Rev Author Line No. Line
250 kaklik 1 <?php
2 /* $Id: cookie.auth.lib.php,v 2.55.2.1.4.1 2006/08/21 11:45:16 lem9 Exp $ */
3 // vim: expandtab sw=4 ts=4 sts=4:
4  
5 // +--------------------------------------------------------------------------+
6 // | Set of functions used to run cookie based authentication. |
7 // | Thanks to Piotr Roszatycki <d3xter at users.sourceforge.net> and |
8 // | Dan Wilson who built this patch for the Debian package. |
9 // +--------------------------------------------------------------------------+
10  
11  
12 if (!isset($coming_from_common)) {
13 exit;
14 }
15  
16 // timestamp for login timeout
17 $current_time = time();
18  
19 // Uses faster mcrypt library if available
20 // (Note: mcrypt.lib.php needs $cookie_path and $is_https)
21 if (function_exists('mcrypt_encrypt') || PMA_dl('mcrypt')) {
22 require_once('./libraries/mcrypt.lib.php');
23 } else {
24 require_once('./libraries/blowfish.php');
25 }
26  
27 /**
28 * Sorts available languages by their true names
29 *
30 * @param array the array to be sorted
31 * @param mixed a required parameter
32 *
33 * @return the sorted array
34 *
35 * @access private
36 */
37 function PMA_cookie_cmp(&$a, $b)
38 {
39 return (strcmp($a[1], $b[1]));
40 } // end of the 'PMA_cmp()' function
41  
42  
43 /**
44 * Displays authentication form
45 *
46 * @global string the font face to use
47 * @global string the default font size to use
48 * @global string the big font size to use
49 * @global array the list of servers settings
50 * @global array the list of available translations
51 * @global string the current language
52 * @global integer the current server id
53 * @global string the currect charset for MySQL
54 * @global array the array of cookie variables if register_globals is
55 * off
56 *
57 * @return boolean always true (no return indeed)
58 *
59 * @access public
60 */
61 function PMA_auth()
62 {
63 global $cfg, $lang, $server, $convcharset, $conn_error;
64  
65 // Tries to get the username from cookie whatever are the values of the
66 // 'register_globals' and the 'variables_order' directives if last login
67 // should be recalled, else skip the IE autocomplete feature.
68 if ($cfg['LoginCookieRecall'] && !empty($GLOBALS['cfg']['blowfish_secret'])) {
69 // username
70 // do not try to use pma_cookie_username as it was encoded differently
71 // in previous versions and would produce an undefined offset in blowfish
72 if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_username-' . $server])) {
73 $default_user = $_COOKIE['pma_cookie_username-' . $server];
74 }
75 $decrypted_user = isset($default_user) ? PMA_blowfish_decrypt($default_user, $GLOBALS['cfg']['blowfish_secret']) : '';
76 if (!empty($decrypted_user)) {
77 $pos = strrpos($decrypted_user, ':');
78 $default_user = substr($decrypted_user, 0, $pos);
79 } else {
80 $default_user = '';
81 }
82 // server name
83 if (!empty($GLOBALS['pma_cookie_servername'])) {
84 $default_server = $GLOBALS['pma_cookie_servername'];
85 } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_servername-' . $server])) {
86 $default_server = $_COOKIE['pma_cookie_servername-' . $server];
87 }
88  
89 $autocomplete = '';
90 } else {
91 $default_user = '';
92 $autocomplete = ' autocomplete="off"';
93 }
94  
95 $cell_align = ($GLOBALS['text_dir'] == 'ltr') ? 'left' : 'right';
96  
97 // Defines the charset to be used
98 header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
99 // Defines the "item" image depending on text direction
100 $item_img = $GLOBALS['pmaThemeImage'] . 'item_ltr.png';
101  
102 /* HTML header */
103 $page_title = 'phpMyAdmin ' . PMA_VERSION;
104 require('./libraries/header_meta_style.inc.php');
105 ?>
106 <script type="text/javascript" language="javascript">
107 //<![CDATA[
108 // show login form in top frame
109 if (top != self) {
110 window.top.location.href=location;
111 }
112 //]]>
113 </script>
114 </head>
115  
116 <body class="loginform">
117  
118 <?php require('./libraries/header_custom.inc.php'); ?>
