phpmyadmin
diff --git a/‎ChangeLog‎
Lines changed: 2 additions & 0 deletions b/‎ChangeLog‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎config.sample.inc.php‎
Lines changed: 2 additions & 2 deletions b/‎config.sample.inc.php‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎doc/config.rst‎
Lines changed: 40 additions & 8 deletions b/‎doc/config.rst‎
Lines changed: 40 additions & 8 deletions
diff --git a/‎doc/faq.rst‎
Lines changed: 31 additions & 0 deletions b/‎doc/faq.rst‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎doc/glossary.rst‎
Lines changed: 5 additions & 0 deletions b/‎doc/glossary.rst‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎doc/setup.rst‎
Lines changed: 2 additions & 2 deletions b/‎doc/setup.rst‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎libraries/classes/Charsets/Collation.php‎
Lines changed: 1 addition & 0 deletions b/‎libraries/classes/Charsets/Collation.php‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎libraries/classes/Config/ServerConfigChecks.php‎
Lines changed: 20 additions & 51 deletions b/‎libraries/classes/Config/ServerConfigChecks.php‎
Lines changed: 20 additions & 51 deletions
diff --git a/‎libraries/classes/Config/Settings.php‎
Lines changed: 3 additions & 4 deletions b/‎libraries/classes/Config/Settings.php‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎libraries/classes/Controllers/HomeController.php‎
Lines changed: 9 additions & 5 deletions b/‎libraries/classes/Controllers/HomeController.php‎
Lines changed: 9 additions & 5 deletions
@@ -36,6 +36,8 @@ phpMyAdmin - ChangeLog
 - issue        Fix PHP warning on GIS visualization when there is only one GIS column
 - issue #17728 Some select HTML tags will now have the correct UI style
 - issue #17734 PHP deprecations will only be shown when in a development environment
+- issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long
+- issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page
 
 5.2.0 (2022-05-10)
 - issue #16521 Upgrade Bootstrap to version 5
 
@@ -10,8 +10,8 @@
 declare(strict_types=1);
 
 /**
- * This is needed for cookie based authentication to encrypt password in
- * cookie. Needs to be 32 chars long.
+ * This is needed for cookie based authentication to encrypt the cookie.
+ * Needs to be a 32-bytes long string of random bytes. See FAQ 2.10.
  */
 $cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
 
 
@@ -1888,6 +1888,8 @@ Generic settings
     A secret key used to encrypt/decrypt the URL query string.
     Should be 32 bytes long.
 
+    .. seealso:: :ref:`faq2_10`
+
 Cookie authentication options
 -----------------------------
 
@@ -1896,25 +1898,55 @@ Cookie authentication options
     :type: string
     :default: ``''``
 
-    The "cookie" auth\_type uses AES algorithm to encrypt the password. If you
-    are using the "cookie" auth\_type, enter here a random passphrase of your
-    choice. It will be used internally by the AES algorithm: you won’t be
-    prompted for this passphrase.
+    The "cookie" auth\_type uses the :term:`Sodium` extension to encrypt the cookies (see :term:`Cookie`). If you are
+    using the "cookie" auth\_type, enter here a generated string of random bytes to be used as an encryption key. It
+    will be used internally by the :term:`Sodium` extension: you won't be prompted for this encryption key.
+
+    Since a binary string is usually not printable, it can be converted into a hexadecimal representation (using a
+    function like `sodium_bin2hex <https://www.php.net/sodium_bin2hex>`_) and then used in the configuration file. For
+    example:
+
+    .. code-block:: php
+
+        // The string is a hexadecimal representation of a 32-bytes long string of random bytes.
+        $cfg['blowfish_secret'] = sodium_hex2bin('f16ce59f45714194371b48fe362072dc3b019da7861558cd4ad29e4d6fb13851');
+
+    Using a binary string is recommended. However, if all 32 bytes of the string are visible
+    characters, then a function like `sodium_bin2hex <https://www.php.net/sodium_bin2hex>`_ is not required. For
+    example:
+
+    .. code-block:: php
 
-    The secret should be 32 characters long. Using shorter will lead to weaker security
-    of encrypted cookies, using longer will cause no harm.
+        // A string of 32 characters.
+        $cfg['blowfish_secret'] = 'JOFw435365IScA&Q!cDugr!lSfuAz*OW';
+
+    .. warning::
+
+        The encryption key must be 32 bytes long. If it is longer than the length of bytes, only the first 32 bytes will
+        be used, and if it is shorter, a new temporary key will be automatically generated for you. However, this
+        temporary key will only last for the duration of the session.
 
     .. note::
 
         The configuration is called blowfish_secret for historical reasons as
         Blowfish algorithm was originally used to do the encryption.
 
     .. versionchanged:: 3.1.0
+
         Since version 3.1.0 phpMyAdmin can generate this on the fly, but it
         makes a bit weaker security as this generated secret is stored in
         session and furthermore it makes impossible to recall user name from
         cookie.
 
