setup/lib/index.lib.php

   1 <?php
   2
   3 /**
   4  * Various checks and message functions used on index page.
   5  *
   6  * Security checks are the idea of Aung Khant <aungkhant[at]yehg.net>, http://yehg.net/lab
   7  * Version check taken from the old setup script by Michal Čihař <michal@cihar.com>
   8  *
   9  * @package    phpMyAdmin-setup
  10  * @license    http://www.gnu.org/licenses/gpl.html GNU GPL 2.0
  11  * @version    $Id$
  12  */
  13
  14 if (!defined('PHPMYADMIN')) {
  15     exit;
  16 }
  17
  18 /**
  19  * Load vendor config.
  20  */
  21 require_once('./libraries/vendor_config.php');
  22
  23 /**
  24  * Initializes message list
  25  */
  26 function messages_begin()
  27 {
  28     if (!isset($_SESSION['messages']) || !is_array($_SESSION['messages'])) {
  29         $_SESSION['messages'] = array('error' => array(), 'warning' => array(), 'notice' => array());
  30     } else {
  31         // reset message states
  32         foreach ($_SESSION['messages'] as &$messages) {
  33             foreach ($messages as &$msg) {
  34                 $msg['fresh'] = false;
  35                 $msg['active'] = false;
  36             }
  37         }
  38     }
  39 }
  40
  41 /**
  42  * Adds a new message to message list
  43  *
  44  * @param string $id unique message identifier
  45  * @param string $type one of: notice, warning, error
  46  * @param string $title language string id (in $str array)
  47  * @param string $message message text
  48  */
  49 function messages_set($type, $id, $title, $message)
  50 {
  51     $fresh = !isset($_SESSION['messages'][$type][$id]);
  52     $title = PMA_lang($title);
  53     $_SESSION['messages'][$type][$id] = array(
  54         'fresh' => $fresh,
  55         'active' => true,
  56         'title' => $title,
  57         'message' => $message);
  58 }
  59
  60 /**
  61  * Cleans up message list
  62  */
  63 function messages_end()
  64 {
  65     foreach ($_SESSION['messages'] as &$messages) {
  66         $remove_ids = array();
  67         foreach ($messages as $id => &$msg) {
  68             if ($msg['active'] == false) {
  69                 $remove_ids[] = $id;
  70             }
  71         }
  72         foreach ($remove_ids as $id) {
  73             unset($messages[$id]);
  74         }
  75     }
  76 }
  77
  78 /**
  79  * Prints message list, must be called after messages_end()
  80  */
  81 function messages_show_html()
  82 {
  83     $old_ids = array();
  84     foreach ($_SESSION['messages'] as $type => $messages) {
  85         foreach ($messages as $id => $msg) {
  86             echo '<div class="' . $type . '" id="' . $id . '">' . '<h4>' . $msg['title'] . '</h4>' . $msg['message'] . '</div>';
  87             if (!$msg['fresh'] && $type != 'error') {
  88                 $old_ids[] = $id;
  89             }
  90         }
  91     }
  92
  93     echo "\n" . '<script type="text/javascript">';
  94     foreach ($old_ids as $id) {
  95         echo "\nhiddenMessages.push('$id');";
  96     }
  97     echo "\n</script>\n";
  98 }
  99
 100 /**
 101  * Checks for newest phpMyAdmin version and sets result as a new notice
 102  */
 103 function PMA_version_check()
 104 {
 105     // version check messages should always be visible so let's make
 106     // a unique message id each time we run it
 107     $message_id = uniqid('version_check');
 108     // wait 3s at most for server response, it's enough to get information
 109     // from a working server
 110     $connection_timeout = 3;
 111
 112     $url = 'http://phpmyadmin.net/home_page/version.php';
 113     $context = stream_context_create(array(
 114         'http' => array(
 115             'timeout' => $connection_timeout)));
