docker-imgurl/imgurl/phpMyAdmin/libraries/classes/Config/ServerConfigChecks.php

<?php
/**
 * Server config checks management
 */

declare(strict_types=1);

namespace PhpMyAdmin\Config;

use PhpMyAdmin\Core;
use PhpMyAdmin\Sanitize;
use PhpMyAdmin\Setup\Index as SetupIndex;
use PhpMyAdmin\Url;
use PhpMyAdmin\Util;

use function __;
use function count;
use function function_exists;
use function htmlspecialchars;
use function implode;
use function ini_get;
use function preg_match;
use function sprintf;
use function strlen;

/**
 * Performs various compatibility, security and consistency checks on current config
 *
 * Outputs results to message list, must be called between SetupIndex::messagesBegin()
 * and SetupIndex::messagesEnd()
 */
class ServerConfigChecks
{
    /** @var ConfigFile configurations being checked */
    protected $cfg;

    /**
     * @param ConfigFile $cfg Configuration
     */
    public function __construct(ConfigFile $cfg)
    {
        $this->cfg = $cfg;
    }

    /**
     * Perform config checks
     */
    public function performConfigChecks(): void
    {
        $blowfishSecret = $this->cfg->get('blowfish_secret');
        $blowfishSecretSet = false;
        $cookieAuthUsed = false;

        [$cookieAuthUsed, $blowfishSecret, $blowfishSecretSet] = $this->performConfigChecksServers(
            $cookieAuthUsed,
            $blowfishSecret,
            $blowfishSecretSet
        );

        $this->performConfigChecksCookieAuthUsed($cookieAuthUsed, $blowfishSecretSet, $blowfishSecret);

        // $cfg['AllowArbitraryServer']
        // should be disabled
        if ($this->cfg->getValue('AllowArbitraryServer')) {
            $sAllowArbitraryServerWarn = sprintf(
                __(
                    'This %soption%s should be disabled as it allows attackers to '
                    . 'bruteforce login to any MySQL server. If you feel this is necessary, '
                    . 'use %srestrict login to MySQL server%s or %strusted proxies list%s. '
                    . 'However, IP-based protection with trusted proxies list may not be '
                    . 'reliable if your IP belongs to an ISP where thousands of users, '
                    . 'including you, are connected to.'
                ),
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                '[/a]',
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                '[/a]',
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                '[/a]'
            );
            SetupIndex::messagesSet(
                'notice',
                'AllowArbitraryServer',
                Descriptions::get('AllowArbitraryServer'),
                Sanitize::sanitizeMessage($sAllowArbitraryServerWarn)
            );
        }

        $this->performConfigChecksLoginCookie();

        $sDirectoryNotice = __(
            'This value should be double checked to ensure that this directory is '
            . 'neither world accessible nor readable or writable by other users on '
            . 'your server.'
        );

        // $cfg['SaveDir']
        // should not be world-accessible
        if ($this->cfg->getValue('SaveDir') != '') {
            SetupIndex::messagesSet(
                'notice',
                'SaveDir',
                Descriptions::get('SaveDir'),
                Sanitize::sanitizeMessage($sDirectoryNotice)
            );
        }

        // $cfg['TempDir']
        // should not be world-accessible
        if ($this->cfg->getValue('TempDir') != '') {
            SetupIndex::messagesSet(
                'notice',
                'TempDir',
                Descriptions::get('TempDir'),
                Sanitize::sanitizeMessage($sDirectoryNotice)
            );
        }

        $this->performConfigChecksZips();
    }

    /**
     * Check config of servers
     *
     * @param bool   $cookieAuthUsed    Cookie auth is used
     * @param string $blowfishSecret    Blowfish secret
     * @param bool   $blowfishSecretSet Blowfish secret set
     *
     * @return array
     */
    protected function performConfigChecksServers(
        $cookieAuthUsed,
        $blowfishSecret,
        $blowfishSecretSet
    ) {
        $serverCnt = $this->cfg->getServerCount();
        $isCookieAuthUsed = (int) $cookieAuthUsed;
        for ($i = 1; $i <= $serverCnt; $i++) {
            $cookieAuthServer = ($this->cfg->getValue('Servers/' . $i . '/auth_type') === 'cookie');
            $isCookieAuthUsed |= (int) $cookieAuthServer;
            $serverName = $this->performConfigChecksServersGetServerName(
                $this->cfg->getServerName($i),
                $i
            );
            $serverName = htmlspecialchars($serverName);