119  
120 <a href="http://www.phpmyadmin.net" target="_blank" class="logo"><?php
121 $logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
122 if (@file_exists($logo_image)) {
123 echo '<img src="' . $logo_image . '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
124 } else {
125 echo '<img name="imLogo" id="imLogo" src="' . $GLOBALS['pmaThemeImage'] . 'pma_logo.png' . '" '
126 . 'border="0" width="88" height="31" alt="phpMyAdmin" />';
127 }
128 ?></a>
129 <h1>
130 <?php
131 echo sprintf( $GLOBALS['strWelcome'],
132 '<bdo dir="ltr" xml:lang="en">phpMyAdmin ' . PMA_VERSION . '</bdo>');
133 ?>
134 </h1>
135 <?php
136  
137 // Show error message
138 if ( !empty($conn_error)) {
139 echo '<div class="error"><h1>' . $GLOBALS['strError'] . '</h1>' . "\n";
140 echo $conn_error . '</div>' . "\n";
141 }
142  
143 // Displays the languages form
144 if (empty($cfg['Lang'])) {
145 echo "\n";
146 require_once('./libraries/display_select_lang.lib.php');
147 PMA_select_language(TRUE);
148 }
149 echo "\n\n";
150  
151 // Displays the warning message and the login form
152  
153 if (empty($GLOBALS['cfg']['blowfish_secret'])) {
154 ?>
155 <div class="error"><h1><?php echo $GLOBALS['strError']; ?></h1>
156 <?php echo $GLOBALS['strSecretRequired']; ?>
157 </div>
158 <?php
159 require('./libraries/footer_custom.inc.php');
160 echo ' </body>' . "\n"
161 . '</html>';
162 exit();
163 }
164 ?>
165 <br />
166 <!-- Login form -->
167 <form method="post" action="index.php" name="login_form"<?php echo $autocomplete; ?> target="_top" class="login">
168 <fieldset>
169 <legend><?php echo $GLOBALS['strLogin']; ?></legend>
170  
171 <?php if ($GLOBALS['cfg']['AllowArbitraryServer']) { ?>
172 <div class="item">
173 <label for="input_servername"><?php echo $GLOBALS['strLogServer']; ?></label>
174 <input type="text" name="pma_servername" id="input_servername" value="<?php echo (isset($default_server) ? htmlspecialchars($default_server) : ''); ?>" size="24" class="textfield" />
175 </div>
176 <?php } ?>
177 <div class="item">
178 <label for="input_username"><?php echo $GLOBALS['strLogUsername']; ?></label>
179 <input type="text" name="pma_username" id="input_username" value="<?php echo (isset($default_user) ? htmlspecialchars($default_user) : ''); ?>" size="24" class="textfield" />
180 </div>
181 <div class="item">
182 <label for="input_password"><?php echo $GLOBALS['strLogPassword']; ?></label>
183 <input type="password" name="pma_password" id="input_password" value="" size="24" class="textfield" />
184 </div>
185 <?php
186 if (count($cfg['Servers']) > 1) {
187 echo "\n";
188 ?>
189 <div class="item">
190 <label for="select_server"><?php echo $GLOBALS['strServerChoice']; ?>:</label>
191 <select name="server" id="select_server"
192 <?php
193 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
194 echo ' onchange="document.forms[\'login_form\'].elements[\'pma_servername\'].value = \'\'" ';
195 }
196 ?>
197 >
198 <?php
199 require_once('./libraries/select_server.lib.php');
200 PMA_select_server(FALSE, FALSE);
201 ?>
202 </select>
203 </div>
204 <?php
205 } else {
206 echo ' <input type="hidden" name="server" value="' . $server . '" />';
207 } // end if (server choice)
208 ?>
209 </fieldset>
210 <fieldset class="tblFooters">
211 <input value="<?php echo $GLOBALS['strGo']; ?>" type="submit" />
212 <input type="hidden" name="lang" value="<?php echo $lang; ?>" />
213 <input type="hidden" name="convcharset" value="<?php echo $convcharset; ?>" />
214 <?php
215 if (isset($GLOBALS['target'])) {
216 echo ' <input type="hidden" name="target" value="' . htmlspecialchars($GLOBALS['target']) . '" />' . "\n";
217 }
218 if (isset($GLOBALS['db'])) {
219 echo ' <input type="hidden" name="db" value="' . htmlspecialchars($GLOBALS['db']) . '" />' . "\n";
220 }
221 if (isset($GLOBALS['table'])) {
222 echo ' <input type="hidden" name="table" value="' . htmlspecialchars($GLOBALS['table']) . '" />' . "\n";
223 }
224 ?>
225 </fieldset>
226 </form>
