[BUGFIX] Mark not set Install Tool password as secure
author Frans Saris <franssaris@gmail.com>
Mon, 21 Aug 2017 13:59:35 +0000 (15:59 +0200)
committer Benni Mack <benni@typo3.org>
Tue, 22 Aug 2017 20:24:37 +0000 (22:24 +0200)
To completely disable the Install Tool you can just leave the
`installToolPassword` value empty in your LocalConfiguration.
Problem here is that not all password hashing methods can handle an
empty value without giving PHP warnings.

This patch changes the password check in reporting to skip the install
password hashing/check when there is no password.

Releases: master, 8.7
Resolves: #82147
Change-Id: I399a505544203fc40435f8e82b3baa5b6abd0da5
Reviewed-on: https://review.typo3.org/53757
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wolfgang Klinger <wolfgang@wazum.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Sebastian Fischer <typo3@evoweb.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/install/Classes/Report/SecurityStatusReport.php

index d0f60ed..31cb0d6 100644 (file)
@@ -52,7 +52,7 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
         $validPassword = true;
         $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
         $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
-        if (is_object($saltFactory)) {
+        if ($installToolPassword !== '' && is_object($saltFactory)) {
             $validPassword = !$saltFactory->checkPassword('joh316', $installToolPassword);
         } elseif ($installToolPassword === md5('joh316')) {
             $validPassword = false;
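Review bot: The new guard on the `if` line compares strictly with `$installToolPassword !== ''`, so a `null` or otherwise non-string `installToolPassword` still reaches `checkPassword()`, and `SaltFactory::getSaltingInstance($installToolPassword)` on the line above still runs with the empty value regardless of the guard. Consider casting the configuration value to string where it is read and only calling `getSaltingInstance()` once the password is known to be non-empty, so that no hashing code sees an empty input. With an empty value execution now falls through to the `elseif`, which cannot match, and `$validPassword` keeps its initial `true`; a short comment stating that an empty password means the Install Tool is disabled would make that outcome explicit for the next reader of the report.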