Refactor generating of private key and random strings
Private key generation is now atomic. More secure random strings on PHP 7+.
@@ -25,12 +25,16 @@ class Adminer {
function connectSsl() {
}
/** Get key used for permanent login
* @param bool
* @return string cryptic string which gets combined with password or false in case of an error
*/
/**
* Gets a private key used for permanent login.
*
* @param bool $create
*
* @return string|false Cryptic string which gets combined with password or false in case of an error.
* @throws \Random\RandomException
*/
function permanentLogin($create = false) {
return password_file($create);
return get_private_key($create);
}
/** Return key used to group brute force attacks; behind a reverse proxy, you want to return the last part of X-Forwarded-For
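Review bot: The `@throws \Random\RandomException` tag added to permanentLogin() names a class that only exists on PHP 8.2+, while random_bytes() on PHP 7.0–8.1 throws a plain `\Exception` and the commit still keeps a pre-7 fallback, so `@throws \Exception` (which RandomException extends) describes every runtime this code claims to support. The same tag is added in the auth_error(), get_nonce(), get_private_key()/get_random_string() and second permanentLogin() hunks below. The new `@param bool $create` line would also be more useful if it said what the flag does, e.g. `@param bool $create create the key file when it does not exist yet`, which is what get_private_key() does with it.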
@@ -1,4 +1,5 @@
<?php
$connection = '';
$has_token = $_SESSION["token"];
@@ -171,9 +172,10 @@ function unset_permanent() {
}
/** Renders an error message and a login form
* @param string plain text
* @return null exits
*/
* @param string plain text
* @return null exits
* @throws \Random\RandomException
*/
function auth_error($error) {
global $adminer, $has_token;
$session_name = session_name();
@@ -198,7 +200,7 @@ function auth_error($error) {
$error = lang('Session support must be enabled.');
}
$params = session_get_cookie_params();
cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]);
cookie("adminer_key", ($_COOKIE["adminer_key"] ?: get_random_string()), $params["lifetime"]);
page_header(lang('Login'), $error, null);
echo "<form action='' method='post'>\n";
echo "<div>";
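Review bot: The rewritten cookie() line still reads `$_COOKIE["adminer_key"]` with no isset() guard, so the first visit to the login form (no cookie yet) raises an undefined-index notice (a warning on PHP 8) before the `?:` falls through to get_random_string(), unless error_reporting hides it; `isset($_COOKIE["adminer_key"]) ? $_COOKIE["adminer_key"] : get_random_string()` works on every PHP version this code targets. The client-supplied value is also written straight back into the cookie as-is; since get_random_string() produces 32 hexadecimal characters, a `preg_match('~^[0-9a-f]{32}$~', $_COOKIE["adminer_key"])` check would reject malformed values instead of persisting them. auth_error() begins before and continues past this hunk.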
@@ -142,14 +142,20 @@ function csp() {
);
}
/** Get a CSP nonce
* @return string Base64 value
*/
function get_nonce() {
/**
* Gets a CSP nonce.
*
* @return string Base64 value.
* @throws \Random\RandomException
*/
function get_nonce()
{
static $nonce;
if (!$nonce) {
$nonce = base64_encode(rand_string());
$nonce = base64_encode(get_random_string(true));
}
return $nonce;
}
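Review bot: The new nonce line `base64_encode(get_random_string(true))` inherits the weakness of get_random_string()'s fallback: on PHP without random_bytes() the `true` argument returns the raw `uniqid(mt_rand(), true)` text, which is neither 32 bytes nor unpredictable, so the CSP nonce on such installs is guessable. If pre-7 PHP is still supported, the fallback should at least be documented where it applies, and the same caveat holds for the key written by get_private_key() in the later functions.inc.php hunk. A comment such as `// CSP nonce; only cryptographically random when random_bytes() exists (PHP 7+)` on the assignment would make the limitation visible to whoever reads csp() output.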
@@ -1,4 +1,5 @@
<?php
/** Get database connection
* @return Min_DB
*/
@@ -1249,6 +1250,17 @@ function write_and_unlock_file($file, $data)
rewind($file);
fwrite($file, $data);
ftruncate($file, strlen($data));
unlock_file($file);
}
/**
* Unlocks and closes the file.
*
* @param resource $file
*/
function unlock_file($file)
{
flock($file, LOCK_UN);
fclose($file);
}
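Review bot: write_and_unlock_file() hands the handle to the new unlock_file(), which calls flock(LOCK_UN) before fclose(), so the lock is released without the data written by fwrite() having been flushed first; the flock() manual's own example flushes before unlocking precisely so that the next holder of the lock cannot observe an empty file, and here a second process reading an empty adminer.key would mint its own key, the race this commit sets out to close. Add `fflush($file);` after the ftruncate() call and before `unlock_file($file);`. The return values of fwrite() and ftruncate() are also unchecked, so a short write would leave a truncated key that later reads back as valid. The opening of write_and_unlock_file() lies before this hunk.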
@@ -1258,31 +1270,44 @@ function write_and_unlock_file($file, $data)
*
* @param $create bool
* @return string|false Returns false if the file can not be created.
* @throws \Random\RandomException
*/
function password_file($create) {
function get_private_key($create)
{
$filename = get_temp_dir() . "/adminer.key";
$return = file_exists($filename) ? file_get_contents($filename) : false;
if ($return || !$create) {
return $return;
if (!$create && !file_exists($filename)) {
return false;
}
$file = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic
if ($file) {
chmod($filename, 0660);
$return = rand_string();
fwrite($file, $return);
fclose($file);
$file = open_file_with_lock($filename);
if (!$file) {
return false;
}
return $return;
$key = stream_get_contents($file);
if (!$key) {
$key = get_random_string();
write_and_unlock_file($file, $key);
} else {
unlock_file($file);
}
return $key;
}
/** Get a random string
* @return string 32 hexadecimal characters
*/
function rand_string() {
return md5(uniqid(mt_rand(), true));
/**
* Returns a random 32 characters long string.
*
* @param $binary bool
* @return string
* @throws \Random\RandomException
*/
function get_random_string($binary = false)
{
$bytes = function_exists('random_bytes') ? random_bytes(32) : uniqid(mt_rand(), true);
return $binary ? $bytes : md5($bytes);
}
/** Format value to use in select
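Review bot: The rewritten get_private_key() drops the `chmod($filename, 0660)` the removed code ran right after creating the key file, so unless open_file_with_lock() (not in this hunk) sets the mode itself, a freshly created adminer.key in the shared temp dir keeps umask-default permissions and is typically readable by every local user; adding `chmod($filename, 0660);` inside the `if (!$key)` branch before `write_and_unlock_file($file, $key);` restores the previous protection. `if (!$key)` also treats a failed stream_get_contents() (false) like an empty file and silently overwrites an existing key with a new one, which invalidates every permanent login; a `$key === false` check that returns false would be safer. In get_random_string() the docblock's "32 characters" does not hold for the `$binary` fallback, which returns the raw uniqid() text; `@return string 32 random bytes (or 32 hex characters) with random_bytes(), otherwise a uniqid()-based fallback` states the real contract, and the `@param $create bool` / `@param $binary bool` tags should read `@param bool $create` / `@param bool $binary`. get_private_key()'s docblock starts before this hunk.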
@@ -16,8 +16,11 @@ class Adminer {
function connectSsl() {
}
/**
* @throws \Random\RandomException
*/
function permanentLogin($create = false) {
return password_file($create);
return get_private_key($create);
}
function bruteForceKey() {