[TASK] Reports module uses internal data of salted passwords
authorDmitry Dulepov <dmitry@typo3.org>
Mon, 28 Nov 2011 12:12:39 +0000 (14:12 +0200)
committerDmitry Dulepov <dmitry@typo3.org>
Mon, 6 Feb 2012 12:37:11 +0000 (13:37 +0100)
Reports module changes from issue #30695 introduced a check
for the saltedpasswords extension and a report about users
whose passwords are not protected by saltedpasswords.
That check queries the database directly and uses internal
knowledge of saltedpasswords about marking the password
with certain characters. This can break the reports module
if saltedpasswords adds a new scheme to salt passwords.
Only saltedpasswords should know about those prefixes.
Other extensions should use the API of saltedpasswords
to query the information.

Change-Id: I335697612d9f58935320261278054fc1863871f4
Resolves: #32136
Releases: 4.7, 4.6, 4.5
Reviewed-on: http://review.typo3.org/7408
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Reviewed-by: Dmitry Dulepov
Tested-by: Dmitry Dulepov
typo3/sysext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php
typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php

index a81639c..404e4e9 100644 (file)
@@ -267,12 +267,7 @@ class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvi
                                $messageDetail .= $flashMessage;
                        }
 
-                       $unsecureUserCount = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
-                               '*',
-                               'be_users',
-                               'password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('$%', 'be_users')
-                                       . ' AND password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('M$%', 'be_users')
-                       );
+                       $unsecureUserCount = tx_saltedpasswords_div::getNumberOfBackendUsersWithInsecurePassword();
                        if ($unsecureUserCount > 0) {
                                $value    = $GLOBALS['LANG']->getLL('status_insecure');
                                $severity = tx_reports_reports_status_Status::ERROR;
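Review bot: The `$unsecureUserCount > 0` test reads a failed count as "no insecure users", so the security status can report OK when the lookup itself did not work. As far as I know, `exec_SELECTcountRows()` returns FALSE when the query fails, and FALSE is not greater than 0. The condition should fail closed, for example `if ($unsecureUserCount === FALSE || $unsecureUserCount > 0) {`. The gap originates in `getNumberOfBackendUsersWithInsecurePassword()` in the second file, whose docblock promises `@return int` but passes the raw result through. The enclosing method starts and ends outside this hunk, so any earlier guard is not visible here.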
index 1af7e1e..356fb80 100644 (file)
@@ -48,6 +48,22 @@ class tx_saltedpasswords_div {
                 */
                const EXTKEY = 'saltedpasswords';
 
+               /**
+                * Calculates number of backend users, who have no saltedpasswords
+                * protection.
+                *
+                * @static
+                * @return int
+                */
+               public static function getNumberOfBackendUsersWithInsecurePassword() {
+                       $userCount = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
+                               '*',
+                               'be_users',
+                               'password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('$%', 'be_users')
+                                       . ' AND password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('M$%', 'be_users')
+                       );
+                       return $userCount;
+               }
 
                /**
                 * Returns extension configuration data from $TYPO3_CONF_VARS (configurable in Extension Manager)
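Review bot: The WHERE clause in `getNumberOfBackendUsersWithInsecurePassword()` filters only on the password prefix, so soft-deleted `be_users` rows appear to be counted as well. If so, the report stays at ERROR for accounts that can no longer log in and that an administrator cannot fix from the backend. Unless counting them is intended, append the delete clause to the condition: `. t3lib_BEfunc::deleteClause('be_users')`. It would also help to add a comment above the query such as `// Prefixes '$' and 'M$' mark hashes written by saltedpasswords; keep in sync with the salting classes`, since this method is now the single place that knows them.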