Encrypt passwords stored in session by a key stored in cookie (thanks to Michal Spacek)

This commit is contained in:
Jakub Vrana 2013-08-11 09:26:18 -07:00
parent 1bdb65c4dc
commit 6160604023
3 changed files with 27 additions and 6 deletions


@ -95,6 +95,8 @@ function auth_error($exception = null) {
unset_permanent(); unset_permanent();
} }
} }
$params = session_get_cookie_params();
cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
page_header(lang('Login'), $error, null); page_header(lang('Login'), $error, null);
echo "<form action='' method='post'>\n"; echo "<form action='' method='post'>\n";
$adminer->loginForm(); $adminer->loginForm();
@ -106,11 +108,21 @@ function auth_error($exception = null) {
} }
function set_password($vendor, $server, $username, $password) { function set_password($vendor, $server, $username, $password) {
$_SESSION["pwds"][$vendor][$server][$username] = $password; $_SESSION["pwds"][$vendor][$server][$username] = ($_COOKIE["adminer_key"]
? array(encrypt_string($password, $_COOKIE["adminer_key"]))
: $password
);
} }
function get_password() { function get_password() {
return get_session("pwds"); $return = get_session("pwds");
if (is_array($return)) {
if (!$_COOKIE["adminer_key"]) {
return false;
}
$return = decrypt_string($return[0], $_COOKIE["adminer_key"]);
}
return $return;
} }
if (isset($_GET["username"])) { if (isset($_GET["username"])) {
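Review bot: `$_COOKIE["adminer_key"]` is read without an `isset()` guard in all three new places (the `cookie()` call in `auth_error`, the ternary in `set_password`, and the check in `get_password`), so the first request before the cookie exists raises an undefined-index notice unless notices are suppressed elsewhere in the file. The first occurrence would read `cookie("adminer_key", (isset($_COOKIE["adminer_key"]) && $_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);`, and the other two can use the same `isset()` form. Separately, the `: $password` branch in `set_password` silently falls back to storing the plaintext password in the session when the cookie is absent; if that fallback is intentional it deserves a comment such as `// no key cookie (e.g. cookies disabled): password stays in session unencrypted`, and the `return false` in `get_password` means an encrypted entry without a cookie reads as "no password", which callers may not distinguish from "never set". The surrounding function `auth_error` starts before the first hunk.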


@ -408,17 +408,18 @@ function convert_fields($columns, $fields, $select = array()) {
return $return; return $return;
} }
/** Set cookie valid for 1 month /** Set cookie valid on current path
* @param string * @param string
* @param string * @param string
* @param int number of seconds, 0 for session cookie
* @return bool * @return bool
*/ */
function cookie($name, $value) { function cookie($name, $value, $lifetime = 2592000) { // 2592000 - 30 days
global $HTTPS; global $HTTPS;
$params = array( $params = array(
$name, $name,
(preg_match("~\n~", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2 (preg_match("~\n~", $value) ? "" : $value), // HTTP Response Splitting protection in PHP < 5.1.2
time() + 2592000, // 2592000 - 30 days ($lifetime ? time() + $lifetime : 0),
preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]),
"", "",
$HTTPS $HTTPS
@ -986,13 +987,20 @@ function password_file($create) {
} }
$fp = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic $fp = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic
if ($fp) { if ($fp) {
$return = md5(uniqid(mt_rand(), true)); $return = rand_string();
fwrite($fp, $return); fwrite($fp, $return);
fclose($fp); fclose($fp);
} }
return $return; return $return;
} }
/** Get a random string
* @return string 32 hexadecimal characters
*/
function rand_string() {
return md5(uniqid(mt_rand(), true));
}
/** Format value to use in select /** Format value to use in select
* @param string * @param string
* @param string * @param string
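Review bot: `rand_string()` derives its value from `md5(uniqid(mt_rand(), true))`, and the commit now uses that value as the key that protects passwords stored in the session (via the `adminer_key` cookie in auth.inc.php); `mt_rand()` and `uniqid()` are not cryptographically secure, so the key is more predictable than a 32-hex-character string suggests. Where the runtime allows, prefer a CSPRNG while keeping the documented 32-hex contract, e.g. `return (function_exists('openssl_random_pseudo_bytes') ? bin2hex(openssl_random_pseudo_bytes(16)) : md5(uniqid(mt_rand(), true)));`, or `bin2hex(random_bytes(16))` on PHP 7+. The docblock could then say `@return string 32 hexadecimal characters, cryptographically random when a CSPRNG is available`. In the `cookie()` hunk above, the `$params` array carries no HttpOnly element (setcookie's seventh argument), so the key cookie remains readable by script; the `setcookie` call itself appears to be below the hunk, so this is inferred from the array shape rather than visible lines.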


@ -11,6 +11,7 @@ Add links to documentation
Disable underlining links Disable underlining links
Improve speed of CSV import Improve speed of CSV import
Keep form values after refresh in Firefox Keep form values after refresh in Firefox
Encrypt passwords stored in session by a key stored in cookie
Don't append newlines to uploaded files, bug since Adminer 3.7.0 Don't append newlines to uploaded files, bug since Adminer 3.7.0
Don't display SQL edit form on Ctrl+click on the select query, introduced in Adminer 3.6.4 Don't display SQL edit form on Ctrl+click on the select query, introduced in Adminer 3.6.4
Use MD5 for editing long keys only in supported drivers, bug since Adminer 3.6.4 Use MD5 for editing long keys only in supported drivers, bug since Adminer 3.6.4