Server : Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 System : Windows NT USER-PC 6.1 build 7601 (Windows 7 Professional Edition Service Pack 1) AMD64 User : User ( 0) PHP Version : 7.4.6 Disable Function : NONE Directory : C:/xampp/phpMyAdmin/libraries/classes/Config/ |
<?php /* vim: set expandtab sw=4 ts=4 sts=4: */ /** * Server config checks management * * @package PhpMyAdmin */ declare(strict_types=1); namespace PhpMyAdmin\Config; use PhpMyAdmin\Config\ConfigFile; use PhpMyAdmin\Config\Descriptions; use PhpMyAdmin\Core; use PhpMyAdmin\Sanitize; use PhpMyAdmin\Setup\Index as SetupIndex; use PhpMyAdmin\Url; use PhpMyAdmin\Util; /** * Performs various compatibility, security and consistency checks on current config * * Outputs results to message list, must be called between SetupIndex::messagesBegin() * and SetupIndex::messagesEnd() * * @package PhpMyAdmin */ class ServerConfigChecks { /** * @var ConfigFile configurations being checked */ protected $cfg; /** * Constructor. * * @param ConfigFile $cfg Configuration */ public function __construct(ConfigFile $cfg) { $this->cfg = $cfg; } /** * Perform config checks * * @return void */ public function performConfigChecks() { $blowfishSecret = $this->cfg->get('blowfish_secret'); $blowfishSecretSet = false; $cookieAuthUsed = false; list($cookieAuthUsed, $blowfishSecret, $blowfishSecretSet) = $this->performConfigChecksServers( $cookieAuthUsed, $blowfishSecret, $blowfishSecretSet ); $this->performConfigChecksCookieAuthUsed( $cookieAuthUsed, $blowfishSecretSet, $blowfishSecret ); // // $cfg['AllowArbitraryServer'] // should be disabled // if ($this->cfg->getValue('AllowArbitraryServer')) { $sAllowArbitraryServerWarn = sprintf( __( 'This %soption%s should be disabled as it allows attackers to ' . 'bruteforce login to any MySQL server. If you feel this is necessary, ' . 'use %srestrict login to MySQL server%s or %strusted proxies list%s. ' . 'However, IP-based protection with trusted proxies list may not be ' . 'reliable if your IP belongs to an ISP where thousands of users, ' . 'including you, are connected to.' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]', '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]', '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]' ); SetupIndex::messagesSet( 'notice', 'AllowArbitraryServer', Descriptions::get('AllowArbitraryServer'), Sanitize::sanitizeMessage($sAllowArbitraryServerWarn) ); } $this->performConfigChecksLoginCookie(); $sDirectoryNotice = __( 'This value should be double checked to ensure that this directory is ' . 'neither world accessible nor readable or writable by other users on ' . 'your server.' ); // // $cfg['SaveDir'] // should not be world-accessible // if ($this->cfg->getValue('SaveDir') != '') { SetupIndex::messagesSet( 'notice', 'SaveDir', Descriptions::get('SaveDir'), Sanitize::sanitizeMessage($sDirectoryNotice) ); } // // $cfg['TempDir'] // should not be world-accessible // if ($this->cfg->getValue('TempDir') != '') { SetupIndex::messagesSet( 'notice', 'TempDir', Descriptions::get('TempDir'), Sanitize::sanitizeMessage($sDirectoryNotice) ); } $this->performConfigChecksZips(); } /** * Check config of servers * * @param boolean $cookieAuthUsed Cookie auth is used * @param string $blowfishSecret Blowfish secret * @param boolean $blowfishSecretSet Blowfish secret set * * @return array */ protected function performConfigChecksServers( $cookieAuthUsed, $blowfishSecret, $blowfishSecretSet ) { $serverCnt = $this->cfg->getServerCount(); for ($i = 1; $i <= $serverCnt; $i++) { $cookieAuthServer = ($this->cfg->getValue("Servers/$i/auth_type") == 'cookie'); $cookieAuthUsed |= $cookieAuthServer; $serverName = $this->performConfigChecksServersGetServerName( $this->cfg->getServerName($i), $i ); $serverName = htmlspecialchars($serverName); list($blowfishSecret, $blowfishSecretSet) = $this->performConfigChecksServersSetBlowfishSecret( $blowfishSecret, $cookieAuthServer, $blowfishSecretSet ); // // $cfg['Servers'][$i]['ssl'] // should be enabled if possible // if (! $this->cfg->getValue("Servers/$i/ssl")) { $title = Descriptions::get('Servers/1/ssl') . " ($serverName)"; SetupIndex::messagesSet( 'notice', "Servers/$i/ssl", $title, __( 'You should use SSL connections if your database server ' . 'supports it.' ) ); } $sSecurityInfoMsg = Sanitize::sanitizeMessage(sprintf( __( 'If you feel this is necessary, use additional protection settings - ' . '%1$shost authentication%2$s settings and %3$strusted proxies list%4%s. ' . 