Do not attempt logging in without password (bug #676)

diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index fef6b62902b05063a133436be035d413ce4b3457..f8a5a3993cea4bc29cbad9c1ba585302c2909e27 100644 (file)
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -160,7 +160,7 @@ if (isset($_GET["username"]) && !class_exists("Min_DB")) {
 
 stop_session(true);
 
-if (isset($_GET["username"])) {
+if (isset($_GET["username"]) && is_string(get_password())) {
        list($host, $port) = explode(":", SERVER, 2);
        if (is_numeric($port) && $port < 1024) {
                auth_error(lang('Connecting to privileged ports is not allowed.'));

diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index 02fa0e523487b69ed9516030e2565c6cd7212ab9..d208e0b2a69ef3299c414b046e3fc80bafe2a305 100644 (file)
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -351,7 +351,7 @@ function set_password($vendor, $server, $username, $password) {
 }
 
 /** Get password from session
-* @return string
+* @return string or null for missing password or false for expired password
 */
 function get_password() {
        $return = get_session("pwds");

diff --git a/changes.txt b/changes.txt
index 81034969eff4bbfeb4165bf68183bbbb2301d56c..ff511b6d30029eaef940bbe226cb4352f0dc4b71 100644 (file)
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.7.2-dev:
+Do not attempt logging in without password (bug #676)
 MySQL: Fix creating users and changing password in MySQL 8 (bug #663)
 
 Adminer 4.7.1 (released 2019-01-24):