+    .. versionchanged:: 5.2.0
+
+        Since version 5.2.0, phpMyAdmin uses the
+        `sodium\_crypto\_secretbox <https://www.php.net/sodium_crypto_secretbox>`_ and
+        `sodium\_crypto\_secretbox\_open <https://www.php.net/sodium_crypto_secretbox_open>`_ PHP functions to encrypt
+        and decrypt cookies, respectively.
+
+    .. seealso:: :ref:`faq2_10`
+
 .. config:option:: $cfg['CookieSameSite']
 
     :type: string
@@ -3809,8 +3841,8 @@ following example shows two of them:
 .. code-block:: php
 
     <?php
-    $cfg['blowfish_secret'] = 'multiServerExample70518';
-    // any string of your choice
+    // The string is a hexadecimal representation of a 32-bytes long string of random bytes.
+    $cfg['blowfish_secret'] = sodium_hex2bin('f16ce59f45714194371b48fe362072dc3b019da7861558cd4ad29e4d6fb13851');
     $i = 0;
 
     $i++; // server 1 :
 
@@ -867,6 +867,37 @@ If using PHP 5.4.0 or higher, you must set
 starting from phpMyAdmin version 4.0.4, session-based upload progress has
 been temporarily deactivated due to its problematic behavior.
 
+.. _faq2_10:
+
+2.10 How to generate a string of random bytes
+---------------------------------------------
+
+One way to generate a string of random bytes suitable for cryptographic use is using the
+`random_bytes <https://www.php.net/random_bytes>`_ :term:`PHP` function. Since this function returns a binary string,
+the returned value should be converted to printable format before being able to copy it.
+
+For example, the :config:option:`$cfg['blowfish_secret']` configuration directive requires a 32-bytes long string. The
+following command can be used to generate a hexadecimal representation of this string.
+
+.. code-block:: sh
+
+    php -r 'echo bin2hex(random_bytes(32)) . PHP_EOL;'
+
+The above example will output something similar to:
+
+.. code-block:: sh
+
+    f16ce59f45714194371b48fe362072dc3b019da7861558cd4ad29e4d6fb13851
+
+And then this hexadecimal value can be used in the configuration file.
+
+.. code-block:: php
+
+    $cfg['blowfish_secret'] = sodium_hex2bin('f16ce59f45714194371b48fe362072dc3b019da7861558cd4ad29e4d6fb13851');
+
+The `sodium_hex2bin <https://www.php.net/sodium_hex2bin>`_ is used here to convert the hexadecimal value back to the
+binary format.
+
 .. _faqlimitations:
 
 Known limitations
 
@@ -335,6 +335,11 @@ From Wikipedia, the free encyclopedia
 
       .. seealso:: <https://en.wikipedia.org/wiki/Server_(computing)>
 
+    Sodium
+      The Sodium PHP extension.
+
+      .. seealso:: `PHP manual for Sodium extension <https://www.php.net/manual/en/book.sodium.php>`_
+
     Storage Engines
       MySQL can use several different formats for storing data on disk, these
       are called storage engines or table types. phpMyAdmin allows a user to
 
@@ -587,8 +587,8 @@ simple configuration may look like this:
 .. code-block:: xml+php
 
     <?php
-    // use here a value of your choice at least 32 chars long
-    $cfg['blowfish_secret'] = '1{dd0`<Q),5XP_:R9UK%%8\"EEcyH#{o';
+    // The string is a hexadecimal representation of a 32-bytes long string of random bytes.
+    $cfg['blowfish_secret'] = sodium_hex2bin('f16ce59f45714194371b48fe362072dc3b019da7861558cd4ad29e4d6fb13851');
 
     $i=0;
     $i++;
 
@@ -344,6 +344,7 @@ private function getNameForLevel0(
             // Fall through to other unicode
             case 'ucs2':
             case 'utf8':
+            case 'utf8mb3':
             case 'utf16':
             case 'utf16le':
             case 'utf16be':
 
@@ -11,17 +11,17 @@
 use PhpMyAdmin\Sanitize;
 use PhpMyAdmin\Setup\Index as SetupIndex;
 use PhpMyAdmin\Url;
-use PhpMyAdmin\Util;
 
 use function __;
-use function count;
 use function function_exists;
 use function htmlspecialchars;
-use function implode;
 use function ini_get;
-use function preg_match;
+use function is_string;
+use function mb_strlen;
+use function sodium_crypto_secretbox_keygen;
 use function sprintf;
-use function strlen;
+
+use const SODIUM_CRYPTO_SECRETBOX_KEYBYTES;
 
