
Refactor generating of private key and random strings

Generating the private key is now atomic.
Random strings are more secure on PHP 7+.
This commit is contained in:
Peter Knut
2024-10-07 23:37:33 +02:00
parent a63fadd503
commit 2d4b73653b
5 changed files with 71 additions and 31 deletions


@@ -25,12 +25,16 @@ class Adminer {
function connectSsl() { function connectSsl() {
} }
/** Get key used for permanent login /**
* @param bool * Gets a private key used for permanent login.
* @return string cryptic string which gets combined with password or false in case of an error *
*/ * @param bool $create
*
* @return string|false Cryptic string which gets combined with password or false in case of an error.
* @throws \Random\RandomException
*/
function permanentLogin($create = false) { function permanentLogin($create = false) {
return password_file($create); return get_private_key($create);
} }
/** Return key used to group brute force attacks; behind a reverse proxy, you want to return the last part of X-Forwarded-For /** Return key used to group brute force attacks; behind a reverse proxy, you want to return the last part of X-Forwarded-For
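Review bot: The new docblock's `@throws \Random\RandomException` names a class that only exists from PHP 8.2; on the older versions this code still supports (the `function_exists('random_bytes')` guard in get_random_string implies PHP 5/7), random_bytes() throws a plain `\Exception`, so the tag is wrong for exactly the versions where the exception is most likely. Since `\Random\RandomException` extends `\Exception`, `@throws \Exception` would be accurate on every supported version. The same tag is added in the auth_error, get_nonce, get_private_key, get_random_string and editor permanentLogin hunks.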


@@ -1,4 +1,5 @@
<?php <?php
$connection = ''; $connection = '';
$has_token = $_SESSION["token"]; $has_token = $_SESSION["token"];
@@ -171,9 +172,10 @@ function unset_permanent() {
} }
/** Renders an error message and a login form /** Renders an error message and a login form
* @param string plain text * @param string plain text
* @return null exits * @return null exits
*/ * @throws \Random\RandomException
*/
function auth_error($error) { function auth_error($error) {
global $adminer, $has_token; global $adminer, $has_token;
$session_name = session_name(); $session_name = session_name();
@@ -198,7 +200,7 @@ function auth_error($error) {
$error = lang('Session support must be enabled.'); $error = lang('Session support must be enabled.');
} }
$params = session_get_cookie_params(); $params = session_get_cookie_params();
cookie("adminer_key", ($_COOKIE["adminer_key"] ? $_COOKIE["adminer_key"] : rand_string()), $params["lifetime"]); cookie("adminer_key", ($_COOKIE["adminer_key"] ?: get_random_string()), $params["lifetime"]);
page_header(lang('Login'), $error, null); page_header(lang('Login'), $error, null);
echo "<form action='' method='post'>\n"; echo "<form action='' method='post'>\n";
echo "<div>"; echo "<div>";
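Review bot: The cookie line still reuses whatever value the client sent in `adminer_key` and only changes the fallback to get_random_string(), so a client-supplied key is accepted without any shape check. Because get_random_string() without the binary flag always returns the md5() hex form, a server-issued key is exactly 32 hex characters, and a test such as `preg_match('~^[0-9a-f]{32}$~', $_COOKIE["adminer_key"]) ? $_COOKIE["adminer_key"] : get_random_string()` in place of the bare truthiness test would reject values the server could not have issued. Whether that matters depends on how adminer_key is consumed, which is outside this hunk.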


@@ -142,14 +142,20 @@ function csp() {
); );
} }
/** Get a CSP nonce /**
* @return string Base64 value * Gets a CSP nonce.
*/ *
function get_nonce() { * @return string Base64 value.
* @throws \Random\RandomException
*/
function get_nonce()
{
static $nonce; static $nonce;
if (!$nonce) { if (!$nonce) {
$nonce = base64_encode(rand_string()); $nonce = base64_encode(get_random_string(true));
} }
return $nonce; return $nonce;
} }
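Review bot: The rewritten get_nonce() puts its opening brace on its own line, while the rest of this file keeps it on the signature line (`function csp() {` in the hunk header and the original `function get_nonce() {`); the same next-line braces appear in the unlock_file, get_private_key and get_random_string hunks. Mixing the two placements in one file makes the diff larger than the actual change; keeping `function get_nonce() {` would confine this hunk to the docblock and the `get_random_string(true)` call. Note too that on the pre-7 fallback `get_random_string(true)` returns uniqid() text rather than 32 random bytes, so the nonce is weaker there; a short comment on the base64_encode line would tell the next reader that this is a known limitation rather than an oversight.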


@@ -1,4 +1,5 @@
<?php <?php
/** Get database connection /** Get database connection
* @return Min_DB * @return Min_DB
*/ */
@@ -1249,6 +1250,17 @@ function write_and_unlock_file($file, $data)
rewind($file); rewind($file);
fwrite($file, $data); fwrite($file, $data);
ftruncate($file, strlen($data)); ftruncate($file, strlen($data));
unlock_file($file);
}
/**
* Unlocks and closes the file.
*
* @param resource $file
*/
function unlock_file($file)
{
flock($file, LOCK_UN); flock($file, LOCK_UN);
fclose($file); fclose($file);
} }
@@ -1258,31 +1270,44 @@ function write_and_unlock_file($file, $data)
* *
* @param $create bool * @param $create bool
* @return string|false Returns false if the file can not be created. * @return string|false Returns false if the file can not be created.
* @throws \Random\RandomException
*/ */
function password_file($create) { function get_private_key($create)
{
$filename = get_temp_dir() . "/adminer.key"; $filename = get_temp_dir() . "/adminer.key";
$return = file_exists($filename) ? file_get_contents($filename) : false; if (!$create && !file_exists($filename)) {
if ($return || !$create) { return false;
return $return;
} }
$file = @fopen($filename, "w"); // @ - can have insufficient rights //! is not atomic $file = open_file_with_lock($filename);
if ($file) { if (!$file) {
chmod($filename, 0660); return false;
$return = rand_string();
fwrite($file, $return);
fclose($file);
} }
return $return; $key = stream_get_contents($file);
if (!$key) {
$key = get_random_string();
write_and_unlock_file($file, $key);
} else {
unlock_file($file);
}
return $key;
} }
/** Get a random string /**
* @return string 32 hexadecimal characters * Returns a random 32 characters long string.
*/ *
function rand_string() { * @param $binary bool
return md5(uniqid(mt_rand(), true)); * @return string
* @throws \Random\RandomException
*/
function get_random_string($binary = false)
{
$bytes = function_exists('random_bytes') ? random_bytes(32) : uniqid(mt_rand(), true);
return $binary ? $bytes : md5($bytes);
} }
/** Format value to use in select /** Format value to use in select
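Review bot: get_private_key() no longer calls `chmod($filename, 0660)` after creating the key file, which the replaced password_file() did; unless open_file_with_lock() (outside this hunk) restricts permissions itself, a freshly created adminer.key under get_temp_dir() is left at the umask default and may be readable by other local users of a shared temp directory. Restoring `chmod($filename, 0660);` inside the `if (!$key)` branch before write_and_unlock_file() would keep the previous guarantee. Also, get_random_string() with `$binary = true` on the fallback path returns uniqid() text rather than 32 random bytes, so the docblock's "random 32 characters long string" only holds when random_bytes() exists; a comment such as `// without random_bytes() the fallback is neither 32 bytes nor cryptographically random` would make that explicit to callers like get_nonce(). Lastly, `if (!$key)` after stream_get_contents() treats a failed read (false) the same as an empty file and regenerates the key in both cases; if that is intended, say so in a one-line comment.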


@@ -16,8 +16,11 @@ class Adminer {
function connectSsl() { function connectSsl() {
} }
/**
* @throws \Random\RandomException
*/
function permanentLogin($create = false) { function permanentLogin($create = false) {
return password_file($create); return get_private_key($create);
} }
function bruteForceKey() { function bruteForceKey() {