Prepare for crypting passwords stored in session
authorJakub Vrana <jakub@vrana.cz>
Sun, 11 Aug 2013 02:06:21 +0000 (19:06 -0700)
committerJakub Vrana <jakub@vrana.cz>
Sun, 11 Aug 2013 02:21:18 +0000 (19:21 -0700)
adminer/include/adminer.inc.php
adminer/include/auth.inc.php
editor/include/adminer.inc.php

index b6dcd32555475b3e3bd05a27d866ab8f7d6b92da..25ef31962a42b027dd643f8a9ae23ed335cd40e7 100644 (file)
@@ -16,7 +16,7 @@ class Adminer {
        * @return array ($server, $username, $password)
        */
        function credentials() {
-               return array(SERVER, $_GET["username"], get_session("pwds"));
+               return array(SERVER, $_GET["username"], get_password());
        }
 
        /** Get key used for permanent login
index 260b377cababb3e6dee64727dd9cac78b46d90e2..0666644d9611f2f10bed02d748984eebd9858a77 100644 (file)
@@ -17,7 +17,7 @@ if ($_COOKIE["adminer_permanent"]) {
 $auth = $_POST["auth"];
 if ($auth) {
        session_regenerate_id(); // defense against session fixation
-       $_SESSION["pwds"][$auth["driver"]][$auth["server"]][$auth["username"]] = $auth["password"];
+       set_password($auth["driver"], $auth["server"], $auth["username"], $auth["password"]);
        $_SESSION["db"][$auth["driver"]][$auth["server"]][$auth["username"]][$auth["db"]] = true;
        if ($auth["permanent"]) {
                $key = base64_encode($auth["driver"]) . "-" . base64_encode($auth["server"]) . "-" . base64_encode($auth["username"]) . "-" . base64_encode($auth["db"]);
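Review bot: The new `set_password($auth["driver"], $auth["server"], $auth["username"], $auth["password"])` call takes all four values straight from `$_POST["auth"]`, and nothing between `$auth = $_POST["auth"];` and the call checks that they are strings. A request that sends nested arrays for any of them would reach the session array offsets and the stored password slot with a non-string value. A guard before the call, such as `if (is_array($auth) && is_string($auth["username"]) && is_string($auth["password"]))` extended to the other fields, would keep the accessor's inputs well-typed. The `if ($auth)` block continues past the end of this hunk.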
@@ -53,7 +53,7 @@ if ($auth) {
        foreach ($permanent as $key => $val) {
                list(, $cipher) = explode(":", $val);
                list($vendor, $server, $username, $db) = array_map('base64_decode', explode("-", $key));
-               $_SESSION["pwds"][$vendor][$server][$username] = decrypt_string(base64_decode($cipher), $private);
+               set_password($vendor, $server, $username, decrypt_string(base64_decode($cipher), $private));
                $_SESSION["db"][$vendor][$server][$username][$db] = true;
        }
 }
@@ -79,13 +79,13 @@ function auth_error($exception = null) {
                if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$token) {
                        $error = lang('Session expired, please login again.');
                } else {
-                       $password = &get_session("pwds");
+                       $password = get_password();
                        if ($password !== null) {
                                $error = h($exception ? $exception->getMessage() : (is_string($connection) ? $connection : lang('Invalid credentials.')));
                                if ($password === false) {
                                        $error .= '<br>' . lang('Master password expired. <a href="http://www.adminer.org/en/extension/" target="_blank">Implement</a> %s method to make it permanent.', '<code>permanentLogin()</code>');
                                }
-                               $password = null;
+                               set_password(DRIVER, SERVER, $_GET["username"], null);
                        }
                        unset_permanent();
                }
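Review bot: The failure path in auth_error() now clears the password with `set_password(DRIVER, SERVER, $_GET["username"], null)` but reads it through `get_password()`, whose session key is chosen inside get_session() (not shown in this diff); if the two ever address different slots, a rejected password stays in the session. Deriving the key in one place would remove that risk, or at least a comment on this line such as `// must address the same slot that get_password() reads` would record the dependency. Writing null also keeps the `[vendor][server][username]` entry in `$_SESSION["pwds"]`, as the old by-reference assignment did, so an `unset` may be preferable if the entry should disappear entirely. auth_error() begins and ends outside this hunk.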
@@ -100,6 +100,14 @@ function auth_error($exception = null) {
        page_footer("auth");
 }
 
+function set_password($vendor, $server, $username, $password) {
+       $_SESSION["pwds"][$vendor][$server][$username] = $password;
+}
+
+function get_password() {
+       return get_session("pwds");
+}
+
 if (isset($_GET["username"])) {
        if (!class_exists("Min_DB")) {
                unset($_SESSION["pwds"][DRIVER]);
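Review bot: `set_password()` and `get_password()` are added without doc comments, although, judging by the commit title, they are meant to become the one place where the stored secret is transformed. A docblock on each should state that at this commit the password is kept in `$_SESSION["pwds"]` unencrypted, that `null` clears it, and that `false` is a valid stored value which auth_error() reports as an expired master password. `get_password()` returns a copy rather than the reference the old `&get_session("pwds")` call gave, which is worth documenting so callers do not expect writes to reach the session. The `unset($_SESSION["pwds"][DRIVER])` a few lines below the new functions still touches the array directly, so not every access goes through the new pair; the `if` block it sits in continues past the end of this hunk.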
@@ -111,7 +119,7 @@ if (isset($_GET["username"])) {
        $connection = connect();
 }
 
-if (is_string($connection) || !$adminer->login($_GET["username"], get_session("pwds"))) {
+if (is_string($connection) || !$adminer->login($_GET["username"], get_password())) {
        auth_error();
        exit;
 }
index 6f93a4876cf6d0cc4fc9ec0be1509c033e7b2baa..94c9b749de04ba721450dc0cc002b2e963440ba2 100644 (file)
@@ -10,7 +10,7 @@ class Adminer {
        //! driver, ns
 
        function credentials() {
-               return array(SERVER, $_GET["username"], get_session("pwds"));
+               return array(SERVER, $_GET["username"], get_password());
        }
 
        function permanentLogin($create = false) {