            [$blowfishSecret, $blowfishSecretSet] = $this->performConfigChecksServersSetBlowfishSecret(
                $blowfishSecret,
                $cookieAuthServer,
                $blowfishSecretSet
            );

            // $cfg['Servers'][$i]['ssl']
            // should be enabled if possible
            if (! $this->cfg->getValue('Servers/' . $i . '/ssl')) {
                $title = Descriptions::get('Servers/1/ssl') . ' (' . $serverName . ')';
                SetupIndex::messagesSet(
                    'notice',
                    'Servers/' . $i . '/ssl',
                    $title,
                    __(
                        'You should use SSL connections if your database server supports it.'
                    )
                );
            }

            $sSecurityInfoMsg = Sanitize::sanitizeMessage(sprintf(
                __(
                    'If you feel this is necessary, use additional protection settings - '
                    . '%1$shost authentication%2$s settings and %3$strusted proxies list%4$s. '
                    . 'However, IP-based protection may not be reliable if your IP belongs '
                    . 'to an ISP where thousands of users, including you, are connected to.'
                ),
                '[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server_config]',
                '[/a]',
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                '[/a]'
            ));

            // $cfg['Servers'][$i]['auth_type']
            // warn about full user credentials if 'auth_type' is 'config'
            if (
                $this->cfg->getValue('Servers/' . $i . '/auth_type') === 'config'
                && $this->cfg->getValue('Servers/' . $i . '/user') != ''
                && $this->cfg->getValue('Servers/' . $i . '/password') != ''
            ) {
                $title = Descriptions::get('Servers/1/auth_type')
                    . ' (' . $serverName . ')';
                SetupIndex::messagesSet(
                    'notice',
                    'Servers/' . $i . '/auth_type',
                    $title,
                    Sanitize::sanitizeMessage(sprintf(
                        __(
                            'You set the [kbd]config[/kbd] authentication type and included '
                            . 'username and password for auto-login, which is not a desirable '
                            . 'option for live hosts. Anyone who knows or guesses your phpMyAdmin '
                            . 'URL can directly access your phpMyAdmin panel. Set %1$sauthentication '
                            . 'type%2$s to [kbd]cookie[/kbd] or [kbd]http[/kbd].'
                        ),
                        '[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server]',
                        '[/a]'
                    ))
                    . ' ' . $sSecurityInfoMsg
                );
            }

            // $cfg['Servers'][$i]['AllowRoot']
            // $cfg['Servers'][$i]['AllowNoPassword']
            // serious security flaw
            if (
                ! $this->cfg->getValue('Servers/' . $i . '/AllowRoot')
                || ! $this->cfg->getValue('Servers/' . $i . '/AllowNoPassword')
            ) {
                continue;
            }

            $title = Descriptions::get('Servers/1/AllowNoPassword')
                . ' (' . $serverName . ')';
            SetupIndex::messagesSet(
                'notice',
                'Servers/' . $i . '/AllowNoPassword',
                $title,
                __('You allow for connecting to the server without a password.')
                . ' ' . $sSecurityInfoMsg
            );
        }

        return [
            (bool) $isCookieAuthUsed,
            $blowfishSecret,
            $blowfishSecretSet,
        ];
    }

    /**
     * Set blowfish secret
     *
     * @param string|null $blowfishSecret    Blowfish secret
     * @param bool        $cookieAuthServer  Cookie auth is used
     * @param bool        $blowfishSecretSet Blowfish secret set
     *
     * @return array
     */
    protected function performConfigChecksServersSetBlowfishSecret(
        $blowfishSecret,
        $cookieAuthServer,
        $blowfishSecretSet
    ): array {
        if ($cookieAuthServer && $blowfishSecret === null) {
            $blowfishSecretSet = true;
            $this->cfg->set('blowfish_secret', Util::generateRandom(32));
        }

        return [
            $blowfishSecret,
            $blowfishSecretSet,
        ];
    }

