[SECURITY][TASK] Blind more options in the configuration module 07/44807/5
authorGeorg Ringer <georg.ringer@gmail.com>
Thu, 19 Nov 2015 20:18:34 +0000 (21:18 +0100)
committerGeorg Ringer <georg.ringer@gmail.com>
Fri, 20 Nov 2015 08:56:47 +0000 (09:56 +0100)
The database credentials should not be shown in the configuration module.

Change-Id: I6037f343d9e6932e1293e463fe513e793e948762
Resolves: #71706
Resolves: #68905
Releases: master, 6.2
Reviewed-on: https://review.typo3.org/44807
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Martin Kutschker <martin.kutschker@ymail.com>
Tested-by: Martin Kutschker <martin.kutschker@ymail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
typo3/sysext/lowlevel/Classes/View/ConfigurationView.php

index 64c6bc8..b158a23 100644 (file)
@@ -50,6 +50,27 @@ class ConfigurationView extends BaseScriptClass
     protected $moduleTemplate;
 
     /**
+     * Blind configurations which should not be visible
+     *
+     * @var array
+     */
+    protected $blindedConfigurationOptions = [
+        'TYPO3_CONF_VARS' => [
+            'DB' => [
+                'database' => '******',
+                'host' => '******',
+                'password' => '******',
+                'port' => '******',
+                'socket' => '******',
+                'username' => '******'
+            ],
+            'SYS' => [
+                'encryptionKey' => '******'
+            ]
+        ]
+    ];
+
+    /**
      * Constructor
      */
     public function __construct()
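Review bot: The blind list in `$blindedConfigurationOptions` covers `DB` and `SYS/encryptionKey` but leaves out other credential-type entries of `TYPO3_CONF_VARS`, such as `BE/installToolPassword` and `MAIL/transport_smtp_password`, which the module would still show as stored. I would add them in the same array, e.g. `'BE' => ['installToolPassword' => '******'],` and `'MAIL' => ['transport_smtp_password' => '******'],`. Because the list is a fixed protected property, secrets held in extension configuration cannot be blinded without patching this class, so a way to extend the list from outside is worth considering. The docblock could also say that the top-level key is the browsed variable name without the leading `$` and that the nested structure mirrors the array being displayed.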
@@ -175,7 +196,7 @@ class ConfigurationView extends BaseScriptClass
         // Update node:
         $update = 0;
         $node = GeneralUtility::_GET('node');
-        // If any plus-signs were clicked, it's registred.
+        // If any plus-signs were clicked, it's registered.
         if (is_array($node)) {
             $this->MOD_SETTINGS['node_' . $this->MOD_SETTINGS['function']] = $arrayBrowser->depthKeys($node, $this->MOD_SETTINGS['node_' . $this->MOD_SETTINGS['function']]);
             $update = 1;
@@ -193,9 +214,11 @@ class ConfigurationView extends BaseScriptClass
         if (GeneralUtility::_POST('search') && trim($search_field)) {
             $arrayBrowser->depthKeys = $arrayBrowser->getSearchKeys($theVar, '', $search_field, array());
         }
-        // mask the encryption key to not show it as plaintext in the configuration module
-        if ($theVar == $GLOBALS['TYPO3_CONF_VARS']) {
-            $theVar['SYS']['encryptionKey'] = '***** (length: ' . strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) . ' characters)';
+
+        // mask sensitive information
+        $varName = trim($arrayBrowser->varName, '$');
+        if (isset($this->blindedConfigurationOptions[$varName])) {
+            ArrayUtility::mergeRecursiveWithOverrule($theVar, $this->blindedConfigurationOptions[$varName]);
         }
         $tree = $arrayBrowser->tree($theVar, '', '');
         $this->view->assign('tree', $tree);
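Review bot: The blinding block runs after the `getSearchKeys($theVar, '', $search_field, array())` call at the top of this hunk, so the search still operates on the unmasked array. If `getSearchKeys` matches values as well as keys (its body is not visible here), the set of expanded nodes shows whether a search term occurs in a blinded setting. Moving the `$varName = trim(...)` / `mergeRecursiveWithOverrule(...)` block above the `if (GeneralUtility::_POST('search') && trim($search_field))` check would make both search and tree rendering see only the masked values. Separately, `mergeRecursiveWithOverrule` adds overrule keys by default, so options that are not set (for instance `socket`) will appear in the tree as `******`; passing `false` as the third argument, `ArrayUtility::mergeRecursiveWithOverrule($theVar, $this->blindedConfigurationOptions[$varName], false);`, limits the masking to keys that exist. The enclosing method starts and ends outside the hunk.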