Warning: hash_equals(): Expected known_string to be a string, null given #13964

Closed
joximu opened this Issue Feb 2, 2018 · 2 comments

joximu commented Feb 2, 2018

Steps to reproduce

  1. Use pma config like this:
    $cfg['Servers'][$i]['auth_type'] = 'cookie';
    $cfg['Servers'][$i]['user'] = $_POST['pma_username'];
    $cfg['Servers'][$i]['controluser'] = 'pma_user';

  2. Log in normally (not via Cookie, Post etc)

  3. See the warnings:
    Warning in ./libraries/plugins/auth/AuthenticationCookie.php#451 (and 457)
    hash_equals(): Expected known_string to be a string, null given
    Backtrace
    ./libraries/plugins/auth/AuthenticationCookie.php#451: hash_equals(
    NULL,
    string 'root',
    )
    ./libraries/common.inc.php#699: PMA\libraries\plugins\auth\AuthenticationCookie->authSetUser()
    ./index.php#20: require_once(./libraries/common.inc.php)

Expected behaviour

no warnings

Actual behaviour

warning about incorrect parameters for "hash_equals"

Server configuration

Debian 8.10
nginx
mysql 5.5.59
php 5.6.33
pma 4.6.5 (4.6.4 is ok) - 4.7.7 (and higher?)

Client configuration

Palemoon
Debian

Comments

From pma 4.6.4 to 4.6.5 the function authSetUser() was changed. The relevant 2 lines:
4.6.4:
if ($cfg['Server']['user'] != $GLOBALS['PHP_AUTH_USER']) { ...
... && $current['user'] == $GLOBALS['PHP_AUTH_USER']
4.6.5:
if (! hash_equals($cfg['Server']['user'], $GLOBALS['PHP_AUTH_USER'])) { ...
... && hash_equals($current['user'], $GLOBALS['PHP_AUTH_USER'])

With the normal login, the 'user' item in both arrays is NULL -> throws a warning when using this with "hash_equals"...

This is one method to solve:
if (is_null($cfg['Server']['user'])) $cfg['Server']['user'] = '';
if (is_null($current['user'])) $current['user'] = ''; # after/inside foreach...

Maybe the configuration is not common - it's the way i-mscp does it.
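
As an added illustration (not code from the issue or from phpMyAdmin): a null-tolerant wrapper around hash_equals() that treats an unset value as a non-match instead of coercing it to ''. The function name userMatches and the sample values are hypothetical.

```php
<?php
// Added illustration; names are hypothetical, not phpMyAdmin's code.
// On PHP 5.6/7.x, hash_equals(null, 'root') emits the warning from the
// report and returns false; PHP 8 raises a TypeError instead.

/**
 * Constant-time comparison that tolerates unset (null) values.
 * A non-string on either side is "no match": hash_equals() is never
 * handed null, and null is never coerced to '' so that two unset
 * values cannot compare equal.
 */
function userMatches($known, $supplied)
{
    if (!is_string($known) || !is_string($supplied)) {
        return false;
    }
    return hash_equals($known, $supplied);
}

// Constructed stand-ins for $cfg['Server']['user'] (known) and
// $GLOBALS['PHP_AUTH_USER'] (supplied) from the report.
$cases = array(
    array(null,   'root', false), // the reported case: config user unset
    array('root', 'root', true),
    array('root', 'r00t', false),
    array(null,   null,   false), // both unset: still not a match
    array('',     '',     true),  // what a null -> '' coercion would yield
);

foreach ($cases as $case) {
    list($known, $supplied, $expected) = $case;
    $result = userMatches($known, $supplied);
    printf(
        "%-6s vs %-6s => %-5s %s\n",
        var_export($known, true),
        var_export($supplied, true),
        var_export($result, true),
        $result === $expected ? 'ok' : 'UNEXPECTED'
    );
}
```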

Member

nijel commented Feb 20, 2018

Remove $cfg['Servers'][$i]['user'] = $_POST['pma_username']; and it will work. This line anyway doesn't do anything useful.

Member

nijel commented Feb 20, 2018

Was already fixed by 4ca1f8b.

nijel closed this Feb 20, 2018

nijel self-assigned this Feb 20, 2018

nijel added the bug label Feb 20, 2018

nijel added this to the 4.8.0 milestone Feb 20, 2018
