authorIsaac Bennetch <bennetch@gmail.com>2019-06-04 17:41:26 +0300
committerIsaac Bennetch <bennetch@gmail.com>2019-06-04 17:41:26 +0300
commit8108eb7ded1b60863d5fa2d4125fcb805f6e0ae6 (patch)
tree554d6048e2d0ed131c30693cf610fdb0fa1788f7
parent914212f61789acec3640795ed80e818b2e8c8358 (diff)
parent4b5e04d0a1ab0956d21ede85b6c1faf517b555b3 (diff)
Merge remote-tracking branch 'security/QA_4_8-security' into QA_4_8
-rw-r--r--doc/faq.rst18
-rw-r--r--libraries/classes/Plugins/Auth/AuthenticationCookie.php6
-rw-r--r--libraries/common.inc.php4
-rw-r--r--test/classes/Plugins/Auth/AuthenticationCookieTest.php22
4 files changed, 24 insertions, 26 deletions
diff --git a/doc/faq.rst b/doc/faq.rst
index 1beb140931..87c35a91e0 100644
--- a/doc/faq.rst
+++ b/doc/faq.rst
@@ -1167,20 +1167,18 @@ name is defined in the config file.
4.8 Which parameters can I use in the URL that starts phpMyAdmin?
-----------------------------------------------------------------
-When starting phpMyAdmin, you can use the ``db``, ``pma_username``,
-``pma_password`` and ``server`` parameters. This last one can contain
+When starting phpMyAdmin, you can use the ``db``
+and ``server`` parameters. This last one can contain
either the numeric host index (from ``$i`` of the configuration file)
-or one of the host names present in the configuration file. Using
-``pma_username`` and ``pma_password`` has been tested along with the
-usage of 'cookie' ``auth_type``.
+or one of the host names present in the configuration file.
-For example direct login URL can be constructed as
-``https://example.com/phpmyadmin/?pma_username=user&pma_password=password``.
+For example, to jump directly to a particular database, a URL can be constructed as
+``https://example.com/phpmyadmin/?db=sakila``.
-.. warning::
+.. versionchanged:: 4.9.0
- Passing password and username in URL is insecure and should not be used in
- production environments.
+ Support for using the ``pma_username`` and ``pma_password`` parameters was removed
+ in phpMyAdmin 4.9.0 (see `PMASA-2019-4 <https://www.phpmyadmin.net/security/PMASA-2019-4/>`_).
.. _faqbrowsers:
diff --git a/libraries/classes/Plugins/Auth/AuthenticationCookie.php b/libraries/classes/Plugins/Auth/AuthenticationCookie.php
index 51e738f74d..a681f60db3 100644
--- a/libraries/classes/Plugins/Auth/AuthenticationCookie.php
+++ b/libraries/classes/Plugins/Auth/AuthenticationCookie.php
@@ -275,7 +275,7 @@ class AuthenticationCookie extends AuthenticationPlugin
$this->user = $this->password = '';
$GLOBALS['from_cookie'] = false;
- if (isset($_REQUEST['pma_username']) && strlen($_REQUEST['pma_username']) > 0) {
+ if (isset($_POST['pma_username']) && strlen($_POST['pma_username']) > 0) {
// Verify Captcha if it is required.
if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
@@ -323,8 +323,8 @@ class AuthenticationCookie extends AuthenticationPlugin
}
// The user just logged in
- $this->user = Core::sanitizeMySQLUser($_REQUEST['pma_username']);
- $this->password = isset($_REQUEST['pma_password']) ? $_REQUEST['pma_password'] : '';
+ $this->user = Core::sanitizeMySQLUser($_POST['pma_username']);
+ $this->password = isset($_POST['pma_password']) ? $_POST['pma_password'] : '';
if ($GLOBALS['cfg']['AllowArbitraryServer']
&& isset($_REQUEST['pma_servername'])
) {
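Review bot: The `isset($_REQUEST['pma_servername'])` check on the line after the new `$_POST` reads still takes the server name from `$_REQUEST`, which PHP populates from the query string as well as the POST body, so with `AllowArbitraryServer` enabled a crafted link can still pre-select the target host even though the username and password now have to be POSTed. For consistency with the login form, which this commit makes POST-only for credentials, the server name should be read the same way: `&& isset($_POST['pma_servername'])`, with the matching read inside the `if` body changed to `$_POST` as well. The body of that `if` and the rest of `readCredentials()` are outside the hunk, so there may be further `$_REQUEST` reads of the same key to update; the tests in this commit also still set `$_REQUEST['pma_servername']`, so they would need the same change.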
diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index a969fd135a..ed92fea624 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -343,8 +343,8 @@ if (! defined('PMA_MINIMUM_COMMON')) {
. ' ' . $cfg['Server']['auth_type']
);
}
- if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) {
- $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
+ if (isset($_POST['pma_password']) && strlen($_POST['pma_password']) > 256) {
+ $_POST['pma_password'] = substr($_POST['pma_password'], 0, 256);
}
$auth_plugin = new $auth_class();
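Review bot: The 256-byte cap on `if (isset($_POST['pma_password']) && strlen($_POST['pma_password']) > 256)` silently truncates an over-long password rather than rejecting the request, so such a password is checked against only its first 256 bytes, and since `substr` is byte-wise the cut can land inside a multibyte character; that behaviour predates this commit, which only narrows the source from `$_REQUEST` to `$_POST`. The intent is not documented anywhere in the hunk, so a why-comment would help the next reader, e.g. `// Cap the submitted password at 256 bytes before it reaches the auth plugin; over-long input is truncated, not rejected.` The enclosing `if (! defined('PMA_MINIMUM_COMMON'))` block starts before the hunk.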
diff --git a/test/classes/Plugins/Auth/AuthenticationCookieTest.php b/test/classes/Plugins/Auth/AuthenticationCookieTest.php
index 48f18966ed..6aab175b27 100644
--- a/test/classes/Plugins/Auth/AuthenticationCookieTest.php
+++ b/test/classes/Plugins/Auth/AuthenticationCookieTest.php
@@ -42,7 +42,7 @@ class AuthenticationCookieTest extends PmaTestCase
$GLOBALS['text_dir'] = 'ltr';
$GLOBALS['db'] = 'db';
$GLOBALS['table'] = 'table';
- $_REQUEST['pma_password'] = '';
+ $_POST['pma_password'] = '';
$this->object = new AuthenticationCookie();
$GLOBALS['PMA_PHP_SELF'] = '/phpmyadmin/';
}
@@ -388,7 +388,7 @@ class AuthenticationCookieTest extends PmaTestCase
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
$_POST["g-recaptcha-response"] = '';
- $_REQUEST['pma_username'] = 'testPMAUser';
+ $_POST['pma_username'] = 'testPMAUser';
$this->assertFalse(
$this->object->readCredentials()
@@ -462,9 +462,9 @@ class AuthenticationCookieTest extends PmaTestCase
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$_REQUEST['old_usr'] = '';
- $_REQUEST['pma_username'] = 'testPMAUser';
+ $_POST['pma_username'] = 'testPMAUser';
$_REQUEST['pma_servername'] = 'testPMAServer';
- $_REQUEST['pma_password'] = 'testPMAPSWD';
+ $_POST['pma_password'] = 'testPMAPSWD';
$GLOBALS['cfg']['AllowArbitraryServer'] = true;
$this->assertTrue(
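Review bot: Every test in this file is only renamed from `$_REQUEST` to `$_POST`, so nothing asserts the actual security property of the commit: that credentials supplied only in the query string (and therefore present in `$_REQUEST` but not `$_POST`) are ignored by `readCredentials()`. A regression test that sets `$_REQUEST`/`$_GET` credentials, clears `$_POST` and the cookies, and expects `readCredentials()` to return false would pin that behaviour; this assumes the method returns false when neither POST credentials nor a cookie are present, as the captcha test earlier in this file appears to rely on, which should be confirmed before merging. The test method this hunk belongs to starts and ends outside the hunk.
```php
    public function testAuthCheckIgnoresCredentialsInQueryString()
    {
        $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
        $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
        $_REQUEST['old_usr'] = '';
        // Credentials arrive only via the query string, never via the POST body.
        $_GET['pma_username'] = $_REQUEST['pma_username'] = 'testPMAUser';
        $_GET['pma_password'] = $_REQUEST['pma_password'] = 'testPMAPSWD';
        unset($_POST['pma_username'], $_POST['pma_password']);
        $_COOKIE = [];

        $this->assertFalse(
            $this->object->readCredentials()
        );
    }
```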
@@ -501,8 +501,8 @@ class AuthenticationCookieTest extends PmaTestCase
{
$GLOBALS['cfg']['AllowArbitraryServer'] = true;
$_REQUEST['pma_servername'] = 'testPMAServer';
- $_REQUEST['pma_password'] = 'testPMAPSWD';
- $_REQUEST['pma_username'] = '';
+ $_POST['pma_password'] = 'testPMAPSWD';
+ $_POST['pma_username'] = '';
$GLOBALS['server'] = 1;
$_COOKIE['pmaUser-1'] = '';
$_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
@@ -542,7 +542,7 @@ class AuthenticationCookieTest extends PmaTestCase
{
$GLOBALS['server'] = 1;
$_REQUEST['old_usr'] = '';
- $_REQUEST['pma_username'] = '';
+ $_POST['pma_username'] = '';
$_COOKIE['pmaServer-1'] = 'pmaServ1';
$_COOKIE['pmaUser-1'] = 'pmaUser1';
$_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
@@ -580,7 +580,7 @@ class AuthenticationCookieTest extends PmaTestCase
{
$GLOBALS['server'] = 1;
$_REQUEST['old_usr'] = '';
- $_REQUEST['pma_username'] = '';
+ $_POST['pma_username'] = '';
$_COOKIE['pmaServer-1'] = 'pmaServ1';
$_COOKIE['pmaUser-1'] = 'pmaUser1';
$_COOKIE['pmaAuth-1'] = 'pmaAuth1';
@@ -625,7 +625,7 @@ class AuthenticationCookieTest extends PmaTestCase
{
$GLOBALS['server'] = 1;
$_REQUEST['old_usr'] = '';
- $_REQUEST['pma_username'] = '';
+ $_POST['pma_username'] = '';
$_COOKIE['pmaServer-1'] = 'pmaServ1';
$_COOKIE['pmaUser-1'] = 'pmaUser1';
$_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
@@ -1143,8 +1143,8 @@ class AuthenticationCookieTest extends PmaTestCase
$GLOBALS['cfg']['Server']['AllowRoot'] = false;
$GLOBALS['cfg']['Server']['AllowNoPassword'] = false;
$_REQUEST['old_usr'] = '';
- $_REQUEST['pma_username'] = 'testUser';
- $_REQUEST['pma_password'] = 'testPassword';
+ $_POST['pma_username'] = 'testUser';
+ $_POST['pma_password'] = 'testPassword';
ob_start();
$this->object->authenticate();