[adminer-svn] SF.net SVN: adminer:[1421] branches/sqlite
From: <jak...@us...> - 2010-04-12 11:42:40
Revision: 1421
http://adminer.svn.sourceforge.net/adminer/?rev=1421&view=rev
Author: jakubvrana
Date: 2010-04-12 11:42:31 +0000 (Mon, 12 Apr 2010)
Log Message:
-----------
Token initialization
Modified Paths:
--------------
branches/sqlite/adminer/include/adminer.inc.php
branches/sqlite/adminer/include/auth.inc.php
branches/sqlite/adminer/include/bootstrap.inc.php
branches/sqlite/editor/include/adminer.inc.php
Modified: branches/sqlite/adminer/include/adminer.inc.php
===================================================================
--- branches/sqlite/adminer/include/adminer.inc.php 2010-04-12 11:22:40 UTC (rev 1420)
+++ branches/sqlite/adminer/include/adminer.inc.php 2010-04-12 11:42:31 UTC (rev 1421)
@@ -488,7 +488,7 @@
 * @return null
 */
 function navigation($missing) {
- global $VERSION, $connection;
+ global $VERSION, $connection, $token;
 ?>
 <h1>
 <a href="http://www.adminer.org/" id="h1"><?php echo $this->name(); ?></a>
@@ -503,7 +503,7 @@
 <p class="logout">
 <a href="<?php echo h(ME); ?>sql="><?php echo bold(lang('SQL command'), isset($_GET["sql"])); ?></a>
 <a href="<?php echo h(ME); ?>dump=<?php echo urlencode(isset($_GET["table"]) ? $_GET["table"] : $_GET["select"]); ?>"><?php echo bold(lang('Dump'), isset($_GET["dump"])); ?></a>
-<input type="hidden" name="token" value="<?php echo $_SESSION["token"]; ?>">
+<input type="hidden" name="token" value="<?php echo $token; ?>">
 <input type="submit" name="logout" value="<?php echo lang('Logout'); ?>">
 </p>
 </form>
Modified: branches/sqlite/adminer/include/auth.inc.php
===================================================================
--- branches/sqlite/adminer/include/auth.inc.php 2010-04-12 11:22:40 UTC (rev 1420)
+++ branches/sqlite/adminer/include/auth.inc.php 2010-04-12 11:42:31 UTC (rev 1421)
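Review bot: The new hidden-field line in the @@ -503 hunk writes `$token` into an HTML attribute without the `h()` escaping that every other value emitted in this block gets (`h(ME)` two lines above), and the same unescaped echo is added to editor/include/adminer.inc.php in its @@ -455 hunk. Today the value is an integer produced by `rand()` in auth.inc.php, so nothing can break out of the attribute, but navigation() does not enforce that, and a session-held secret is exactly the kind of value that should be escaped on output as a matter of course. Proposed in both files: `<input type="hidden" name="token" value="<?php echo h($token); ?>">`. navigation() continues past the end of this hunk.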
@@ -8,6 +8,10 @@
 }
 $_GET["server"] = $_GET[$_GET["driver"]]; // translate pgsql=localhost to driver=pgsql&server=localhost
+$token = $_SESSION["token"];
+if (!$_SESSION["token"]) {
+ $_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
+}
 if (isset($_POST["server"])) {
 session_regenerate_id(); // defense against session fixation
@@ -29,7 +33,6 @@
 redirect($location);
 }
 } elseif ($_POST["logout"]) {
- $token = $_SESSION["token"];
 if ($token && $_POST["token"] != $token) {
 page_header(lang('Logout'), lang('Invalid CSRF token. Send the form again.'));
 page_footer("db");
@@ -50,13 +53,13 @@
 }
 function auth_error($exception = null) {
- global $connection, $adminer;
+ global $connection, $adminer, $token;
 $session_name = session_name();
 $error = "";
 if (!$_COOKIE[$session_name] && $_GET[$session_name] && ini_get("session.use_only_cookies")) {
 $error = lang('Session support must be enabled.');
 } elseif (isset($_GET["username"])) {
- if (($_COOKIE[$session_name] || $_GET[$session_name]) && !isset($_SESSION["token"])) {
+ if (($_COOKIE[$session_name] || $_GET[$session_name]) && !$token) {
 $error = lang('Session expired, please login again.');
 } else {
 $password = get_session("passwords");
@@ -64,9 +67,6 @@
 $error = h($exception ? $exception->getMessage() : (is_string($connection) ? $connection : lang('Invalid credentials.')));
 }
 }
- if (!$_SESSION["token"]) { // checked for existence of session
- $_SESSION["token"] = rand(1, 1e6);
- }
 }
 page_header(lang('Login'), $error, null);
 echo "<form action='' method='post'>\n";
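Review bot: The CSRF token minted on the new line `$_SESSION["token"] = rand(1, 1e6);` comes from a non-cryptographic PRNG with only about 20 bits of range, which is a weak secret for the check that guards every POST; the removed lines in the @@ -64 and @@ -86 hunks had the same call, so this is pre-existing, but the commit now makes this the single place to fix it. On PHP 7+ `$_SESSION["token"] = bin2hex(random_bytes(16));` gives an unpredictable token (on older releases `openssl_random_pseudo_bytes` is the available option), and a string token then wants a strict `!==`/`===` where it is compared instead of the loose `!=` on the context line of the @@ -29 hunk. Separately, the new `$token = $_SESSION["token"];` is deliberately read before the regeneration below it, which is what keeps auth_error()'s new `!$token` test (@@ -50 hunk) meaning "no token existed when this request started"; that ordering is easy to break on a later edit and deserves a comment such as `// read before regeneration: auth_error() uses the pre-request value to detect an expired session`.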
@@ -86,13 +86,10 @@
 exit;
 }
-if (!$_SESSION["token"]) {
- $_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
-}
+$token = $_SESSION["token"]; ///< @var string CSRF protection
 if (isset($_POST["server"]) && $_POST["token"]) {
- $_POST["token"] = $_SESSION["token"]; // reset token after explicit login
+ $_POST["token"] = $token; // reset token after explicit login
 }
-$token = $_SESSION["token"]; ///< @var string CSRF protection
 $error = ($_POST ///< @var string
 ? ($_POST["token"] == $token ? "" : lang('Invalid CSRF token. Send the form again.'))
 : ($_SERVER["REQUEST_METHOD"] != "POST" ? "" : lang('Too big POST data. Reduce the data or increase the %s configuration directive.', '"post_max_size"')) // posted form with no data means that post_max_size exceeded because Adminer always sends token at least
Modified: branches/sqlite/adminer/include/bootstrap.inc.php
===================================================================
--- branches/sqlite/adminer/include/bootstrap.inc.php 2010-04-12 11:22:40 UTC (rev 1420)
+++ branches/sqlite/adminer/include/bootstrap.inc.php 2010-04-12 11:42:31 UTC (rev 1421)
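Review bot: The annotation on the new line `$token = $_SESSION["token"]; ///< @var string CSRF protection` does not match what the @@ -8 hunk stores, which is an int from `rand()`, and the comparison two lines below (`$_POST["token"] == $token`, a context line) relies on loose `==` to paper over the string/int mismatch. Loose comparison of numeric strings is lenient (`'1e3' == '1000'` is true), so a CSRF check should not depend on it; making the type explicit fixes both: `$token = (string) $_SESSION["token"]; ///< @var string CSRF protection` together with `$_POST["token"] === $token` here and `!==` in the logout branch of the @@ -29 hunk. The `@var string` claim then actually holds.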
@@ -76,7 +76,12 @@
 @set_time_limit(0); // @ - can be disabled
 define("DB", $_GET["db"]); // for the sake of speed and size
-define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . '?' . (SID && !ini_get("session.use_only_cookies") ? SID . '&' : '') . (isset($_GET["server"]) ? urlencode($_GET["driver"]) . "=" . urlencode($_GET["server"]) . '&' : '') . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '') . (DB != "" ? 'db=' . urlencode(DB) . '&' : ''));
+define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . '?'
+ . (SID && !$_COOKIE ? SID . '&' : '') // !$_COOKIE - don't pass SID with permanent login
+ . (isset($_GET["server"]) ? urlencode($_GET["driver"]) . "=" . urlencode($_GET["server"]) . '&' : '')
+ . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
+ . (DB != "" ? 'db=' . urlencode(DB) . '&' : '')
+);
 include "../adminer/include/functions.inc.php";
 include "../adminer/include/lang.inc.php";
Modified: branches/sqlite/editor/include/adminer.inc.php
===================================================================
--- branches/sqlite/editor/include/adminer.inc.php 2010-04-12 11:22:40 UTC (rev 1420)
+++ branches/sqlite/editor/include/adminer.inc.php 2010-04-12 11:42:31 UTC (rev 1421)
@@ -443,7 +443,7 @@
 }
 function navigation($missing) {
- global $VERSION;
+ global $VERSION, $token;
 ?>
 <h1>
 <a href="http://www.adminer.org/" id="h1"><?php echo $this->name(); ?></a>
@@ -455,7 +455,7 @@
 ?>
 <form action="" method="post">
 <p class="logout">
-<input type="hidden" name="token" value="<?php echo $_SESSION["token"]; ?>">
+<input type="hidden" name="token" value="<?php echo $token; ?>">
 <input type="submit" name="logout" value="<?php echo lang('Logout'); ?>">
 </p>
 </form>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
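Review bot: The new SID condition `. (SID && !$_COOKIE ? SID . '&' : '')` in the bootstrap hunk drops the `!ini_get("session.use_only_cookies")` guard that the removed line had, so on a first, cookieless request the session id is now embedded in every ME link even where PHP is configured to ignore URL-supplied session ids; as far as I can tell SID is still non-empty in that configuration, so the id ends up in Referer headers and access logs without enabling anything. Keeping both tests preserves the "permanent login" intent of the inline comment while restoring the guard: `. (SID && !$_COOKIE && !ini_get("session.use_only_cookies") ? SID . '&' : '') // !$_COOKIE - don't pass SID with permanent login`. The define() is complete within the hunk.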