 116     $data = @file_get_contents($url, null, $context);
 117     if ($data === false) {
 118         if (function_exists('curl_init')) {
 119             $ch = curl_init($url);
 120             curl_setopt($ch, CURLOPT_HEADER, false);
 121             curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 122             curl_setopt($ch, CURLOPT_TIMEOUT, $connection_timeout);
 123             $data = curl_exec($ch);
 124             curl_close($ch);
 125         } else {
 126             messages_set('error', $message_id, 'VersionCheck',
 127                 PMA_lang('VersionCheckWrapperError'));
 128             return;
 129         }
 130     }
 131
 132     if (empty($data)) {
 133         messages_set('error', $message_id, 'VersionCheck',
 134             PMA_lang('VersionCheckDataError'));
 135         return;
 136     }
 137
 138     /* Format: version\ndate\n(download\n)* */
 139     $data_list = explode("\n", $data);
 140
 141     if (count($data_list) > 1) {
 142         $version = $data_list[0];
 143         $date = $data_list[1];
 144     } else {
 145         $version = $date = '';
 146     }
 147
 148     $version_upstream = version_to_int($version);
 149     if ($version_upstream === false) {
 150         messages_set('error', $message_id, 'VersionCheck',
 151             PMA_lang('VersionCheckInvalid'));
 152         return;
 153     }
 154
 155     $version_local = version_to_int($GLOBALS['PMA_Config']->get('PMA_VERSION'));
 156     if ($version_local === false) {
 157         messages_set('error', $message_id, 'VersionCheck',
 158             PMA_lang('VersionCheckUnparsable'));
 159         return;
 160     }
 161
 162     if ($version_upstream > $version_local) {
 163         $version = htmlspecialchars($version);
 164         $date = htmlspecialchars($date);
 165         messages_set('notice', $message_id, 'VersionCheck',
 166             PMA_lang('VersionCheckNewAvailable', $version, $date));
 167     } else {
 168         if ($version_local % 100 == 0) {
 169             messages_set('notice', $message_id, 'VersionCheck',
 170                 PMA_lang('VersionCheckNewAvailableSvn', $version, $date));
 171         } else {
 172             messages_set('notice', $message_id, 'VersionCheck',
 173                 PMA_lang('VersionCheckNone'));
 174         }
 175     }
 176 }
 177
 178 /**
 179  * Calculates numerical equivalent of phpMyAdmin version string
 180  *
 181  * @param string  version
 182  * @return mixed  false on failure, integer on success
 183  */
 184 function version_to_int($version)
 185 {
 186     $matches = array();
 187     if (!preg_match('/^(\d+)\.(\d+)\.(\d+)((\.|-(pl|rc|dev|beta|alpha))(\d+)?)?$/', $version, $matches)) {
 188         return false;
 189     }
 190     if (!empty($matches[6])) {
 191         switch ($matches[6]) {
 192             case 'pl':
 193                 $added = 60;
 194                 break;
 195             case 'rc':
 196                 $added = 30;
 197                 break;
 198             case 'beta':
 199                 $added = 20;
 200                 break;
 201             case 'alpha':
 202                 $added = 10;
 203                 break;
 204             case 'dev':
 205                 $added = 0;
 206                 break;
 207             default:
 208                 messages_set('notice', 'version_match', 'VersionCheck',
 209                     'Unknown version part: ' . htmlspecialchars($matches[6]));
 210                 $added = 0;
 211                 break;
 212         }
 213     } else {
 214         $added = 50; // for final
 215     }
 216     if (!empty($matches[7])) {
 217         $added = $added + $matches[7];
 218     }
 219     return $matches[1] * 1000000 + $matches[2] * 10000 + $matches[3] * 100 + $added;
