2 /* vim: set expandtab sw=4 ts=4 sts=4: */
4 * Various checks and message functions used on index page.
6 * Security checks are the idea of Aung Khant <aungkhant[at]yehg.net>, http://yehg.net/lab
7 * Version check taken from the old setup script by Michal Čihař <michal@cihar.com>
9 * @package PhpMyAdmin-setup
12 if (!defined('PHPMYADMIN')) {
17 * Initializes message list
19 function messages_begin()
21 if (! isset($_SESSION['messages']) ||
!is_array($_SESSION['messages'])) {
22 $_SESSION['messages'] = array('error' => array(), 'notice' => array());
24 // reset message states
25 foreach ($_SESSION['messages'] as &$messages) {
26 foreach ($messages as &$msg) {
27 $msg['fresh'] = false;
28 $msg['active'] = false;
35 * Adds a new message to message list
37 * @param string $type one of: notice, error
38 * @param string $id unique message identifier
39 * @param string $title language string id (in $str array)
40 * @param string $message message text
42 function messages_set($type, $id, $title, $message)
44 $fresh = ! isset($_SESSION['messages'][$type][$id]);
45 $_SESSION['messages'][$type][$id] = array(
49 'message' => $message);
53 * Cleans up message list
55 function messages_end()
57 foreach ($_SESSION['messages'] as &$messages) {
58 $remove_ids = array();
59 foreach ($messages as $id => &$msg) {
60 if ($msg['active'] == false) {
64 foreach ($remove_ids as $id) {
65 unset($messages[$id]);
71 * Prints message list, must be called after messages_end()
73 function messages_show_html()
76 foreach ($_SESSION['messages'] as $type => $messages) {
77 foreach ($messages as $id => $msg) {
78 echo '<div class="' . $type . '" id="' . $id . '">' . '<h4>' . $msg['title'] . '</h4>' . $msg['message'] . '</div>';
79 if (!$msg['fresh'] && $type != 'error') {
85 echo "\n" . '<script type="text/javascript">';
86 foreach ($old_ids as $id) {
87 echo "\nhiddenMessages.push('$id');";
93 * Checks for newest phpMyAdmin version and sets result as a new notice
95 function PMA_version_check()
97 // version check messages should always be visible so let's make
98 // a unique message id each time we run it
99 $message_id = uniqid('version_check');
100 // wait 3s at most for server response, it's enough to get information
101 // from a working server
102 $connection_timeout = 3;
104 $url = 'http://phpmyadmin.net/home_page/version.php';
105 $context = stream_context_create(array(
107 'timeout' => $connection_timeout)));
108 $data = @file_get_contents
($url, null, $context);
109 if ($data === false) {
110 if (function_exists('curl_init')) {
111 $ch = curl_init($url);
112 curl_setopt($ch, CURLOPT_HEADER
, false);
113 curl_setopt($ch, CURLOPT_RETURNTRANSFER
, true);
114 curl_setopt($ch, CURLOPT_TIMEOUT
, $connection_timeout);
115 $data = curl_exec($ch);
122 __('Neither URL wrapper nor CURL is available. Version check is not possible.'));
132 __('Reading of version failed. Maybe you\'re offline or the upgrade server does not respond.'));
136 /* Format: version\ndate\n(download\n)* */
137 $data_list = explode("\n", $data);
139 if (count($data_list) > 1) {
140 $version = $data_list[0];
141 $date = $data_list[1];
143 $version = $date = '';
146 $version_upstream = version_to_int($version);
147 if ($version_upstream === false) {
152 __('Got invalid version string from server'));
156 $version_local = version_to_int($GLOBALS['PMA_Config']->get('PMA_VERSION'));
157 if ($version_local === false) {
162 __('Unparsable version string'));
166 if ($version_upstream > $version_local) {
167 $version = htmlspecialchars($version);
168 $date = htmlspecialchars($date);
173 sprintf(__('A newer version of phpMyAdmin is available and you should consider upgrading. The newest version is %s, released on %s.'), $version, $date));
175 if ($version_local %
100 == 0) {
180 PMA_sanitize(sprintf(__('You are using Git version, run [kbd]git pull[/kbd] :-)[br]The latest stable version is %s, released on %s.'), $version, $date)));
