[TASK] Reports module uses internal data of salted passwords
authorDmitry Dulepov <dmitry@typo3.org>
Mon, 28 Nov 2011 12:12:39 +0000 (14:12 +0200)
committerSteffen Ritter <info@rs-websystems.de>
Fri, 16 Dec 2011 13:00:43 +0000 (14:00 +0100)
Reports module changes from issue #30695 introduced a check
for the saltedpasswords extension and a report about users
whose passwords are not protected by saltedpasswords.
That check queries the database directly and uses internal
knowledge of saltedpasswords about marking the password
with certain characters. This can break the reports module
if saltedpasswords adds a new scheme to salt passwords.
Only saltedpasswords should know about those prefixes.
Other extensions should use the API of saltedpasswords
to query the information.

Change-Id: Iec27610c2227ed15537f37b53e1b26443b5a276f
Resolves: #32136
Releases: 4.7, 4.6, 4.5
Reviewed-on: http://review.typo3.org/6953
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
typo3/sysext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php
typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php

index 2a04ed4..dcf77ce 100644 (file)
@@ -286,12 +286,7 @@ class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvi
                                $message .= $flashMessage;
                        }
 
-                       $unsecureUserCount = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
-                               '*',
-                               'be_users',
-                               'password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('$%', 'be_users')
-                                       . ' AND password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('M$%', 'be_users')
-                       );
+                       $unsecureUserCount = tx_saltedpasswords_div::getNumberOfBackendUsersWithInsecurePassword();
                        if ($unsecureUserCount > 0) {
                                $value    = $GLOBALS['LANG']->getLL('status_insecure');
                                $severity = tx_reports_reports_status_Status::ERROR;
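Review bot: The `$unsecureUserCount > 0` test treats a failed lookup as a clean result. The new helper returns whatever `exec_SELECTcountRows()` gives it, and as far as I know that is `FALSE` when the query fails, so a database error would leave the security report on its non-error branch. Handle that case before the comparison, for example `if ($unsecureUserCount === FALSE) { /* report the status as not determinable */ }`, and change the helper's docblock from `@return int` to one that mentions the failure value. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here that saltedpasswords is loaded before this static call.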
index 3ad5fab..e94fd9c 100644 (file)
@@ -46,6 +46,22 @@ class tx_saltedpasswords_div {
                 */
                const EXTKEY = 'saltedpasswords';
 
+               /**
+                * Calculates number of backend users, who have no saltedpasswords
+                * protection.
+                *
+                * @static
+                * @return int
+                */
+               public static function getNumberOfBackendUsersWithInsecurePassword() {
+                       $userCount = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
+                               '*',
+                               'be_users',
+                               'password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('$%', 'be_users')
+                                       . ' AND password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('M$%', 'be_users')
+                       );
+                       return $userCount;
+               }
 
                /**
                 * Returns extension configuration data from $TYPO3_CONF_VARS (configurable in Extension Manager)
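Review bot: The `$%` and `M$%` patterns are still hard-coded literals in the WHERE clause of `getNumberOfBackendUsersWithInsecurePassword()`, so the count recognises only those two markers and a salting scheme added later must be added here by hand. A comment above the query would make that visible, e.g. `// "$..." = salted hash, "M$..." = presumably a salted legacy MD5 hash; extend when a new scheme is registered`. The query also has no `deleted` or `disable` condition, so removed or disabled accounts appear to be counted as well; if that is intended, the docblock should say so. The method is complete within the hunk; the class body continues outside it.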