    /**
     * Define server name
     *
     * @param string $serverName Server name
     * @param int    $serverId   Server id
     *
     * @return string Server name
     */
    protected function performConfigChecksServersGetServerName(
        $serverName,
        $serverId
    ) {
        if ($serverName === 'localhost') {
            return $serverName . ' [' . $serverId . ']';
        }

        return $serverName;
    }

    /**
     * Perform config checks for zip part.
     */
    protected function performConfigChecksZips(): void
    {
        $this->performConfigChecksServerGZipdump();
        $this->performConfigChecksServerBZipdump();
        $this->performConfigChecksServersZipdump();
    }

    /**
     * Perform config checks for zip part.
     */
    protected function performConfigChecksServersZipdump(): void
    {
        // $cfg['ZipDump']
        // requires zip_open in import
        if ($this->cfg->getValue('ZipDump') && ! $this->functionExists('zip_open')) {
            SetupIndex::messagesSet(
                'error',
                'ZipDump_import',
                Descriptions::get('ZipDump'),
                Sanitize::sanitizeMessage(sprintf(
                    __(
                        '%sZip decompression%s requires functions (%s) which are unavailable on this system.'
                    ),
                    '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
                    '[/a]',
                    'zip_open'
                ))
            );
        }

        // $cfg['ZipDump']
        // requires gzcompress in export
        if (! $this->cfg->getValue('ZipDump') || $this->functionExists('gzcompress')) {
            return;
        }

        SetupIndex::messagesSet(
            'error',
            'ZipDump_export',
            Descriptions::get('ZipDump'),
            Sanitize::sanitizeMessage(sprintf(
                __(
                    '%sZip compression%s requires functions (%s) which are unavailable on this system.'
                ),
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
                '[/a]',
                'gzcompress'
            ))
        );
    }

    /**
     * Check config of servers
     *
     * @param bool   $cookieAuthUsed    Cookie auth is used
     * @param bool   $blowfishSecretSet Blowfish secret set
     * @param string $blowfishSecret    Blowfish secret
     */
    protected function performConfigChecksCookieAuthUsed(
        $cookieAuthUsed,
        $blowfishSecretSet,
        $blowfishSecret
    ): void {
        // $cfg['blowfish_secret']
        // it's required for 'cookie' authentication
        if (! $cookieAuthUsed) {
            return;
        }

        if ($blowfishSecretSet) {
            // 'cookie' auth used, blowfish_secret was generated
            SetupIndex::messagesSet(
                'notice',
                'blowfish_secret_created',
                Descriptions::get('blowfish_secret'),
                Sanitize::sanitizeMessage(__(
                    'You didn\'t have blowfish secret set and have enabled '
                    . '[kbd]cookie[/kbd] authentication, so a key was automatically '
                    . 'generated for you. It is used to encrypt cookies; you don\'t need to '
                    . 'remember it.'
                ))
            );

            return;
        }

        $blowfishWarnings = [];
        // check length
        if (strlen($blowfishSecret) < 32) {
            // too short key
            $blowfishWarnings[] = __('Key is too short, it should have at least 32 characters.');
        }

        // check used characters
        $hasDigits = (bool) preg_match('/\d/', $blowfishSecret);
        $hasChars = (bool) preg_match('/\S/', $blowfishSecret);
        $hasNonword = (bool) preg_match('/\W/', $blowfishSecret);
        if (! $hasDigits || ! $hasChars || ! $hasNonword) {
            $blowfishWarnings[] = Sanitize::sanitizeMessage(
                __(
                    'Key should contain letters, numbers [em]and[/em] special characters.'
                )
            );
        }

        if (empty($blowfishWarnings)) {
            return;
        }

        SetupIndex::messagesSet(
            'error',
            'blowfish_warnings' . count($blowfishWarnings),
            Descriptions::get('blowfish_secret'),
            implode('<br>', $blowfishWarnings)
        );
    }

    /**
     * Check configuration for login cookie
     */
    protected function performConfigChecksLoginCookie(): void
    {
        // $cfg['LoginCookieValidity']
        // value greater than session.gc_maxlifetime will cause
        // random session invalidation after that time
        $loginCookieValidity = $this->cfg->getValue('LoginCookieValidity');
        if ($loginCookieValidity > ini_get('session.gc_maxlifetime')) {
            SetupIndex::messagesSet(
                'error',
                'LoginCookieValidity',
                Descriptions::get('LoginCookieValidity'),
                Sanitize::sanitizeMessage(sprintf(
                    __(
                        '%1$sLogin cookie validity%2$s greater than %3$ssession.gc_maxlifetime%4$s may '
                        . 'cause random session invalidation (currently session.gc_maxlifetime '
                        . 'is %5$d).'
                    ),
                    '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                    '[/a]',
                    '[a@' . Core::getPHPDocLink('session.configuration.php#ini.session.gc-maxlifetime') . ']',
                    '[/a]',
                    ini_get('session.gc_maxlifetime')
                ))
            );
        }