227  
228 <div class="notice"><?php echo $GLOBALS['strCookiesRequired']; ?></div>
229  
230 <?php
231 if ( ! empty( $GLOBALS['PMA_errors'] ) && is_array( $GLOBALS['PMA_errors'] ) ) {
232 foreach ( $GLOBALS['PMA_errors'] as $error ) {
233 echo '<div class="error">' . $error . '</div>' . "\n";
234 }
235 }
236 ?>
237  
238 <script type="text/javascript" language="javascript">
239 <!--
240 var uname = document.forms['login_form'].elements['pma_username'];
241 var pword = document.forms['login_form'].elements['pma_password'];
242 if (uname.value == '') {
243 uname.focus();
244 } else {
245 pword.focus();
246 }
247 //-->
248 </script>
249  
250 <?php require('./libraries/footer_custom.inc.php'); ?>
251  
252 </body>
253  
254 </html>
255 <?php
256 exit();
257  
258 return TRUE;
259 } // end of the 'PMA_auth()' function
260  
261  
262 /**
263 * Gets advanced authentication settings
264 *
265 * @global string the username if register_globals is on
266 * @global string the password if register_globals is on
267 * @global array the array of cookie variables if register_globals is
268 * off
269 * @global string the servername sent by the login form
270 * @global string the username sent by the login form
271 * @global string the password sent by the login form
272 * @global string the username of the user who logs out
273 * @global boolean whether the login/password pair is grabbed from a
274 * cookie or not
275 *
276 * @return boolean whether we get authentication settings or not
277 *
278 * @access public
279 */
280 function PMA_auth_check()
281 {
282 global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
283 global $pma_servername, $pma_username, $pma_password, $old_usr, $server;
284 global $from_cookie;
285  
286 // avoid an error in mcrypt
287 if (empty($GLOBALS['cfg']['blowfish_secret'])) {
288 return FALSE;
289 }
290  
291 // Initialization
292 $PHP_AUTH_USER = $PHP_AUTH_PW = '';
293 $from_cookie = FALSE;
294 $from_form = FALSE;
295  
296 // The user wants to be logged out -> delete password cookie
297 if (!empty($old_usr)) {
298 setcookie('pma_cookie_password-' . $server, '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
299 }
300  
301 // The user just logged in
302 elseif (!empty($pma_username)) {
303 $PHP_AUTH_USER = $pma_username;
304 $PHP_AUTH_PW = (empty($pma_password)) ? '' : $pma_password;
305 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
306 $pma_auth_server = $pma_servername;
307 }
308 $from_form = TRUE;
309 }
310  
311 // At the end, try to set the $PHP_AUTH_USER & $PHP_AUTH_PW variables
312 // from cookies whatever are the values of the 'register_globals' and
313 // the 'variables_order' directives
314 else {
315 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
316 // servername
317 if (!empty($pma_cookie_servername)) {
318 $pma_auth_server = $pma_cookie_servername;
319 $from_cookie = TRUE;
320 } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_servername-' . $server])) {
321 $pma_auth_server = $_COOKIE['pma_cookie_servername-' . $server];
322 $from_cookie = TRUE;
323 }
324 }
325  
326 // username
327 if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_username-' . $server])) {
328 $PHP_AUTH_USER = $_COOKIE['pma_cookie_username-' . $server];
329 $from_cookie = TRUE;
330 }
331 $decrypted_user = PMA_blowfish_decrypt($PHP_AUTH_USER, $GLOBALS['cfg']['blowfish_secret']);
332 if (!empty($decrypted_user)) {
333 $pos = strrpos($decrypted_user, ':');
334 $PHP_AUTH_USER = substr($decrypted_user, 0, $pos);
335 $decrypted_time = (int)substr($decrypted_user, $pos + 1);
336 } else {
337 $decrypted_time = 0;
338 }
339  
340 // User inactive too long
341 if ($decrypted_time > 0 && $decrypted_time < $GLOBALS['current_time'] - $GLOBALS['cfg']['LoginCookieValidity']) {
342 // Display an error message only if the inactivity has lasted
343 // less than 4 times the timeout value. This is to avoid
344 // alerting users with a error after "much" time has passed,
345 // for example next morning.
