aschwarz/Leitgedanken
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Alexander Schwarz
2022-11-21 09:47:28 +01:00
commit 76cec83d26
11652 changed files with 1980467 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

176
#pma/libraries/plugins/auth/AuthenticationConfig.php Normal file
View File

@ -0,0 +1,176 @@
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* Config Authentication plugin for phpMyAdmin
*
* @package PhpMyAdmin-Authentication
* @subpackage Config
*/
namespace PMA\libraries\plugins\auth;
use PMA\libraries\plugins\AuthenticationPlugin;
use PMA;
/**
* Handles the config authentication method
*
* @package PhpMyAdmin-Authentication
*/
class AuthenticationConfig extends AuthenticationPlugin
{
/**
* Displays authentication form
*
* @return boolean always true
*/
public function auth()
{
$response = PMA\libraries\Response::getInstance();
if ($response->isAjax()) {
$response->setRequestStatus(false);
// reload_flag removes the token parameter from the URL and reloads
$response->addJSON('reload_flag', '1');
if (defined('TESTSUITE')) {
return true;
} else {
exit;
}
}
return true;
}
/**
* Gets advanced authentication settings
*
* @return boolean always true
*/
public function authCheck()
{
if ($GLOBALS['token_provided'] && $GLOBALS['token_mismatch']) {
return false;
}
return true;
}
/**
* Set the user and password after last checkings if required
*
* @return boolean always true
*/
public function authSetUser()
{
$this->setSessionAccessTime();
return true;
}
/**
* User is not allowed to login to MySQL -> authentication failed
*
* @return boolean always true (no return indeed)
*/
public function authFails()
{
$conn_error = $GLOBALS['dbi']->getError();
if (!$conn_error) {
$conn_error = __('Cannot connect: invalid settings.');
}
/* HTML header */
$response = PMA\libraries\Response::getInstance();
$response->getFooter()
->setMinimal();
$header = $response->getHeader();
$header->setBodyId('loginform');
$header->setTitle(__('Access denied!'));
$header->disableMenuAndConsole();
echo '<br /><br />
<center>
<h1>';
echo sprintf(__('Welcome to %s'), ' phpMyAdmin ');
echo '</h1>
</center>
<br />
<table cellpadding="0" cellspacing="3" style="margin: 0 auto" width="80%">
<tr>
<td>';
if (isset($GLOBALS['allowDeny_forbidden'])
&& $GLOBALS['allowDeny_forbidden']
) {
trigger_error(__('Access denied!'), E_USER_NOTICE);
} else {
// Check whether user has configured something
if ($GLOBALS['PMA_Config']->source_mtime == 0) {
echo '<p>' , sprintf(
__(
'You probably did not create a configuration file.'
. ' You might want to use the %1$ssetup script%2$s to'
. ' create one.'
),
'<a href="setup/">',
'</a>'
) , '</p>' , "\n";
} elseif (!isset($GLOBALS['errno'])
|| (isset($GLOBALS['errno']) && $GLOBALS['errno'] != 2002)
&& $GLOBALS['errno'] != 2003
) {
// if we display the "Server not responding" error, do not confuse
// users by telling them they have a settings problem
// (note: it's true that they could have a badly typed host name,
// but anyway the current message tells that the server
// rejected the connection, which is not really what happened)
// 2002 is the error given by mysqli
// 2003 is the error given by mysql
trigger_error(
__(
'phpMyAdmin tried to connect to the MySQL server, and the'
. ' server rejected the connection. You should check the'
. ' host, username and password in your configuration and'
. ' make sure that they correspond to the information given'
. ' by the administrator of the MySQL server.'
),
E_USER_WARNING
);
}
echo PMA\libraries\Util::mysqlDie(
$conn_error,
'',
true,
'',
false
);
}
$GLOBALS['error_handler']->dispUserErrors();
echo '</td>
</tr>
<tr>
<td>' , "\n";
echo '<a href="'
, PMA\libraries\Util::getScriptNameForOption(
$GLOBALS['cfg']['DefaultTabServer'],
'server'
)
, PMA_URL_getCommon(array()) , '" class="button disableAjax">'
, __('Retry to connect')
, '</a>' , "\n";
echo '</td>
</tr>' , "\n";
if (count($GLOBALS['cfg']['Servers']) > 1) {
// offer a chance to login to other servers if the current one failed
include_once './libraries/select_server.lib.php';
echo '<tr>' , "\n";
echo ' <td>' , "\n";
echo PMA_selectServer(true, true);
echo ' </td>' , "\n";
echo '</tr>' , "\n";
}
echo '</table>' , "\n";
if (!defined('TESTSUITE')) {
exit;
}
return true;
}
}

