Merge remote-tracking branch 'security/QA_4_6-security' into QA_4_6

.scrutinizer.yml

@@ -3,7 +3,7 @@ imports:
     - javascript
     - php
 filter:
-    excluded_paths: [libraries/php-gettext/*, libraries/tcpdf/*, libraries/bfShapeFiles/*, libraries/phpseclib/*, libraries/plugins/auth/recaptchalib.php, libraries/plugins/auth/swekey/swekey.php, libraries/sql-formatter/*, js/jquery/*, js/jqplot/*, js/openlayers/*, js/codemirror/*, js/canvg/*, js/tracekit/*, js/OpenStreetMap.js, js/sprintf.js, test/libraries/php-gettext/*, test/libraries/sql-formatter/*]
+    excluded_paths: [libraries/php-gettext/*, libraries/tcpdf/*, libraries/bfShapeFiles/*, libraries/phpseclib/*, libraries/plugins/auth/recaptchalib.php, libraries/sql-formatter/*, js/jquery/*, js/jqplot/*, js/openlayers/*, js/codemirror/*, js/canvg/*, js/tracekit/*, js/OpenStreetMap.js, js/sprintf.js, test/libraries/php-gettext/*, test/libraries/sql-formatter/*]
 tools:
     php_code_sniffer:
         config:

build.xml

@@ -55,7 +55,7 @@
    <arg line="${source_comma_sep}
               xml
               codesize,design,naming,unusedcode
-              --exclude test,build,tcpdf,php-gettext,bfShapeFiles,phpseclib,recaptchalib.php,swekey.php,vendor,sql-parser
+              --exclude test,build,tcpdf,php-gettext,bfShapeFiles,phpseclib,recaptchalib.php,vendor,sql-parser
               --reportfile '${basedir}/build/logs/pmd.xml'" />
   </exec>
  </target>
@@ -71,7 +71,6 @@
               --exclude libraries/bfShapeFiles
               --exclude libraries/phpseclib
               --exclude libraries/plugins/auth/recaptcha/recaptchalib.php
-              --exclude libraries/plugins/auth/swekey/swekey.php
               --exclude libraries/sql-parser
               ${source}" />
   </exec>
@@ -88,7 +87,6 @@
               --exclude libraries/bfShapeFiles
               --exclude libraries/phpseclib
               --exclude libraries/plugins/auth/recaptcha/recaptchalib.php
-              --exclude libraries/plugins/auth/swekey/swekey.php
               --exclude libraries/sql-parser
               ${source}" />
   </exec>
@@ -103,7 +101,7 @@
  <target name="phpcs" description="Generate checkstyle.xml using PHP_CodeSniffer excluding third party libraries" depends="phpcs-config">
   <exec executable="phpcs">
    <arg line="
-              --ignore=*/php-gettext/*,*/vendor/*,*/tcpdf/*,*/canvg/*,*/codemirror/*,*/openlayers/*,*/jquery/*,*/jqplot/*,*/build/*,*/bfShapeFiles/*,*/phpseclib/*,*/recaptcha/*,*/swekey/*,*/sql-parser/*
+              --ignore=*/php-gettext/*,*/vendor/*,*/tcpdf/*,*/canvg/*,*/codemirror/*,*/openlayers/*,*/jquery/*,*/jqplot/*,*/build/*,*/bfShapeFiles/*,*/phpseclib/*,*/recaptcha/*,*/sql-parser/*
               --report=checkstyle
               --extensions=php
               --report-file='${basedir}/build/logs/checkstyle.xml'

changelog.php

@@ -13,6 +13,7 @@
 
 $response = PMA\libraries\Response::getInstance();
 $response->disable();
+$response->getHeader()->sendHttpHeaders();
 
 $filename = CHANGELOG_FILE;
 
@@ -154,6 +155,7 @@
 var links = document.getElementsByTagName("a");
 for(var i = 0; i < links.length; i++) {
     links[i].target = "_blank";
+    links[i].rel = "noopener noreferrer";
 }
 </script>
 </body>

config.sample.inc.php

@@ -12,7 +12,7 @@
 
 /**
  * This is needed for cookie based authentication to encrypt password in
- * cookie
+ * cookie. Needs to be 32 chars long.
  */
 $cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
 
@@ -64,8 +64,6 @@
 // $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
 // $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
 // $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
-/* Contrib / Swekey authentication */
-// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
 
 /**
  * End of servers configuration

doc/config.rst

@@ -414,15 +414,6 @@ Server connection settings
     "phpMyAdmin " and either :config:option:`$cfg['Servers'][$i]['verbose']` or
     :config:option:`$cfg['Servers'][$i]['host']` will be used.
 
