From d59830c7b2df854685d064c3139ef0f1eb25545e Mon Sep 17 00:00:00 2001 From: Jakub Vrana Date: Fri, 28 Mar 2025 20:40:28 +0100 Subject: [PATCH] Delete $has_token --- adminer/include/auth.inc.php | 19 ++++++++----------- adminer/include/bootstrap.inc.php | 2 +- phpstan.neon | 2 +- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php index 048266ed..060b7df2 100644 --- a/adminer/include/auth.inc.php +++ b/adminer/include/auth.inc.php @@ -3,11 +3,6 @@ namespace Adminer; $connection = ''; -$has_token = $_SESSION["token"]; -if (!$has_token) { - $_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery -} - $permanent = array(); if ($_COOKIE["adminer_permanent"]) { foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) { @@ -94,7 +89,7 @@ if ($auth) { redirect(auth_url($vendor, $server, $username, $db)); } -} elseif ($_POST["logout"] && (!$has_token || verify_token())) { +} elseif ($_POST["logout"] && (!$_SESSION["token"] || verify_token())) { foreach (array("pwds", "db", "dbs", "queries") as $key) { set_session($key, null); } @@ -128,11 +123,11 @@ function unset_permanent(): void { * @return never */ function auth_error(string $error) { - global $adminer, $has_token; + global $adminer; $session_name = session_name(); if (isset($_GET["username"])) { header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header - if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$has_token) { + if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$_SESSION["token"]) { $error = lang('Session expired, please login again.'); } else { restart_session(); @@ -173,8 +168,6 @@ if (isset($_GET["username"]) && !class_exists('Adminer\Db')) { exit; } -stop_session(true); - if (isset($_GET["username"]) && is_string(get_password())) { list($host, $port) = explode(":", SERVER, 2); if (preg_match('~^\s*([-+]?\d+)~', $port, $match) && ($match[1] < 1024 || $match[1] > 65535)) { // is_numeric('80#') would still connect to port 80 @@ -196,12 +189,16 @@ if (!is_object($connection) || ($login = $adminer->login($_GET["username"], get_ auth_error($error . (preg_match('~^ | $~', get_password()) ? '
' . lang('There is a space in the input password which might be the cause.') : '')); } -if ($_POST["logout"] && $has_token && !verify_token()) { +if ($_POST["logout"] && $_SESSION["token"] && !verify_token()) { page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.')); page_footer("db"); exit; } +if (!$_SESSION["token"]) { + $_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery +} +stop_session(true); if ($auth && $_POST["token"]) { $_POST["token"] = get_token(); // reset token after explicit login } diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php index dcb5bef1..2fc9515a 100644 --- a/adminer/include/bootstrap.inc.php +++ b/adminer/include/bootstrap.inc.php @@ -39,7 +39,7 @@ if ($_GET["script"] == "version") { exit; } -global $adminer, $connection, $driver, $drivers, $permanent, $has_token, $translations; // allows including Adminer inside a function +global $adminer, $connection, $driver, $drivers, $permanent, $translations; // allows including Adminer inside a function if (!$_SERVER["REQUEST_URI"]) { // IIS 5 compatibility $_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"]; diff --git a/phpstan.neon b/phpstan.neon index de880356..0f3e1910 100644 --- a/phpstan.neon +++ b/phpstan.neon @@ -12,7 +12,7 @@ parameters: - identifier: includeOnce.fileNotFound # ./adminer-plugins.php - "~^Function (set_magic_quotes_runtime|mysql_)~" # PHP < 7 functions - "~an unknown class OCI-?Lob~" # this looks like PHPStan bug - - "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|has_token|translations) might not be defined~" # declared in bootstrap.inc.php + - "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|translations) might not be defined~" # declared in bootstrap.inc.php - "~expects int, float given~" # this will work - "~expects bool~" # truthy values - "~fread expects int<1, max>, 100000~" # 1e6