867
#pma/libraries/plugins/auth/AuthenticationCookie.php Normal file
View File

@ -0,0 +1,867 @@
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* Cookie Authentication plugin for phpMyAdmin
*
* @package PhpMyAdmin-Authentication
* @subpackage Cookie
*/
namespace PMA\libraries\plugins\auth;
use phpseclib\Crypt;
use PMA\libraries\Message;
use PMA\libraries\plugins\AuthenticationPlugin;
use PMA\libraries\Response;
use PMA\libraries\Util;
use ReCaptcha\ReCaptcha;
require_once './libraries/session.lib.php';
/**
* Remember where to redirect the user
* in case of an expired session.
*/
if (! empty($_REQUEST['target'])) {
$GLOBALS['target'] = $_REQUEST['target'];
} else if (PMA_getenv('SCRIPT_NAME')) {
$GLOBALS['target'] = basename(PMA_getenv('SCRIPT_NAME'));
}
/**
* Handles the cookie authentication method
*
* @package PhpMyAdmin-Authentication
*/
class AuthenticationCookie extends AuthenticationPlugin
{
/**
* IV for encryption
*/
private $_cookie_iv = null;
/**
* Displays authentication form
*
* this function MUST exit/quit the application
*
* @global string $conn_error the last connection error
*
* @return boolean|void
*/
public function auth()
{
global $conn_error;
$response = Response::getInstance();
if ($response->isAjax()) {
$response->setRequestStatus(false);
// redirect_flag redirects to the login page
$response->addJSON('redirect_flag', '1');
if (defined('TESTSUITE')) {
return true;
} else {
exit;
}
}
// No recall if blowfish secret is not configured as it would produce
// garbage
if ($GLOBALS['cfg']['LoginCookieRecall']
&& ! empty($GLOBALS['cfg']['blowfish_secret'])
) {
$default_user = $GLOBALS['PHP_AUTH_USER'];
$default_server = $GLOBALS['pma_auth_server'];
$autocomplete = '';
} else {
$default_user = '';
$default_server = '';
// skip the IE autocomplete feature.
$autocomplete = ' autocomplete="off"';
}
$response->getFooter()->setMinimal();
$header = $response->getHeader();
$header->setBodyId('loginform');
$header->setTitle('phpMyAdmin');
$header->disableMenuAndConsole();
$header->disableWarnings();
if (@file_exists(CUSTOM_HEADER_FILE)) {
include CUSTOM_HEADER_FILE;
}
echo '
<div class="container">
<a href="';
echo PMA_linkURL('https://www.phpmyadmin.net/');
echo '" target="_blank" rel="noopener noreferrer" class="logo">';
$logo_image = $GLOBALS['pmaThemeImage'] . 'logo_right.png';
if (@file_exists($logo_image)) {
echo '<img src="' , $logo_image
, '" id="imLogo" name="imLogo" alt="phpMyAdmin" border="0" />';
} else {
echo '<img name="imLogo" id="imLogo" src="'
, $GLOBALS['pmaThemeImage'] , 'pma_logo.png' , '" '
, 'border="0" width="88" height="31" alt="phpMyAdmin" />';
}
echo '</a>
<h1>';
echo sprintf(
__('Welcome to %s'),
'<bdo dir="ltr" lang="en">phpMyAdmin</bdo>'
);
echo "</h1>";
// Show error message
if (! empty($conn_error)) {
Message::rawError($conn_error)->display();
} elseif (isset($_GET['session_expired'])
&& intval($_GET['session_expired']) == 1
) {
Message::rawError(
__('Your session has expired. Please log in again.')
)->display();
}
echo "<noscript>\n";
Message::error(
__("Javascript must be enabled past this point!")
)->display();
echo "</noscript>\n";
echo "<div class='hide js-show'>";
// Displays the languages form
if (empty($GLOBALS['cfg']['Lang'])) {
include_once './libraries/display_select_lang.lib.php';
// use fieldset, don't show doc link
echo PMA_getLanguageSelectorHtml(true, false);
}
echo '</div>
<br />
<!-- Login form -->
<form method="post" action="index.php" name="login_form"' , $autocomplete ,
' class="disableAjax login hide js-show">
<fieldset>
<legend>';
echo __('Log in');
echo Util::showDocu('index');
echo '</legend>';
if ($GLOBALS['cfg']['AllowArbitraryServer']) {
echo '
<div class="item">
<label for="input_servername" title="';
echo __(
'You can enter hostname/IP address and port separated by space.'
);
echo '">';
echo __('Server:');
echo '</label>
<input type="text" name="pma_servername" id="input_servername"';
echo ' value="';
echo htmlspecialchars($default_server);
echo '" size="24" class="textfield" title="';
echo __(
'You can enter hostname/IP address and port separated by space.'
); echo '" />
</div>';
}
echo '<div class="item">
<label for="input_username">' , __('Username:') , '</label>
<input type="text" name="pma_username" id="input_username" '
, 'value="' , htmlspecialchars($default_user) , '" size="24"'
, ' class="textfield"/>
</div>
<div class="item">
<label for="input_password">' , __('Password:') , '</label>
<input type="password" name="pma_password" id="input_password"'
, ' value="" size="24" class="textfield" />
</div>';
if (count($GLOBALS['cfg']['Servers']) > 1) {
echo '<div class="item">
<label for="select_server">' . __('Server Choice:') . '</label>
<select name="server" id="select_server"';
if ($GLOBALS['cfg']['AllowArbitraryServer']) {
echo ' onchange="document.forms[\'login_form\'].'
, 'elements[\'pma_servername\'].value = \'\'" ';
}
echo '>';
include_once './libraries/select_server.lib.php';
echo PMA_selectServer(false, false);
echo '</select></div>';
} else {
echo ' <input type="hidden" name="server" value="'
, $GLOBALS['server'] , '" />';
} // end if (server choice)
// Add captcha input field if reCaptcha is enabled
if (!empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
) {
// If enabled show captcha to the user on the login screen.
echo '<script src="https://www.google.com/recaptcha/api.js?hl='
, $GLOBALS['lang'] , '" async defer></script>';
echo '<div class="g-recaptcha" data-sitekey="'
, htmlspecialchars($GLOBALS['cfg']['CaptchaLoginPublicKey']) , '"></div>';
}
echo '</fieldset>
<fieldset class="tblFooters">
<input value="' , __('Go') , '" type="submit" id="input_go" />';
$_form_params = array();
if (! empty($GLOBALS['target'])) {
$_form_params['target'] = $GLOBALS['target'];
}
if (! empty($GLOBALS['db'])) {
$_form_params['db'] = $GLOBALS['db'];
}
if (! empty($GLOBALS['table'])) {
$_form_params['table'] = $GLOBALS['table'];
}
// do not generate a "server" hidden field as we want the "server"
// drop-down to have priority
echo PMA_URL_getHiddenInputs($_form_params, '', 0, 'server');
echo '</fieldset>
</form>';
if ($GLOBALS['error_handler']->hasDisplayErrors()) {
echo '<div id="pma_errors">';
$GLOBALS['error_handler']->dispErrors();
echo '</div>';
}
echo '</div>';
if (@file_exists(CUSTOM_FOOTER_FILE)) {
include CUSTOM_FOOTER_FILE;
}
if (! defined('TESTSUITE')) {
exit;
} else {
return true;
}
}
/**
* Gets advanced authentication settings
*
* this function DOES NOT check authentication - it just checks/provides
* authentication credentials required to connect to the MySQL server
* usually with $GLOBALS['dbi']->connect()
*
* it returns false if something is missing - which usually leads to
* auth() which displays login form
*
* it returns true if all seems ok which usually leads to auth_set_user()
*