'However, IP-based protection may not be reliable if your IP belongs ' . 'to an ISP where thousands of users, including you, are connected to.' ), '[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server_config]', '[/a]', '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]' )); // // $cfg['Servers'][$i]['auth_type'] // warn about full user credentials if 'auth_type' is 'config' // if ($this->cfg->getValue("Servers/$i/auth_type") == 'config' && $this->cfg->getValue("Servers/$i/user") != '' && $this->cfg->getValue("Servers/$i/password") != '' ) { $title = Descriptions::get('Servers/1/auth_type') . " ($serverName)"; SetupIndex::messagesSet( 'notice', "Servers/$i/auth_type", $title, Sanitize::sanitizeMessage(sprintf( __( 'You set the [kbd]config[/kbd] authentication type and included ' . 'username and password for auto-login, which is not a desirable ' . 'option for live hosts. Anyone who knows or guesses your phpMyAdmin ' . 'URL can directly access your phpMyAdmin panel. Set %1$sauthentication ' . 'type%2$s to [kbd]cookie[/kbd] or [kbd]http[/kbd].' ), '[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server]', '[/a]' )) . ' ' . $sSecurityInfoMsg ); } // // $cfg['Servers'][$i]['AllowRoot'] // $cfg['Servers'][$i]['AllowNoPassword'] // serious security flaw // if ($this->cfg->getValue("Servers/$i/AllowRoot") && $this->cfg->getValue("Servers/$i/AllowNoPassword") ) { $title = Descriptions::get('Servers/1/AllowNoPassword') . " ($serverName)"; SetupIndex::messagesSet( 'notice', "Servers/$i/AllowNoPassword", $title, __('You allow for connecting to the server without a password.') . ' ' . $sSecurityInfoMsg ); } } return [ $cookieAuthUsed, $blowfishSecret, $blowfishSecretSet, ]; } /** * Set blowfish secret * * @param string $blowfishSecret Blowfish secret * @param boolean $cookieAuthServer Cookie auth is used * @param boolean $blowfishSecretSet Blowfish secret set * * @return array */ protected function performConfigChecksServersSetBlowfishSecret( $blowfishSecret, $cookieAuthServer, $blowfishSecretSet ) { if ($cookieAuthServer && $blowfishSecret === null) { $blowfishSecretSet = true; $this->cfg->set('blowfish_secret', Util::generateRandom(32)); } return [ $blowfishSecret, $blowfishSecretSet, ]; } /** * Define server name * * @param string $serverName Server name * @param int $serverId Server id * * @return string Server name */ protected function performConfigChecksServersGetServerName( $serverName, $serverId ) { if ($serverName == 'localhost') { $serverName .= " [$serverId]"; return $serverName; } return $serverName; } /** * Perform config checks for zip part. * * @return void */ protected function performConfigChecksZips() { $this->performConfigChecksServerGZipdump(); $this->performConfigChecksServerBZipdump(); $this->performConfigChecksServersZipdump(); } /** * Perform config checks for zip part. * * @return void */ protected function performConfigChecksServersZipdump() { // // $cfg['ZipDump'] // requires zip_open in import // if ($this->cfg->getValue('ZipDump') && ! $this->functionExists('zip_open')) { SetupIndex::messagesSet( 'error', 'ZipDump_import', Descriptions::get('ZipDump'), Sanitize::sanitizeMessage(sprintf( __( '%sZip decompression%s requires functions (%s) which are unavailable ' . 'on this system.' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]', '[/a]', 'zip_open' )) ); } // // $cfg['ZipDump'] // requires gzcompress in export // if ($this->cfg->getValue('ZipDump') && ! $this->functionExists('gzcompress')) { SetupIndex::messagesSet( 'error', 'ZipDump_export', Descriptions::get('ZipDump'), Sanitize::sanitizeMessage(sprintf( __( '%sZip compression%s requires functions (%s) which are unavailable on ' . 'this system.' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]', '[/a]', 'gzcompress' )) ); } } /** * Check config of servers * * @param boolean $cookieAuthUsed Cookie auth is used * @param boolean $blowfishSecretSet Blowfish secret set * @param string $blowfishSecret Blowfish secret * * @return void */ protected function performConfigChecksCookieAuthUsed( $cookieAuthUsed, $blowfishSecretSet, $blowfishSecret ) { // // $cfg['blowfish_secret'] // it's required for 'cookie' authentication // if ($cookieAuthUsed) { if ($blowfishSecretSet) { // 'cookie' auth used, blowfish_secret was generated SetupIndex::messagesSet( 'notice', 'blowfish_secret_created', Descriptions::get('blowfish_secret'), Sanitize::sanitizeMessage(__( 'You didn\'t have blowfish secret set and have enabled ' . '[kbd]cookie[/kbd] authentication, so a key was automatically ' . 