 220 }
 221
 222 /**
 223  * Checks whether config file is readable/writable
 224  *
 225  * @param bool &$is_readable
 226  * @param bool &$is_writable
 227  * @param bool &$file_exists
 228  */
 229 function check_config_rw(&$is_readable, &$is_writable, &$file_exists)
 230 {
 231     $file_path = ConfigFile::getInstance()->getFilePath();
 232     $file_dir = dirname($file_path);
 233     $is_readable = true;
 234     $is_writable = is_dir($file_dir);
 235     if (SETUP_DIR_WRITABLE) {
 236         $is_writable = $is_writable && is_writable($file_dir);
 237     }
 238     $file_exists = file_exists($file_path);
 239     if ($file_exists) {
 240         $is_readable = is_readable($file_path);
 241         $is_writable = $is_writable && is_writable($file_path);
 242     }
 243 }
 244
 245 /**
 246  * Performs various compatibility, security and consistency checks on current config
 247  *
 248  * Outputs results to message list, must be called between messages_begin()
 249  * and messages_end()
 250  */
 251 function perform_config_checks()
 252 {
 253     $cf = ConfigFile::getInstance();
 254     $blowfish_secret = $cf->get('blowfish_secret');
 255     $blowfish_secret_set = false;
 256     $cookie_auth_used = false;
 257     for ($i = 1, $server_cnt = $cf->getServerCount(); $i <= $server_cnt; $i++) {
 258         $cookie_auth_server = ($cf->getValue("Servers/$i/auth_type") == 'cookie');
 259         $cookie_auth_used |= $cookie_auth_server;
 260         $server_name = $cf->getServerName($i);
 261         if ($server_name == 'localhost') {
 262             $server_name .=  " [$i]";
 263         }
 264
 265         if ($cookie_auth_server && $blowfish_secret === null) {
 266             $blowfish_secret = uniqid('', true);
 267             $blowfish_secret_set = true;
 268             $cf->set('blowfish_secret', $blowfish_secret);
 269         }
 270
 271         //
 272         // $cfg['Servers'][$i]['ssl']
 273         // should be enabled if possible
 274         //
 275         if (!$cf->getValue("Servers/$i/ssl")) {
 276             $title = PMA_lang_name('Servers/1/ssl') . " ($server_name)";
 277             messages_set('notice', "Servers/$i/ssl", $title,
 278                 PMA_lang('ServerSslMsg'));
 279         }
 280
 281         //
 282         // $cfg['Servers'][$i]['extension']
 283         // warn about using 'mysql'
 284         //
 285         if ($cf->getValue("Servers/$i/extension") == 'mysql') {
 286             $title = PMA_lang_name('Servers/1/extension') . " ($server_name)";
 287             messages_set('notice', "Servers/$i/extension", $title,
 288                 PMA_lang('ServerExtensionMsg'));
 289         }
 290
 291         //
 292         // $cfg['Servers'][$i]['auth_type']
 293         // warn about full user credentials if 'auth_type' is 'config'
 294         //
 295         if ($cf->getValue("Servers/$i/auth_type") == 'config'
 296             && $cf->getValue("Servers/$i/user") != ''
 297             && $cf->getValue("Servers/$i/password") != '') {
 298             $title = PMA_lang_name('Servers/1/auth_type') . " ($server_name)";
 299             messages_set('warning', "Servers/$i/auth_type", $title,
 300                 PMA_lang('ServerAuthConfigMsg', $i) . ' ' .
 301                 PMA_lang('ServerSecurityInfoMsg', $i));
 302         }
 303
 304         //
 305         // $cfg['Servers'][$i]['AllowRoot']
 306         // $cfg['Servers'][$i]['AllowNoPassword']
 307         // serious security flaw
 308         //
 309         if ($cf->getValue("Servers/$i/AllowRoot")
 310             && $cf->getValue("Servers/$i/AllowNoPassword")) {
 311             $title = PMA_lang_name('Servers/1/AllowNoPassword') . " ($server_name)";