* it directly switches to authFails() if user inactivity timeout is reached
*
* @return boolean whether we get authentication settings or not
*/
public function authCheck()
{
global $conn_error;
// Initialization
/**
* @global $GLOBALS['pma_auth_server'] the user provided server to
* connect to
*/
$GLOBALS['pma_auth_server'] = '';
$GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
$GLOBALS['from_cookie'] = false;
if (! empty($_REQUEST['pma_username'])) {
// Verify Captcha if it is required.
if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
) {
if (! empty($_POST["g-recaptcha-response"])) {
include_once 'libraries/plugins/auth/recaptcha/autoload.php';
$reCaptcha = new ReCaptcha(
$GLOBALS['cfg']['CaptchaLoginPrivateKey']
);
// verify captcha status.
$resp = $reCaptcha->verify(
$_POST["g-recaptcha-response"],
$_SERVER["REMOTE_ADDR"]
);
// Check if the captcha entered is valid, if not stop the login.
if ($resp == null || ! $resp->isSuccess()) {
$conn_error = __('Entered captcha is wrong, try again!');
return false;
}
} else {
$conn_error = __('Please enter correct captcha!');
return false;
}
}
// The user just logged in
$GLOBALS['PHP_AUTH_USER'] = PMA_sanitizeMySQLUser($_REQUEST['pma_username']);
$GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password'])
? ''
: $_REQUEST['pma_password'];
if ($GLOBALS['cfg']['AllowArbitraryServer']
&& isset($_REQUEST['pma_servername'])
) {
if ($GLOBALS['cfg']['ArbitraryServerRegexp']) {
$parts = explode(' ', $_REQUEST['pma_servername']);
if (count($parts) == 2) {
$tmp_host = $parts[0];
} else {
$tmp_host = $_REQUEST['pma_servername'];
}
$match = preg_match(
$GLOBALS['cfg']['ArbitraryServerRegexp'], $tmp_host
);
if (! $match) {
$conn_error = __(
'You are not allowed to log in to this MySQL server!'
);
return false;
}
}
$GLOBALS['pma_auth_server'] = PMA_sanitizeMySQLHost($_REQUEST['pma_servername']);
}
PMA_secureSession();
return true;
}
// At the end, try to set the $GLOBALS['PHP_AUTH_USER']
// and $GLOBALS['PHP_AUTH_PW'] variables from cookies
// check cookies
if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
return false;
}
$GLOBALS['PHP_AUTH_USER'] = $this->cookieDecrypt(
$_COOKIE['pmaUser-' . $GLOBALS['server']],
$this->_getEncryptionSecret()
);
// user was never logged in since session start
if (empty($_SESSION['last_access_time'])) {
return false;
}
// User inactive too long
$last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity'];
if ($_SESSION['last_access_time'] < $last_access_time) {
Util::cacheUnset('is_create_db_priv');
Util::cacheUnset('is_reload_priv');
Util::cacheUnset('db_to_create');
Util::cacheUnset('dbs_where_create_table_allowed');
Util::cacheUnset('dbs_to_test');
Util::cacheUnset('db_priv');
Util::cacheUnset('col_priv');
Util::cacheUnset('table_priv');
Util::cacheUnset('proc_priv');
$GLOBALS['no_activity'] = true;
$this->authFails();
if (! defined('TESTSUITE')) {
exit;
} else {
return false;
}
}
// check password cookie
if (empty($_COOKIE['pmaAuth-' . $GLOBALS['server']])) {
return false;
}
$auth_data = json_decode(
$this->cookieDecrypt(
$_COOKIE['pmaAuth-' . $GLOBALS['server']],
$this->_getSessionEncryptionSecret()
),
true
);
if (! is_array($auth_data) || ! isset($auth_data['password'])) {
return false;
}
$GLOBALS['PHP_AUTH_PW'] = $auth_data['password'];
if ($GLOBALS['cfg']['AllowArbitraryServer'] && ! empty($auth_data['server'])) {
$GLOBALS['pma_auth_server'] = $auth_data['server'];
}
$GLOBALS['from_cookie'] = true;
return true;
}
/**
* Set the user and password after last checkings if required
*
* @return boolean always true
*/
public function authSetUser()
{
global $cfg;
// Ensures valid authentication mode, 'only_db', bookmark database and
// table names and relation table name are used
if (! hash_equals($cfg['Server']['user'], $GLOBALS['PHP_AUTH_USER'])) {
foreach ($cfg['Servers'] as $idx => $current) {
if ($current['host'] == $cfg['Server']['host']
&& $current['port'] == $cfg['Server']['port']
&& $current['socket'] == $cfg['Server']['socket']
&& $current['ssl'] == $cfg['Server']['ssl']
&& $current['connect_type'] == $cfg['Server']['connect_type']
&& hash_equals($current['user'], $GLOBALS['PHP_AUTH_USER'])
) {
$GLOBALS['server'] = $idx;
$cfg['Server'] = $current;
break;
}
} // end foreach
} // end if
if ($GLOBALS['cfg']['AllowArbitraryServer']
&& ! empty($GLOBALS['pma_auth_server'])
) {
/* Allow to specify 'host port' */
$parts = explode(' ', $GLOBALS['pma_auth_server']);
if (count($parts) == 2) {
$tmp_host = $parts[0];
$tmp_port = $parts[1];
} else {
$tmp_host = $GLOBALS['pma_auth_server'];
$tmp_port = '';
}
if ($cfg['Server']['host'] != $GLOBALS['pma_auth_server']) {
$cfg['Server']['host'] = $tmp_host;
if (! empty($tmp_port)) {
$cfg['Server']['port'] = $tmp_port;
}
}
unset($tmp_host, $tmp_port, $parts);
}
$cfg['Server']['user'] = $GLOBALS['PHP_AUTH_USER'];
$cfg['Server']['password'] = $GLOBALS['PHP_AUTH_PW'];
// Avoid showing the password in phpinfo()'s output
unset($GLOBALS['PHP_AUTH_PW']);
unset($_SERVER['PHP_AUTH_PW']);
$this->setSessionAccessTime();
}
/**
* Stores user credentials after successful login.
*
* @return void|bool
*/
public function storeUserCredentials()
{
global $cfg;
// Name and password cookies need to be refreshed each time
// Duration = one month for username
$this->storeUsernameCookie($cfg['Server']['user']);
// Duration = as configured
// Do not store password cookie on password change as we will
// set the cookie again after password has been changed
if (! isset($_POST['change_pw'])) {
$this->storePasswordCookie($cfg['Server']['password']);
}
// Set server cookies if required (once per session) and, in this case,
// force reload to ensure the client accepts cookies
if (! $GLOBALS['from_cookie']) {
// URL where to go:
$redirect_url = './index.php';
// any parameters to pass?
$url_params = array();
if (mb_strlen($GLOBALS['db'])) {
$url_params['db'] = $GLOBALS['db'];
}
if (mb_strlen($GLOBALS['table'])) {
$url_params['table'] = $GLOBALS['table'];
}
// any target to pass?
if (! empty($GLOBALS['target'])
&& $GLOBALS['target'] != 'index.php'
) {
$url_params['target'] = $GLOBALS['target'];
}
/**
* Clear user cache.
*/
Util::clearUserCache();
Response::getInstance()
->disable();
PMA_sendHeaderLocation(
$redirect_url . PMA_URL_getCommon($url_params, 'text'),
true
);
if (! defined('TESTSUITE')) {
exit;
} else {
return false;
}
} // end if
return true;
}
/**
* Stores username in a cookie.
*
* @param string $username User name
*
* @return void
*/
public function storeUsernameCookie($username)
{
// Name and password cookies need to be refreshed each time
// Duration = one month for username
$GLOBALS['PMA_Config']->setCookie(
'pmaUser-' . $GLOBALS['server'],
$this->cookieEncrypt(
$username,
$this->_getEncryptionSecret()
)
);
}
/**
* Stores password in a cookie.
*
* @param string $password Password
