From c0fe3a6ff7f6347045d8b231831cc5ad0c8f6e62 Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Sat, 10 Aug 2013 19:06:21 -0700
Subject: [PATCH] Prepare for crypting passwords stored in session

---
 adminer/include/adminer.inc.php | 2 +-
 adminer/include/auth.inc.php | 18 +++++++++++++-----
 editor/include/adminer.inc.php | 2 +-
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index b6dcd325..25ef3196 100644
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -16,7 +16,7 @@ class Adminer {
 * @return array ($server, $username, $password)
 */
 function credentials() {
- return array(SERVER, $_GET["username"], get_session("pwds"));
+ return array(SERVER, $_GET["username"], get_password());
 }
 
 /** Get key used for permanent login
diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index 260b377c..0666644d 100644
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -17,7 +17,7 @@ if ($_COOKIE["adminer_permanent"]) {
 $auth = $_POST["auth"];
 if ($auth) {
 session_regenerate_id(); // defense against session fixation
- $_SESSION["pwds"][$auth["driver"]][$auth["server"]][$auth["username"]] = $auth["password"];
+ set_password($auth["driver"], $auth["server"], $auth["username"], $auth["password"]);
 $_SESSION["db"][$auth["driver"]][$auth["server"]][$auth["username"]][$auth["db"]] = true;
 if ($auth["permanent"]) {
 $key = base64_encode($auth["driver"]) . "-" . base64_encode($auth["server"]) . "-" . base64_encode($auth["username"]) . "-" . base64_encode($auth["db"]);
@@ -53,7 +53,7 @@ if ($auth) {
 foreach ($permanent as $key => $val) {
 list(, $cipher) = explode(":", $val);
 list($vendor, $server, $username, $db) = array_map('base64_decode', explode("-", $key));
- $_SESSION["pwds"][$vendor][$server][$username] = decrypt_string(base64_decode($cipher), $private);
+ set_password($vendor, $server, $username, decrypt_string(base64_decode($cipher), $private));
 $_SESSION["db"][$vendor][$server][$username][$db] = true;
 }
 }
@@ -79,13 +79,13 @@ function auth_error($exception = null) {
 if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$token) {
 $error = lang('Session expired, please login again.');
 } else {
- $password = &get_session("pwds");
+ $password = get_password();
 if ($password !== null) {
 $error = h($exception ? $exception->getMessage() : (is_string($connection) ? $connection : lang('Invalid credentials.')));
 if ($password === false) {
 $error .= '
' . lang('Master password expired. Implement %s method to make it permanent.', 'permanentLogin()');
 }
- $password = null;
+ set_password(DRIVER, SERVER, $_GET["username"], null);
 }
 unset_permanent();
 }
@@ -100,6 +100,14 @@ function auth_error($exception = null) {
 page_footer("auth");
 }
 
+function set_password($vendor, $server, $username, $password) {
+ $_SESSION["pwds"][$vendor][$server][$username] = $password;
+}
+
+function get_password() {
+ return get_session("pwds");
+}
+
 if (isset($_GET["username"])) {
 if (!class_exists("Min_DB")) {
 unset($_SESSION["pwds"][DRIVER]);
@@ -111,7 +119,7 @@ if (isset($_GET["username"])) {
 $connection = connect();
 }
 
-if (is_string($connection) || !$adminer->login($_GET["username"], get_session("pwds"))) {
+if (is_string($connection) || !$adminer->login($_GET["username"], get_password())) {
 auth_error();
 exit;
 }
diff --git a/editor/include/adminer.inc.php b/editor/include/adminer.inc.php
index 6f93a487..94c9b749 100644
--- a/editor/include/adminer.inc.php
+++ b/editor/include/adminer.inc.php
@@ -10,7 +10,7 @@ class Adminer {
 
 //! driver, ns
 function credentials() {
- return array(SERVER, $_GET["username"], get_session("pwds"));
+ return array(SERVER, $_GET["username"], get_password());
 }
 
 function permanentLogin($create = false) {
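Review bot: The last context line of the -100 hunk in auth.inc.php, `unset($_SESSION["pwds"][DRIVER]);`, still reaches into the session store directly, three lines below the new set_password()/get_password() helpers that the commit subject says are to become the seam where passwords get encrypted; once set_password() writes ciphertext, any remaining direct read or clear of `$_SESSION["pwds"]` bypasses that seam, so I would add an `unset_password($vendor)` helper next to the other two and route this line through it. Both helpers also lack a docblock; I would state on set_password() that it is the only sanctioned writer of the per-driver/server/username password store, and on get_password() that it must return `null` when no password is stored and `false` when the master password has expired, because auth_error() in the -79 hunk distinguishes exactly those two values and that contract has to survive encryption. get_password() takes no arguments and relies on get_session() — defined outside this patch — to key by driver, server and username, while the null-out in auth_error(), `set_password(DRIVER, SERVER, $_GET["username"], null);`, hard-codes that key shape; if get_session() derives its key any other way the clear silently misses, so a comment on get_password() naming the expected keying would make the pairing explicit.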