[TASK] Use GU::hmac() instead of encryption key in FileWriter 37/41937/4
authorAnja Leichsenring <aleichsenring@ab-softlab.de>
Fri, 24 Jul 2015 16:32:04 +0000 (18:32 +0200)
committerHelmut Hummel <helmut.hummel@typo3.org>
Fri, 24 Jul 2015 17:03:46 +0000 (19:03 +0200)
There is a potential attack to get hold of a secret encryption key
if such key is hashed with a single hash function and a small additional
string. So if you want to include the encryption key in an hash, you need
to *ALWAYS* use GeneralUtility::hmac() and not any different hash function.

Additionally, don't mention AdditionalConfiguration as place for config
manipulation, as it is considered a hack from core point of view
(see comment #52705).

Change-Id: I8c3a5c11222251acfe86da1c17e7934998858000
Resolves: #68521
Relates: #52705
Releases: master
Reviewed-on: http://review.typo3.org/41937
Reviewed-by: Alexander Stehlik <alexander.stehlik@gmail.com>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>

index 39d8baa..e602e21 100644 (file)
@@ -224,6 +224,6 @@ class FileWriter extends AbstractWriter {
         * @return string
        protected function getDefaultLogFileName() {
-               return sprintf($this->defaultLogFileTemplate, GeneralUtility::shortMD5('defaultLogFile' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']));
+               return sprintf($this->defaultLogFileTemplate, substr(GeneralUtility::hmac($this->defaultLogFileTemplate, 'defaultLogFile'), 0, 10));
index cb38694..e80e7eb 100644 (file)
@@ -54,6 +54,6 @@ which is replaced by :php:`$defaultLogFileTemplate` and the :php:`getDefaultLogF
-Adjust the log configuration according to your needs in your :code:`AdditionalConfiguration.php`.
+Adjust the log configuration according to your needs in your :code:`LocalConfiguration.php`.
 Adjust any Extension code affected by the changes if needed.