blowfish_secret of not exactly 32 characters causes server error #17369

Closed
ibennetch opened this issue Feb 11, 2022 · 12 comments
Labels: Bug (A problem or regression with an existing feature); has-pr (An issue that has a pull request pending that may fix this issue. The pull request may be incomplete)

Comments

@ibennetch (Member)

QA_5_2 and master have a problem if blowfish_secret isn't exactly 32 bytes long. The main pane is blank aside from the top tabs and this is logged:

PHP Fatal error:  Uncaught ErrorException: The secret passphrase in configuration (blowfish_secret) is not the correct length. It should be 32 bytes long. in /var/www/pma-dev/fork/libraries/classes/Controllers/HomeController.php:330
Stack trace:
#0 [internal function]: PhpMyAdmin\ErrorHandler->handleError()
#1 /var/www/pma-dev/fork/libraries/classes/Controllers/HomeController.php(330): trigger_error()
#2 /var/www/pma-dev/fork/libraries/classes/Controllers/HomeController.php(220): PhpMyAdmin\Controllers\HomeController->checkRequirements()
#3 /var/www/pma-dev/fork/libraries/classes/Routing.php(187): PhpMyAdmin\Controllers\HomeController->__invoke()
#4 /var/www/pma-dev/fork/index.php(43): PhpMyAdmin\Routing::callControllerForRoute()
#5 {main}
  thrown in /var/www/pma-dev/fork/libraries/classes/Controllers/HomeController.php on line 330

We should definitely handle this more gracefully and show the user a warning that their blowfish_secret isn't the correct length.

@ibennetch ibennetch changed the title blowfish_secret of not 32 characters causes server error blowfish_secret of not exactly 32 characters causes server error Feb 11, 2022
@MauricioFauth MauricioFauth added the Bug A problem or regression with an existing feature label Feb 11, 2022
@MauricioFauth MauricioFauth added this to the 5.2.0 milestone Feb 11, 2022
@ibennetch ibennetch modified the milestones: 5.2.0, 5.2.1 May 11, 2022
@xkill

xkill commented May 18, 2022

Hi, I'm using a 93-char secret, and I'm also having this problem. 5.2.0, just updated from 5.1.3.

@svivian (Contributor)

svivian commented May 23, 2022

Is there a reason it needs to be exactly 32 characters long? Surely a longer key is more secure?

@williamdes (Member)

williamdes commented May 23, 2022

Is there a reason it needs to be exactly 32 characters long? Surely a longer key is more secure?

Seems like this is a technical issue from the php extension: https://www.php.net/manual/en/function.sodium-crypto-secretbox.php

If key has a length of bytes different than SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32 bytes), a SodiumException will be thrown.

@J0riz

J0riz commented May 25, 2022

We just updated phpMyAdmin on one of our staging servers to phpMyAdmin 5.2.
We noticed that after login you see the following message in a red box:
The secret passphrase in configuration (blowfish_secret) is not the correct length. It should be 32 bytes long.

No further errors are logged or thrown. So except for this confusing error, phpMyAdmin works fine.
We currently use a longer key, which should be fine. I agree with @svivian that a longer key should be more secure.

I see this was changed in this commit: 411bacf

If it actually should always be 32 bit in length, I think this should be improved in the documentation.
Currently the documentation says:

The secret should be 32 characters long. Using shorter will lead to weaker security of encrypted cookies, using longer will cause no harm.


@nifaracing

Any news about this?

@williamdes (Member)

If it actually should always be 32 bit in length, I think this should be improved in the documentation.
Currently the documentation says:
The secret should be 32 characters long. Using shorter will lead to weaker security of encrypted cookies, using longer will cause no harm.

I agree it should be re-phrased.

A longer key will not be more secure, because the software will not accept it.

@williamdes williamdes pinned this issue Jun 8, 2022
@ankurk91

ankurk91 commented Jun 26, 2022

I generated a secret using

openssl rand -base64 32
wWzOmmkU3VX5BBaToePoWv55m+g9I6suhnWmbrpXXtw=

I am still getting the error.

PS.
I made it exactly 32 chars long with this command, and it worked:
openssl rand -base64 22

@chrysthianprudencio

I generated a secret using

openssl rand -base64 32
wWzOmmkU3VX5BBaToePoWv55m+g9I6suhnWmbrpXXtw=

I am still getting the error.

PS. I made it exactly 32 chars long with this command, and it worked: openssl rand -base64 22

It worked, thanks bro!!

@weikengchen

I find that a probably better solution is to do something like the following, so it is still a proper 32-byte key.

base64_decode('wWzOmmkU3VX5BBaToePoWv55m+g9I6suhnWmbrpXXtw=')

But I think it should be more user-friendly.

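An added check, written for this thread in Python rather than PHP and not phpMyAdmin's own code, that shows why the secrets above pass or fail: it measures a secret in bytes, as the 32-byte sodium_crypto_secretbox key requirement quoted by @williamdes does, shows that the 44-character output of `openssl rand -base64 32` pasted by @ankurk91 only becomes 32 bytes once base64-decoded as @weikengchen suggests, and generates an ASCII secret that is 32 characters and 32 bytes at once. `SECRETBOX_KEYBYTES` and the function names are this example's own.

```python
import base64
import secrets

# Key length required by sodium_crypto_secretbox (SODIUM_CRYPTO_SECRETBOX_KEYBYTES in PHP).
SECRETBOX_KEYBYTES = 32

# The secret pasted in the thread, produced by `openssl rand -base64 32`.
SAMPLE_FROM_THREAD = "wWzOmmkU3VX5BBaToePoWv55m+g9I6suhnWmbrpXXtw="


def secret_byte_length(secret: str) -> int:
    """Length of the secret in bytes (UTF-8), which is what PHP's strlen() and sodium count.

    A 32-character string is only 32 bytes if every character is ASCII.
    """
    return len(secret.encode("utf-8"))


def is_valid_blowfish_secret(secret: str) -> bool:
    """Mirror the check behind the error in this issue: exactly 32 bytes, no more, no less."""
    return secret_byte_length(secret) == SECRETBOX_KEYBYTES


def decoded_base64_length(encoded: str) -> int:
    """Byte length of a base64 secret after decoding (the approach proposed by @weikengchen)."""
    return len(base64.b64decode(encoded, validate=True))


def encoded_length_for(n_random_bytes: int) -> int:
    """Characters that `openssl rand -base64 N` prints for N random bytes (padding included)."""
    return len(base64.b64encode(secrets.token_bytes(n_random_bytes)))


def generate_ascii_secret() -> str:
    """Generate a secret that is 32 ASCII characters and therefore exactly 32 bytes.

    24 random bytes base64-encode to exactly 32 characters with no '=' padding,
    so every character carries key material (22 bytes also give 32 characters,
    but the last two are '==' padding).
    """
    return base64.b64encode(secrets.token_bytes(24)).decode("ascii")


if __name__ == "__main__":
    print("thread sample:", secret_byte_length(SAMPLE_FROM_THREAD), "bytes as text,",
          decoded_base64_length(SAMPLE_FROM_THREAD), "bytes once decoded")
    print("openssl rand -base64 22 prints", encoded_length_for(22), "characters")
    candidate = generate_ascii_secret()
    print("generated:", candidate, "valid:", is_valid_blowfish_secret(candidate))
```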
MauricioFauth added a commit to phpmyadmin/scripts that referenced this issue Sep 14, 2022
Related to phpmyadmin/phpmyadmin#17369

Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
@MauricioFauth MauricioFauth added the has-pr An issue that has a pull request pending that may fix this issue. The pull request may be incomplete label Sep 14, 2022
@MauricioFauth MauricioFauth self-assigned this Sep 29, 2022
@adityaerlangga

Yaa, in v5.2 it's getting an error.

@williamdes (Member)

Yaa, in v5.2 it's getting an error.

Try the latest 5.2 version in development (phpMyAdmin 5.2+snapshot) ;)

@robetus

robetus commented Nov 20, 2022

I generated a secret using

openssl rand -base64 32
wWzOmmkU3VX5BBaToePoWv55m+g9I6suhnWmbrpXXtw=

I am still getting the error.

PS. I made it exactly 32 chars long with this command, and it worked: openssl rand -base64 22

Thanks for that, worked great!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 21, 2023