[!!!][TASK] Remove lockSSL=3 option 43/43643/5
authorBenjamin Mack <benni@typo3.org>
Wed, 30 Sep 2015 05:48:55 +0000 (07:48 +0200)
committerHelmut Hummel <helmut.hummel@typo3.org>
Mon, 5 Oct 2015 10:29:47 +0000 (12:29 +0200)
The value 3 of the option $TYPO3_CONF_VARS[BE][lockSSL], which forced
SSL only for the login request and then switched back to plain HTTP,
is removed in favor of enforcing SSL for the whole backend session
(lockSSL=1 or lockSSL=2).

Resolves: #70229
Releases: master
Change-Id: Ia5399195836ab93a4eb29b6f27155eb1e9e07672
Reviewed-on: http://review.typo3.org/43643
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/backend/Classes/FrontendBackendUserAuthentication.php
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-70229-BE-lockSSL3OptionRemoved.rst [new file with mode: 0644]

index d7c106c..06ed76d 100755 (executable)
@@ -182,10 +182,8 @@ class FrontendBackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\B
                        }
                }
                // Check SSL (https)
-               if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] && (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] !== 3) {
-                       if (!GeneralUtility::getIndpEnv('TYPO3_SSL')) {
-                               return FALSE;
-                       }
+               if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] && !GeneralUtility::getIndpEnv('TYPO3_SSL')) {
+                       return FALSE;
                }
                // Finally a check from \TYPO3\CMS\Core\Authentication\BackendUserAuthentication::backendCheckLogin()
                if ($this->isUserAllowedToLogin()) {
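Review bot: The collapsed condition now rejects a backend session on any non-HTTPS frontend request whenever lockSSL is non-zero, including lockSSL=2, where the backend itself would redirect rather than refuse, and the comment above it does not say that this path deliberately denies instead of redirecting; I would change it to `// lockSSL 1 or 2: never honour a BE session over plain HTTP in the frontend; no redirect here, the caller simply gets no BE user`. Whether TYPO3_SSL is reported correctly behind a TLS-terminating proxy depends on GeneralUtility::getIndpEnv and the reverse-proxy configuration, neither of which is visible in this hunk, so sites that used lockSSL=3 precisely because the frontend was served over plain HTTP should verify the frontend admin panel still sees the session after upgrading. The enclosing method starts before and ends after this hunk.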
index 0bab1b5..00705a3 100644 (file)
@@ -756,20 +756,6 @@ abstract class AbstractUserAuthentication {
                        if ($this->writeDevLog && !$activeLogin) {
                                GeneralUtility::devLog('User ' . $tempuser[$this->username_column] . ' authenticated from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')', \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication::class, -1);
                        }
-                       if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] === 3 && $this->user_table === 'be_users') {
-                               $requestStr = substr(GeneralUtility::getIndpEnv('TYPO3_REQUEST_SCRIPT'), strlen(GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir));
-                               $backendScript = \TYPO3\CMS\Backend\Utility\BackendUtility::getBackendScript();
-                               if ($requestStr == $backendScript && GeneralUtility::getIndpEnv('TYPO3_SSL')) {
-                                       list(, $url) = explode('://', GeneralUtility::getIndpEnv('TYPO3_SITE_URL'), 2);
-                                       list($server, $address) = explode('/', $url, 2);
-                                       if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSLPort']) {
-                                               $sslPortSuffix = ':' . (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSLPort'];
-                                               // strip port from server
-                                               $server = str_replace($sslPortSuffix, '', $server);
-                                       }
-                                       \TYPO3\CMS\Core\Utility\HttpUtility::redirect('http://' . $server . '/' . $address . TYPO3_mainDir . $backendScript);
-                               }
-                       }
                } elseif ($activeLogin || !empty($tempuserArr)) {
                        $this->loginFailure = TRUE;
                        if ($this->writeDevLog && empty($tempuserArr) && $activeLogin) {
index 5dd61e4..7ccaf98 100644 (file)
@@ -864,21 +864,13 @@ class Bootstrap {
         */
        public function checkSslBackendAndRedirectIfNeeded() {
                if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL']) {
-                       if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSLPort']) {
-                               $sslPortSuffix = ':' . (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSLPort'];
-                       } else {
-                               $sslPortSuffix = '';
-                       }
-                       if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] === 3) {
-                               $requestStr = substr(GeneralUtility::getIndpEnv('TYPO3_REQUEST_SCRIPT'), strlen(GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir));
-                               if ($requestStr === 'index.php' && !GeneralUtility::getIndpEnv('TYPO3_SSL')) {
-                                       list(, $url) = explode('://', GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL'), 2);
-                                       list($server, $address) = explode('/', $url, 2);
-                                       header('Location: https://' . $server . $sslPortSuffix . '/' . $address);
-                                       die;
-                               }
-                       } elseif (!GeneralUtility::getIndpEnv('TYPO3_SSL')) {
+                       if (!GeneralUtility::getIndpEnv('TYPO3_SSL')) {
                                if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] === 2) {
+                                       if ((int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSLPort']) {
+                                               $sslPortSuffix = ':' . (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSLPort'];
+                                       } else {
+                                               $sslPortSuffix = '';
+                                       }
                                        list(, $url) = explode('://', GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir, 2);
                                        list($server, $address) = explode('/', $url, 2);
                                        header('Location: https://' . $server . $sslPortSuffix . '/' . $address);
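Review bot: The Location header on the last line is assembled by raw string concatenation and emitted with `header()`, while the lockSSL=3 code this commit removes from AbstractUserAuthentication used `\TYPO3\CMS\Core\Utility\HttpUtility::redirect()`; the surviving lockSSL=2 branch should go through the same helper so every backend SSL redirect is issued from one place, `HttpUtility::redirect('https://' . $server . $sslPortSuffix . '/' . $address);`. If TYPO3_SITE_URL is ultimately derived from the request Host header, the redirect target is attacker-influenced unless the host is validated elsewhere (for example by a trusted-hosts pattern), which cannot be confirmed from this hunk. Independently of that, when the site URL already carries an explicit port, `$server . $sslPortSuffix` produces a host with two port suffixes; the deleted code at least stripped the configured SSL port from `$server` before rebuilding the URL, and the new branch does not. The lockSSL=1 handling and the statement that terminates the request after the redirect lie outside the hunk.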
index 367066e..b38a9e4 100644 (file)
@@ -556,7 +556,7 @@ return array(
                'sessionTimeout' => 3600,                                               // Integer: seconds. Session time out for backend users. The value must be at least 180 to avoid side effects. Default is 3600 seconds = 1 hour.
                'IPmaskList' => '',                                                             // String: Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function \TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP())
                'lockBeUserToDBmounts' => TRUE,                                 // Boolean: If set, the backend user is allowed to work only within his page-mount. It's advisable to leave this on because it makes security easy to manage.
-               'lockSSL' => 0,                                                                 // <p>Integer (0, 1, 2, 3). If &gt;0, If set (1,2,3), the backend can only be operated from an SSL-encrypted connection (https)</p><dl><dt>0</dt><dd>no locking (default)</dd><dt>1</dt><dd>only allow access via SSL</dd><dt>2</dt><dd>redirect user trying to access non-https admin-urls to SSL URLs instead</dd><dt>3</dt><dd>only the login is forced to SSL, then the user switches back to non-SSL-mode</dd></dl>
+               'lockSSL' => 0,                                                                 // <p>Integer (0, 1, 2). If &gt;0, If set (1,2), the backend can only be operated from an SSL-encrypted connection (https)</p><dl><dt>0</dt><dd>no locking (default)</dd><dt>1</dt><dd>only allow access via SSL</dd><dt>2</dt><dd>redirect user trying to access non-https admin-urls to SSL URLs instead</dd></dl>
                'lockSSLPort' => 0,                                                             // Integer: Use a non-standard HTTPS port for lockSSL. Set this value if you use lockSSL and the HTTPS port of your webserver is not 443.
                'enabledBeUserIPLock' => TRUE,                                  // Boolean: If set, the User/Group TSconfig option 'option.lockToIP' is enabled.
                'lockHashKeyWords' => 'useragent',                              // Keyword list (Strings comma separated). Currently only "useragent"; If set, then the BE user session is locked to the value of HTTP_USER_AGENT. This lowers the risk of session hi-jacking. However in some cases (like during development) you might need to switch the user agent while keeping the session. In this case you can disable that feature (e.g. with a blank string).
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-70229-BE-lockSSL3OptionRemoved.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-70229-BE-lockSSL3OptionRemoved.rst
new file mode 100644 (file)
index 0000000..4a1e729
--- /dev/null
@@ -0,0 +1,30 @@
+================================================
+Breaking: #70229 - BE-lockSSL = 3 option removed
+================================================
+
+Description
+===========
+
+The global option ``$TYPO3_CONF_VARS[BE][lockSSL]`` allows to lock the backend usage to be worked completely over SSL.
+Setting this option to "3" allowed to have only the backend login transmitted via SSL, but the rest forced to work
+via plain HTTP. Option "3" has been removed in favor of having a full SSL session for all communication between the
+server and the client / browser.
+
+
+Impact
+======
+
+Installations having ``lockSSL`` set to "3" will now behave just as it would be lockSSL=1.
+
+
+Affected Installations
+======================
+
+Any installation that has ``$TYPO3_CONF_VARS[BE][lockSSL]`` set to 3, only having SSL for the Backend login page.
+
+
+Migration
+=========
+
+It is recommended to set the ``$TYPO3_CONF_VARS[BE][lockSSL]`` option to 1 or 2, depending on the environment and the
+possibilities of having SSL available.
\ No newline at end of file