1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2009-2011 Ingo Renner <ingo@typo3.org>
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 *
17 * This script is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * This copyright notice MUST APPEAR in all copies of the script!
23 ***************************************************************/
24
25
26 /**
27 * Performs several checks about the system's health
28 *
29 * @author Ingo Renner <ingo@typo3.org>
30 * @package TYPO3
31 * @subpackage reports
32 *
33 * $Id$
34 */
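class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvider {

	/**
	 * Path of the Install Tool enable file, relative to PATH_site.
	 */
	const ENABLE_INSTALL_TOOL_FILE = 'typo3conf/ENABLE_INSTALL_TOOL';

	/**
	 * Lifetime in seconds of a temporary ENABLE_INSTALL_TOOL file (one hour).
	 */
	const ENABLE_INSTALL_TOOL_FILE_TTL = 3600;

	/**
	 * Collects the security related statuses of this installation.
	 *
	 * Note: this first executes a pending admin command (see
	 * executeAdminCommand()), so calling getStatus() is not side-effect free.
	 *
	 * @return array List of tx_reports_reports_status_Status objects, keyed by check name
	 * @see typo3/sysext/reports/interfaces/tx_reports_StatusProvider::getStatus()
	 */
	public function getStatus() {
		$this->executeAdminCommand();

		$statuses = array(
			'adminUserAccount'    => $this->getAdminAccountStatus(),
			'encryptionKeyEmpty'  => $this->getEncryptionKeyStatus(),
			'fileDenyPattern'     => $this->getFileDenyPatternStatus(),
			'htaccessUpload'      => $this->getHtaccessUploadStatus(),
			'installToolEnabled'  => $this->getInstallToolProtectionStatus(),
			'installToolPassword' => $this->getInstallToolPasswordStatus(),
		);

		return $statuses;
	}

	/**
	 * Checks whether a backend user account named "admin" with the default
	 * password still exists.
	 *
	 * The password column is compared against the md5 hash of the default
	 * password ("password"), which is how be_users passwords are stored in
	 * this version. Deleted records are excluded via deleteClause().
	 *
	 * @return tx_reports_reports_status_Status A status object representing whether a default admin account exists
	 */
	protected function getAdminAccountStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

			// both literals go through fullQuoteStr(), so the where clause is safe even though it is string built
		$whereClause = 'username = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('admin', 'be_users')
			. ' AND password = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('5f4dcc3b5aa765d61d8327deb882cf99', 'be_users')
			. t3lib_BEfunc::deleteClause('be_users');
		$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
			'uid, username, password',
			'be_users',
			$whereClause
		);

		$row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
		if (is_array($row)) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

				// uid is an integer column; the cast keeps anything unexpected out of the generated URL
			$editUserAccountUrl = 'alt_doc.php?returnUrl=mod.php?M=tools_txreportsM1&edit[be_users][' . intval($row['uid']) . ']=edit';
			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.backend_admin'),
				'<a href="' . $editUserAccountUrl . '">',
				'</a>'
			);
		}
		$GLOBALS['TYPO3_DB']->sql_free_result($res);

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_adminUserAccount'), $value, $message, $severity
		);
	}

	/**
	 * Checks whether the encryption key is empty.
	 *
	 * empty() is intended here: an unset, empty or "0" key all count as
	 * not configured.
	 *
	 * @return tx_reports_reports_status_Status A status object representing whether the encryption key is empty or not
	 */
	protected function getEncryptionKeyStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

				// deep link into the Install Tool's configuration section
			$url = 'install/index.php?redirect_url=index.php'
				. urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_encryption'),
				'<a href="' . $url . '">',
				'</a>'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_encryptionKey'), $value, $message, $severity
		);
	}

	/**
	 * Checks if fileDenyPattern was changed from its default, which is
	 * dangerous on Apache (executable or .htaccess files may become uploadable).
	 *
	 * The message shows the default pattern so the administrator can
	 * compare; the pattern is passed through htmlspecialchars() because it
	 * is rendered inside a <pre> element.
	 *
	 * @return tx_reports_reports_status_Status A status object representing whether the file deny pattern has changed
	 */
	protected function getFileDenyPatternStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

			// strict comparison: the default is a non-numeric regex string, so anything else counts as changed
		if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== FILE_DENY_PATTERN_DEFAULT) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern'),
				'<br /><pre>'
					. htmlspecialchars(FILE_DENY_PATTERN_DEFAULT)
					. '</pre><br />'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_fileDenyPattern'), $value, $message, $severity
		);
	}

	/**
	 * Checks if fileDenyPattern allows uploading .htaccess files, which is
	 * dangerous on Apache.
	 *
	 * Only a changed pattern is tested; the default pattern is assumed to
	 * already reject .htaccess.
	 *
	 * @return tx_reports_reports_status_Status A status object representing whether it's possible to upload .htaccess files
	 */
	protected function getHtaccessUploadStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		$patternChanged = $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== FILE_DENY_PATTERN_DEFAULT;
			// verifyFilenameAgainstDenyPattern() returns TRUE when the name is allowed, i.e. NOT denied
		if ($patternChanged && t3lib_div::verifyFilenameAgainstDenyPattern('.htaccess')) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;
			$message  = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_htaccess');
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_htaccessUploadProtection'), $value, $message, $severity
		);
	}

	/**
	 * Checks whether memcached is configured; if that's the case we assume it's also used.
	 *
	 * NOTE(review): getConfiguredMemcachedServers() is not defined in this
	 * class, and this method is not called from within it. Calling it fails
	 * unless a subclass or XCLASS provides that helper — confirm before use.
	 *
	 * @return boolean TRUE if memcached is used, FALSE otherwise.
	 */
	protected function isMemcachedUsed() {
		$memcachedServers = $this->getConfiguredMemcachedServers();

		return is_array($memcachedServers) && count($memcachedServers) > 0;
	}

	/**
	 * Executes commands like removing the Install Tool enable file.
	 *
	 * The command is taken from a plain GET parameter with no token check,
	 * so access control is relied upon from the surrounding reports module.
	 * The only supported command removes the enable file, i.e. an unwanted
	 * trigger disables the Install Tool rather than exposing it.
	 *
	 * @return void
	 */
	protected function executeAdminCommand() {
		$command = t3lib_div::_GET('adminCmd');

		switch ($command) {
			case 'remove_ENABLE_INSTALL_TOOL':
				$enableInstallToolFile = $this->getEnableInstallToolFilePath();
					// only attempt the removal when the file is there, otherwise unlink() raises a warning
				if (is_file($enableInstallToolFile)) {
					unlink($enableInstallToolFile);
				}
				break;
		}
	}

	/**
	 * Checks whether the Install Tool password is still set to its default
	 * value ("joh316").
	 *
	 * installToolPassword is stored as an md5 hex string, so a strict string
	 * comparison against md5() of the default is sufficient here.
	 *
	 * @return tx_reports_reports_status_Status A status object representing the security of the install tool password
	 */
	protected function getInstallToolPasswordStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if ($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] === md5('joh316')) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

				// the password is changed in the Install Tool's "about" section
			$changeInstallToolPasswordUrl = 'install/index.php?redirect_url=index.php'
				. urlencode('?TYPO3_INSTALL[type]=about');

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_password'),
				'<a href="' . $changeInstallToolPasswordUrl . '">',
				'</a>'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_installToolPassword'), $value, $message, $severity
		);
	}

	/**
	 * Checks for the existence of the ENABLE_INSTALL_TOOL file.
	 *
	 * A file containing "KEEP_FILE" enables the Install Tool permanently
	 * (WARNING); any other content enables it for one hour after the file's
	 * modification time (NOTICE). An expired file is removed on the spot.
	 *
	 * @return tx_reports_reports_status_Status A status object representing whether ENABLE_INSTALL_TOOL exists
	 */
	protected function getInstallToolProtectionStatus() {
		$enableInstallToolFile = $this->getEnableInstallToolFilePath();
		$value    = $GLOBALS['LANG']->getLL('status_disabled');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if (is_file($enableInstallToolFile)) {
			$disableInstallToolCommand = ' <a href="' . $this->getDisableInstallToolUrl() . '">'
				. $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled_cmd')
				. '</a>';
			$fileLabel = '<span style="white-space: nowrap;">' . $enableInstallToolFile . '</span>';

				// file_get_contents() returns FALSE on failure; the cast turns that into '' (not KEEP_FILE)
			if (trim((string) file_get_contents($enableInstallToolFile)) === 'KEEP_FILE') {
				$severity = tx_reports_reports_status_Status::WARNING;
				$value    = $GLOBALS['LANG']->getLL('status_enabledPermanently');
				$message  = sprintf(
					$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled'),
					$fileLabel
				);
				$message .= $disableInstallToolCommand;
			} else {
				$enableInstallToolFileTtl = filemtime($enableInstallToolFile) + self::ENABLE_INSTALL_TOOL_FILE_TTL - time();

				if ($enableInstallToolFileTtl <= 0) {
						// expired: drop the file, the Install Tool counts as disabled
					unlink($enableInstallToolFile);
				} else {
					$severity = tx_reports_reports_status_Status::NOTICE;
					$value    = $GLOBALS['LANG']->getLL('status_enabledTemporarily');
					$message  = sprintf(
						$GLOBALS['LANG']->getLL('status_installEnabledTemporarily'),
						$fileLabel,
						floor($enableInstallToolFileTtl / 60)
					);
					$message .= $disableInstallToolCommand;
				}
			}
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_installTool'), $value, $message, $severity
		);
	}

	/**
	 * Returns the absolute path of the Install Tool enable file.
	 *
	 * @return string Absolute path to typo3conf/ENABLE_INSTALL_TOOL
	 */
	protected function getEnableInstallToolFilePath() {
		return PATH_site . self::ENABLE_INSTALL_TOOL_FILE;
	}

	/**
	 * Builds the URL that triggers removal of the enable file on the next
	 * request to this report (see executeAdminCommand()).
	 *
	 * Appends with "&amp;", so it presumes the current request URL already
	 * carries a query string, as backend module URLs do — verify if reused.
	 *
	 * @return string URL of the current request plus the adminCmd parameter
	 */
	protected function getDisableInstallToolUrl() {
		return t3lib_div::getIndpEnv('TYPO3_REQUEST_URL')
			. '&amp;adminCmd=remove_ENABLE_INSTALL_TOOL';
	}

}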
302
303
304 if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php'])) {
305 include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php']);
306 }
307
308 ?>