346 if ($decrypted_time > $GLOBALS['current_time'] - ($GLOBALS['cfg']['LoginCookieValidity'] * 4)) {
347 $GLOBALS['no_activity'] = TRUE;
348 PMA_auth_fails();
349 }
350 return FALSE;
351 }
352  
353 // password
354 if (!empty($pma_cookie_password)) {
355 $PHP_AUTH_PW = $pma_cookie_password;
356 } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_password-' . $server])) {
357 $PHP_AUTH_PW = $_COOKIE['pma_cookie_password-' . $server];
358 } else {
359 $from_cookie = FALSE;
360 }
361 $PHP_AUTH_PW = PMA_blowfish_decrypt($PHP_AUTH_PW, $GLOBALS['cfg']['blowfish_secret'] . $decrypted_time);
362  
363 if ($PHP_AUTH_PW == "\xff(blank)") {
364 $PHP_AUTH_PW = '';
365 }
366 }
367  
368 // Returns whether we get authentication settings or not
369 if (!$from_cookie && !$from_form) {
370 return FALSE;
371 } elseif ($from_cookie) {
372 return TRUE;
373 } else {
374 // we don't need to strip here, it is done in grab_globals
375 return TRUE;
376 }
377 } // end of the 'PMA_auth_check()' function
378  
379  
380 /**
381 * Set the user and password after last checkings if required
382 *
383 * @global array the valid servers settings
384 * @global integer the id of the current server
385 * @global array the current server settings
386 * @global string the current username
387 * @global string the current password
388 * @global boolean whether the login/password pair has been grabbed from
389 * a cookie or not
390 *
391 * @return boolean always true
392 *
393 * @access public
394 */
395 function PMA_auth_set_user()
396 {
397 global $cfg, $server;
398 global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
399 global $from_cookie;
400  
401 // Ensures valid authentication mode, 'only_db', bookmark database and
402 // table names and relation table name are used
403 if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
404 $servers_cnt = count($cfg['Servers']);
405 for ($i = 1; $i <= $servers_cnt; $i++) {
406 if (isset($cfg['Servers'][$i])
407 && ($cfg['Servers'][$i]['host'] == $cfg['Server']['host'] && $cfg['Servers'][$i]['user'] == $PHP_AUTH_USER)) {
408 $server = $i;
409 $cfg['Server'] = $cfg['Servers'][$i];
410 break;
411 }
412 } // end for
413 } // end if
414  
415 $pma_server_changed = FALSE;
416 if ($GLOBALS['cfg']['AllowArbitraryServer']
417 && isset($pma_auth_server) && !empty($pma_auth_server)
418 && ($cfg['Server']['host'] != $pma_auth_server)
419 ) {
420 $cfg['Server']['host'] = $pma_auth_server;
421 $pma_server_changed = TRUE;
422 }
423 $cfg['Server']['user'] = $PHP_AUTH_USER;
424 $cfg['Server']['password'] = $PHP_AUTH_PW;
425  
426 // Name and password cookies needs to be refreshed each time
427 // Duration = one month for username
428 setcookie('pma_cookie_username-' . $server,
429 PMA_blowfish_encrypt($cfg['Server']['user'] . ':' . $GLOBALS['current_time'],
430 $GLOBALS['cfg']['blowfish_secret']),
431 time() + (60 * 60 * 24 * 30),
432 $GLOBALS['cookie_path'], '',
433 $GLOBALS['is_https']);
434  
435 // Duration = till the browser is closed for password (we don't want this to be saved)
