Retrieve parameters from $_POST in AuthenticationCookie plugin

Retrieves pma_username and pma_password parameters from $_POST instead of $_REQUEST Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
phpmyadmin · Jun 1, 2019 · 015c404 · 015c404
1 parent 7923567
commit 015c404
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 16 deletions.
diff --git a/libraries/classes/Plugins/Auth/AuthenticationCookie.php b/libraries/classes/Plugins/Auth/AuthenticationCookie.php
@@ -275,7 +275,7 @@ public function readCredentials()
         $this->user = $this->password = '';
         $GLOBALS['from_cookie'] = false;
 
-        if (isset($_REQUEST['pma_username']) && strlen($_REQUEST['pma_username']) > 0) {
+        if (isset($_POST['pma_username']) && strlen($_POST['pma_username']) > 0) {
 
             // Verify Captcha if it is required.
             if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
@@ -323,8 +323,8 @@ public function readCredentials()
             }
 
             // The user just logged in
-            $this->user = Core::sanitizeMySQLUser($_REQUEST['pma_username']);
-            $this->password = isset($_REQUEST['pma_password']) ? $_REQUEST['pma_password'] : '';
+            $this->user = Core::sanitizeMySQLUser($_POST['pma_username']);
+            $this->password = isset($_POST['pma_password']) ? $_POST['pma_password'] : '';
             if ($GLOBALS['cfg']['AllowArbitraryServer']
                 && isset($_REQUEST['pma_servername'])
             ) {

diff --git a/libraries/common.inc.php b/libraries/common.inc.php
@@ -343,8 +343,8 @@
                 . ' ' . $cfg['Server']['auth_type']
             );
         }
-        if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) {
-            $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
+        if (isset($_POST['pma_password']) && strlen($_POST['pma_password']) > 256) {
+            $_POST['pma_password'] = substr($_POST['pma_password'], 0, 256);
         }
         $auth_plugin = new $auth_class();
 

diff --git a/test/classes/Plugins/Auth/AuthenticationCookieTest.php b/test/classes/Plugins/Auth/AuthenticationCookieTest.php
@@ -42,7 +42,7 @@ function setup()
         $GLOBALS['text_dir'] = 'ltr';
         $GLOBALS['db'] = 'db';
         $GLOBALS['table'] = 'table';
-        $_REQUEST['pma_password'] = '';
+        $_POST['pma_password'] = '';
         $this->object = new AuthenticationCookie();
         $GLOBALS['PMA_PHP_SELF'] = '/phpmyadmin/';
     }
@@ -388,7 +388,7 @@ public function testAuthCheckCaptcha()
         $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
         $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
         $_POST["g-recaptcha-response"] = '';
-        $_REQUEST['pma_username'] = 'testPMAUser';
+        $_POST['pma_username'] = 'testPMAUser';
 
         $this->assertFalse(
             $this->object->readCredentials()
@@ -462,9 +462,9 @@ public function testAuthCheckArbitrary()
         $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
         $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
         $_REQUEST['old_usr'] = '';
-        $_REQUEST['pma_username'] = 'testPMAUser';
+        $_POST['pma_username'] = 'testPMAUser';
         $_REQUEST['pma_servername'] = 'testPMAServer';
-        $_REQUEST['pma_password'] = 'testPMAPSWD';
+        $_POST['pma_password'] = 'testPMAPSWD';
         $GLOBALS['cfg']['AllowArbitraryServer'] = true;
 
         $this->assertTrue(
@@ -501,8 +501,8 @@ public function testAuthCheckInvalidCookie()
     {
         $GLOBALS['cfg']['AllowArbitraryServer'] = true;
         $_REQUEST['pma_servername'] = 'testPMAServer';
-        $_REQUEST['pma_password'] = 'testPMAPSWD';
-        $_REQUEST['pma_username'] = '';
+        $_POST['pma_password'] = 'testPMAPSWD';
+        $_POST['pma_username'] = '';
         $GLOBALS['server'] = 1;
         $_COOKIE['pmaUser-1'] = '';
         $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
@@ -542,7 +542,7 @@ public function testAuthCheckDecryptUser()
     {
         $GLOBALS['server'] = 1;
         $_REQUEST['old_usr'] = '';
-        $_REQUEST['pma_username'] = '';
+        $_POST['pma_username'] = '';
         $_COOKIE['pmaServer-1'] = 'pmaServ1';
         $_COOKIE['pmaUser-1'] = 'pmaUser1';
         $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
@@ -580,7 +580,7 @@ public function testAuthCheckDecryptPassword()
     {
         $GLOBALS['server'] = 1;
         $_REQUEST['old_usr'] = '';
-        $_REQUEST['pma_username'] = '';
+        $_POST['pma_username'] = '';
         $_COOKIE['pmaServer-1'] = 'pmaServ1';
         $_COOKIE['pmaUser-1'] = 'pmaUser1';
         $_COOKIE['pmaAuth-1'] = 'pmaAuth1';
@@ -625,7 +625,7 @@ public function testAuthCheckAuthFails()
     {
         $GLOBALS['server'] = 1;
         $_REQUEST['old_usr'] = '';
-        $_REQUEST['pma_username'] = '';
+        $_POST['pma_username'] = '';
         $_COOKIE['pmaServer-1'] = 'pmaServ1';
         $_COOKIE['pmaUser-1'] = 'pmaUser1';
         $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
@@ -1143,8 +1143,8 @@ public function testAuthenticate()
         $GLOBALS['cfg']['Server']['AllowRoot'] = false;
         $GLOBALS['cfg']['Server']['AllowNoPassword'] = false;
         $_REQUEST['old_usr'] = '';
-        $_REQUEST['pma_username'] = 'testUser';
-        $_REQUEST['pma_password'] = 'testPassword';
+        $_POST['pma_username'] = 'testUser';
+        $_POST['pma_password'] = 'testPassword';
 
         ob_start();
         $this->object->authenticate();