Follow-up to #12089: Cleanup: unescaped &
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2009 Ingo Renner <ingo@typo3.org>
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 *
17 * This script is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * This copyright notice MUST APPEAR in all copies of the script!
23 ***************************************************************/
24
25
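/**
 * Performs several security-related checks on the installation: a backend
 * "admin" account with the default password, an empty encryption key, a
 * modified file deny pattern, and the state of the Install Tool.
 *
 * @author Ingo Renner <ingo@typo3.org>
 * @package TYPO3
 * @subpackage reports
 */
class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvider {

	/**
	 * Collects the security status reports. Pending admin commands are
	 * executed first so that the reported state already reflects them.
	 *
	 * @return array tx_reports_reports_status_Status objects keyed by check name
	 * @see typo3/sysext/reports/interfaces/tx_reports_StatusProvider::getStatus()
	 */
	public function getStatus() {
		$this->executeAdminCommand();

		return array(
			'adminUserAccount'    => $this->getAdminAccountStatus(),
			'encryptionKeyEmpty'  => $this->getEncryptionKeyStatus(),
			'fileDenyPattern'     => $this->getFileDenyPatternStatus(),
			'htaccessUpload'      => $this->getHtaccessUploadStatus(),
			'installToolEnabled'  => $this->getInstallToolProtectionStatus(),
			'installToolPassword' => $this->getInstallToolPasswordStatus(),
		);
	}

	/**
	 * Checks whether a backend user account named "admin" still uses the
	 * default password "password" (compared against its MD5 hash, which is
	 * how be_users.password is stored here).
	 *
	 * @return tx_reports_reports_status_Status Status object representing whether a default admin account exists
	 */
	protected function getAdminAccountStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

			// both values are quoted by the DB layer; deleteClause() skips deleted records
		$whereClause = 'username = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('admin', 'be_users')
			. ' AND password = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr(md5('password'), 'be_users')
			. t3lib_BEfunc::deleteClause('be_users');
		$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid', 'be_users', $whereClause);

		$row = $res ? $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res) : false;
		if ($row) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

				// uid is cast to int and the URL escaped for the attribute context
				// (the "&" separating the query parameters must become "&amp;")
			$editUserAccountUrl = 'alt_doc.php?returnUrl=index.php&edit[be_users][' . (int) $row['uid'] . ']=edit';
			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.backend_admin'),
				'<a href="' . htmlspecialchars($editUserAccountUrl) . '">',
				'</a>'
			);
		}
		if ($res) {
			$GLOBALS['TYPO3_DB']->sql_free_result($res);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			'Admin User Account', $value, $message, $severity
		);
	}

	/**
	 * Checks whether the encryption key is empty.
	 *
	 * @return tx_reports_reports_status_Status Status object representing whether the encryption key is empty or not
	 */
	protected function getEncryptionKeyStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

			$url = $this->getInstallToolUrl('config#set_encryptionKey');

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_encryption'),
				'<a href="' . htmlspecialchars($url) . '">',
				'</a>'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			'Encryption Key', $value, $message, $severity
		);
	}

	/**
	 * Checks whether fileDenyPattern differs from the shipped default, which
	 * is dangerous on Apache (the pattern is what keeps e.g. .htaccess and
	 * PHP files out of the upload directories).
	 *
	 * @return tx_reports_reports_status_Status Status object representing whether the file deny pattern has changed
	 */
	protected function getFileDenyPatternStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== FILE_DENY_PATTERN_DEFAULT) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

				// the default pattern is shown verbatim; it is a regex, so escape it for HTML
			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern'),
				'<br /><pre>' . htmlspecialchars(FILE_DENY_PATTERN_DEFAULT) . '</pre><br />'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			'File Deny Pattern', $value, $message, $severity
		);
	}

	/**
	 * Checks whether the (modified) fileDenyPattern would let a user upload
	 * .htaccess files, which is dangerous on Apache.
	 *
	 * @return tx_reports_reports_status_Status Status object representing whether it's possible to upload .htaccess files
	 */
	protected function getHtaccessUploadStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

			// only a changed pattern can let ".htaccess" through, so the (cheaper)
			// comparison is evaluated first
		$patternChanged = $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== FILE_DENY_PATTERN_DEFAULT;
		if ($patternChanged && t3lib_div::verifyFilenameAgainstDenyPattern('.htaccess')) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;
			$message  = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_htaccess');
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			'.htaccess Upload Protection', $value, $message, $severity
		);
	}

	/**
	 * Checks whether memcached is configured; if so, it is assumed to be in use.
	 *
	 * NOTE(review): getConfiguredMemcachedServers() is not defined in this
	 * file and this method is not called from here; calling it as-is would
	 * fail unless the helper is provided elsewhere (e.g. via XCLASS).
	 *
	 * @return boolean True if memcached is used, false otherwise.
	 */
	protected function isMemcachedUsed() {
		$memcachedServers = $this->getConfiguredMemcachedServers();

		return count($memcachedServers) > 0;
	}

	/**
	 * Executes admin commands passed in the "adminCmd" GET parameter.
	 * Currently the only command removes the Install Tool enable file.
	 *
	 * This is a state-changing action triggered by a plain GET parameter and
	 * no request token is verified here. Its only effect is to *disable* the
	 * Install Tool, so a forged request can at most re-lock it.
	 *
	 * @return void
	 */
	protected function executeAdminCommand() {
		$command = t3lib_div::_GET('adminCmd');

		switch ($command) {
			case 'remove_ENABLE_INSTALL_TOOL':
				$enableInstallToolFile = $this->getEnableInstallToolFilePath();
					// guard avoids a warning when the file is already gone (e.g. on reload)
				if (is_file($enableInstallToolFile)) {
					unlink($enableInstallToolFile);
				}
				break;
		}
	}

	/**
	 * Checks whether the Install Tool password is still the default "joh316"
	 * (stored as its MD5 hash).
	 *
	 * @return tx_reports_reports_status_Status Status object representing the security of the install tool password
	 */
	protected function getInstallToolPasswordStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if ($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] === md5('joh316')) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

			$changeInstallToolPasswordUrl = $this->getInstallToolUrl('about');

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_password'),
				'<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">',
				'</a>'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			'Install Tool Password', $value, $message, $severity
		);
	}

	/**
	 * Checks for the existence of the ENABLE_INSTALL_TOOL file and, if it is
	 * present, offers a link that removes it via executeAdminCommand().
	 *
	 * A file whose content is "KEEP_FILE" is reported exactly like any other
	 * enable file (the previous content check was logically redundant).
	 *
	 * @return tx_reports_reports_status_Status Status object representing whether ENABLE_INSTALL_TOOL exists
	 */
	protected function getInstallToolProtectionStatus() {
		$enableInstallToolFile = $this->getEnableInstallToolFilePath();
		$value    = $GLOBALS['LANG']->getLL('status_disabled');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if (is_file($enableInstallToolFile)) {
			$value    = $GLOBALS['LANG']->getLL('status_enabled');
			$severity = tx_reports_reports_status_Status::WARNING;

				// TYPO3_REQUEST_URL reflects the current request including its query
				// string, so the assembled link is escaped for the attribute context
				// rather than relying on a hand-written "&amp;"
			$requestUrl = t3lib_div::getIndpEnv('TYPO3_REQUEST_URL');
			$separator  = (strpos($requestUrl, '?') === false) ? '?' : '&';
			$disableInstallToolUrl = $requestUrl . $separator . 'adminCmd=remove_ENABLE_INSTALL_TOOL';

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled'),
				'<span style="white-space: nowrap;">' . htmlspecialchars($enableInstallToolFile) . '</span>'
			);
			$message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">'
				. $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled_cmd')
				. '</a>';
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			'Install Tool', $value, $message, $severity
		);
	}

	/**
	 * Returns the absolute path of the Install Tool enable file.
	 *
	 * @return string Absolute path to typo3conf/ENABLE_INSTALL_TOOL
	 */
	protected function getEnableInstallToolFilePath() {
		return PATH_site . 'typo3conf/ENABLE_INSTALL_TOOL';
	}

	/**
	 * Builds a link into the Install Tool that lands on the given section
	 * (e.g. "about" or "config#set_encryptionKey") after the redirect.
	 *
	 * @param string $target Value for TYPO3_INSTALL[type], optionally with a fragment
	 * @return string Relative URL to the Install Tool
	 */
	protected function getInstallToolUrl($target) {
		return 'install/index.php?redirect_url=index.php'
			. urlencode('?TYPO3_INSTALL[type]=' . $target);
	}

}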
269
270
271 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/reports/reports/status/class.tx_reports_reports_status_systemstatus.php']) {
272 include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/reports/reports/status/class.tx_reports_reports_status_systemstatus.php']);
273 }
274
275 ?>