Blowfish secret auto-generated by setup script includes non-printable characters #17054

@lrb2

Describe the bug

When the phpMyAdmin setup script (/phpmyadmin/setup) generated $cfg['blowfish_secret'], the DEL character (ASCII code 127, Wikipedia) was included as one of the 32 characters. When I attempted to copy the contents of the file from Windows to my server through SSH instead of transferring the config file itself, this character was automatically stripped, causing the secret to now only be 31 characters and too short. When I discovered that this was the cause of the issue, I transferred the file to the server instead of copying the contents (leaving the DEL character intact), and phpMyAdmin treats the secret as valid. However, I don't think that the inclusion of the non-printable DEL character is intended behavior.

To Reproduce

  1. Go to the phpMyAdmin setup script at /phpmyadmin/setup
  2. Create a new server having authentication type 'cookie'

Once the server settings are saved, the secret will be automatically generated and viewable in 'Features' under the 'Security' tab. If the DEL character is included, it appears as a wide space in Google Chrome, DEL in Notepad++, and ^? in nano.

Expected behavior

The secret should be limited to printable characters.

Screenshots

image
(The space in the secret is the DEL character.)

Generated line in config.inc.php: generated_secret.txt (file attached because GitHub replaces the character)

Server configuration

  • Operating system: Ubuntu Server 21.04 (GNU/Linux 5.11.0-25-generic x86_64)
  • Web server: Apache/2.4.46 (Ubuntu)
  • Database version: MySQL 8.0.26-0ubuntu0.21.04.3
  • PHP version: 8.0.9
  • phpMyAdmin version: 5.1.1 (downloaded from phpmyadmin.net)

Client configuration

  • Browser: Vivaldi 4.1.2369.11
  • Operating system: Windows 10 Education version 1909

Additional context

I have not tried to see if the DEL character in the secret causes any problems with phpMyAdmin functionality.
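
One way to generate and check a secret limited to printable characters, as an added example (not phpMyAdmin's own code and not part of the report). The function names, the choice to also exclude space, quotes and backslash, and the sample secret are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Alphabet: ASCII 0x21..0x7E minus quotes and backslash (assumption), so the
// value fits in a single-quoted PHP string and survives terminal copy/paste.
function printableAlphabet(): string
{
    $alphabet = '';
    for ($code = 0x21; $code <= 0x7E; $code++) { // 0x7F (DEL) is outside the range
        $char = chr($code);
        if ($char !== "'" && $char !== '"' && $char !== '\\') {
            $alphabet .= $char;
        }
    }
    return $alphabet;
}

function generateSecret(int $length = 32): string
{
    $alphabet = printableAlphabet();
    $max = strlen($alphabet) - 1;
    $secret = '';
    for ($i = 0; $i < $length; $i++) {
        $secret .= $alphabet[random_int(0, $max)]; // CSPRNG, uniform pick
    }
    return $secret;
}

/** Returns [offset => byte value] for every byte outside 0x21..0x7E. */
function findNonPrintable(string $secret): array
{
    $bad = [];
    foreach (unpack('C*', $secret) as $index => $byte) {
        if ($byte < 0x21 || $byte > 0x7E) {
            $bad[$index - 1] = $byte; // unpack() keys start at 1
        }
    }
    return $bad;
}

// Constructed sample: 31 printable characters plus one DEL, as in the report.
$reported = str_repeat('a', 15) . "\x7F" . str_repeat('b', 16);
foreach (findNonPrintable($reported) as $offset => $byte) {
    printf("offset %d: byte 0x%02X is not printable\n", $offset, $byte);
}
$pasted = str_replace("\x7F", '', $reported); // what a paste that drops DEL leaves
printf("length before paste: %d, after: %d\n", strlen($reported), strlen($pasted));

$fresh = generateSecret();
printf("new secret: %s (%d chars, %d non-printable)\n",
    $fresh, strlen($fresh), count(findNonPrintable($fresh)));
```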

Labels

  • Bug: A problem or regression with an existing feature
  • has-pr: An issue that has a pull request pending that may fix this issue. The pull request may be incomplete