        // $cfg['LoginCookieValidity']
        // should be at most 1800 (30 min)
        if ($loginCookieValidity > 1800) {
            SetupIndex::messagesSet(
                'notice',
                'LoginCookieValidity',
                Descriptions::get('LoginCookieValidity'),
                Sanitize::sanitizeMessage(sprintf(
                    __(
                        '%sLogin cookie validity%s should be set to 1800 seconds (30 minutes) '
                        . 'at most. Values larger than 1800 may pose a security risk such as '
                        . 'impersonation.'
                    ),
                    '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                    '[/a]'
                ))
            );
        }

        // $cfg['LoginCookieValidity']
        // $cfg['LoginCookieStore']
        // LoginCookieValidity must be less or equal to LoginCookieStore
        if (
            ($this->cfg->getValue('LoginCookieStore') == 0)
            || ($loginCookieValidity <= $this->cfg->getValue('LoginCookieStore'))
        ) {
            return;
        }

        SetupIndex::messagesSet(
            'error',
            'LoginCookieValidity',
            Descriptions::get('LoginCookieValidity'),
            Sanitize::sanitizeMessage(sprintf(
                __(
                    'If using [kbd]cookie[/kbd] authentication and %sLogin cookie store%s '
                    . 'is not 0, %sLogin cookie validity%s must be set to a value less or '
                    . 'equal to it.'
                ),
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                '[/a]',
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',
                '[/a]'
            ))
        );
    }

    /**
     * Check GZipDump configuration
     */
    protected function performConfigChecksServerBZipdump(): void
    {
        // $cfg['BZipDump']
        // requires bzip2 functions
        if (
            ! $this->cfg->getValue('BZipDump')
            || ($this->functionExists('bzopen') && $this->functionExists('bzcompress'))
        ) {
            return;
        }

        $functions = $this->functionExists('bzopen')
            ? '' :
            'bzopen';
        $functions .= $this->functionExists('bzcompress')
            ? ''
            : ($functions ? ', ' : '') . 'bzcompress';
        SetupIndex::messagesSet(
            'error',
            'BZipDump',
            Descriptions::get('BZipDump'),
            Sanitize::sanitizeMessage(
                sprintf(
                    __(
                        '%1$sBzip2 compression and decompression%2$s requires functions (%3$s) which '
                         . 'are unavailable on this system.'
                    ),
                    '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
                    '[/a]',
                    $functions
                )
            )
        );
    }

    /**
     * Check GZipDump configuration
     */
    protected function performConfigChecksServerGZipdump(): void
    {
        // $cfg['GZipDump']
        // requires zlib functions
        if (
            ! $this->cfg->getValue('GZipDump')
            || ($this->functionExists('gzopen') && $this->functionExists('gzencode'))
        ) {
            return;
        }

        SetupIndex::messagesSet(
            'error',
            'GZipDump',
            Descriptions::get('GZipDump'),
            Sanitize::sanitizeMessage(sprintf(
                __(
                    '%1$sGZip compression and decompression%2$s requires functions (%3$s) which '
                    . 'are unavailable on this system.'
                ),
                '[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',
                '[/a]',
                'gzencode'
            ))
        );
    }

    /**
     * Wrapper around function_exists to allow mock in test
     *
     * @param string $name Function name
     */
    protected function functionExists($name): bool
    {
        return function_exists($name);
    }
}
fix bug 2 years ago			`<?php`
			`/**`
			`* Server config checks management`
			`*/`

			`declare(strict_types=1);`

			`namespace PhpMyAdmin\Config;`

			`use PhpMyAdmin\Core;`
			`use PhpMyAdmin\Sanitize;`
			`use PhpMyAdmin\Setup\Index as SetupIndex;`
			`use PhpMyAdmin\Url;`
			`use PhpMyAdmin\Util;`

			`use function __;`
			`use function count;`
			`use function function_exists;`
			`use function htmlspecialchars;`
			`use function implode;`
			`use function ini_get;`
			`use function preg_match;`
			`use function sprintf;`
			`use function strlen;`