 /**
  * Performs various compatibility, security and consistency checks on current config
@@ -247,9 +247,12 @@ protected function performConfigChecksServersSetBlowfishSecret(
         $cookieAuthServer,
         $blowfishSecretSet
     ): array {
-        if ($cookieAuthServer && $blowfishSecret === null) {
+        if (
+            $cookieAuthServer
+            && (! is_string($blowfishSecret) || mb_strlen($blowfishSecret, '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES)
+        ) {
             $blowfishSecretSet = true;
-            $this->cfg->set('blowfish_secret', Util::generateRandom(32));
+            $this->cfg->set('blowfish_secret', sodium_crypto_secretbox_keygen());
         }
 
         return [
@@ -345,55 +348,21 @@ protected function performConfigChecksCookieAuthUsed(
     ): void {
         // $cfg['blowfish_secret']
         // it's required for 'cookie' authentication
-        if (! $cookieAuthUsed) {
-            return;
-        }
-
-        if ($blowfishSecretSet) {
-            // 'cookie' auth used, blowfish_secret was generated
-            SetupIndex::messagesSet(
-                'notice',
-                'blowfish_secret_created',
-                Descriptions::get('blowfish_secret'),
-                Sanitize::sanitizeMessage(__(
-                    'You didn\'t have blowfish secret set and have enabled '
-                    . '[kbd]cookie[/kbd] authentication, so a key was automatically '
-                    . 'generated for you. It is used to encrypt cookies; you don\'t need to '
-                    . 'remember it.'
-                ))
-            );
-
-            return;
-        }
-
-        $blowfishWarnings = [];
-        // check length
-        if (strlen($blowfishSecret) < 32) {
-            // too short key
-            $blowfishWarnings[] = __('Key is too short, it should have at least 32 characters.');
-        }
-
-        // check used characters
-        $hasDigits = (bool) preg_match('/\d/', $blowfishSecret);
-        $hasChars = (bool) preg_match('/\S/', $blowfishSecret);
-        $hasNonword = (bool) preg_match('/\W/', $blowfishSecret);
-        if (! $hasDigits || ! $hasChars || ! $hasNonword) {
-            $blowfishWarnings[] = Sanitize::sanitizeMessage(
-                __(
-                    'Key should contain letters, numbers [em]and[/em] special characters.'
-                )
-            );
-        }
-
-        if (empty($blowfishWarnings)) {
+        if (! $cookieAuthUsed || ! $blowfishSecretSet) {
             return;
         }
 
+        // 'cookie' auth used, blowfish_secret was generated
         SetupIndex::messagesSet(
-            'error',
-            'blowfish_warnings' . count($blowfishWarnings),
+            'notice',
+            'blowfish_secret_created',
             Descriptions::get('blowfish_secret'),
-            implode('<br>', $blowfishWarnings)
+            Sanitize::sanitizeMessage(__(
+                'You didn\'t have blowfish secret set and have enabled '
+                . '[kbd]cookie[/kbd] authentication, so a key was automatically '
+                . 'generated for you. It is used to encrypt cookies; you don\'t need to '
+                . 'remember it.'
+            ))
         );
     }
 
 
@@ -118,10 +118,9 @@ final class Settings
     public $AllowThirdPartyFraming;
 
     /**
-     * The 'cookie' auth_type uses AES algorithm to encrypt the password. If
-     * at least one server configuration uses 'cookie' auth_type, enter here a
-     * pass phrase that will be used by AES. The maximum length seems to be 46
-     * characters.
+     * The 'cookie' auth_type uses the Sodium extension to encrypt the cookies. If at least one server configuration
+     * uses 'cookie' auth_type, enter here a generated string of random bytes to be used as an encryption key. The
+     * encryption key must be 32 bytes long.
      *
      * @var string
      */
 
@@ -318,19 +318,23 @@ private function checkRequirements(): void
          * Check if user does not have defined blowfish secret and it is being used.
          */
         if (! empty($_SESSION['encryption_key'])) {
-            if (empty($GLOBALS['cfg']['blowfish_secret'])) {
+            $encryptionKeyLength = mb_strlen($GLOBALS['cfg']['blowfish_secret'], '8bit');
+            if ($encryptionKeyLength < SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
                 $this->errors[] = [
                     'message' => __(
-                        'The configuration file now needs a secret passphrase (blowfish_secret).'
+                        'The configuration file needs a valid key for cookie encryption.'
+                        . ' A temporary key was automatically generated for you.'
+                        . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].'
                     ),
                     'severity' => 'warning',
                 ];
-            } elseif (mb_strlen($GLOBALS['cfg']['blowfish_secret'], '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
+            } elseif ($encryptionKeyLength > SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
                 $this->errors[] = [
                     'message' => sprintf(
                         __(
-                            'The secret passphrase in configuration (blowfish_secret) is not the correct length.'
-                            . ' It should be %d bytes long.'
+                            'The cookie encryption key in the configuration file is longer than necessary.'
+                            . ' It should only be %d bytes long.'
+                            . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].'
                         ),
                         SODIUM_CRYPTO_SECRETBOX_KEYBYTES
                     ),