diff options
-rw-r--r-- | doc/config.rst | 5 | ||||
-rw-r--r-- | libraries/classes/Controllers/HomeController.php | 14 | ||||
-rw-r--r-- | libraries/classes/Plugins/Auth/AuthenticationCookie.php | 13 | ||||
-rw-r--r-- | psalm-baseline.xml | 4 |
4 files changed, 25 insertions, 11 deletions
diff --git a/doc/config.rst b/doc/config.rst index 11f5b1d893..27d9500311 100644 --- a/doc/config.rst +++ b/doc/config.rst @@ -1913,8 +1913,9 @@ Cookie authentication options .. warning:: - The encryption key must be 32 bytes long. If it has a different length of bytes, a new key will be automatically - generated for you. However it will only last for the duration of the session. + The encryption key must be 32 bytes long. If it is longer than the length of bytes, only the first 32 bytes will + be used, and if it is shorter, a new temporary key will be automatically generated for you. However, this + temporary key will only last for the duration of the session. .. note:: diff --git a/libraries/classes/Controllers/HomeController.php b/libraries/classes/Controllers/HomeController.php index 998cc3b4ce..39235fdc06 100644 --- a/libraries/classes/Controllers/HomeController.php +++ b/libraries/classes/Controllers/HomeController.php @@ -311,19 +311,23 @@ class HomeController extends AbstractController * Check if user does not have defined blowfish secret and it is being used. */ if (! empty($_SESSION['encryption_key'])) { - if (empty($cfg['blowfish_secret'])) { + $encryptionKeyLength = mb_strlen($cfg['blowfish_secret'], '8bit'); + if ($encryptionKeyLength < SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { $this->errors[] = [ 'message' => __( - 'The configuration file now needs a secret passphrase (blowfish_secret).' + 'The configuration file needs a valid key for cookie encryption.' + . ' A temporary key was automatically generated for you.' + . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].' ), 'severity' => 'warning', ]; - } elseif (mb_strlen($cfg['blowfish_secret'], '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { + } elseif ($encryptionKeyLength > SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { $this->errors[] = [ 'message' => sprintf( __( - 'The secret passphrase in configuration (blowfish_secret) is not the correct length.' - . ' It should be %d bytes long.' + 'The cookie encryption key in the configuration file is longer than necessary.' + . ' It should only be %d bytes long.' + . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].' ), SODIUM_CRYPTO_SECRETBOX_KEYBYTES ), diff --git a/libraries/classes/Plugins/Auth/AuthenticationCookie.php b/libraries/classes/Plugins/Auth/AuthenticationCookie.php index 33faf56b34..e083ddf19a 100644 --- a/libraries/classes/Plugins/Auth/AuthenticationCookie.php +++ b/libraries/classes/Plugins/Auth/AuthenticationCookie.php @@ -597,11 +597,21 @@ class AuthenticationCookie extends AuthenticationPlugin */ private function getEncryptionSecret(): string { + /** @var mixed $key */ $key = $GLOBALS['cfg']['blowfish_secret'] ?? null; - if (is_string($key) && mb_strlen($key, '8bit') === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { + if (! is_string($key)) { + return $this->getSessionEncryptionSecret(); + } + + $length = mb_strlen($key, '8bit'); + if ($length === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { return $key; } + if ($length > SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { + return mb_substr($key, 0, SODIUM_CRYPTO_SECRETBOX_KEYBYTES, '8bit'); + } + return $this->getSessionEncryptionSecret(); } @@ -610,6 +620,7 @@ class AuthenticationCookie extends AuthenticationPlugin */ private function getSessionEncryptionSecret(): string { + /** @var mixed $key */ $key = $_SESSION['encryption_key'] ?? null; if (is_string($key) && mb_strlen($key, '8bit') === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { return $key; diff --git a/psalm-baseline.xml b/psalm-baseline.xml index be2ba27d96..874757e842 100644 --- a/psalm-baseline.xml +++ b/psalm-baseline.xml @@ -9042,14 +9042,12 @@ <MixedArrayOffset occurrences="1"> <code>$_SESSION['browser_access_time'][$key]</code> </MixedArrayOffset> - <MixedAssignment occurrences="14"> + <MixedAssignment occurrences="12"> <code>$GLOBALS['pma_auth_server']</code> <code>$_form_params['route']</code> <code>$captchaSiteVerifyURL</code> <code>$captchaSiteVerifyURL</code> <code>$key</code> - <code>$key</code> - <code>$key</code> <code>$password</code> <code>$serverCookie</code> <code>$serverCookie</code> |