Fix #14321 - leaked HTML on auth_type=signon before redirect occurs and on error page when SignonURL is not set

This fix also fixes the display when SignonURL is empty at configuration time.

When the user was redirected there was HTML in the output that could leak some interesting details about the server or the user.

Signed-off-by: William Desportes <williamdes@wdes.fr>
williamdes committed Aug 24, 2021
1 parent bde9b18 commit e3f4a57
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions libraries/classes/Plugins/Auth/AuthenticationSignon.php
Expand Up @@ -10,6 +10,7 @@

use PhpMyAdmin\Core;
use PhpMyAdmin\Plugins\AuthenticationPlugin;
use PhpMyAdmin\Response;
use PhpMyAdmin\Util;

/**
Expand All @@ -26,6 +27,7 @@ class AuthenticationSignon extends AuthenticationPlugin
*/
public function showLoginForm()
{
Response::getInstance()->disable();
unset($_SESSION['LAST_SIGNON_URL']);
if (empty($GLOBALS['cfg']['Server']['SignonURL'])) {
Core::fatalError('You must set SignonURL!');
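
Review bot: The `Response::getInstance()->disable();` call at the top of `showLoginForm()` carries no comment explaining why output is suppressed, and the commit changes only this one file, so no test protects against the leak returning. Because the call sits before the `empty($GLOBALS['cfg']['Server']['SignonURL'])` check, the `Core::fatalError('You must set SignonURL!')` branch also runs with the response disabled. The commit message says that is intended, so a short comment referencing #14321 would make it clear to the next reader that the placement is deliberate. Consider adding a test that calls `showLoginForm()` with `SignonURL` empty and with it set, and asserts that no page HTML from the regular response is emitted in either case.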