436 setcookie('pma_cookie_password-' . $server,
437 PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "\xff(blank)",
438 $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']),
439 0,
440 $GLOBALS['cookie_path'], '',
441 $GLOBALS['is_https']);
442  
443 // Set server cookies if required (once per session) and, in this case, force
444 // reload to ensure the client accepts cookies
445 if (!$from_cookie) {
446 if ($GLOBALS['cfg']['AllowArbitraryServer']) {
447 if (isset($pma_auth_server) && !empty($pma_auth_server) && $pma_server_changed) {
448 // Duration = one month for serverrname
449 setcookie('pma_cookie_servername-' . $server,
450 $cfg['Server']['host'],
451 time() + (60 * 60 * 24 * 30),
452 $GLOBALS['cookie_path'], '',
453 $GLOBALS['is_https']);
454 } else {
455 // Delete servername cookie
456 setcookie('pma_cookie_servername-' . $server, '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
457 }
458 }
459  
460 // URL where to go:
461 $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
462  
463 // any parameters to pass?
464 $url_params = array();
465 if ( isset($GLOBALS['db']) && strlen($GLOBALS['db']) ) {
466 $url_params['db'] = $GLOBALS['db'];
467 }
468 if ( isset($GLOBALS['table']) && strlen($GLOBALS['table']) ) {
469 $url_params['table'] = $GLOBALS['table'];
470 }
471 // Language change from the login panel needs to be remembered
472 if ( ! empty($GLOBALS['lang']) ) {
473 $url_params['lang'] = $GLOBALS['lang'];
474 }
475 // any target to pass?
476 if ( ! empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php' ) {
477 $url_params['target'] = $GLOBALS['target'];
478 }
479  
480 define('PMA_COMING_FROM_COOKIE_LOGIN',1);
481 PMA_sendHeaderLocation( $redirect_url . PMA_generate_common_url( $url_params, '&' ) );
482 exit();
483 } // end if
484  
485 return TRUE;
486 } // end of the 'PMA_auth_set_user()' function
487  
488  
489 /**
490 * User is not allowed to login to MySQL -> authentication failed
491 *
492 * @return boolean always true (no return indeed)
493 *
494 * @access public
495 */
496 function PMA_auth_fails()
497 {
498 global $conn_error, $server;
499  
500 // Deletes password cookie and displays the login form
501 setcookie('pma_cookie_password-' . $server, '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
502  
503 if (isset($GLOBALS['allowDeny_forbidden']) && $GLOBALS['allowDeny_forbidden']) {
504 $conn_error = $GLOBALS['strAccessDenied'];
505 } elseif (isset($GLOBALS['no_activity']) && $GLOBALS['no_activity']) {
506 $conn_error = sprintf($GLOBALS['strNoActivity'], $GLOBALS['cfg']['LoginCookieValidity']);
507 // Remember where we got timeout to return on same place
508 if (PMA_getenv('SCRIPT_NAME')) {
509 $GLOBALS['target'] = basename(PMA_getenv('SCRIPT_NAME'));
510 }
511 } elseif (PMA_DBI_getError()) {
512 $conn_error = PMA_sanitize(PMA_DBI_getError());
513 } elseif (isset($php_errormsg)) {
514 $conn_error = $php_errormsg;
515 } else {
516 $conn_error = $GLOBALS['strCannotLogin'];
517 }
518  
519 PMA_auth();
520  
521 return TRUE;
522 } // end of the 'PMA_auth_fails()' function
523  
524 ?>