186 __('No newer stable version is available'));
192 * Calculates numerical equivalent of phpMyAdmin version string
194 * @param string $version
195 * @return mixed false on failure, integer on success
197 function version_to_int($version)
200 if (!preg_match('/^(\d+)\.(\d+)\.(\d+)((\.|-(pl|rc|dev|beta|alpha))(\d+)?(-dev)?)?$/', $version, $matches)) {
203 if (!empty($matches[6])) {
204 switch ($matches[6]) {
225 'Unknown version part: ' . htmlspecialchars($matches[6]));
230 $added = 50; // for final
232 if (!empty($matches[7])) {
233 $added = $added +
$matches[7];
235 return $matches[1] * 1000000 +
$matches[2] * 10000 +
$matches[3] * 100 +
$added;
239 * Checks whether config file is readable/writable
241 * @param bool &$is_readable
242 * @param bool &$is_writable
243 * @param bool &$file_exists
245 function check_config_rw(&$is_readable, &$is_writable, &$file_exists)
247 $file_path = ConfigFile
::getInstance()->getFilePath();
248 $file_dir = dirname($file_path);
250 $is_writable = is_dir($file_dir);
251 if (SETUP_DIR_WRITABLE
) {
252 $is_writable = $is_writable && is_writable($file_dir);
254 $file_exists = file_exists($file_path);
256 $is_readable = is_readable($file_path);
257 $is_writable = $is_writable && is_writable($file_path);
262 * Performs various compatibility, security and consistency checks on current config
264 * Outputs results to message list, must be called between messages_begin()
267 function perform_config_checks()
269 $cf = ConfigFile
::getInstance();
270 $blowfish_secret = $cf->get('blowfish_secret');
271 $blowfish_secret_set = false;
272 $cookie_auth_used = false;
274 $strAllowArbitraryServerWarning = __('This %soption%s should be disabled as it allows attackers to bruteforce login to any MySQL server. If you feel this is necessary, use %strusted proxies list%s. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.');
275 $strAllowArbitraryServerWarning = sprintf($strAllowArbitraryServerWarning, '[a@?page=form&formset=Features#tab_Security]', '[/a]', '[a@?page=form&formset=Features#tab_Security]', '[/a]');
276 $strBlowfishSecretMsg = __('You didn\'t have blowfish secret set and have enabled cookie authentication, so a key was automatically generated for you. It is used to encrypt cookies; you don\'t need to remember it.');
277 $strBZipDumpWarning = __('%sBzip2 compression and decompression%s requires functions (%s) which are unavailable on this system.');
278 $strBZipDumpWarning = sprintf($strBZipDumpWarning, '[a@?page=form&formset=Features#tab_Import_export]', '[/a]', '%s');
279 $strDirectoryNotice = __('This value should be double checked to ensure that this directory is neither world accessible nor readable or writable by other users on your server.');
280 $strForceSSLNotice = __('This %soption%s should be enabled if your web server supports it.');
281 $strForceSSLNotice = sprintf($strForceSSLNotice, '[a@?page=form&formset=Features#tab_Security]', '[/a]');
282 $strGZipDumpWarning = __('%sGZip compression and decompression%s requires functions (%s) which are unavailable on this system.');
283 $strGZipDumpWarning = sprintf($strGZipDumpWarning, '[a@?page=form&formset=Features#tab_Import_export]', '[/a]', '%s');
284 $strLoginCookieValidityWarning = __('%sLogin cookie validity%s greater than 1440 seconds may cause random session invalidation if %ssession.gc_maxlifetime%s is lower than its value (currently %d).');
285 $strLoginCookieValidityWarning = sprintf($strLoginCookieValidityWarning, '[a@?page=form&formset=Features#tab_Security]', '[/a]', '[a@' . PMA_getPHPDocLink('session.configuration.php#ini.session.gc-maxlifetime') . ']', '[/a]', ini_get('session.gc_maxlifetime'));
286 $strLoginCookieValidityWarning2 = __('%sLogin cookie validity%s should be set to 1800 seconds (30 minutes) at most. Values larger than 1800 may pose a security risk such as impersonation.');
