mirror/php-adminer
1
0
Fork 0
mirror of https://github.com/vrana/adminer.git synced 2025-08-07 23:27:17 +02:00
Code Issues Releases Wiki Activity

Delete $has_token

Browse Source
This commit is contained in:
Jakub Vrana
2025-03-28 20:40:28 +01:00
parent ff37ac1d35
commit d59830c7b2
3 changed files with 10 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
adminer/include/auth.inc.php
View File

@@ -3,11 +3,6 @@ namespace Adminer;
$connection = ''; $connection = '';
$has_token = $_SESSION["token"];
if (!$has_token) {
$_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
}
$permanent = array(); $permanent = array();
if ($_COOKIE["adminer_permanent"]) { if ($_COOKIE["adminer_permanent"]) {
foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) { foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) {
@@ -94,7 +89,7 @@ if ($auth) {
redirect(auth_url($vendor, $server, $username, $db)); redirect(auth_url($vendor, $server, $username, $db));
} }
} elseif ($_POST["logout"] && (!$has_token || verify_token())) { } elseif ($_POST["logout"] && (!$_SESSION["token"] || verify_token())) {
foreach (array("pwds", "db", "dbs", "queries") as $key) { foreach (array("pwds", "db", "dbs", "queries") as $key) {
set_session($key, null); set_session($key, null);
} }
@@ -128,11 +123,11 @@ function unset_permanent(): void {
* @return never * @return never
*/ */
function auth_error(string $error) { function auth_error(string $error) {
global $adminer, $has_token; global $adminer;
$session_name = session_name(); $session_name = session_name();
if (isset($_GET["username"])) { if (isset($_GET["username"])) {
header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header header("HTTP/1.1 403 Forbidden"); // 401 requires sending WWW-Authenticate header
if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$has_token) { if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$_SESSION["token"]) {
$error = lang('Session expired, please login again.'); $error = lang('Session expired, please login again.');
} else { } else {
restart_session(); restart_session();
@@ -173,8 +168,6 @@ if (isset($_GET["username"]) && !class_exists('Adminer\Db')) {
exit; exit;
} }
stop_session(true);
if (isset($_GET["username"]) && is_string(get_password())) { if (isset($_GET["username"]) && is_string(get_password())) {
list($host, $port) = explode(":", SERVER, 2); list($host, $port) = explode(":", SERVER, 2);
if (preg_match('~^\s*([-+]?\d+)~', $port, $match) && ($match[1] < 1024 || $match[1] > 65535)) { // is_numeric('80#') would still connect to port 80 if (preg_match('~^\s*([-+]?\d+)~', $port, $match) && ($match[1] < 1024 || $match[1] > 65535)) { // is_numeric('80#') would still connect to port 80
@@ -196,12 +189,16 @@ if (!is_object($connection) || ($login = $adminer->login($_GET["username"], get_
auth_error($error . (preg_match('~^ | $~', get_password()) ? '<br>' . lang('There is a space in the input password which might be the cause.') : '')); auth_error($error . (preg_match('~^ | $~', get_password()) ? '<br>' . lang('There is a space in the input password which might be the cause.') : ''));
} }
if ($_POST["logout"] && $has_token && !verify_token()) { if ($_POST["logout"] && $_SESSION["token"] && !verify_token()) {
page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.')); page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));
page_footer("db"); page_footer("db");
exit; exit;
} }
if (!$_SESSION["token"]) {
$_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
}
stop_session(true);
if ($auth && $_POST["token"]) { if ($auth && $_POST["token"]) {
$_POST["token"] = get_token(); // reset token after explicit login $_POST["token"] = get_token(); // reset token after explicit login
} }

2
adminer/include/bootstrap.inc.php
View File

@@ -39,7 +39,7 @@ if ($_GET["script"] == "version") {
exit; exit;
} }
global $adminer, $connection, $driver, $drivers, $permanent, $has_token, $translations; // allows including Adminer inside a function global $adminer, $connection, $driver, $drivers, $permanent, $translations; // allows including Adminer inside a function
if (!$_SERVER["REQUEST_URI"]) { // IIS 5 compatibility if (!$_SERVER["REQUEST_URI"]) { // IIS 5 compatibility
$_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"]; $_SERVER["REQUEST_URI"] = $_SERVER["ORIG_PATH_INFO"];

2
phpstan.neon
View File

@@ -12,7 +12,7 @@ parameters:
- identifier: includeOnce.fileNotFound # ./adminer-plugins.php - identifier: includeOnce.fileNotFound # ./adminer-plugins.php
- "~^Function (set_magic_quotes_runtime|mysql_)~" # PHP < 7 functions - "~^Function (set_magic_quotes_runtime|mysql_)~" # PHP < 7 functions
- "~an unknown class OCI-?Lob~" # this looks like PHPStan bug - "~an unknown class OCI-?Lob~" # this looks like PHPStan bug
- "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|has_token|translations) might not be defined~" # declared in bootstrap.inc.php - "~^Variable \\$(adminer|connection|driver|drivers|error|permanent|translations) might not be defined~" # declared in bootstrap.inc.php
- "~expects int, float given~" # this will work - "~expects int, float given~" # this will work
- "~expects bool~" # truthy values - "~expects bool~" # truthy values
- "~fread expects int<1, max>, 100000~" # 1e6 - "~fread expects int<1, max>, 100000~" # 1e6