Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
Fetching contributors…

Octocat-spinner-32-eaf2f5

Cannot retrieve contributors at this time

file 262 lines (242 sloc) 9.547 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* HTTP Authentication plugin for phpMyAdmin.
* NOTE: Requires PHP loaded as a Apache module.
*
* @package PhpMyAdmin-Authentication
* @subpackage HTTP
*/
if (! defined('PHPMYADMIN')) {
    exit;
}

/* Get the authentication interface */
require_once 'libraries/plugins/AuthenticationPlugin.class.php';

/**
* Handles the HTTP authentication methods
*
* @package PhpMyAdmin-Authentication
*/
class AuthenticationHttp extends AuthenticationPlugin
{
    /**
* Displays authentication form
*
* @global string the font face to use in case of failure
* @global string the default font size to use in case of failure
* @global string the big font size to use in case of failure
*
* @return boolean always true (no return indeed)
*/
    public function auth()
    {
        /* Perform logout to custom URL */
        if (! empty($_REQUEST['old_usr'])
            && ! empty($GLOBALS['cfg']['Server']['LogoutURL'])
        ) {
            PMA_sendHeaderLocation($GLOBALS['cfg']['Server']['LogoutURL']);
            if (! defined('TESTSUITE')) {
                exit;
            } else {
                return false;
            }
        }

        if (empty($GLOBALS['cfg']['Server']['auth_http_realm'])) {
            if (empty($GLOBALS['cfg']['Server']['verbose'])) {
                $server_message = $GLOBALS['cfg']['Server']['host'];
            } else {
                $server_message = $GLOBALS['cfg']['Server']['verbose'];
            }
            $realm_message = 'phpMyAdmin ' . $server_message;
        } else {
            $realm_message = $GLOBALS['cfg']['Server']['auth_http_realm'];
        }
        // remove non US-ASCII to respect RFC2616
        $realm_message = preg_replace('/[^\x20-\x7e]/i', '', $realm_message);
        header('WWW-Authenticate: Basic realm="' . $realm_message . '"');
        header('HTTP/1.0 401 Unauthorized');
        if (php_sapi_name() !== 'cgi-fcgi') {
            header('status: 401 Unauthorized');
        }

        /* HTML header */
        $response = PMA_Response::getInstance();
        $response->getFooter()->setMinimal();
        $header = $response->getHeader();
        $header->setTitle(__('Access denied!'));
        $header->disableMenu();
        $header->setBodyId('loginform');

        $response->addHTML('<h1>');
        $response->addHTML(sprintf(__('Welcome to %s'), ' phpMyAdmin'));
        $response->addHTML('</h1>');
        $response->addHTML('<h3>');
        $response->addHTML(
            PMA_Message::error(
                __('Wrong username/password. Access denied.')
            )
        );
        $response->addHTML('</h3>');

        if (file_exists(CUSTOM_FOOTER_FILE)) {
            include CUSTOM_FOOTER_FILE;
        }

        if (! defined('TESTSUITE')) {
            exit;
        } else {
            return false;
        }
    }

    /**
* Gets advanced authentication settings
*
* @global string $PHP_AUTH_USER the username if register_globals is on
* @global string $PHP_AUTH_PW the password if register_globals is on
* @global array the array of server variables if
* register_globals is off
* @global array the array of environment variables if
* register_globals is off
* @global string the username for the ? server
* @global string the password for the ? server
* @global string the username for the WebSite Professional
* server
* @global string the password for the WebSite Professional
* server
* @global string the username of the user who logs out
*
* @return boolean whether we get authentication settings or not
*/
    public function authCheck()
    {
        global $PHP_AUTH_USER, $PHP_AUTH_PW;

