From: William Desportes <williamdes@wdes.fr>
Date: Sun, 22 Mar 2020 17:46:13 +0100
Subject: Implement signSqlQuery and checkSqlQuerySignature for PMASA-2020-4

Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/

I imported both functions and kept the diff minimal

Author: William Desportes <williamdes@wdes.fr>

Origin: https://github.com/phpmyadmin/phpmyadmin/commit/4bf8bfcaa16dd90d7b36c2c3f5e2d36c7b249bd2
Origin: https://github.com/phpmyadmin/phpmyadmin/pull/15325
Origin: https://github.com/phpmyadmin/phpmyadmin/commit/80a7f0a75c72ec2b92216647ac66890ff58002f8
Origin: https://github.com/phpmyadmin/phpmyadmin/commit/0da6ad6ff47eef5449a25eea7cc09a14bd3dfce5
---
 libraries/Util.php | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/libraries/Util.php b/libraries/Util.php
index 9b6eba4..b0ae104 100644
--- a/libraries/Util.php
+++ b/libraries/Util.php
@@ -4980,5 +4980,35 @@ class Util
         }
         return trim((string)$value);
     }
+
+    /**
+     * Sign the sql query using hmac using the session token
+     *
+     * @param string $sqlQuery The sql query
+     * @return void
+     */
+    public static function signSqlQuery($sqlQuery)
+    {
+        /** @var array $cfg */
+        global $cfg;
+        $secret = isset($_SESSION[' HMAC_secret ']) ? $_SESSION[' HMAC_secret '] : '';
+        return hash_hmac('sha256', $sqlQuery, $secret . $cfg['blowfish_secret']);
+    }
+
+    /**
+     * Check that the sql query has a valid hmac signature
+     *
+     * @param string $sqlQuery The sql query
+     * @return void
+     */
+    public static function checkSqlQuerySignature($sqlQuery, $signature)
+    {
+        /** @var array $cfg */
+        global $cfg;
+        $secret = isset($_SESSION[' HMAC_secret ']) ? $_SESSION[' HMAC_secret '] : '';
+        $hmac = hash_hmac('sha256', $sqlQuery, $secret . $cfg['blowfish_secret']);
+        return hash_equals($hmac, $signature);
+    }
+
 }
 
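Review bot: Both new functions fall back to an empty string when `$_SESSION[' HMAC_secret ']` is unset, so the HMAC key silently degrades to `$cfg['blowfish_secret']` alone, and this patch does not check that value for being non-empty; a signature made with a weak or empty key would not protect the query it covers. Nothing in this one-file patch sets the session secret, so confirm that another patch in the backport initialises it at session start. In `checkSqlQuerySignature` I would fail closed before computing the HMAC, which also keeps a non-string `$signature` (presumably taken from the request) away from `hash_equals()`: `if (empty($_SESSION[' HMAC_secret ']) || ! is_string($signature)) { return false; }`. The docblocks should also read `@return string` and `@return bool` instead of `@return void`, and the second one is missing `@param string $signature`.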