			`/**`
			`* Performs various compatibility, security and consistency checks on current config`
			`*`
			`* Outputs results to message list, must be called between SetupIndex::messagesBegin()`
			`* and SetupIndex::messagesEnd()`
			`*/`
			`class ServerConfigChecks`
			`{`
			`/** @var ConfigFile configurations being checked */`
			`protected $cfg;`

			`/**`
			`* @param ConfigFile $cfg Configuration`
			`*/`
			`public function __construct(ConfigFile $cfg)`
			`{`
			`$this->cfg = $cfg;`
			`}`

			`/**`
			`* Perform config checks`
			`*/`
			`public function performConfigChecks(): void`
			`{`
			`$blowfishSecret = $this->cfg->get('blowfish_secret');`
			`$blowfishSecretSet = false;`
			`$cookieAuthUsed = false;`

			`[$cookieAuthUsed, $blowfishSecret, $blowfishSecretSet] = $this->performConfigChecksServers(`
			`$cookieAuthUsed,`
			`$blowfishSecret,`
			`$blowfishSecretSet`
			`);`

			`$this->performConfigChecksCookieAuthUsed($cookieAuthUsed, $blowfishSecretSet, $blowfishSecret);`

			`// $cfg['AllowArbitraryServer']`
			`// should be disabled`
			`if ($this->cfg->getValue('AllowArbitraryServer')) {`
			`$sAllowArbitraryServerWarn = sprintf(`
			`__(`
			`'This %soption%s should be disabled as it allows attackers to '`
			`. 'bruteforce login to any MySQL server. If you feel this is necessary, '`
			`. 'use %srestrict login to MySQL server%s or %strusted proxies list%s. '`
			`. 'However, IP-based protection with trusted proxies list may not be '`
			`. 'reliable if your IP belongs to an ISP where thousands of users, '`
			`. 'including you, are connected to.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]',`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]',`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]'`
			`);`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'AllowArbitraryServer',`
			`Descriptions::get('AllowArbitraryServer'),`
			`Sanitize::sanitizeMessage($sAllowArbitraryServerWarn)`
			`);`
			`}`

			`$this->performConfigChecksLoginCookie();`

			`$sDirectoryNotice = __(`
			`'This value should be double checked to ensure that this directory is '`
			`. 'neither world accessible nor readable or writable by other users on '`
			`. 'your server.'`
			`);`

			`// $cfg['SaveDir']`
			`// should not be world-accessible`
			`if ($this->cfg->getValue('SaveDir') != '') {`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'SaveDir',`
			`Descriptions::get('SaveDir'),`
			`Sanitize::sanitizeMessage($sDirectoryNotice)`
			`);`
			`}`

			`// $cfg['TempDir']`
			`// should not be world-accessible`
			`if ($this->cfg->getValue('TempDir') != '') {`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'TempDir',`
			`Descriptions::get('TempDir'),`
			`Sanitize::sanitizeMessage($sDirectoryNotice)`
			`);`
			`}`

			`$this->performConfigChecksZips();`
			`}`

			`/**`
			`* Check config of servers`
			`*`
			`* @param bool $cookieAuthUsed Cookie auth is used`
			`* @param string $blowfishSecret Blowfish secret`
			`* @param bool $blowfishSecretSet Blowfish secret set`
			`*`
			`* @return array`
			`*/`
			`protected function performConfigChecksServers(`
			`$cookieAuthUsed,`
			`$blowfishSecret,`
			`$blowfishSecretSet`
			`) {`
			`$serverCnt = $this->cfg->getServerCount();`
			`$isCookieAuthUsed = (int) $cookieAuthUsed;`
			`for ($i = 1; $i <= $serverCnt; $i++) {`
			`$cookieAuthServer = ($this->cfg->getValue('Servers/' . $i . '/auth_type') === 'cookie');`
			`$isCookieAuthUsed \|= (int) $cookieAuthServer;`
			`$serverName = $this->performConfigChecksServersGetServerName(`
			`$this->cfg->getServerName($i),`
			`$i`
			`);`
			`$serverName = htmlspecialchars($serverName);`

