authorWilliam Desportes <williamdes@wdes.fr>2019-06-13 21:04:54 +0300
committerWilliam Desportes <williamdes@wdes.fr>2019-06-13 21:05:11 +0300
commitfc014c5b727d45508f248313dd241ba9ae1a84cb (patch)
tree4e4f2aa2ae37229618beeab3cb42f9f0cede6eaf /test
parent80a7f0a75c72ec2b92216647ac66890ff58002f8 (diff)
Harden the HMAC secret by using the blowfish_secret
Signed-off-by: William Desportes <williamdes@wdes.fr>
Diffstat (limited to 'test')
-rw-r--r--test/classes/CoreTest.php24
1 files changed, 24 insertions, 0 deletions
diff --git a/test/classes/CoreTest.php b/test/classes/CoreTest.php
index 7f508f525a..26b1de9a88 100644
--- a/test/classes/CoreTest.php
+++ b/test/classes/CoreTest.php
@@ -1203,4 +1203,28 @@ class CoreTest extends PmaTestCase
// Try to use the token (hmac) from the previous session
$this->assertFalse(Core::checkSqlQuerySignature($sqlQuery, $hmac));
}
+
+ /**
+ * Test for Core::checkSqlQuerySignature
+ *
+ * @return void
+ */
+ function testCheckSqlQuerySignatureFailsBlowfishSecretChanged()
+ {
+ $GLOBALS['cfg']['blowfish_secret'] = '';
+ $_SESSION[' HMAC_secret '] = hash('sha1', 'firstSession');
+ $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
+ $hmac = Core::signSqlQuery($sqlQuery);
+ $this->assertTrue(Core::checkSqlQuerySignature($sqlQuery, $hmac));
+ $GLOBALS['cfg']['blowfish_secret'] = '32154987zd';
+ // Try to use the previous HMAC signature
+ $this->assertFalse(Core::checkSqlQuerySignature($sqlQuery, $hmac));
+
+ $GLOBALS['cfg']['blowfish_secret'] = '32154987zd';
+ // Generate the HMAC signature to check that it works
+ $hmac = Core::signSqlQuery($sqlQuery);
+ // Must work now, (good secret and blowfish_secret)
+ $this->assertTrue(Core::checkSqlQuerySignature($sqlQuery, $hmac));
+ }
+
}
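Review bot: The new test sets `$GLOBALS['cfg']['blowfish_secret']` and `$_SESSION[' HMAC_secret ']` and leaves both in place when it returns, so the `'32154987zd'` secret leaks into whatever test runs next unless setUp() re-initialises them (setUp is outside this hunk, so I cannot confirm it does); adding `$GLOBALS['cfg']['blowfish_secret'] = '';` and `unset($_SESSION[' HMAC_secret ']);` at the end, or in tearDown(), keeps the sibling signature tests order-independent. The second `$GLOBALS['cfg']['blowfish_secret'] = '32154987zd';` repeats the value already assigned before the assertFalse, so the "good secret and blowfish_secret" comment describes a no-op; either drop that line or assign a third distinct value so the final assertTrue demonstrates re-signing under a changed secret rather than the unchanged one. The method also declares no visibility; `public function testCheckSqlQuerySignatureFailsBlowfishSecretChanged()` is what PSR-12 expects and makes PHPUnit's public-method requirement explicit instead of relying on PHP's default.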