5(uniqid(mt_rand(), true));
|
$return = rand_string();
|
||||||
fwrite($fp, $return);
|
fwrite($fp, $return);
|
||||||
fclose($fp);
|
fclose($fp);
|
||||||
}
|
}
|
||||||
return $return;
|
return $return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Get a random string
|
||||||
|
* @return string 32 hexadecimal characters
|
||||||
|
*/
|
||||||
|
function rand_string() {
|
||||||
|
return md5(uniqid(mt_rand(), true));
|
||||||
|
}
|
||||||
|
|
||||||
/** Format value to use in select
|
/** Format value to use in select
|
||||||
* @param string
|
* @param string
|
||||||
* @param string
|
* @param string
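Review bot: rand_string() builds the value from `md5(uniqid(mt_rand(), true))`, which is time-based plus a Mersenne Twister output and not a cryptographically secure source; it was acceptable for the password_file() token but this commit also uses it as the key that encrypts passwords in the session (first hunk). Where the extension is available, a CSPRNG should be preferred while keeping the existing fallback, e.g. `if (function_exists('openssl_random_pseudo_bytes')) { return bin2hex(openssl_random_pseudo_bytes(16)); }` placed before the current return, which preserves the documented 32-hexadecimal-character shape. The docblock could state that the string is intended to be unpredictable so future callers do not treat it as a mere unique id.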
|
||||||
|
|
|
@ -11,6 +11,7 @@ Add links to documentation
|
||||||
Disable underlining links
|
Disable underlining links
|
||||||
Improve speed of CSV import
|
Improve speed of CSV import
|
||||||
Keep form values after refresh in Firefox
|
Keep form values after refresh in Firefox
|
||||||
|
Encrypt passwords stored in session by a key stored in cookie
|
||||||
Don't append newlines to uploaded files, bug since Adminer 3.7.0
|
Don't append newlines to uploaded files, bug since Adminer 3.7.0
|
||||||
Don't display SQL edit form on Ctrl+click on the select query, introduced in Adminer 3.6.4
|
Don't display SQL edit form on Ctrl+click on the select query, introduced in Adminer 3.6.4
|
||||||
Use MD5 for editing long keys only in supported drivers, bug since Adminer 3.6.4
|
Use MD5 for editing long keys only in supported drivers, bug since Adminer 3.6.4
|
||||||
|
|