'generated for you. It is used to encrypt cookies; you don\'t need to ' . 'remember it.' )) ); } else { $blowfishWarnings = []; // check length if (strlen($blowfishSecret) < 32) { // too short key $blowfishWarnings[] = __( 'Key is too short, it should have at least 32 characters.' ); } // check used characters $hasDigits = (bool) preg_match('/\d/', $blowfishSecret); $hasChars = (bool) preg_match('/\S/', $blowfishSecret); $hasNonword = (bool) preg_match('/\W/', $blowfishSecret); if (! $hasDigits || ! $hasChars || ! $hasNonword) { $blowfishWarnings[] = Sanitize::sanitizeMessage( __( 'Key should contain letters, numbers [em]and[/em] ' . 'special characters.' ) ); } if (! empty($blowfishWarnings)) { SetupIndex::messagesSet( 'error', 'blowfish_warnings' . count($blowfishWarnings), Descriptions::get('blowfish_secret'), implode('<br>', $blowfishWarnings) ); } } } } /** * Check configuration for login cookie * * @return void */ protected function performConfigChecksLoginCookie() { // // $cfg['LoginCookieValidity'] // value greater than session.gc_maxlifetime will cause // random session invalidation after that time $loginCookieValidity = $this->cfg->getValue('LoginCookieValidity'); if ($loginCookieValidity > ini_get('session.gc_maxlifetime') ) { SetupIndex::messagesSet( 'error', 'LoginCookieValidity', Descriptions::get('LoginCookieValidity'), Sanitize::sanitizeMessage(sprintf( __( '%1$sLogin cookie validity%2$s greater than %3$ssession.gc_maxlifetime%4$s may ' . 'cause random session invalidation (currently session.gc_maxlifetime ' . 'is %5$d).' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]', '[a@' . Core::getPHPDocLink('session.configuration.php#ini.session.gc-maxlifetime') . ']', '[/a]', ini_get('session.gc_maxlifetime') )) ); } // // $cfg['LoginCookieValidity'] // should be at most 1800 (30 min) // if ($loginCookieValidity > 1800) { SetupIndex::messagesSet( 'notice', 'LoginCookieValidity', Descriptions::get('LoginCookieValidity'), Sanitize::sanitizeMessage(sprintf( __( '%sLogin cookie validity%s should be set to 1800 seconds (30 minutes) ' . 'at most. Values larger than 1800 may pose a security risk such as ' . 'impersonation.' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]' )) ); } // // $cfg['LoginCookieValidity'] // $cfg['LoginCookieStore'] // LoginCookieValidity must be less or equal to LoginCookieStore // if (($this->cfg->getValue('LoginCookieStore') != 0) && ($loginCookieValidity > $this->cfg->getValue('LoginCookieStore')) ) { SetupIndex::messagesSet( 'error', 'LoginCookieValidity', Descriptions::get('LoginCookieValidity'), Sanitize::sanitizeMessage(sprintf( __( 'If using [kbd]cookie[/kbd] authentication and %sLogin cookie store%s ' . 'is not 0, %sLogin cookie validity%s must be set to a value less or ' . 'equal to it.' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]', '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]', '[/a]' )) ); } } /** * Check GZipDump configuration * * @return void */ protected function performConfigChecksServerBZipdump() { // // $cfg['BZipDump'] // requires bzip2 functions // if ($this->cfg->getValue('BZipDump') && (! $this->functionExists('bzopen') || ! $this->functionExists('bzcompress')) ) { $functions = $this->functionExists('bzopen') ? '' : 'bzopen'; $functions .= $this->functionExists('bzcompress') ? '' : ($functions ? ', ' : '') . 'bzcompress'; SetupIndex::messagesSet( 'error', 'BZipDump', Descriptions::get('BZipDump'), Sanitize::sanitizeMessage( sprintf( __( '%1$sBzip2 compression and decompression%2$s requires functions (%3$s) which ' . 'are unavailable on this system.' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]', '[/a]', $functions ) ) ); } } /** * Check GZipDump configuration * * @return void */ protected function performConfigChecksServerGZipdump() { // // $cfg['GZipDump'] // requires zlib functions // if ($this->cfg->getValue('GZipDump') && (! $this->functionExists('gzopen') || ! $this->functionExists('gzencode')) ) { SetupIndex::messagesSet( 'error', 'GZipDump', Descriptions::get('GZipDump'), Sanitize::sanitizeMessage(sprintf( __( '%1$sGZip compression and decompression%2$s requires functions (%3$s) which ' . 'are unavailable on this system.' ), '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]', '[/a]', 'gzencode' )) ); } } /** * Wrapper around function_exists to allow mock in test * * @param string $name Function name * * @return boolean */ protected function functionExists($name) { return function_exists($name); } }