From f29a7cb140987e32dfb24fa58daa68f7dcac2fb0 Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Tue, 11 Jun 2013 11:02:17 +0200
Subject: [PATCH] Notify user about expired master password for permanent login
---
 adminer/include/adminer.inc.php | 7 ++++---
 adminer/include/auth.inc.php | 7 +++++--
 adminer/include/functions.inc.php | 5 +++--
 adminer/include/xxtea.inc.php | 3 +++
 adminer/lang/cs.inc.php | 1 +
 adminer/lang/xx.inc.php | 1 +
 changes.txt | 1 +
 editor/include/adminer.inc.php | 4 ++--
 8 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index 4d665871..f170abac 100644
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -20,10 +20,11 @@ class Adminer {
 }
 /** Get key used for permanent login
- * @return string cryptic string which gets combined with password
+ * @param bool
+ * @return string cryptic string which gets combined with password or false in case of an error
 */
- function permanentLogin() {
- return password_file();
+ function permanentLogin($create = false) {
+ return password_file($create);
 }
 /** Identifier of selected database
diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index c289b906..e8d6c828 100644
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -21,7 +21,7 @@ if ($auth) {
 $_SESSION["db"][$auth["driver"]][$auth["server"]][$auth["username"]][$auth["db"]] = true;
 if ($auth["permanent"]) {
 $key = base64_encode($auth["driver"]) . "-" . base64_encode($auth["server"]) . "-" . base64_encode($auth["username"]) . "-" . base64_encode($auth["db"]);
- $private = $adminer->permanentLogin();
+ $private = $adminer->permanentLogin(true);
 $permanent[$key] = "$key:" . base64_encode($private ? encrypt_string($auth["password"], $private) : "");
 cookie("adminer_permanent", implode(" ", $permanent));
 }
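Review bot: The new `@param bool` line in the permanentLogin() docblock of adminer/include/adminer.inc.php names no parameter and says nothing about what the flag controls, so someone overriding the method cannot tell that it decides whether a missing key is created. I would write `* @param bool $create whether to create the key when it does not exist yet` and state in `@return` that false also comes back when `$create` is false and no key exists. The same bare `@param bool` is added above password_file() in functions.inc.php, and the copy of the method in editor/include/adminer.inc.php has no docblock at all.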
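Review bot: When `permanentLogin(true)` still returns a falsy value, the unchanged lines after it in the `@@ -21,7 +21,7 @@` hunk of auth.inc.php store `base64_encode("")` and send the `adminer_permanent` cookie anyway, so a user who asked for a permanent login receives a cookie that holds no password. Because decrypt_string() in xxtea.inc.php returns `""` for an empty string before it looks at the key, such a cookie would presumably lead to a later login attempt with an empty password rather than to the new expiry notice. Consider assigning `$permanent[$key]` and calling `cookie()` only inside `if ($private) { ... }`. The enclosing `if ($auth)` block starts and ends outside the hunk.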
@@ -49,7 +49,7 @@ if ($auth) {
 } elseif ($permanent && !$_SESSION["pwds"]) {
 session_regenerate_id();
- $private = $adminer->permanentLogin(); // try to decode even if not set
+ $private = $adminer->permanentLogin();
 foreach ($permanent as $key => $val) {
 list(, $cipher) = explode(":", $val);
 list($driver, $server, $username, $db) = array_map('base64_decode', explode("-", $key));
@@ -82,6 +82,9 @@ function auth_error($exception = null) {
 $password = &get_session("pwds");
 if ($password !== null) {
 $error = h($exception ? $exception->getMessage() : (is_string($connection) ? $connection : lang('Invalid credentials.')));
+ if ($password === false) {
+ $error .= '
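Review bot: The call in the `elseif ($permanent && ...)` branch now depends on the default `$create = false` to avoid writing a key file while only reading the cookie, yet the commit removes the line's comment without replacing it. A comment such as `// no argument: never create the key while reading the cookie` would keep that intent visible to anyone overriding permanentLogin(). The branch continues past the end of the hunk, so the use of `$private` inside the loop is not visible here.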
' . lang('Master password expired. Implement permanentLogin() method to make it permanent.');
+ }
 $password = null;
 }
 unset_permanent();
diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index c27ac330..f9918a6d 100644
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -912,9 +912,10 @@ function apply_sql_function($function, $column) {
 }
 /** Read password from file adminer.key in temporary directory or create one
+* @param bool
 * @return string or false if the file can not be created
 */
-function password_file() {
+function password_file($create) {
 $dir = ini_get("upload_tmp_dir"); // session_save_path() may contain other storage path
 if (!$dir) {
 if (function_exists('sys_get_temp_dir')) {
@@ -930,7 +931,7 @@ function password_file() {
 }
 $filename = "$dir/adminer.key";
 $return = @file_get_contents($filename); // @ - can not exist
- if ($return || !$create) {
+ if ($return || !$create) {
 return $return;
 }
 $fp = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic
diff --git a/adminer/include/xxtea.inc.php b/adminer/include/xxtea.inc.php
index 7467a0da..bc835803 100644
--- a/adminer/include/xxtea.inc.php
+++ b/adminer/include/xxtea.inc.php
@@ -79,6 +79,9 @@ function decrypt_string($str, $key) {
 if ($str == "") {
 return "";
 }
+ if (!$key) {
+ return false;
+ }
 $key = array_values(unpack("V*", pack("H*", md5($key))));
 $v = str2long($str, false);
 $n = count($v) - 1;
diff --git a/adminer/lang/cs.inc.php b/adminer/lang/cs.inc.php
index cb40f20e..eb09ca64 100644
--- a/adminer/lang/cs.inc.php
+++ b/adminer/lang/cs.inc.php
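Review bot: The `$password === false` test in auth_error() only recognises the case where no key was available at all. A key that exists but is not the one the cookie was encrypted with (for example after the key file was recreated by another login) is not caught by the guard added in xxtea.inc.php, so that user presumably still sees only 'Invalid credentials.'. A comment on the branch such as `// false: permanent login had no key to decrypt the stored password` would document the sentinel; telling a replaced key from a wrong password would need an integrity check on the cookie value, which this commit does not add. auth_error() continues outside the hunk.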
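Review bot: `password_file($create)` gains a required parameter, so any caller not updated by this commit (a customization that calls `password_file()` directly, for instance) would now warn or fail on the missing argument. Giving it the same default as the method, `function password_file($create = false) {`, keeps such call sites running, with the caveat that they would then stop creating the file. The body of the function extends beyond this hunk.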
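Review bot: With `!$create` in the `@@ -930,7 +931,7 @@` hunk the function returns the raw result of `@file_get_contents()`, so a key file that exists but cannot be read (wrong owner or mode in the temporary directory) is indistinguishable from a missing one and ends up reported as an expired master password. Since this file is the secret protecting the passwords kept in the `adminer_permanent` cookie, a failed read of an existing file deserves its own signal, for example by checking `file_exists($filename)` when `$return === false`. The hunk stops at the `fopen()` line, so how the file is written and with which permissions is not visible here.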
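Review bot: decrypt_string() now has a third outcome, `false` for a missing key, and the empty-string check above the new guard still wins, so an empty `$str` returns `""` even when there is no key; callers have to compare with `=== false` to tell the cases apart. The function's docblock lies outside the hunk and should record this, e.g. `* @return string plain-text password or false if there is no key`. `!$key` also treats the string `"0"` as no key, which is harmless for generated keys but worth knowing for a custom permanentLogin().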
@@ -11,6 +11,7 @@ $translations = array(
 'Logged as: %s' => 'Přihlášen jako: %s',
 'Logout successful.' => 'Odhlášení proběhlo v pořádku.',
 'Invalid credentials.' => 'Neplatné přihlašovací údaje.',
+ 'Master password expired. Implement permanentLogin() method to make it permanent.' => 'Platnost hlavního hesla vypršela. Implementujte metodu permanentLogin(), aby platilo stále.',
 'Language' => 'Jazyk',
 'Invalid CSRF token. Send the form again.' => 'Neplatný token CSRF. Odešlete formulář znovu.',
 'No extension' => 'Žádné rozšíření',
diff --git a/adminer/lang/xx.inc.php b/adminer/lang/xx.inc.php
index a100759b..db2089df 100644
--- a/adminer/lang/xx.inc.php
+++ b/adminer/lang/xx.inc.php
@@ -11,6 +11,7 @@ $translations = array(
 'Logged as: %s' => 'xx',
 'Logout successful.' => 'xx',
 'Invalid credentials.' => 'xx',
+ 'Master password expired. Implement permanentLogin() method to make it permanent.' => 'xx',
 'Language' => 'xx',
 'Invalid CSRF token. Send the form again.' => 'xx',
 'No extension' => 'xx',
diff --git a/changes.txt b/changes.txt
index 9db1bb72..dff04124 100644
--- a/changes.txt
+++ b/changes.txt
@@ -5,6 +5,7 @@ Don't use LIMIT 1 if inline updating unique row
 Don't check previous checkbox on added column in create table (bug #3614245)
 Order table list by name
 Verify UTF-8 encoding of CSV import
+Notify user about expired master password for permanent login
 MySQL: Speed up updating rows without numeric or UTF-8 primary key
 PostgreSQL: Fix detecting oid column in PDO
 PostgreSQL: Handle timestamp types (bug #3614086)
diff --git a/editor/include/adminer.inc.php b/editor/include/adminer.inc.php
index 81c92c1b..2e1acad6 100644
--- a/editor/include/adminer.inc.php
+++ b/editor/include/adminer.inc.php
@@ -13,8 +13,8 @@ class Adminer {
 return array(SERVER, $_GET["username"], get_session("pwds"));
 }
- function permanentLogin() {
- return password_file();
+ function permanentLogin($create = false) {
+ return password_file($create);
 }
 function database() {