-.. _servers_auth_swekey_config:
-.. config:option:: $cfg['Servers'][$i]['auth_swekey_config']
-
-    :type: string
-    :default: ``''``
-
-    The name of the file containing :ref:`swekey` ids and login names for hardware
-    authentication. Leave empty to deactivate this feature.
-
 .. _servers_user:
 .. config:option:: $cfg['Servers'][$i]['user']
 
@@ -1473,7 +1464,10 @@ Cookie authentication options
     The "cookie" auth\_type uses AES algorithm to encrypt the password. If you
     are using the "cookie" auth\_type, enter here a random passphrase of your
     choice. It will be used internally by the AES algorithm: you won’t be
-    prompted for this passphrase. There is no maximum length for this secret.
+    prompted for this passphrase. 
+
+    The secret should be 32 characters long. Using shorter will lead to weaker security
+    of encrypted cookies, using longer will cause no harm.
 
     .. note::
 
@@ -1833,11 +1827,6 @@ Main panel
     You can additionally hide more information by using
     :config:option:`$cfg['Servers'][$i]['verbose']`.
 
-.. config:option:: $cfg['ShowPhpInfo']
-
-    :type: boolean
-    :default: false
-
 .. config:option:: $cfg['ShowChgPassword']
 
     :type: boolean
@@ -1848,18 +1837,11 @@ Main panel
     :type: boolean
     :default: true
 
-    Defines whether to display the :guilabel:`PHP information` and
+    Defines whether to display the 
     :guilabel:`Change password` links and form for creating database or not at
     the starting main (right) frame. This setting does not check MySQL commands
     entered directly.
 
-    Please note that to block the usage of ``phpinfo()`` in scripts, you have to
-    put this in your :file:`php.ini`:
-
-    .. code-block:: ini
-
-        disable_functions = phpinfo()
-
     Also note that enabling the :guilabel:`Change password` link has no effect
     with config authentication mode: because of the hard coded password value
     in the configuration file, end users can't be allowed to change their

doc/setup.rst

@@ -248,7 +248,8 @@ simple configuration may look like this:
 
 
     <?php
-    $cfg['blowfish_secret'] = 'ba17c1ec07d65003';  // use here a value of your choice
+    // use here a value of your choice at least 32 chars long
+    $cfg['blowfish_secret'] = '1{dd0`<Q),5XP_:R9UK%%8\"EEcyH#{o';
 
     $i=0;
     $i++;
@@ -738,40 +739,6 @@ Config authentication mode
   of which are beyond the scope of this manual but easily searchable
   with Google).
 
-.. index:: pair: Swekey; Authentication mode
-
-.. _swekey:
-
-Swekey authentication mode
---------------------------
-
-The Swekey is a low cost authentication USB key that can be used in
-web applications. When Swekey authentication is activated, phpMyAdmin
-requires the users's Swekey to be plugged before entering the login
-page (currently supported for cookie authentication mode only). Swekey
-Authentication is disabled by default. To enable it, add the following
-line to :file:`config.inc.php`:
-
-.. code-block:: php
-
-    $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey.conf';
-
-You then have to create the ``swekey.conf`` file that will associate
-each user with their Swekey Id. It is important to place this file
-outside of your web server's document root (in the example, it is
-located in ``/etc``). Feel free to use it with your own users'
-information. If you want to purchase a Swekey please visit
-`https://www.phpmyadmin.net/auth\_key/ <https://www.phpmyadmin.net/auth_key/>`_
-since this link provides funding for phpMyAdmin.
-
-A self documented sample file is provided in the
-file :file:`examples/swekey.sample.conf`:
-
-.. literalinclude:: ../examples/swekey.sample.conf
-    :language: sh
-
-.. seealso:: :config:option:`$cfg['Servers'][$i]['auth_swekey_config']`
-
 
 Securing your phpMyAdmin installation
 +++++++++++++++++++++++++++++++++++++

examples/openid.php

@@ -74,11 +74,11 @@ function Die_error($e)
 