			`[$blowfishSecret, $blowfishSecretSet] = $this->performConfigChecksServersSetBlowfishSecret(`
			`$blowfishSecret,`
			`$cookieAuthServer,`
			`$blowfishSecretSet`
			`);`

			`// $cfg['Servers'][$i]['ssl']`
			`// should be enabled if possible`
			`if (! $this->cfg->getValue('Servers/' . $i . '/ssl')) {`
			`$title = Descriptions::get('Servers/1/ssl') . ' (' . $serverName . ')';`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'Servers/' . $i . '/ssl',`
			`$title,`
			`__(`
			`'You should use SSL connections if your database server supports it.'`
			`)`
			`);`
			`}`

			`$sSecurityInfoMsg = Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'If you feel this is necessary, use additional protection settings - '`
			`. '%1$shost authentication%2$s settings and %3$strusted proxies list%4$s. '`
			`. 'However, IP-based protection may not be reliable if your IP belongs '`
			`. 'to an ISP where thousands of users, including you, are connected to.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server_config]',`
			`'[/a]',`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]'`
			`));`

			`// $cfg['Servers'][$i]['auth_type']`
			`// warn about full user credentials if 'auth_type' is 'config'`
			`if (`
			`$this->cfg->getValue('Servers/' . $i . '/auth_type') === 'config'`
			`&& $this->cfg->getValue('Servers/' . $i . '/user') != ''`
			`&& $this->cfg->getValue('Servers/' . $i . '/password') != ''`
			`) {`
			`$title = Descriptions::get('Servers/1/auth_type')`
			`. ' (' . $serverName . ')';`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'Servers/' . $i . '/auth_type',`
			`$title,`
			`Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'You set the [kbd]config[/kbd] authentication type and included '`
			`. 'username and password for auto-login, which is not a desirable '`
			`. 'option for live hosts. Anyone who knows or guesses your phpMyAdmin '`
			`. 'URL can directly access your phpMyAdmin panel. Set %1$sauthentication '`
			`. 'type%2$s to [kbd]cookie[/kbd] or [kbd]http[/kbd].'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'servers', 'mode' => 'edit', 'id' => $i]) . '#tab_Server]',`
			`'[/a]'`
			`))`
			`. ' ' . $sSecurityInfoMsg`
			`);`
			`}`

			`// $cfg['Servers'][$i]['AllowRoot']`
			`// $cfg['Servers'][$i]['AllowNoPassword']`
			`// serious security flaw`
			`if (`
			`! $this->cfg->getValue('Servers/' . $i . '/AllowRoot')`
			`\|\| ! $this->cfg->getValue('Servers/' . $i . '/AllowNoPassword')`
			`) {`
			`continue;`
			`}`

			`$title = Descriptions::get('Servers/1/AllowNoPassword')`
			`. ' (' . $serverName . ')';`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'Servers/' . $i . '/AllowNoPassword',`
			`$title,`
			`__('You allow for connecting to the server without a password.')`
			`. ' ' . $sSecurityInfoMsg`
			`);`
			`}`

			`return [`
			`(bool) $isCookieAuthUsed,`
			`$blowfishSecret,`
			`$blowfishSecretSet,`
			`];`
			`}`

			`/**`
			`* Set blowfish secret`
			`*`
			`* @param string\|null $blowfishSecret Blowfish secret`
			`* @param bool $cookieAuthServer Cookie auth is used`
			`* @param bool $blowfishSecretSet Blowfish secret set`
			`*`
			`* @return array`
			`*/`
			`protected function performConfigChecksServersSetBlowfishSecret(`
			`$blowfishSecret,`
			`$cookieAuthServer,`
			`$blowfishSecretSet`
			`): array {`
			`if ($cookieAuthServer && $blowfishSecret === null) {`
			`$blowfishSecretSet = true;`
			`$this->cfg->set('blowfish_secret', Util::generateRandom(32));`
			`}`

			`return [`
			`$blowfishSecret,`
			`$blowfishSecretSet,`
			`];`
			`}`

			`/**`
			`* Define server name`
			`*`
			`* @param string $serverName Server name`
			`* @param int $serverId Server id`
			`*`
			`* @return string Server name`
			`*/`
			`protected function performConfigChecksServersGetServerName(`
			`$serverName,`
			`$serverId`
			`) {`
			`if ($serverName === 'localhost') {`
			`return $serverName . ' [' . $serverId . ']';`
			`}`

