Add check for mysql-plugin validate_password to allow passwords as hashes (Fixes #4777)

83957eb8 · Florian Schaal · 70182c0b · 83957eb8 · 83957eb8 · 83957eb8
Commit 83957eb8 authored Sep 06, 2017 by Florian Schaal
3 changed files
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -234,6 +234,15 @@ class installer_base {
 			die();
 		}

+		$unwanted_sql_plugins = array('validate_password');
+		$temp = '"'.implode('","', $unwanted_sql_plugins).'"';
+		$sql_plugins = $inst->db->queryAllRecords("SELECT plugin_name FROM information_schema.plugins WHERE plugin_status='ACTIVE' AND plugin_name IN ($temp)");
+		if(is_array($sql_plugins) && !empty($sql_plugins)) {
+			foreach ($sql_plugins as $plugin) echo "Login in to MySQL and disable $plugin[plugin_name] with:\n\n    UNINSTALL PLUGIN $plugin[plugin_name];";
+			die();
+		}
+		unset($temp);
+
 		//** Create the database
 		if(!$this->db->query('CREATE DATABASE IF NOT EXISTS ?? DEFAULT CHARACTER SET ?', $conf['mysql']['database'], $conf['mysql']['charset'])) {
 			$this->error('Unable to create MySQL database: '.$conf['mysql']['database'].'.');

--- a/install/lib/update.lib.php
+++ b/install/lib/update.lib.php
@@ -132,6 +132,15 @@ function updateDbAndIni() {
 		die();
 	}

+	$unwanted_sql_plugins = array('validate_password');
+	$temp = '"'.implode('","', $unwanted_sql_plugins).'"';
+	$sql_plugins = $inst->db->queryAllRecords("SELECT plugin_name FROM information_schema.plugins WHERE plugin_status='ACTIVE' AND plugin_name IN ($temp)");
+	if(is_array($sql_plugins) && !empty($sql_plugins)) {
+		foreach ($sql_plugins as $plugin) echo "Login in to MySQL and disable $plugin[plugin_name] with:\n\n    UNINSTALL PLUGIN $plugin[plugin_name];";
+		die();
+	}
+	unset($temp);
+
 	//* Update $conf array with values from the server.ini that shall be preserved
 	$tmp = $inst->db->queryOneRecord("SELECT * FROM ?? WHERE server_id = ?", $conf["mysql"]["database"] . '.server', $conf['server_id']);
 	$ini_array = ini_to_array(stripslashes($tmp['config']));

--- a/server/plugins-available/mysql_clientdb_plugin.inc.php
+++ b/server/plugins-available/mysql_clientdb_plugin.inc.php
@@ -73,7 +73,20 @@ class mysql_clientdb_plugin {

 	function process_host_list($action, $database_name, $database_user, $database_password, $host_list, $link, $database_rename_user = '', $user_access_mode = 'rw') {
 		global $app;
-		
+
+		// check mysql-plugins
+		$unwanted_sql_plugins = array('validate_password'); // strict-password-validation
+		$temp = "'".implode("','", $unwanted_sql_plugins)."'";
+		$result = $link->query("SELECT plugin_name FROM information_schema.plugins WHERE plugin_status='ACTIVE' AND plugin_name IN ($temp)");
+		if($result) {
+			while ($row = $result->fetch_assoc()) {
+				$sql_plugins[] = $row['plugin_name'];
+			}
+			$result->free();
+			foreach ($sql_plugins as $plugin) $app->log("MySQL-Plugin $plugin[plugin_name] enabled - can not execute function process_host_list", LOGLEVEL_ERROR);
+			return false;
+		}
+
 		if(!$user_access_mode) $user_access_mode = 'rw';
 		$action = strtoupper($action);