 
 /* Need to have cookie visible from parent directory */
-session_set_cookie_params(0, '/', '', false);
+session_set_cookie_params(0, '/', '', true, true);
 /* Create signon session */
 $session_name = 'SignonSession';
 session_name($session_name);
-session_start();
+@session_start();
 
 // Determine realm and return_to
 $base = 'http';

examples/signon.php

@@ -12,13 +12,13 @@
  */
 
 /* Need to have cookie visible from parent directory */
-session_set_cookie_params(0, '/', '', false);
+session_set_cookie_params(0, '/', '', true, true);
 /* Create signon session */
 $session_name = 'SignonSession';
 session_name($session_name);
 // Uncomment and change the following line to match your $cfg['SessionSavePath']
 //session_save_path('/foobar');
-session_start();
+@session_start();
 
 /* Was data posted? */
 if (isset($_POST['user'])) {
@@ -31,7 +31,7 @@
     $_SESSION['PMA_single_signon_cfgupdate'] = array('verbose' => 'Signon test');
     $id = session_id();
     /* Close that session */
-    session_write_close();
+    @session_write_close();
     /* Redirect to phpMyAdmin (should use absolute URL here!) */
     header('Location: ../index.php');
 } else {

file_echo.php

@@ -10,59 +10,7 @@
 define('PMA_MINIMUM_COMMON', true);
 require_once 'libraries/common.inc.php';
 
-/* For chart exporting */
-if (isset($_REQUEST['filename']) && isset($_REQUEST['image'])) {
-    $allowed = array(
-        'image/png'     => 'png',
-        'image/svg+xml' => 'svg',
-    );
-
-    /* Check whether MIME type is allowed */
-    if (! isset($allowed[$_REQUEST['type']])) {
-        PMA_fatalError(__('Invalid export type'));
-    }
-
-    /*
-     * Check file name to match mime type and not contain new lines
-     * to prevent response splitting.
-     */
-    $extension = $allowed[$_REQUEST['type']];
-    $valid_match = '/^[^\n\r]*\.' . $extension . '$/';
-    if (! preg_match($valid_match, $_REQUEST['filename'])) {
-        if (! preg_match('/^[^\n\r]*$/', $_REQUEST['filename'])) {
-            /* Filename is unsafe, discard it */
-            $filename = 'download.' . $extension;
-        } else {
-            /* Add extension */
-            $filename = $_REQUEST['filename'] . '.' . $extension;
-        }
-    } else {
-        /* Filename from request should be safe here */
-        $filename = $_REQUEST['filename'];
-    }
-
-    /* Decode data */
-    if ($extension != 'svg') {
-        $data = mb_substr(
-            $_REQUEST['image'],
-            mb_strpos($_REQUEST['image'], ',') + 1
-        );
-        $data = base64_decode($data);
-    } else {
-        $data = $_REQUEST['image'];
-    }
-
-    /* Send download header */
-    PMA_downloadHeader(
-        $filename,
-        $_REQUEST['type'],
-        strlen($data)
-    );
-
-    /* Send data */
-    echo $data;
-
-} else if (isset($_REQUEST['monitorconfig'])) {
+if (isset($_REQUEST['monitorconfig'])) {
     /* For monitor chart config export */
     PMA_downloadHeader('monitor.cfg', 'application/json; charset=UTF-8');
     header('X-Content-Type-Options: nosniff');

import.php

@@ -7,6 +7,11 @@
  */
 use PMA\libraries\plugins\ImportPlugin;
 
+/* Enable LOAD DATA LOCAL INFILE for LDI plugin */
+if (isset($_POST['format']) && $_POST['format'] == 'ldi') {
+    define('PMA_ENABLE_LDI', 1);
+}
+
 /**
  * Get the variables sent or posted to this script and a core script
  */
@@ -435,6 +440,15 @@
     $import_file = PMA\libraries\Util::userDir($cfg['UploadDir'])
         . $local_import_file;
 
+    /*
+     * Do not allow symlinks to avoid security issues
+     * (user can create symlink to file he can not access,
+     * but phpMyAdmin can).
+     */
+    if (@is_link($import_file)) {
+        $import_file  = 'none';
+    }
+
 } elseif (empty($import_file) || ! is_uploaded_file($import_file)) {
     $import_file  = 'none';
 }