*
* @return void
*/
public function storePasswordCookie($password)
{
$payload = array('password' => $password);
if ($GLOBALS['cfg']['AllowArbitraryServer'] && ! empty($GLOBALS['pma_auth_server'])) {
$payload['server'] = $GLOBALS['pma_auth_server'];
}
// Duration = as configured
$GLOBALS['PMA_Config']->setCookie(
'pmaAuth-' . $GLOBALS['server'],
$this->cookieEncrypt(
json_encode($payload),
$this->_getSessionEncryptionSecret()
),
null,
$GLOBALS['cfg']['LoginCookieStore']
);
}
/**
* User is not allowed to login to MySQL -> authentication failed
*
* prepares error message and switches to auth() which display the error
* and the login form
*
* this function MUST exit/quit the application,
* currently done by call to auth()
*
* @return void
*/
public function authFails()
{
global $conn_error;
// Deletes password cookie and displays the login form
$GLOBALS['PMA_Config']->removeCookie('pmaAuth-' . $GLOBALS['server']);
$conn_error = $this->getErrorMessage();
$response = Response::getInstance();
// needed for PHP-CGI (not need for FastCGI or mod-php)
$response->header('Cache-Control: no-store, no-cache, must-revalidate');
$response->header('Pragma: no-cache');
$this->auth();
}
/**
* Returns blowfish secret or generates one if needed.
*
* @return string
*/
private function _getEncryptionSecret()
{
if (empty($GLOBALS['cfg']['blowfish_secret'])) {
return $this->_getSessionEncryptionSecret();
} else {
return $GLOBALS['cfg']['blowfish_secret'];
}
}
/**
* Returns blowfish secret or generates one if needed.
*
* @return string
*/
private function _getSessionEncryptionSecret()
{
if (empty($_SESSION['encryption_key'])) {
if (self::useOpenSSL()) {
$_SESSION['encryption_key'] = openssl_random_pseudo_bytes(32);
} else {
$_SESSION['encryption_key'] = Crypt\Random::string(32);
}
}
return $_SESSION['encryption_key'];
}
/**
* Checks whether we should use openssl for encryption.
*
* @return boolean
*/
public static function useOpenSSL()
{
return (
function_exists('openssl_encrypt')
&& function_exists('openssl_decrypt')
&& function_exists('openssl_random_pseudo_bytes')
);
}
/**
* Concatenates secret in order to make it 16 bytes log
*
* This doesn't add any security, just ensures the secret
* is long enough by copying it.
*
* @param string $secret Original secret
*
* @return string
*/
public function enlargeSecret($secret)
{
while (strlen($secret) < 16) {
$secret .= $secret;
}
return substr($secret, 0, 16);
}
/**
* Derives MAC secret from encryption secret.
*
* @param string $secret the secret
*
* @return string the MAC secret
*/
public function getMACSecret($secret)
{
// Grab first part, up to 16 chars
// The MAC and AES secrets can overlap if original secret is short
$length = strlen($secret);
if ($length > 16) {
return substr($secret, 0, 16);
}
return $this->enlargeSecret(
$length == 1 ? $secret : substr($secret, 0, -1)
);
}
/**
* Derives AES secret from encryption secret.
*
* @param string $secret the secret
*
* @return string the AES secret
*/
public function getAESSecret($secret)
{
// Grab second part, up to 16 chars
// The MAC and AES secrets can overlap if original secret is short
$length = strlen($secret);
if ($length > 16) {
return substr($secret, -16);
}
return $this->enlargeSecret(
$length == 1 ? $secret : substr($secret, 1)
);
}
/**
* Encryption using openssl's AES or phpseclib's AES
* (phpseclib uses mcrypt when it is available)
*
* @param string $data original data
* @param string $secret the secret
*
* @return string the encrypted result
*/
public function cookieEncrypt($data, $secret)
{
$mac_secret = $this->getMACSecret($secret);
$aes_secret = $this->getAESSecret($secret);
$iv = $this->createIV();
if (self::useOpenSSL()) {
$result = openssl_encrypt(
$data,
'AES-128-CBC',
$secret,
0,
$iv
);
} else {
$cipher = new Crypt\AES(Crypt\Base::MODE_CBC);
$cipher->setIV($iv);
$cipher->setKey($aes_secret);
$result = base64_encode($cipher->encrypt($data));
}
$iv = base64_encode($iv);
return json_encode(
array(
'iv' => $iv,
'mac' => hash_hmac('sha1', $iv . $result, $mac_secret),
'payload' => $result,
)
);
}
/**
* Decryption using openssl's AES or phpseclib's AES
* (phpseclib uses mcrypt when it is available)
*
* @param string $encdata encrypted data
* @param string $secret the secret
*
* @return string|bool original data, false on error
*/
public function cookieDecrypt($encdata, $secret)
{
$data = json_decode($encdata, true);
if (! is_array($data) || ! isset($data['mac']) || ! isset($data['iv']) || ! isset($data['payload'])
|| ! is_string($data['mac']) || ! is_string($data['iv']) || ! is_string($data['payload'])
) {
return false;
}
$mac_secret = $this->getMACSecret($secret);
$aes_secret = $this->getAESSecret($secret);
$newmac = hash_hmac('sha1', $data['iv'] . $data['payload'], $mac_secret);
if (! hash_equals($data['mac'], $newmac)) {
return false;
}
if (self::useOpenSSL()) {
return openssl_decrypt(
$data['payload'],
'AES-128-CBC',
$secret,
0,
base64_decode($data['iv'])
);
} else {
$cipher = new Crypt\AES(Crypt\Base::MODE_CBC);
$cipher->setIV(base64_decode($data['iv']));
$cipher->setKey($aes_secret);
return $cipher->decrypt(base64_decode($data['payload']));
}
}
/**
* Returns size of IV for encryption.
*
* @return int
*/
public function getIVSize()
{
if (self::useOpenSSL()) {
return openssl_cipher_iv_length('AES-128-CBC');
}
$cipher = new Crypt\AES(Crypt\Base::MODE_CBC);
return $cipher->block_size;
}
/**
* Initialization
* Store the initialization vector because it will be needed for
* further decryption. I don't think necessary to have one iv
* per server so I don't put the server number in the cookie name.
*
* @return void
*/
public function createIV()
{
/* Testsuite shortcut only to allow predictable IV */
if (! is_null($this->_cookie_iv)) {
return $this->_cookie_iv;
}
if (self::useOpenSSL()) {
return openssl_random_pseudo_bytes(
$this->getIVSize()
);
} else {
return Crypt\Random::string(
$this->getIVSize()
);
}
}
/**
* Sets encryption IV to use
*
* This is for testing only!
*
* @param string $vector The IV
*
* @return void
*/
public function setIV($vector)
{
$this->_cookie_iv = $vector;
}
/**
* Callback when user changes password.
*
* @param string $password New password to set
*
* @return void
*/
public function handlePasswordChange($password)
{
$this->storePasswordCookie($password);
}
/**
* Perform logout
*
* @return void
*/
public function logOut()
{
// -> delete password cookie(s)
if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
$GLOBALS['PMA_Config']->removeCookie('pmaAuth-' . $key);
if (isset($_COOKIE['pmaAuth-' . $key])) {
unset($_COOKIE['pmaAuth-' . $key]);
}
}
} else {
$GLOBALS['PMA_Config']->removeCookie(
'pmaAuth-' . $GLOBALS['server']
);
if (isset($_COOKIE['pmaAuth-' . $GLOBALS['server']])) {
unset($_COOKIE['pmaAuth-' . $GLOBALS['server']]);
}
}
parent::logOut();
}
}

