$connection = '';
-$has_token = $_SESSION["token"];
-if (!$has_token) {
- $_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
-}
-
$permanent = array();
if ($_COOKIE["adminer_permanent"]) {
foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) {
redirect(auth_url($vendor, $server, $username, $db));
}
-} elseif ($_POST["logout"] && (!$has_token || verify_token())) {
+} elseif ($_POST["logout"] && (!$_SESSION["token"] || verify_token())) {
foreach (array("pwds", "db", "dbs", "queries") as $key) {
set_session($key, null);
}
* @return never
*/
function auth_error(string $error) {
- global $adminer, $has_token;
+ global $adminer;
$session_name = session_name();
if (isset($_GET["username"])) {
header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header
- if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$has_token) {
+ if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$_SESSION["token"]) {
$error = lang('Session expired, please login again.');
} else {
restart_session();
exit;
}
-stop_session(true);
-
if (isset($_GET["username"]) && is_string(get_password())) {
list($host, $port) = explode(":", SERVER, 2);
if (preg_match('~^\s*([-+]?\d+)~', $port, $match) && ($match[1] < 1024 || $match[1] > 65535)) { // is_numeric('80#') would still connect to port 80
auth_error($error . (preg_match('~^ | $~', get_password()) ? '<br>' . lang('There is a space in the input password which might be the cause.') : ''));
}
-if ($_POST["logout"] && $has_token && !verify_token()) {
+if ($_POST["logout"] && $_SESSION["token"] && !verify_token()) {
page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));
page_footer("db");
exit;
}
+if (!$_SESSION["token"]) {
+ $_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
+}
+stop_session(true);
if ($auth && $_POST["token"]) {
$_POST["token"] = get_token(); // reset token after explicit login
}
exit;
}
-global $adminer, $connection, $driver, $drivers, $permanent, $has_token, $translations; // allows including Adminer inside a function
+global $adminer, $connection, $driver, $drivers, $permanent, $translations; // allows including Adminer inside a function
if (!$_SERVER["REQUEST_URI"]) { // IIS 5 compatibility
$_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"];
- identifier: includeOnce.fileNotFound # ./adminer-plugins.php
- "~^Function (set_magic_quotes_runtime|mysql_)~" # PHP < 7 functions
- "~an unknown class OCI-?Lob~" # this looks like PHPStan bug
- - "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|has_token|translations) might not be defined~" # declared in bootstrap.inc.php
+ - "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|translations) might not be defined~" # declared in bootstrap.inc.php
- "~expects int, float given~" # this will work
- "~expects bool~" # truthy values
- "~fread expects int<1, max>, 100000~" # 1e6
projects / adminer.git / commitdiff