			`return $serverName;`
			`}`

			`/**`
			`* Perform config checks for zip part.`
			`*/`
			`protected function performConfigChecksZips(): void`
			`{`
			`$this->performConfigChecksServerGZipdump();`
			`$this->performConfigChecksServerBZipdump();`
			`$this->performConfigChecksServersZipdump();`
			`}`

			`/**`
			`* Perform config checks for zip part.`
			`*/`
			`protected function performConfigChecksServersZipdump(): void`
			`{`
			`// $cfg['ZipDump']`
			`// requires zip_open in import`
			`if ($this->cfg->getValue('ZipDump') && ! $this->functionExists('zip_open')) {`
			`SetupIndex::messagesSet(`
			`'error',`
			`'ZipDump_import',`
			`Descriptions::get('ZipDump'),`
			`Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'%sZip decompression%s requires functions (%s) which are unavailable on this system.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',`
			`'[/a]',`
			`'zip_open'`
			`))`
			`);`
			`}`

			`// $cfg['ZipDump']`
			`// requires gzcompress in export`
			`if (! $this->cfg->getValue('ZipDump') \|\| $this->functionExists('gzcompress')) {`
			`return;`
			`}`

			`SetupIndex::messagesSet(`
			`'error',`
			`'ZipDump_export',`
			`Descriptions::get('ZipDump'),`
			`Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'%sZip compression%s requires functions (%s) which are unavailable on this system.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',`
			`'[/a]',`
			`'gzcompress'`
			`))`
			`);`
			`}`

			`/**`
			`* Check config of servers`
			`*`
			`* @param bool $cookieAuthUsed Cookie auth is used`
			`* @param bool $blowfishSecretSet Blowfish secret set`
			`* @param string $blowfishSecret Blowfish secret`
			`*/`
			`protected function performConfigChecksCookieAuthUsed(`
			`$cookieAuthUsed,`
			`$blowfishSecretSet,`
			`$blowfishSecret`
			`): void {`
			`// $cfg['blowfish_secret']`
			`// it's required for 'cookie' authentication`
			`if (! $cookieAuthUsed) {`
			`return;`
			`}`

			`if ($blowfishSecretSet) {`
			`// 'cookie' auth used, blowfish_secret was generated`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'blowfish_secret_created',`
			`Descriptions::get('blowfish_secret'),`
			`Sanitize::sanitizeMessage(__(`
			`'You didn\'t have blowfish secret set and have enabled '`
			`. '[kbd]cookie[/kbd] authentication, so a key was automatically '`
			`. 'generated for you. It is used to encrypt cookies; you don\'t need to '`
			`. 'remember it.'`
			`))`
			`);`

			`return;`
			`}`

			`$blowfishWarnings = [];`
			`// check length`
			`if (strlen($blowfishSecret) < 32) {`
			`// too short key`
			`$blowfishWarnings[] = __('Key is too short, it should have at least 32 characters.');`
			`}`

			`// check used characters`
			`$hasDigits = (bool) preg_match('/\d/', $blowfishSecret);`
			`$hasChars = (bool) preg_match('/\S/', $blowfishSecret);`
			`$hasNonword = (bool) preg_match('/\W/', $blowfishSecret);`
			`if (! $hasDigits \|\| ! $hasChars \|\| ! $hasNonword) {`
			`$blowfishWarnings[] = Sanitize::sanitizeMessage(`
			`__(`
			`'Key should contain letters, numbers [em]and[/em] special characters.'`
			`)`
			`);`
			`}`

			`if (empty($blowfishWarnings)) {`
			`return;`
			`}`

			`SetupIndex::messagesSet(`
			`'error',`
			`'blowfish_warnings' . count($blowfishWarnings),`
			`Descriptions::get('blowfish_secret'),`
			`implode('<br>', $blowfishWarnings)`
			`);`
			`}`

