[TASK] Reports module uses internal data of salted passwords
authorDmitry Dulepov <dmitry@typo3.org>
Mon, 28 Nov 2011 12:12:39 +0000 (14:12 +0200)
committerDmitry Dulepov <dmitry@typo3.org>
Mon, 6 Feb 2012 12:36:28 +0000 (13:36 +0100)
Reports module changes from issue #30695 introduced a check
for the saltedpasswords extension and a report about users
whose passwords are not protected by saltedpasswords.
That check queries the database directly and uses internal
knowledge of saltedpasswords about marking the password
with certain characters. This can break the reports module
if saltedpasswords adds a new scheme to salt passwords.
Only saltedpasswords should know about those prefixes.
Other extensions should use the API of saltedpasswords
to query the information.

Change-Id: Ifd1eefb8e823e17612e72253ad3594c3956099c2
Resolves: #32136
Releases: 4.7, 4.6, 4.5
Reviewed-on: http://review.typo3.org/7407
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Dmitry Dulepov
Tested-by: Dmitry Dulepov
typo3/sysext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php
typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php

index a514acc..29f0045 100644 (file)
@@ -280,12 +280,7 @@ class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvi
                                $messageDetail .= $flashMessage;
                        }
 
-                       $unsecureUserCount = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
-                               '*',
-                               'be_users',
-                               'password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('$%', 'be_users')
-                                       . ' AND password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('M$%', 'be_users')
-                       );
+                       $unsecureUserCount = tx_saltedpasswords_div::getNumberOfBackendUsersWithInsecurePassword();
                        if ($unsecureUserCount > 0) {
                                $value = $GLOBALS['LANG']->getLL('status_insecure');
                                $severity = tx_reports_reports_status_Status::ERROR;
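Review bot: The result of the new call is tested only with `if ($unsecureUserCount > 0)`, which cannot tell a failed count from a genuine zero. As far as I know `exec_SELECTcountRows()` returns FALSE when the query fails, and `getNumberOfBackendUsersWithInsecurePassword()` (added to class.tx_saltedpasswords_div.php in this commit) hands that value through unchanged, so `FALSE > 0` is false and the insecure-password ERROR branch is skipped. A security status check should not read as clean when it could not run: test `$unsecureUserCount === FALSE` first and report a non-OK severity for it, treating only an integer 0 as "no insecure users". The enclosing method starts and ends outside this hunk, so the branch taken for the false case is not visible here.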
@@ -361,4 +356,4 @@ if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLA
        include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php']);
 }
 
-?>
\ No newline at end of file
+?>
index 3ad5fab..e94fd9c 100644 (file)
@@ -46,6 +46,22 @@ class tx_saltedpasswords_div {
                 */
                const EXTKEY = 'saltedpasswords';
 
+               /**
+                * Calculates number of backend users, who have no saltedpasswords
+                * protection.
+                *
+                * @static
+                * @return int
+                */
+               public static function getNumberOfBackendUsersWithInsecurePassword() {
+                       $userCount = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
+                               '*',
+                               'be_users',
+                               'password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('$%', 'be_users')
+                                       . ' AND password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('M$%', 'be_users')
+                       );
+                       return $userCount;
+               }
 
                /**
                 * Returns extension configuration data from $TYPO3_CONF_VARS (configurable in Extension Manager)
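Review bot: The docblock of `getNumberOfBackendUsersWithInsecurePassword()` does not say what "no saltedpasswords protection" means, and the prefixes `$` and `M$` remain hard-coded literals in the WHERE clause, so a new salting scheme still has to be added here by hand. I would put that contract in the comment, e.g. `Counts be_users rows whose password starts with neither '$' nor 'M$'; extend this when a salting scheme with another prefix is added.` The WHERE clause has no condition besides the two prefix tests, so deleted or disabled backend user records appear to be counted as well; a line in the docblock saying whether that is intended would help whoever reads the report. The prefix test shows only that a stored value has a salted form, not which scheme or strength it uses, which is also worth one sentence there.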