Bug 262239 - dev-db/phpmyadmin-3.1.2 silently refuses to log in with blowfish_secret more than 56 symbols
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: High major
Assignee: Gentoo Web Application Packages Maintainers
Reported: 2009-03-12 08:36 UTC by Tim O'Kelly
Modified: 2009-09-27 11:02 UTC

Attachments
sample config file (config.sample.inc.php,2.04 KB, text/plain)
2009-03-12 08:41 UTC, Tim O'Kelly
config with boundary length of 57 symbols, that causes the bug (bug.config.inc.php,1.33 KB, text/plain)
2009-03-12 09:14 UTC, Tim O'Kelly

Description Tim O'Kelly 2009-03-12 08:36:41 UTC
After installing dev-db/phpmyadmin-3.1.2 and setting $cfg['blowfish_secret'] to a string of more than 46 symbols, it silently refuses to log in, independent of login+password. No error messages are displayed. There is no warning comment about it in config.sample.inc.php.

Reproducible: Always

Steps to Reproduce:
1. emerge phpmyadmin
2. cd to phpmyadmin install dir
3. cp config.sample.inc.php config.inc.php
4. set $cfg['blowfish_secret'] to a string of more than 46 symbols
5. try to log in

Actual Results:  
Phpmyadmin just redirects back to login page (index.php) without any error message independent of any login and password.

Expected Results:  
Successfully logging in or getting an error message (depending on good/bad login+password).
Getting an error message explaining what is wrong in the config file (as there already is for syntax errors in config.inc.php).

from http://www.phpmyadmin.net/documentation/Documentation.html

$cfg['blowfish_secret'] string
    The "cookie" auth_type uses blowfish algorithm to encrypt the password.
    If you are using the "cookie" auth_type, enter here a random passphrase of your choice. It will be used internally by the blowfish algorithm: you won’t be prompted for this passphrase. The maximum number of characters for this parameter seems to be 46.
Comment 1 Tim O'Kelly 2009-03-12 08:41:45 UTC
Created attachment 184781 [details]
sample config file

Should have a warning comment like this:

$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
/* NO MORE THAN 46 SYMBOLS OR YOU SILENTLY CANNOT LOG IN !!!!!!!!!! */
Comment 2 Tim O'Kelly 2009-03-12 08:48:39 UTC
Perhaps it would be better behavior not to warn the user about 46 symbols, but simply to fix phpmyadmin to work with blowfish secrets of greater length (for example, Ruby on Rails applications work with secrets of about 128 symbols by default).
Or maybe just take the first 46 symbols and ignore the rest (with a comment, of course).
Comment 3 Tim O'Kelly 2009-03-12 09:11:47 UTC
Sorry for my mistake: I expected the limit to be 46 symbols (as it is specified in the documentation), but actually it is 56 symbols (with 56 symbols it works normally, but with 57 this bug is shown).
Comment 4 Tim O'Kelly 2009-03-12 09:14:23 UTC
Created attachment 184788 [details]
config with boundary length of 57 symbols, that causes the bug
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-27 11:02:31 UTC
This is a problem that is not Gentoo specific. Please report this upstream and have them include the warning in the sample config by default. Thank you!
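
An added example, not part of the original bug thread and not phpMyAdmin code: a pre-deployment check that reads the text of config.inc.php and flags a blowfish_secret past the 56-symbol boundary reported in comment 3. It assumes the limit is counted in bytes (PHP strings are byte strings, and 56 bytes is also Blowfish's 448-bit maximum key size), a UTF-8 config file and a plain quoted literal; `check_blowfish_secret` and `php_literal_bytes` are hypothetical names.

```python
import re

MAX_SECRET_BYTES = 56  # boundary reported in this bug for phpmyadmin-3.1.2

# Matches an uncommented  $cfg['blowfish_secret'] = '...';  (or "..." quoting).
_ASSIGN = re.compile(
    r"""^\s*\$cfg\[\s*(['"])blowfish_secret\1\s*\]\s*=\s*
        (?P<q>['"])(?P<body>(?:\\.|(?!(?P=q)).)*)(?P=q)\s*;""",
    re.VERBOSE | re.MULTILINE,
)


def php_literal_bytes(quote, body):
    """Decode a PHP string literal body to the bytes PHP would store.

    Simplification (assumption): no variable interpolation, and only the
    common double-quote escapes are handled; unknown escapes stay literal.
    """
    if quote == "'":
        simple = {"\\\\": "\\", "\\'": "'"}
    else:
        simple = {"\\\\": "\\", '\\"': '"', "\\$": "$",
                  "\\n": "\n", "\\t": "\t", "\\r": "\r"}
    text = re.sub(r"\\.", lambda m: simple.get(m.group(0), m.group(0)), body)
    return text.encode("utf-8")


def check_blowfish_secret(config_text):
    """Return (status, byte_length) for the last blowfish_secret assignment."""
    matches = list(_ASSIGN.finditer(config_text))
    if not matches:
        return ("missing", 0)
    m = matches[-1]  # a later assignment overrides an earlier one
    n = len(php_literal_bytes(m.group("q"), m.group("body")))
    if n == 0:
        return ("empty", 0)  # cookie auth needs a non-empty secret
    if n > MAX_SECRET_BYTES:
        return ("too_long", n)  # the silent login failure described here
    return ("ok", n)


if __name__ == "__main__":
    # Constructed sample configs, not the attachments from this bug.
    for secret in ("a" * 56, "a" * 57, "é" * 29, ""):
        cfg = "<?php\n$cfg['blowfish_secret'] = '%s';\n" % secret
        print(len(secret), "chars ->", check_blowfish_secret(cfg))
```

The third sample is 29 characters but 58 bytes, so a character count alone would pass a secret that this check rejects.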