287 $strLoginCookieValidityWarning2 = sprintf($strLoginCookieValidityWarning2, '[a@?page=form&formset=Features#tab_Security]', '[/a]');
288 $strLoginCookieValidityWarning3 = __('If using cookie authentication and %sLogin cookie store%s is not 0, %sLogin cookie validity%s must be set to a value less or equal to it.');
289 $strLoginCookieValidityWarning3 = sprintf($strLoginCookieValidityWarning3, '[a@?page=form&formset=Features#tab_Security]', '[/a]', '[a@?page=form&formset=Features#tab_Security]', '[/a]');
290 $strSecurityInfoMsg = __('If you feel this is necessary, use additional protection settings - %shost authentication%s settings and %strusted proxies list%s. However, IP-based protection may not be reliable if your IP belongs to an ISP where thousands of users, including you, are connected to.');
291 $strSecurityInfoMsg = sprintf($strSecurityInfoMsg, '[a@?page=servers&mode=edit&id=%1$d#tab_Server_config]', '[/a]', '[a@?page=form&formset=Features#tab_Security]', '[/a]');
292 $strServerAuthConfigMsg = __('You set the [kbd]config[/kbd] authentication type and included username and password for auto-login, which is not a desirable option for live hosts. Anyone who knows or guesses your phpMyAdmin URL can directly access your phpMyAdmin panel. Set %sauthentication type%s to [kbd]cookie[/kbd] or [kbd]http[/kbd].');
293 $strServerAuthConfigMsg = sprintf($strServerAuthConfigMsg, '[a@?page=servers&mode=edit&id=%1$d#tab_Server]', '[/a]');
294 $strZipDumpExportWarning = __('%sZip compression%s requires functions (%s) which are unavailable on this system.');
295 $strZipDumpExportWarning = sprintf($strZipDumpExportWarning, '[a@?page=form&formset=Features#tab_Import_export]', '[/a]', '%s');
296 $strZipDumpImportWarning = __('%sZip decompression%s requires functions (%s) which are unavailable on this system.');
297 $strZipDumpImportWarning = sprintf($strZipDumpImportWarning, '[a@?page=form&formset=Features#tab_Import_export]', '[/a]', '%s');
299 for ($i = 1, $server_cnt = $cf->getServerCount(); $i <= $server_cnt; $i++
) {
300 $cookie_auth_server = ($cf->getValue("Servers/$i/auth_type") == 'cookie');
301 $cookie_auth_used |
= $cookie_auth_server;
302 $server_name = $cf->getServerName($i);
303 if ($server_name == 'localhost') {
304 $server_name .= " [$i]";
307 if ($cookie_auth_server && $blowfish_secret === null) {
308 $blowfish_secret = uniqid('', true);
309 $blowfish_secret_set = true;
310 $cf->set('blowfish_secret', $blowfish_secret);
314 // $cfg['Servers'][$i]['ssl']
315 // should be enabled if possible
317 if (!$cf->getValue("Servers/$i/ssl")) {
318 $title = PMA_lang(PMA_lang_name('Servers/1/ssl')) . " ($server_name)";
323 __('You should use SSL connections if your web server supports it.'));
327 // $cfg['Servers'][$i]['extension']
328 // warn about using 'mysql'
330 if ($cf->getValue("Servers/$i/extension") == 'mysql') {
331 $title = PMA_lang(PMA_lang_name('Servers/1/extension')) . " ($server_name)";
334 "Servers/$i/extension",
336 __('You should use mysqli for performance reasons.'));
340 // $cfg['Servers'][$i]['auth_type']
341 // warn about full user credentials if 'auth_type' is 'config'
343 if ($cf->getValue("Servers/$i/auth_type") == 'config'
344 && $cf->getValue("Servers/$i/user") != ''
345 && $cf->getValue("Servers/$i/password") != '') {
346 $title = PMA_lang(PMA_lang_name('Servers/1/auth_type')) . " ($server_name)";
349 "Servers/$i/auth_type",
351 PMA_lang($strServerAuthConfigMsg, $i) . ' ' .
352 PMA_lang($strSecurityInfoMsg, $i));
356 // $cfg['Servers'][$i]['AllowRoot']
357 // $cfg['Servers'][$i]['AllowNoPassword']
358 // serious security flaw
360 if ($cf->getValue("Servers/$i/AllowRoot")
361 && $cf->getValue("Servers/$i/AllowNoPassword")) {
362 $title = PMA_lang(PMA_lang_name('Servers/1/AllowNoPassword')) . " ($server_name)";
365 "Servers/$i/AllowNoPassword",
367 __('You allow for connecting to the server without a password.') . ' ' .