 312             messages_set('warning', "Servers/$i/AllowNoPassword", $title,
 313                 PMA_lang('ServerNoPasswordMsg') . ' ' .
 314                 PMA_lang('ServerSecurityInfoMsg', $i));
 315         }
 316     }
 317
 318     //
 319     // $cfg['blowfish_secret']
 320     // it's required for 'cookie' authentication
 321     //
 322     if ($cookie_auth_used) {
 323         if ($blowfish_secret_set) {
 324             // 'cookie' auth used, blowfish_secret was generated
 325             messages_set('notice', 'blowfish_secret_created', 'blowfish_secret_name',
 326                  PMA_lang('BlowfishSecretMsg'));
 327         } else {
 328             $blowfish_warnings = array();
 329             // check length
 330             if (strlen($blowfish_secret) < 8) {
 331                 // too short key
 332                 $blowfish_warnings[] = PMA_lang('BlowfishSecretLengthMsg');
 333             }
 334             // check used characters
 335             $has_digits = (bool) preg_match('/\d/', $blowfish_secret);
 336             $has_chars = (bool) preg_match('/\S/', $blowfish_secret);
 337             $has_nonword = (bool) preg_match('/\W/', $blowfish_secret);
 338             if (!$has_digits || !$has_chars || !$has_nonword) {
 339                 $blowfish_warnings[] = PMA_lang('BlowfishSecretCharsMsg');
 340             }
 341             if (!empty($blowfish_warnings)) {
 342                 messages_set('warning', 'blowfish_warnings' . count($blowfish_warnings),
 343                     'blowfish_secret_name', implode("<br />", $blowfish_warnings));
 344             }
 345         }
 346     }
 347
 348     //
 349     // $cfg['ForceSSL']
 350     // should be enabled if possible
 351     //
 352     if (!$cf->getValue('ForceSSL')) {
 353         messages_set('notice', 'ForceSSL', 'ForceSSL_name',
 354             PMA_lang('ForceSSLMsg'));
 355     }
 356
 357     //
 358     // $cfg['AllowArbitraryServer']
 359     // should be disabled
 360     //
 361     if ($cf->getValue('AllowArbitraryServer')) {
 362         messages_set('warning', 'AllowArbitraryServer', 'AllowArbitraryServer_name',
 363             PMA_lang('AllowArbitraryServerMsg'));
 364     }
 365
 366     //
 367     // $cfg['LoginCookieValidity']
 368     // should be at most 1800 (30 min)
 369     //
 370     if ($cf->getValue('LoginCookieValidity') > 1800) {
 371         messages_set('warning', 'LoginCookieValidity', 'LoginCookieValidity_name',
 372             PMA_lang('LoginCookieValidityMsg'));
 373     }
 374
 375     //
 376     // $cfg['SaveDir']
 377     // should not be world-accessible
 378     //
 379     if ($cf->getValue('SaveDir') != '') {
 380         messages_set('notice', 'SaveDir', 'SaveDir_name',
 381             PMA_lang('DirectoryNotice'));
 382     }
 383
 384     //
 385     // $cfg['TempDir']
 386     // should not be world-accessible
 387     //
 388     if ($cf->getValue('TempDir') != '') {
 389         messages_set('notice', 'TempDir', 'TempDir_name',
 390             PMA_lang('DirectoryNotice'));
 391     }
 392
 393     //
 394     // $cfg['GZipDump']
 395     // requires zlib functions
 396     //
 397     if ($cf->getValue('GZipDump')
 398         && (@!function_exists('gzopen') || @!function_exists('gzencode'))) {
 399         messages_set('warning', 'GZipDump', 'GZipDump_name',
 400             PMA_lang('GZipDumpWarning', 'gzencode'));
 401     }
 402
 403     //
 404     // $cfg['BZipDump']
 405     // requires bzip2 functions
 406     //
 407     if ($cf->getValue('BZipDump')
 408         && (!@function_exists('bzopen') || !@function_exists('bzcompress'))) {
 409         $functions = @function_exists('bzopen')
 410             ? '' :
 411             'bzopen';
 412         $functions .= @function_exists('bzcompress')
 413             ? ''
 414             : ($functions ? ', ' : '') . 'bzcompress';
 415         messages_set('warning', 'BZipDump', 'BZipDump_name',
 416             PMA_lang('BZipDumpWarning', $functions));
 417     }
 418
 419     //
 420     // $cfg['ZipDump']
 421     // requires zip_open in import
 422     //
 423     if ($cf->getValue('ZipDump') && !@function_exists('zip_open')) {
 424         messages_set('warning', 'ZipDump_import', 'ZipDump_name',
 425             PMA_lang('ZipDumpImportWarning', 'zip_open'));
 426     }
 427
 428     //
 429     // $cfg['ZipDump']
 430     // requires gzcompress in export
 431     //
 432     if ($cf->getValue('ZipDump') && !@function_exists('gzcompress')) {
 433         messages_set('warning', 'ZipDump_export', 'ZipDump_name',
 434             PMA_lang('ZipDumpExportWarning', 'gzcompress'));
 435     }
 436 }
 437 ?>