1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
|
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* Session handling
*
* @package PhpMyAdmin
*
* @see https://secure.php.net/session
*/
namespace PhpMyAdmin;
use PhpMyAdmin\Config;
use PhpMyAdmin\Core;
use PhpMyAdmin\ErrorHandler;
use PhpMyAdmin\Util;
/**
* Session class
*
* @package PhpMyAdmin
*/
class Session
{
/**
* Generates PMA_token session variable.
*
* @return void
*/
private static function generateToken()
{
$_SESSION[' PMA_token '] = Util::generateRandom(16);
/**
* Check if token is properly generated (the generation can fail, for example
* due to missing /dev/random for openssl).
*/
if (empty($_SESSION[' PMA_token '])) {
Core::fatalError(
'Failed to generate random CSRF token!'
);
}
}
/**
* tries to secure session from hijacking and fixation
* should be called before login and after successful login
* (only required if sensitive information stored in session)
*
* @return void
*/
public static function secure()
{
// prevent session fixation and XSS
if (session_status() === PHP_SESSION_ACTIVE && ! defined('TESTSUITE')) {
session_regenerate_id(true);
}
// continue with empty session
session_unset();
self::generateToken();
}
/**
* Session failed function
*
* @param array $errors PhpMyAdmin\ErrorHandler array
*
* @return void
*/
private static function sessionFailed(array $errors)
{
$messages = array();
foreach ($errors as $error) {
/*
* Remove path from open() in error message to avoid path disclossure
*
* This can happen with PHP 5 when nonexisting session ID is provided,
* since PHP 7, session existence is checked first.
*
* This error can also happen in case of session backed error (eg.
* read only filesystem) on any PHP version.
*
* The message string is currently hardcoded in PHP, so hopefully it
* will not change in future.
*/
$messages[] = preg_replace(
'/open\(.*, O_RDWR\)/',
'open(SESSION_FILE, O_RDWR)',
htmlspecialchars($error->getMessage())
);
}
/*
* Session initialization is done before selecting language, so we
* can not use translations here.
*/
Core::fatalError(
'Error during session start; please check your PHP and/or '
. 'webserver log file and configure your PHP '
. 'installation properly. Also ensure that cookies are enabled '
. 'in your browser.'
. '<br /><br />'
. implode('<br /><br />', $messages)
);
}
/**
* Set up session
*
* @param PhpMyAdmin\Config $config Configuration handler
* @param PhpMyAdmin\ErrorHandler $errorHandler Error handler
* @return void
*/
public static function setUp(Config $config, ErrorHandler $errorHandler)
{
// verify if PHP supports session, die if it does not
if (!@function_exists('session_name')) {
Core::warnMissingExtension('session', true);
} elseif (! empty(ini_get('session.auto_start'))
&& session_name() != 'phpMyAdmin'
&& !empty(session_id())) {
// Do not delete the existing non empty session, it might be used by
// other applications; instead just close it.
if (empty($_SESSION)) {
// Ignore errors as this might have been destroyed in other
// request meanwhile
@session_destroy();
} elseif (function_exists('session_abort')) {
// PHP 5.6 and newer
session_abort();
} else {
session_write_close();
}
}
// session cookie settings
session_set_cookie_params(
0, $config->getRootPath(),
'', $config->isHttps(), true
);
// cookies are safer (use @ini_set() in case this function is disabled)
@ini_set('session.use_cookies', 'true');
// optionally set session_save_path
$path = $config->get('SessionSavePath');
if (!empty($path)) {
session_save_path($path);
// We can not do this unconditionally as this would break
// any more complex setup (eg. cluster), see
// https://github.com/phpmyadmin/phpmyadmin/issues/8346
ini_set('session.save_handler', 'files');
}
// use cookies only
@ini_set('session.use_only_cookies', '1');
// strict session mode (do not accept random string as session ID)
@ini_set('session.use_strict_mode', '1');
// make the session cookie HttpOnly
@ini_set('session.cookie_httponly', '1');
// do not force transparent session ids
@ini_set('session.use_trans_sid', '0');
// delete session/cookies when browser is closed
@ini_set('session.cookie_lifetime', '0');
// warn but don't work with bug
@ini_set('session.bug_compat_42', 'false');
@ini_set('session.bug_compat_warn', 'true');
// use more secure session ids
@ini_set('session.hash_function', '1');
// some pages (e.g. stylesheet) may be cached on clients, but not in shared
// proxy servers
session_cache_limiter('private');
$session_name = 'phpMyAdmin';
@session_name($session_name);
// Restore correct sesion ID (it might have been reset by auto started session
if (isset($_COOKIE['phpMyAdmin'])) {
session_id($_COOKIE['phpMyAdmin']);
}
// on first start of session we check for errors
// f.e. session dir cannot be accessed - session file not created
$orig_error_count = $errorHandler->countErrors(false);
$session_result = session_start();
if ($session_result !== true
|| $orig_error_count != $errorHandler->countErrors(false)
) {
setcookie($session_name, '', 1);
$errors = $errorHandler->sliceErrors($orig_error_count);
self::sessionFailed($errors);
}
unset($orig_error_count, $session_result);
/**
* Disable setting of session cookies for further session_start() calls.
*/
@ini_set('session.use_cookies', 'true');
/**
* Token which is used for authenticating access queries.
* (we use "space PMA_token space" to prevent overwriting)
*/
if (empty($_SESSION[' PMA_token '])) {
self::generateToken();
/**
* Check for disk space on session storage by trying to write it.
*
* This seems to be most reliable approach to test if sessions are working,
* otherwise the check would fail with custom session backends.
*/
$orig_error_count = $errorHandler->countErrors();
session_write_close();
if ($errorHandler->countErrors() > $orig_error_count) {
$errors = $errorHandler->sliceErrors($orig_error_count);
self::sessionFailed($errors);
}
session_start();
if (empty($_SESSION[' PMA_token '])) {
Core::fatalError(
'Failed to store CSRF token in session! ' .
'Probably sessions are not working properly.'
);
}
}
}
}
|