368 PMA_lang($strSecurityInfoMsg, $i));
373 // $cfg['blowfish_secret']
374 // it's required for 'cookie' authentication
376 if ($cookie_auth_used) {
377 if ($blowfish_secret_set) {
378 // 'cookie' auth used, blowfish_secret was generated
381 'blowfish_secret_created',
382 PMA_lang(PMA_lang_name('blowfish_secret')),
383 $strBlowfishSecretMsg);
385 $blowfish_warnings = array();
387 if (strlen($blowfish_secret) < 8) {
389 $blowfish_warnings[] = __('Key is too short, it should have at least 8 characters.');
391 // check used characters
392 $has_digits = (bool) preg_match('/\d/', $blowfish_secret);
393 $has_chars = (bool) preg_match('/\S/', $blowfish_secret);
394 $has_nonword = (bool) preg_match('/\W/', $blowfish_secret);
395 if (!$has_digits ||
!$has_chars ||
!$has_nonword) {
396 $blowfish_warnings[] = PMA_lang(__('Key should contain letters, numbers [em]and[/em] special characters.'));
398 if (!empty($blowfish_warnings)) {
401 'blowfish_warnings' . count($blowfish_warnings),
402 PMA_lang(PMA_lang_name('blowfish_secret')),
403 implode('<br />', $blowfish_warnings));
410 // should be enabled if possible
412 if (!$cf->getValue('ForceSSL')) {
416 PMA_lang(PMA_lang_name('ForceSSL')),
417 PMA_lang($strForceSSLNotice));
421 // $cfg['AllowArbitraryServer']
422 // should be disabled
424 if ($cf->getValue('AllowArbitraryServer')) {
427 'AllowArbitraryServer',
428 PMA_lang(PMA_lang_name('AllowArbitraryServer')),
429 PMA_lang($strAllowArbitraryServerWarning));
433 // $cfg['LoginCookieValidity']
434 // value greater than session.gc_maxlifetime will cause random session invalidation after that time
436 if ($cf->getValue('LoginCookieValidity') > 1440
437 ||
$cf->getValue('LoginCookieValidity') > ini_get('session.gc_maxlifetime')) {
438 $message_type = $cf->getValue('LoginCookieValidity') > ini_get('session.gc_maxlifetime')
443 'LoginCookieValidity',
444 PMA_lang(PMA_lang_name('LoginCookieValidity')),
445 PMA_lang($strLoginCookieValidityWarning));
449 // $cfg['LoginCookieValidity']
450 // should be at most 1800 (30 min)
452 if ($cf->getValue('LoginCookieValidity') > 1800) {
455 'LoginCookieValidity',
456 PMA_lang(PMA_lang_name('LoginCookieValidity')),
457 PMA_lang($strLoginCookieValidityWarning2));
461 // $cfg['LoginCookieValidity']
462 // $cfg['LoginCookieStore']
463 // LoginCookieValidity must be less or equal to LoginCookieStore
465 if ($cf->getValue('LoginCookieStore') != 0 && $cf->getValue('LoginCookieValidity') > $cf->getValue('LoginCookieStore')) {
468 'LoginCookieValidity',
469 PMA_lang(PMA_lang_name('LoginCookieValidity')),
470 PMA_lang($strLoginCookieValidityWarning3));
475 // should not be world-accessible
477 if ($cf->getValue('SaveDir') != '') {
481 PMA_lang(PMA_lang_name('SaveDir')),
482 PMA_lang($strDirectoryNotice));
487 // should not be world-accessible
489 if ($cf->getValue('TempDir') != '') {
493 PMA_lang(PMA_lang_name('TempDir')),
494 PMA_lang($strDirectoryNotice));
499 // requires zlib functions
501 if ($cf->getValue('GZipDump')
502 && (@!function_exists('gzopen') ||
@!function_exists('gzencode'))) {
506 PMA_lang(PMA_lang_name('GZipDump')),
507 PMA_lang($strGZipDumpWarning, 'gzencode'));
512 // requires bzip2 functions
514 if ($cf->getValue('BZipDump')
515 && (!@function_exists
('bzopen') ||
!@function_exists
('bzcompress'))) {
516 $functions = @function_exists
('bzopen')
519 $functions .= @function_exists
('bzcompress')
521 : ($functions ?
', ' : '') . 'bzcompress';
525 PMA_lang(PMA_lang_name('BZipDump')),
526 PMA_lang($strBZipDumpWarning, $functions));
531 // requires zip_open in import
533 if ($cf->getValue('ZipDump') && !@function_exists
('zip_open')) {
537 PMA_lang(PMA_lang_name('ZipDump')),
538 PMA_lang($strZipDumpImportWarning, 'zip_open'));
543 // requires gzcompress in export
545 if ($cf->getValue('ZipDump') && !@function_exists
('gzcompress')) {
549 PMA_lang(PMA_lang_name('ZipDump')),
550 PMA_lang($strZipDumpExportWarning, 'gzcompress'));