262
#pma/libraries/plugins/auth/AuthenticationHttp.php Normal file
View File

@ -0,0 +1,262 @@
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* HTTP Authentication plugin for phpMyAdmin.
* NOTE: Requires PHP loaded as a Apache module.
*
* @package PhpMyAdmin-Authentication
* @subpackage HTTP
*/
namespace PMA\libraries\plugins\auth;
use PMA\libraries\plugins\AuthenticationPlugin;
use PMA\libraries\Message;
use PMA\libraries\Response;
/**
* Handles the HTTP authentication methods
*
* @package PhpMyAdmin-Authentication
*/
class AuthenticationHttp extends AuthenticationPlugin
{
/**
* Displays authentication form and redirect as necessary
*
* @return boolean always true (no return indeed)
*/
public function auth()
{
$response = Response::getInstance();
if ($response->isAjax()) {
$response->setRequestStatus(false);
// reload_flag removes the token parameter from the URL and reloads
$response->addJSON('reload_flag', '1');
if (defined('TESTSUITE')) {
return true;
} else {
exit;
}
}
return $this->authForm();
}
/**
* Displays authentication form
*
* @return boolean
*/
public function authForm()
{
if (empty($GLOBALS['cfg']['Server']['auth_http_realm'])) {
if (empty($GLOBALS['cfg']['Server']['verbose'])) {
$server_message = $GLOBALS['cfg']['Server']['host'];
} else {
$server_message = $GLOBALS['cfg']['Server']['verbose'];
}
$realm_message = 'phpMyAdmin ' . $server_message;
} else {
$realm_message = $GLOBALS['cfg']['Server']['auth_http_realm'];
}
$response = Response::getInstance();
// remove non US-ASCII to respect RFC2616
$realm_message = preg_replace('/[^\x20-\x7e]/i', '', $realm_message);
$response->header('WWW-Authenticate: Basic realm="' . $realm_message . '"');
$response->header('HTTP/1.0 401 Unauthorized');
if (php_sapi_name() !== 'cgi-fcgi') {
$response->header('status: 401 Unauthorized');
}
/* HTML header */
$footer = $response->getFooter();
$footer->setMinimal();
$header = $response->getHeader();
$header->setTitle(__('Access denied!'));
$header->disableMenuAndConsole();
$header->setBodyId('loginform');
$response->addHTML('<h1>');
$response->addHTML(sprintf(__('Welcome to %s'), ' phpMyAdmin'));
$response->addHTML('</h1>');
$response->addHTML('<h3>');
$response->addHTML(
Message::error(
__('Wrong username/password. Access denied.')
)
);
$response->addHTML('</h3>');
if (@file_exists(CUSTOM_FOOTER_FILE)) {
include CUSTOM_FOOTER_FILE;
}
if (!defined('TESTSUITE')) {
exit;
} else {
return false;
}
}
/**
* Gets advanced authentication settings
*
* @global string $PHP_AUTH_USER the username if register_globals is
* on
* @global string $PHP_AUTH_PW the password if register_globals is
* on
*
* @return boolean whether we get authentication settings or not
*/
public function authCheck()
{
global $PHP_AUTH_USER, $PHP_AUTH_PW;
// Grabs the $PHP_AUTH_USER variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
if (empty($PHP_AUTH_USER)) {
if (PMA_getenv('PHP_AUTH_USER')) {
$PHP_AUTH_USER = PMA_getenv('PHP_AUTH_USER');
} elseif (PMA_getenv('REMOTE_USER')) {
// CGI, might be encoded, see below
$PHP_AUTH_USER = PMA_getenv('REMOTE_USER');
} elseif (PMA_getenv('REDIRECT_REMOTE_USER')) {
// CGI, might be encoded, see below
$PHP_AUTH_USER = PMA_getenv('REDIRECT_REMOTE_USER');
} elseif (PMA_getenv('AUTH_USER')) {
// WebSite Professional
$PHP_AUTH_USER = PMA_getenv('AUTH_USER');
} elseif (PMA_getenv('HTTP_AUTHORIZATION')) {
// IIS, might be encoded, see below
$PHP_AUTH_USER = PMA_getenv('HTTP_AUTHORIZATION');
} elseif (PMA_getenv('Authorization')) {
// FastCGI, might be encoded, see below
$PHP_AUTH_USER = PMA_getenv('Authorization');
}
}
// Grabs the $PHP_AUTH_PW variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
if (empty($PHP_AUTH_PW)) {
if (PMA_getenv('PHP_AUTH_PW')) {
$PHP_AUTH_PW = PMA_getenv('PHP_AUTH_PW');
} elseif (PMA_getenv('REMOTE_PASSWORD')) {
// Apache/CGI
$PHP_AUTH_PW = PMA_getenv('REMOTE_PASSWORD');
} elseif (PMA_getenv('AUTH_PASSWORD')) {
// WebSite Professional
$PHP_AUTH_PW = PMA_getenv('AUTH_PASSWORD');
}
}
// Decode possibly encoded information (used by IIS/CGI/FastCGI)
// (do not use explode() because a user might have a colon in his password
if (strcmp(substr($PHP_AUTH_USER, 0, 6), 'Basic ') == 0) {
$usr_pass = base64_decode(substr($PHP_AUTH_USER, 6));
if (!empty($usr_pass)) {
$colon = strpos($usr_pass, ':');
if ($colon) {
$PHP_AUTH_USER = substr($usr_pass, 0, $colon);
$PHP_AUTH_PW = substr($usr_pass, $colon + 1);
}
unset($colon);
}
unset($usr_pass);
}
// sanitize username
$PHP_AUTH_USER = PMA_sanitizeMySQLUser($PHP_AUTH_USER);
// User logged out -> ensure the new username is not the same
$old_usr = isset($_REQUEST['old_usr']) ? $_REQUEST['old_usr'] : '';
if (! empty($old_usr)
&& (isset($PHP_AUTH_USER) && hash_equals($old_usr, $PHP_AUTH_USER))
) {
$PHP_AUTH_USER = '';
// -> delete user's choices that were stored in session
if (!defined('TESTSUITE')) {
session_destroy();
}
}
// Returns whether we get authentication settings or not
if (empty($PHP_AUTH_USER)) {
return false;
} else {
return true;
}
}
/**
* Set the user and password after last checkings if required
*
* @global array $cfg the valid servers settings
* @global integer $server the id of the current server
* @global string $PHP_AUTH_USER the current username
* @global string $PHP_AUTH_PW the current password
*
* @return boolean always true
*/
public function authSetUser()
{
global $cfg, $server;
global $PHP_AUTH_USER, $PHP_AUTH_PW;
// Ensures valid authentication mode, 'only_db', bookmark database and
// table names and relation table name are used
if (! hash_equals($cfg['Server']['user'], $PHP_AUTH_USER)) {
$servers_cnt = count($cfg['Servers']);
for ($i = 1; $i <= $servers_cnt; $i++) {
if (isset($cfg['Servers'][$i])
&& ($cfg['Servers'][$i]['host'] == $cfg['Server']['host']
&& hash_equals($cfg['Servers'][$i]['user'], $PHP_AUTH_USER))
) {
$server = $i;
$cfg['Server'] = $cfg['Servers'][$i];
break;
}
} // end for
} // end if
$cfg['Server']['user'] = $PHP_AUTH_USER;
$cfg['Server']['password'] = $PHP_AUTH_PW;
// Avoid showing the password in phpinfo()'s output
unset($GLOBALS['PHP_AUTH_PW']);
unset($_SERVER['PHP_AUTH_PW']);
$this->setSessionAccessTime();
return true;
}
/**
* User is not allowed to login to MySQL -> authentication failed
*
* @return bool true
*/
public function authFails()
{
$error = $GLOBALS['dbi']->getError();
if ($error && $GLOBALS['errno'] != 1045) {
PMA_fatalError($error);
return true;
}
$this->authForm();
return true;
}
/**
* Returns URL for login form.
*
* @return string
*/
public function getLoginFormURL()
{
return './index.php?old_usr=' . $GLOBALS['PHP_AUTH_USER'];
}
}

