rpms/phpMyAdmin/EL-4 phpMyAdmin-2.11.9.6-blowfish.patch, NONE, 1.1 phpMyAdmin-config.inc.php, 1.1, 1.2 phpMyAdmin.spec, 1.37, 1.38
Robert Scheck
robert at fedoraproject.org
Mon Jan 4 00:14:01 UTC 2010
Author: robert
Update of /cvs/pkgs/rpms/phpMyAdmin/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16491/EL-4
Modified Files:
phpMyAdmin-config.inc.php phpMyAdmin.spec
Added Files:
phpMyAdmin-2.11.9.6-blowfish.patch
Log Message:
- Added missing blowfish secret entry in default config (#540871)
- Backported patch to hash blowfish secret for cookie auth (#540891)
phpMyAdmin-2.11.9.6-blowfish.patch:
Documentation.html | 4 ++--
libraries/auth/cookie.auth.lib.php | 32 +++++++++++++++++++++++++++-----
2 files changed, 29 insertions(+), 7 deletions(-)
--- NEW FILE phpMyAdmin-2.11.9.6-blowfish.patch ---
Patch by Robert Scheck <robert at fedoraproject.org> for phpMyAdmin >= 2.11.9.6, which backports a fix to
hash the blowfish secret for cookie authentication and avoid failing if blowfish secret size is too long.
For further information, please have a look at the following bug reports:
- http://sourceforge.net/tracker/?func=detail&atid=377408&aid=2905629&group_id=23067
- https://bugzilla.redhat.com/show_bug.cgi?id=540891
--- phpMyAdmin-2.11.9.6/libraries/auth/cookie.auth.lib.php 2009-10-13 00:28:01.000000000 +0200
+++ phpMyAdmin-2.11.9.6/libraries/auth/cookie.auth.lib.php.blowfish 2009-12-03 23:31:28.000000000 +0100
@@ -27,6 +27,27 @@
/**
+ * Returns blowfish secret or generates one if needed.
+ * @uses $cfg['blowfish_secret']
+ * @uses $_SESSION['auto_blowfish_secret']
+ *
+ * @access public
+ */
+function PMA_get_blowfish_secret() {
+ if (empty($GLOBALS['cfg']['blowfish_secret'])) {
+ if (empty($_SESSION['auto_blowfish_secret'])) {
+ // this returns 23 characters
+ $_SESSION['auto_blowfish_secret'] = uniqid('', true);
+ }
+ return $_SESSION['auto_blowfish_secret'];
+ } else {
+ // apply md5() to work around too long secrets (returns 32 characters)
+ return md5($GLOBALS['cfg']['blowfish_secret']);
+ }
+}
+
+
+/**
* Displays authentication form
*
* this function MUST exit/quit the application
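Review bot: The fallback secret set by `$_SESSION['auto_blowfish_secret'] = uniqid('', true);` is derived from the clock rather than from a cryptographic random source, yet it becomes the key under which the MySQL password is encrypted into the `pmaPass-*` cookie, so its effective key space is much smaller than the 23-character length suggests. Where the target PHP offers a CSPRNG (`random_bytes()` on PHP 7+, `openssl_random_pseudo_bytes()` on 5.3+) the auto-generated secret should come from it, e.g. `bin2hex(random_bytes(16))`, with `uniqid()` kept only as a last-resort fallback on older interpreters, and a comment should state which case applies. The docblock also lacks a return description; add `@return string  the configured secret hashed with md5(), or the per-session auto-generated one` so callers know the value is never the raw configured string.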
@@ -159,7 +180,8 @@
}
// Displays the warning message and the login form
- if (empty($GLOBALS['cfg']['blowfish_secret'])) {
+ if (!empty($_SESSION['auto_blowfish_secret']) &&
+ empty($GLOBALS['cfg']['blowfish_secret'])) {
?>
<div class="error"><h1><?php echo $GLOBALS['strError']; ?></h1>
<?php echo $GLOBALS['strSecretRequired']; ?>
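Review bot: The rewritten condition `if (!empty($_SESSION['auto_blowfish_secret']) && empty($GLOBALS['cfg']['blowfish_secret']))` only fires once `PMA_get_blowfish_secret()` has already populated the session in this request or an earlier one; on a fresh session with no login cookie to decrypt, whether that has happened by this point depends on code outside the hunk, and if it has not the "secret required" warning is silently skipped even though the configured secret is empty. If the intent is to warn whenever the config value is missing, the original `if (empty($GLOBALS['cfg']['blowfish_secret'])) {` is the safer test; if the intent is to warn only once the fallback is actually in use, say so with `// warn only when the per-session fallback secret is actually in use`. The enclosing function starts before this hunk.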
@@ -395,7 +417,7 @@
$GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt(
$_COOKIE['pmaUser-' . $GLOBALS['server']],
- $GLOBALS['cfg']['blowfish_secret']);
+ PMA_get_blowfish_secret());
// user was never logged in since session start
if (empty($_SESSION['last_access_time'])) {
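Review bot: Decryption now keys on `PMA_get_blowfish_secret()`, which in the empty-config case returns a secret held in `$_SESSION` and therefore regenerated when the session ends, while the `pmaUser-*` cookie is kept for a month according to the comment in the @@ -490 hunk below; the same applies to the password hunk at @@ -416 and the encrypt hunk at @@ -490. A cookie written under an earlier session's secret will then be decrypted under a different key, and unless `PMA_blowfish_decrypt()` (outside this hunk) detects a key mismatch, `$GLOBALS['PHP_AUTH_USER']` is filled with an arbitrary byte string that is passed on as the login name. Suggest documenting in the new function's docblock that the fallback secret is session-bound and that login cookies do not outlive the session, and, where feasible, rejecting a decrypted username that is not a plausible value (empty or not valid UTF-8) before it is used.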
@@ -416,7 +438,7 @@
$GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt(
$_COOKIE['pmaPass-' . $GLOBALS['server']],
- $GLOBALS['cfg']['blowfish_secret'] /* . $_SESSION['last_access_time'] */);
+ PMA_get_blowfish_secret() /* . $_SESSION['last_access_time'] */);
if ($GLOBALS['PHP_AUTH_PW'] == "\xff(blank)") {
$GLOBALS['PHP_AUTH_PW'] = '';
@@ -490,12 +512,12 @@
// Duration = one month for username
PMA_setCookie('pmaUser-' . $GLOBALS['server'],
PMA_blowfish_encrypt($cfg['Server']['user'],
- $GLOBALS['cfg']['blowfish_secret']));
+ PMA_get_blowfish_secret()));
// Duration = as configured
PMA_setCookie('pmaPass-' . $GLOBALS['server'],
PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "\xff(blank)",
- $GLOBALS['cfg']['blowfish_secret'] /* . $_SESSION['last_access_time'] */),
+ PMA_get_blowfish_secret() /* . $_SESSION['last_access_time'] */),
null,
$GLOBALS['cfg']['LoginCookieStore']);
--- phpMyAdmin-2.11.9.6/Documentation.html 2009-10-13 00:28:01.000000000 +0200
+++ phpMyAdmin-2.11.9.6/Documentation.html.blowfish 2009-12-03 23:33:07.000000000 +0100
@@ -594,8 +594,8 @@
algorithm to encrypt the password.<br />
If you are using the "cookie" auth_type, enter here a random
passphrase of your choice. It will be used internally by the blowfish
- algorithm: you won’t be prompted for this passphrase. The maximum
- number of characters for this parameter seems to be 46.</dd>
+ algorithm: you won’t be prompted for this passphrase. There is
+ no maximum length for this secret.</dd>
<dt id="cfg_Servers">$cfg['Servers'] array</dt>
<dd>Since version 1.4.2, phpMyAdmin supports the administration of multiple
Index: phpMyAdmin-config.inc.php
===================================================================
RCS file: /cvs/pkgs/rpms/phpMyAdmin/EL-4/phpMyAdmin-config.inc.php,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- phpMyAdmin-config.inc.php 10 Nov 2006 16:15:50 -0000 1.1
+++ phpMyAdmin-config.inc.php 4 Jan 2010 00:14:01 -0000 1.2
@@ -1,5 +1,11 @@
<?php
+/*
+ * This is needed for cookie based authentication to encrypt password in
+ * cookie
+ */
+$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
+
/**
* Server(s) configuration
*/
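Review bot: The new comment above `$cfg['blowfish_secret'] = '';` says the value must be filled in but not what a good value looks like or what happens when it is left empty; with the blowfish patch in this same commit an empty value appears to fall back to a per-session auto-generated secret, which ties login cookies to the session. Suggest extending it to `/* Use a long random passphrase (any length; it is hashed before use). If left empty, a per-session secret is generated and login cookies are only valid for that session. */`. Since this file now carries a key material value, also check the installed file mode restricts it to the web server user; the visible spec line `%config(noreplace) %{_sysconfdir}/%{name}` sets no `%attr`, so that is decided outside this change.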
@@ -24,8 +30,8 @@ $cfg['Servers'][$i]['controlpass'] = '
// The controluser is also
// used for all relational
// features (pmadb)
-$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
-$cfg['Servers'][$i]['user'] = ''; // MySQL user
+$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
+$cfg['Servers'][$i]['user'] = ''; // MySQL user
$cfg['Servers'][$i]['password'] = ''; // MySQL password (only needed
// with 'config' auth_type)
$cfg['Servers'][$i]['only_db'] = ''; // If set to a db-name, only
Index: phpMyAdmin.spec
===================================================================
RCS file: /cvs/pkgs/rpms/phpMyAdmin/EL-4/phpMyAdmin.spec,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -p -r1.37 -r1.38
--- phpMyAdmin.spec 13 Oct 2009 21:41:22 -0000 1.37
+++ phpMyAdmin.spec 4 Jan 2010 00:14:01 -0000 1.38
@@ -1,6 +1,6 @@
Name: phpMyAdmin
Version: 2.11.9.6
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Web based MySQL browser written in php
Group: Applications/Internet
@@ -9,6 +9,7 @@ URL: http://www.phpmyadmin.net/
Source0: http://downloads.sourceforge.net/sourceforge/%{name}/%{name}-%{version}-all-languages.tar.bz2
Source1: phpMyAdmin-config.inc.php
Source2: phpMyAdmin.htaccess
+Patch0: phpMyAdmin-2.11.9.6-blowfish.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -27,6 +28,7 @@ is available in 50 languages
%prep
%setup -qn phpMyAdmin-%{version}-all-languages
+%patch0 -p1
%install
rm -rf %{buildroot}
@@ -54,6 +56,10 @@ rm -rf %{buildroot}
%config(noreplace) %{_sysconfdir}/%{name}
%changelog
+* Mon Jan 04 2010 Robert Scheck <robert at fedoraproject.org> 2.11.9.6-2
+- Added missing blowfish secret entry in default config (#540871)
+- Backported patch to hash blowfish secret for cookie auth (#540891)
+
* Tue Oct 13 2009 Robert Scheck <robert at fedoraproject.org> 2.11.9.6-1
- Upstream released 2.11.9.6 (#528769)