			`/**`
			`* Check configuration for login cookie`
			`*/`
			`protected function performConfigChecksLoginCookie(): void`
			`{`
			`// $cfg['LoginCookieValidity']`
			`// value greater than session.gc_maxlifetime will cause`
			`// random session invalidation after that time`
			`$loginCookieValidity = $this->cfg->getValue('LoginCookieValidity');`
			`if ($loginCookieValidity > ini_get('session.gc_maxlifetime')) {`
			`SetupIndex::messagesSet(`
			`'error',`
			`'LoginCookieValidity',`
			`Descriptions::get('LoginCookieValidity'),`
			`Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'%1$sLogin cookie validity%2$s greater than %3$ssession.gc_maxlifetime%4$s may '`
			`. 'cause random session invalidation (currently session.gc_maxlifetime '`
			`. 'is %5$d).'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]',`
			`'[a@' . Core::getPHPDocLink('session.configuration.php#ini.session.gc-maxlifetime') . ']',`
			`'[/a]',`
			`ini_get('session.gc_maxlifetime')`
			`))`
			`);`
			`}`

			`// $cfg['LoginCookieValidity']`
			`// should be at most 1800 (30 min)`
			`if ($loginCookieValidity > 1800) {`
			`SetupIndex::messagesSet(`
			`'notice',`
			`'LoginCookieValidity',`
			`Descriptions::get('LoginCookieValidity'),`
			`Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'%sLogin cookie validity%s should be set to 1800 seconds (30 minutes) '`
			`. 'at most. Values larger than 1800 may pose a security risk such as '`
			`. 'impersonation.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]'`
			`))`
			`);`
			`}`

			`// $cfg['LoginCookieValidity']`
			`// $cfg['LoginCookieStore']`
			`// LoginCookieValidity must be less or equal to LoginCookieStore`
			`if (`
			`($this->cfg->getValue('LoginCookieStore') == 0)`
			`\|\| ($loginCookieValidity <= $this->cfg->getValue('LoginCookieStore'))`
			`) {`
			`return;`
			`}`

			`SetupIndex::messagesSet(`
			`'error',`
			`'LoginCookieValidity',`
			`Descriptions::get('LoginCookieValidity'),`
			`Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'If using [kbd]cookie[/kbd] authentication and %sLogin cookie store%s '`
			`. 'is not 0, %sLogin cookie validity%s must be set to a value less or '`
			`. 'equal to it.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]',`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Security]',`
			`'[/a]'`
			`))`
			`);`
			`}`

			`/**`
			`* Check GZipDump configuration`
			`*/`
			`protected function performConfigChecksServerBZipdump(): void`
			`{`
			`// $cfg['BZipDump']`
			`// requires bzip2 functions`
			`if (`
			`! $this->cfg->getValue('BZipDump')`
			`\|\| ($this->functionExists('bzopen') && $this->functionExists('bzcompress'))`
			`) {`
			`return;`
			`}`

			`$functions = $this->functionExists('bzopen')`
			`? '' :`
			`'bzopen';`
			`$functions .= $this->functionExists('bzcompress')`
			`? ''`
			`: ($functions ? ', ' : '') . 'bzcompress';`
			`SetupIndex::messagesSet(`
			`'error',`
			`'BZipDump',`
			`Descriptions::get('BZipDump'),`
			`Sanitize::sanitizeMessage(`
			`sprintf(`
			`__(`
			`'%1$sBzip2 compression and decompression%2$s requires functions (%3$s) which '`
			`. 'are unavailable on this system.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',`
			`'[/a]',`
			`$functions`
			`)`
			`)`
			`);`
			`}`

			`/**`
			`* Check GZipDump configuration`
			`*/`
			`protected function performConfigChecksServerGZipdump(): void`
			`{`
			`// $cfg['GZipDump']`
			`// requires zlib functions`
			`if (`
			`! $this->cfg->getValue('GZipDump')`
			`\|\| ($this->functionExists('gzopen') && $this->functionExists('gzencode'))`
			`) {`
			`return;`
			`}`

			`SetupIndex::messagesSet(`
			`'error',`
			`'GZipDump',`
			`Descriptions::get('GZipDump'),`
			`Sanitize::sanitizeMessage(sprintf(`
			`__(`
			`'%1$sGZip compression and decompression%2$s requires functions (%3$s) which '`
			`. 'are unavailable on this system.'`
			`),`
			`'[a@' . Url::getCommon(['page' => 'form', 'formset' => 'Features']) . '#tab_Import_export]',`
			`'[/a]',`
			`'gzencode'`
			`))`
			`);`
			`}`

			`/**`
			`* Wrapper around function_exists to allow mock in test`
			`*`
			`* @param string $name Function name`
			`*/`
			`protected function functionExists($name): bool`
			`{`
			`return function_exists($name);`
			`}`
			`}`