        // Grabs the $PHP_AUTH_USER variable whatever are the values of the
        // 'register_globals' and the 'variables_order' directives
        if (empty($PHP_AUTH_USER)) {
            if (PMA_getenv('PHP_AUTH_USER')) {
                $PHP_AUTH_USER = PMA_getenv('PHP_AUTH_USER');
            } elseif (PMA_getenv('REMOTE_USER')) {
                // CGI, might be encoded, see below
                $PHP_AUTH_USER = PMA_getenv('REMOTE_USER');
            } elseif (PMA_getenv('REDIRECT_REMOTE_USER')) {
                // CGI, might be encoded, see below
                $PHP_AUTH_USER = PMA_getenv('REDIRECT_REMOTE_USER');
            } elseif (PMA_getenv('AUTH_USER')) {
                // WebSite Professional
                $PHP_AUTH_USER = PMA_getenv('AUTH_USER');
            } elseif (PMA_getenv('HTTP_AUTHORIZATION')
                && false === strpos(PMA_getenv('HTTP_AUTHORIZATION'), '<')
            ) {
                // IIS, might be encoded, see below; also prevent XSS
                $PHP_AUTH_USER = PMA_getenv('HTTP_AUTHORIZATION');
            } elseif (PMA_getenv('Authorization')) {
                // FastCGI, might be encoded, see below
                $PHP_AUTH_USER = PMA_getenv('Authorization');
            }
        }
        // Grabs the $PHP_AUTH_PW variable whatever are the values of the
        // 'register_globals' and the 'variables_order' directives
        if (empty($PHP_AUTH_PW)) {
            if (PMA_getenv('PHP_AUTH_PW')) {
                $PHP_AUTH_PW = PMA_getenv('PHP_AUTH_PW');
            } elseif (PMA_getenv('REMOTE_PASSWORD')) {
                // Apache/CGI
                $PHP_AUTH_PW = PMA_getenv('REMOTE_PASSWORD');
            } elseif (PMA_getenv('AUTH_PASSWORD')) {
                // WebSite Professional
                $PHP_AUTH_PW = PMA_getenv('AUTH_PASSWORD');
            }
        }

        // Decode possibly encoded information (used by IIS/CGI/FastCGI)
        // (do not use explode() because a user might have a colon in his password
        if (strcmp(substr($PHP_AUTH_USER, 0, 6), 'Basic ') == 0) {
            $usr_pass = base64_decode(substr($PHP_AUTH_USER, 6));
            if (! empty($usr_pass)) {
                $colon = strpos($usr_pass, ':');
                if ($colon) {
                    $PHP_AUTH_USER = substr($usr_pass, 0, $colon);
                    $PHP_AUTH_PW = substr($usr_pass, $colon + 1);
                }
                unset($colon);
            }
            unset($usr_pass);
        }

        // User logged out -> ensure the new username is not the same
        $old_usr = isset($_REQUEST['old_usr']) ? $_REQUEST['old_usr'] : '';
        if (! empty($old_usr)
            && (isset($PHP_AUTH_USER) && $old_usr == $PHP_AUTH_USER)
        ) {
            $PHP_AUTH_USER = '';
            // -> delete user's choices that were stored in session
            if (! defined('TESTSUITE')) {
                session_destroy();
            }
        }

        // Returns whether we get authentication settings or not
        if (empty($PHP_AUTH_USER)) {
            return false;
        } else {
            return true;
        }
    }

    /**
* Set the user and password after last checkings if required
*
* @global array $cfg the valid servers settings
* @global integer $server the id of the current server
* @global array the current server settings
* @global string $PHP_AUTH_USER the current username
* @global string $PHP_AUTH_PW the current password
*
* @return boolean always true
*/
    public function authSetUser()
    {
        global $cfg, $server;
        global $PHP_AUTH_USER, $PHP_AUTH_PW;

        // Ensures valid authentication mode, 'only_db', bookmark database and
        // table names and relation table name are used
        if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
            $servers_cnt = count($cfg['Servers']);
            for ($i = 1; $i <= $servers_cnt; $i++) {
                if (isset($cfg['Servers'][$i])
                    && ($cfg['Servers'][$i]['host'] == $cfg['Server']['host']
                    && $cfg['Servers'][$i]['user'] == $PHP_AUTH_USER)
                ) {
                    $server = $i;
                    $cfg['Server'] = $cfg['Servers'][$i];
                    break;
                }
            } // end for
        } // end if

        $cfg['Server']['user'] = $PHP_AUTH_USER;
        $cfg['Server']['password'] = $PHP_AUTH_PW;

        // Avoid showing the password in phpinfo()'s output
        unset($GLOBALS['PHP_AUTH_PW']);
        unset($_SERVER['PHP_AUTH_PW']);

        return true;
    }

    /**
* User is not allowed to login to MySQL -> authentication failed
*
* @return boolean always true (no return indeed)
*/
    public function authFails()
    {
        $error = $GLOBALS['dbi']->getError();
        if ($error && $GLOBALS['errno'] != 1045) {
            PMA_fatalError($error);
        } else {
            $this->auth();
            return true;
        }
    }

    /**
* This method is called when any PluginManager to which the observer
* is attached calls PluginManager::notify()
*
* @param SplSubject $subject The PluginManager notifying the observer
* of an update.
*
* @return void
*/
    public function update (SplSubject $subject)
    {
    }
}
Something went wrong with that request. Please try again.