243
#pma/libraries/plugins/auth/AuthenticationSignon.php Normal file
View File

@ -0,0 +1,243 @@
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* SignOn Authentication plugin for phpMyAdmin
*
* @package PhpMyAdmin-Authentication
* @subpackage SignOn
*/
namespace PMA\libraries\plugins\auth;
use PMA\libraries\plugins\AuthenticationPlugin;
use PMA;
/**
* Handles the SignOn authentication method
*
* @package PhpMyAdmin-Authentication
*/
class AuthenticationSignon extends AuthenticationPlugin
{
/**
* Displays authentication form
*
* @return boolean always true (no return indeed)
*/
public function auth()
{
unset($_SESSION['LAST_SIGNON_URL']);
if (empty($GLOBALS['cfg']['Server']['SignonURL'])) {
PMA_fatalError('You must set SignonURL!');
} else {
PMA_sendHeaderLocation($GLOBALS['cfg']['Server']['SignonURL']);
}
if (!defined('TESTSUITE')) {
exit();
} else {
return false;
}
}
/**
* Gets advanced authentication settings
*
* @global string $PHP_AUTH_USER the username if register_globals is on
* @global string $PHP_AUTH_PW the password if register_globals is on
*
* @return boolean whether we get authentication settings or not
*/
public function authCheck()
{
global $PHP_AUTH_USER, $PHP_AUTH_PW;
/* Check if we're using same signon server */
$signon_url = $GLOBALS['cfg']['Server']['SignonURL'];
if (isset($_SESSION['LAST_SIGNON_URL'])
&& $_SESSION['LAST_SIGNON_URL'] != $signon_url
) {
return false;
}
/* Script name */
$script_name = $GLOBALS['cfg']['Server']['SignonScript'];
/* Session name */
$session_name = $GLOBALS['cfg']['Server']['SignonSession'];
/* Login URL */
$signon_url = $GLOBALS['cfg']['Server']['SignonURL'];
/* Current host */
$single_signon_host = $GLOBALS['cfg']['Server']['host'];
/* Current port */
$single_signon_port = $GLOBALS['cfg']['Server']['port'];
/* No configuration updates */
$single_signon_cfgupdate = array();
/* Handle script based auth */
if (!empty($script_name)) {
if (!file_exists($script_name)) {
PMA_fatalError(
__('Can not find signon authentication script:')
. ' ' . $script_name
);
}
include $script_name;
list ($PHP_AUTH_USER, $PHP_AUTH_PW)
= get_login_credentials($GLOBALS['cfg']['Server']['user']);
} elseif (isset($_COOKIE[$session_name])) { /* Does session exist? */
/* End current session */
$old_session = session_name();
$old_id = session_id();
if (!defined('TESTSUITE')) {
session_write_close();
}
/* Load single signon session */
session_name($session_name);
session_id($_COOKIE[$session_name]);
if (!defined('TESTSUITE')) {
session_start();
}
/* Clear error message */
unset($_SESSION['PMA_single_signon_error_message']);
/* Grab credentials if they exist */
if (isset($_SESSION['PMA_single_signon_user'])) {
$PHP_AUTH_USER = $_SESSION['PMA_single_signon_user'];
}
if (isset($_SESSION['PMA_single_signon_password'])) {
$PHP_AUTH_PW = $_SESSION['PMA_single_signon_password'];
}
if (isset($_SESSION['PMA_single_signon_host'])) {
$single_signon_host = $_SESSION['PMA_single_signon_host'];
}
if (isset($_SESSION['PMA_single_signon_port'])) {
$single_signon_port = $_SESSION['PMA_single_signon_port'];
}
if (isset($_SESSION['PMA_single_signon_cfgupdate'])) {
$single_signon_cfgupdate = $_SESSION['PMA_single_signon_cfgupdate'];
}
/* Also get token as it is needed to access subpages */
if (isset($_SESSION['PMA_single_signon_token'])) {
/* No need to care about token on logout */
$pma_token = $_SESSION['PMA_single_signon_token'];
}
/* End single signon session */
if (!defined('TESTSUITE')) {
session_write_close();
}
/* Restart phpMyAdmin session */
session_name($old_session);
if (!empty($old_id)) {
session_id($old_id);
}
if (!defined('TESTSUITE')) {
session_start();
}
/* Set the single signon host */
$GLOBALS['cfg']['Server']['host'] = $single_signon_host;
/* Set the single signon port */
$GLOBALS['cfg']['Server']['port'] = $single_signon_port;
/* Configuration update */
$GLOBALS['cfg']['Server'] = array_merge(
$GLOBALS['cfg']['Server'],
$single_signon_cfgupdate
);
/* Restore our token */
if (!empty($pma_token)) {
$_SESSION[' PMA_token '] = $pma_token;
}
/**
* Clear user cache.
*/
PMA\libraries\Util::clearUserCache();
}
// Returns whether we get authentication settings or not
if (empty($PHP_AUTH_USER)) {
unset($_SESSION['LAST_SIGNON_URL']);
return false;
} else {
$_SESSION['LAST_SIGNON_URL'] = $GLOBALS['cfg']['Server']['SignonURL'];
return true;
}
}
/**
* Set the user and password after last checkings if required
*
* @global array $cfg the valid servers settings
* @global string $PHP_AUTH_USER the current username
* @global string $PHP_AUTH_PW the current password
*
* @return boolean always true
*/
public function authSetUser()
{
global $cfg;
global $PHP_AUTH_USER, $PHP_AUTH_PW;
$cfg['Server']['user'] = $PHP_AUTH_USER;
$cfg['Server']['password'] = $PHP_AUTH_PW;
return true;
}
/**
* User is not allowed to login to MySQL -> authentication failed
*
* @return boolean always true (no return indeed)
*/
public function authFails()
{
/* Session name */
$session_name = $GLOBALS['cfg']['Server']['SignonSession'];
/* Does session exist? */
if (isset($_COOKIE[$session_name])) {
/* End current session */
if (!defined('TESTSUITE')) {
session_write_close();
}
/* Load single signon session */
session_name($session_name);
session_id($_COOKIE[$session_name]);
if (!defined('TESTSUITE')) {
session_start();
}
/* Set error message */
$_SESSION['PMA_single_signon_error_message'] = $this->getErrorMessage();
}
$this->auth();
}
/**
* Returns URL for login form.
*
* @return string
*/
public function getLoginFormURL()
{
return $GLOBALS['cfg']['Server']['SignonURL'];
}
}

