Fix phpMyAdmin SSO login and harden SSO/security posture
phpMyAdmin login was broken because phpmyadmin_install.sh never wired the private phpMyAdmin copy into the web server: no Apache Alias was registered via DirectAdmin CustomBuild, so the SSO redirect target was unreachable. Add configure_apache_alias()/apply_apache_alias() (Alias + Directory blocks, ./build rewrite_confs, httpd reload), detect the real Apache group instead of hardcoding diradmin:diradmin, stop silently swallowing chown/chmod failures, and verify an optional SHA256 for the downloaded phpMyAdmin tarball. Extend phpmyadmin_health_check.sh to detect a missing/incorrect Apache alias and to probe HTTP reachability. Security hardening: scope temporary phpMyAdmin SSO MySQL roles to 127.0.0.1 instead of '%', tighten SSO ticket file permissions to 0640 (they contain a plaintext MySQL password), and log MySQL connection failures for diagnosis instead of swallowing them silently. Bump version to 1.2.12 and rebuild the release archive.
This commit is contained in:
@@ -0,0 +1,62 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
$pluginDir = dirname(__DIR__);
|
||||
require_once $pluginDir . '/exec/lib/Settings.php';
|
||||
require_once $pluginDir . '/exec/lib/MySQLService.php';
|
||||
|
||||
function fail(string $message): void
|
||||
{
|
||||
fwrite(STDERR, "FAIL: {$message}\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
function assert_true(bool $condition, string $message): void
|
||||
{
|
||||
if (!$condition) {
|
||||
fail($message);
|
||||
}
|
||||
}
|
||||
|
||||
$logPath = tempnam(sys_get_temp_dir(), 'altmysql-error-log-');
|
||||
if ($logPath === false) {
|
||||
fail('cannot create temp log file');
|
||||
}
|
||||
ini_set('log_errors', '1');
|
||||
ini_set('error_log', $logPath);
|
||||
|
||||
$settingsPath = tempnam(sys_get_temp_dir(), 'altmysql-settings-');
|
||||
file_put_contents($settingsPath, '');
|
||||
$settings = Settings::load($settingsPath);
|
||||
unlink($settingsPath);
|
||||
|
||||
$mysql = new MySQLService([
|
||||
'host' => '127.0.0.1',
|
||||
'port' => 1,
|
||||
'database' => 'mysql',
|
||||
'user' => 'nobody',
|
||||
'password' => 'nopassword',
|
||||
'socket' => '',
|
||||
], $settings);
|
||||
|
||||
$threw = false;
|
||||
try {
|
||||
$mysql->serverVersion();
|
||||
} catch (Throwable $e) {
|
||||
$threw = true;
|
||||
}
|
||||
assert_true($threw, 'connecting to a closed port must still raise an exception');
|
||||
|
||||
$logContents = (string)file_get_contents($logPath);
|
||||
assert_true(
|
||||
str_contains($logContents, 'MYSQL_CONNECT_FAIL'),
|
||||
'a failed MySQL connection must be logged for diagnosis (expected MYSQL_CONNECT_FAIL marker in error log, got: ' . $logContents . ')'
|
||||
);
|
||||
assert_true(
|
||||
str_contains($logContents, '127.0.0.1'),
|
||||
'the connect-failure log line must include the target host for diagnosis'
|
||||
);
|
||||
|
||||
unlink($logPath);
|
||||
|
||||
echo "mysql_connect_failure_test: OK\n";
|
||||
Reference in New Issue
Block a user