29
#pma/libraries/plugins/auth/recaptcha/LICENSE Normal file
View File

@ -0,0 +1,29 @@
Copyright 2014, Google Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
* Neither the name of Google Inc. nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

97
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/ReCaptcha.php Normal file
View File

@ -0,0 +1,97 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha;
/**
* reCAPTCHA client.
*/
class ReCaptcha
{
/**
* Version of this client library.
* @const string
*/
const VERSION = 'php_1.1.2';
/**
* Shared secret for the site.
* @var type string
*/
private $secret;
/**
* Method used to communicate with service. Defaults to POST request.
* @var RequestMethod
*/
private $requestMethod;
/**
* Create a configured instance to use the reCAPTCHA service.
*
* @param string $secret shared secret between site and reCAPTCHA server.
* @param RequestMethod $requestMethod method used to send the request. Defaults to POST.
*/
public function __construct($secret, RequestMethod $requestMethod = null)
{
if (empty($secret)) {
throw new \RuntimeException('No secret provided');
}
if (!is_string($secret)) {
throw new \RuntimeException('The provided secret must be a string');
}
$this->secret = $secret;
if (!is_null($requestMethod)) {
$this->requestMethod = $requestMethod;
} else {
$this->requestMethod = new RequestMethod\Post();
}
}
/**
* Calls the reCAPTCHA siteverify API to verify whether the user passes
* CAPTCHA test.
*
* @param string $response The value of 'g-recaptcha-response' in the submitted form.
* @param string $remoteIp The end user's IP address.
* @return Response Response from the service.
*/
public function verify($response, $remoteIp = null)
{
// Discard empty solution submissions
if (empty($response)) {
$recaptchaResponse = new Response(false, array('missing-input-response'));
return $recaptchaResponse;
}
$params = new RequestParameters($this->secret, $response, $remoteIp, self::VERSION);
$rawResponse = $this->requestMethod->submit($params);
return Response::fromJson($rawResponse);
}
}

42
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/RequestMethod.php Normal file
View File

@ -0,0 +1,42 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha;
/**
* Method used to send the request to the service.
*/
interface RequestMethod
{
/**
* Submit the request with the specified parameters.
*
* @param RequestParameters $params Request parameters
* @return string Body of the reCAPTCHA response
*/
public function submit(RequestParameters $params);
}

74
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/RequestMethod/Curl.php Normal file
View File

@ -0,0 +1,74 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha\RequestMethod;
/**
* Convenience wrapper around the cURL functions to allow mocking.
*/
class Curl
{
/**
* @see http://php.net/curl_init
* @param string $url
* @return resource cURL handle
*/
public function init($url = null)
{
return curl_init($url);
}
/**
* @see http://php.net/curl_setopt_array
* @param resource $ch
* @param array $options
* @return bool
*/
public function setoptArray($ch, array $options)
{
return curl_setopt_array($ch, $options);
}
/**
* @see http://php.net/curl_exec
* @param resource $ch
* @return mixed
*/
public function exec($ch)
{
return curl_exec($ch);
}
/**
* @see http://php.net/curl_close
* @param resource $ch
*/
public function close($ch)
{
curl_close($ch);
}
}

88
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/RequestMethod/CurlPost.php Normal file
View File

@ -0,0 +1,88 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha\RequestMethod;
use ReCaptcha\RequestMethod;
use ReCaptcha\RequestParameters;
/**
* Sends cURL request to the reCAPTCHA service.
* Note: this requires the cURL extension to be enabled in PHP
* @see http://php.net/manual/en/book.curl.php
*/
class CurlPost implements RequestMethod
{
/**
* URL to which requests are sent via cURL.
* @const string
*/
const SITE_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
/**
* Curl connection to the reCAPTCHA service
* @var Curl
*/
private $curl;
public function __construct(Curl $curl = null)
{
if (!is_null($curl)) {
$this->curl = $curl;
} else {
$this->curl = new Curl();
}
}
/**
* Submit the cURL request with the specified parameters.
*
* @param RequestParameters $params Request parameters
* @return string Body of the reCAPTCHA response
*/
public function submit(RequestParameters $params)
{
$handle = $this->curl->init(self::SITE_VERIFY_URL);
$options = array(
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $params->toQueryString(),
CURLOPT_HTTPHEADER => array(
'Content-Type: application/x-www-form-urlencoded'
),
CURLINFO_HEADER_OUT => false,
CURLOPT_HEADER => false,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => true
);
$this->curl->setoptArray($handle, $options);
$response = $this->curl->exec($handle);
$this->curl->close($handle);
return $response;
}
}

70
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/RequestMethod/Post.php Normal file
View File

@ -0,0 +1,70 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha\RequestMethod;
use ReCaptcha\RequestMethod;
use ReCaptcha\RequestParameters;
/**
* Sends POST requests to the reCAPTCHA service.
*/
class Post implements RequestMethod
{
/**
* URL to which requests are POSTed.
* @const string
*/
const SITE_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
/**
* Submit the POST request with the specified parameters.
*
* @param RequestParameters $params Request parameters
* @return string Body of the reCAPTCHA response
*/
public function submit(RequestParameters $params)
{
/**
* PHP 5.6.0 changed the way you specify the peer name for SSL context options.
* Using "CN_name" will still work, but it will raise deprecated errors.
*/
$peer_key = version_compare(PHP_VERSION, '5.6.0', '<') ? 'CN_name' : 'peer_name';
$options = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => $params->toQueryString(),
// Force the peer to validate (not needed in 5.6.0+, but still works
'verify_peer' => true,
// Force the peer validation to use www.google.com
$peer_key => 'www.google.com',
),
);
$context = stream_context_create($options);
return file_get_contents(self::SITE_VERIFY_URL, false, $context);
}
}

105
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/RequestMethod/Socket.php Normal file
View File

@ -0,0 +1,105 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha\RequestMethod;
/**
* Convenience wrapper around native socket and file functions to allow for
* mocking.
*/
class Socket
{
private $handle = null;
/**
* fsockopen
*
* @see http://php.net/fsockopen
* @param string $hostname
* @param int $port
* @param int $errno
* @param string $errstr
* @param float $timeout
* @return resource
*/
public function fsockopen($hostname, $port = -1, &$errno = 0, &$errstr = '', $timeout = null)
{
$this->handle = fsockopen($hostname, $port, $errno, $errstr, (is_null($timeout) ? ini_get("default_socket_timeout") : $timeout));
if ($this->handle != false && $errno === 0 && $errstr === '') {
return $this->handle;
} else {
return false;
}
}
/**
* fwrite
*
* @see http://php.net/fwrite
* @param string $string
* @param int $length
* @return int | bool
*/
public function fwrite($string, $length = null)
{
return fwrite($this->handle, $string, (is_null($length) ? strlen($string) : $length));
}
/**
* fgets
*
* @see http://php.net/fgets
* @param int $length
* @return string
*/
public function fgets($length = null)
{
return fgets($this->handle, $length);
}
/**
* feof
*
* @see http://php.net/feof
* @return bool
*/
public function feof()
{
return feof($this->handle);
}
/**
* fclose
*
* @see http://php.net/fclose
* @return bool
*/
public function fclose()
{
return fclose($this->handle);
}
}

121
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/RequestMethod/SocketPost.php Normal file
View File

@ -0,0 +1,121 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha\RequestMethod;
use ReCaptcha\RequestMethod;
use ReCaptcha\RequestParameters;
/**
* Sends a POST request to the reCAPTCHA service, but makes use of fsockopen()
* instead of get_file_contents(). This is to account for people who may be on
* servers where allow_furl_open is disabled.
*/
class SocketPost implements RequestMethod
{
/**
* reCAPTCHA service host.
* @const string
*/
const RECAPTCHA_HOST = 'www.google.com';
/**
* @const string reCAPTCHA service path
*/
const SITE_VERIFY_PATH = '/recaptcha/api/siteverify';
/**
* @const string Bad request error
*/
const BAD_REQUEST = '{"success": false, "error-codes": ["invalid-request"]}';
/**
* @const string Bad response error
*/
const BAD_RESPONSE = '{"success": false, "error-codes": ["invalid-response"]}';
/**
* Socket to the reCAPTCHA service
* @var Socket
*/
private $socket;
/**
* Constructor
*
* @param \ReCaptcha\RequestMethod\Socket $socket optional socket, injectable for testing
*/
public function __construct(Socket $socket = null)
{
if (!is_null($socket)) {
$this->socket = $socket;
} else {
$this->socket = new Socket();
}
}
/**
* Submit the POST request with the specified parameters.
*
* @param RequestParameters $params Request parameters
* @return string Body of the reCAPTCHA response
*/
public function submit(RequestParameters $params)
{
$errno = 0;
$errstr = '';
if (false === $this->socket->fsockopen('ssl://' . self::RECAPTCHA_HOST, 443, $errno, $errstr, 30)) {
return self::BAD_REQUEST;
}
$content = $params->toQueryString();
$request = "POST " . self::SITE_VERIFY_PATH . " HTTP/1.1\r\n";
$request .= "Host: " . self::RECAPTCHA_HOST . "\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-length: " . strlen($content) . "\r\n";
$request .= "Connection: close\r\n\r\n";
$request .= $content . "\r\n\r\n";
$this->socket->fwrite($request);
$response = '';
while (!$this->socket->feof()) {
$response .= $this->socket->fgets(4096);
}
$this->socket->fclose();
if (0 !== strpos($response, 'HTTP/1.1 200 OK')) {
return self::BAD_RESPONSE;
}
$parts = preg_split("#\n\s*\n#Uis", $response);
return $parts[1];
}
}

103
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/RequestParameters.php Normal file
View File

@ -0,0 +1,103 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha;
/**
* Stores and formats the parameters for the request to the reCAPTCHA service.
*/
class RequestParameters
{
/**
* Site secret.
* @var string
*/
private $secret;
/**
* Form response.
* @var string
*/
private $response;
/**
* Remote user's IP address.
* @var string
*/
private $remoteIp;
/**
* Client version.
* @var string
*/
private $version;
/**
* Initialise parameters.
*
* @param string $secret Site secret.
* @param string $response Value from g-captcha-response form field.
* @param string $remoteIp User's IP address.
* @param string $version Version of this client library.
*/
public function __construct($secret, $response, $remoteIp = null, $version = null)
{
$this->secret = $secret;
$this->response = $response;
$this->remoteIp = $remoteIp;
$this->version = $version;
}
/**
* Array representation.
*
* @return array Array formatted parameters.
*/
public function toArray()
{
$params = array('secret' => $this->secret, 'response' => $this->response);
if (!is_null($this->remoteIp)) {
$params['remoteip'] = $this->remoteIp;
}
if (!is_null($this->version)) {
$params['version'] = $this->version;
}
return $params;
}
/**
* Query string representation for HTTP request.
*
* @return string Query string formatted parameters.
*/
public function toQueryString()
{
return http_build_query($this->toArray(), '', '&');
}
}

102
#pma/libraries/plugins/auth/recaptcha/ReCaptcha/Response.php Normal file
View File

@ -0,0 +1,102 @@
<?php
/**
* This is a PHP library that handles calling reCAPTCHA.
*
* @copyright Copyright (c) 2015, Google Inc.
* @link http://www.google.com/recaptcha
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
namespace ReCaptcha;
/**
* The response returned from the service.
*/
class Response
{
/**
* Succes or failure.
* @var boolean
*/
private $success = false;
/**
* Error code strings.
* @var array
*/
private $errorCodes = array();
/**
* Build the response from the expected JSON returned by the service.
*
* @param string $json
* @return \ReCaptcha\Response
*/
public static function fromJson($json)
{
$responseData = json_decode($json, true);
if (!$responseData) {
return new Response(false, array('invalid-json'));
}
if (isset($responseData['success']) && $responseData['success'] == true) {
return new Response(true);
}
if (isset($responseData['error-codes']) && is_array($responseData['error-codes'])) {
return new Response(false, $responseData['error-codes']);
}
return new Response(false);
}
/**
* Constructor.
*
* @param boolean $success
* @param array $errorCodes
*/
public function __construct($success, array $errorCodes = array())
{
$this->success = $success;
$this->errorCodes = $errorCodes;
}
/**
* Is success?
*
* @return boolean
*/
public function isSuccess()
{
return $this->success;
}
/**
* Get error codes.
*
* @return array
*/
public function getErrorCodes()
{
return $this->errorCodes;
}
}

38
#pma/libraries/plugins/auth/recaptcha/autoload.php Normal file
View File

@ -0,0 +1,38 @@
<?php
/* An autoloader for ReCaptcha\Foo classes. This should be require()d
* by the user before attempting to instantiate any of the ReCaptcha
* classes.
*/
spl_autoload_register(function ($class) {
if (substr($class, 0, 10) !== 'ReCaptcha\\') {
/* If the class does not lie under the "ReCaptcha" namespace,
* then we can exit immediately.
*/
return;
}
/* All of the classes have names like "ReCaptcha\Foo", so we need
* to replace the backslashes with frontslashes if we want the
* name to map directly to a location in the filesystem.
*/
$class = str_replace('\\', '/', $class);
/* First, check under the current directory. It is important that
* we look here first, so that we don't waste time searching for
* test classes in the common case.
*/
$path = dirname(__FILE__).'/'.$class.'.php';
if (is_readable($path)) {
require_once $path;
}
/* If we didn't find what we're looking for already, maybe it's
* a test class?
*/
$path = dirname(__FILE__).'/../tests/'.$class.'.php';
if (is_readable($path)) {
require_once $path;
}
});