[BUGFIX] Additions to fileDenyPattern give security warning in BE
authorsteffenk <info@sk-typo3.de>
Thu, 3 Mar 2011 19:02:24 +0000 (20:02 +0100)
committerAndreas Wolf <andreas.wolf@ikt-werk.de>
Tue, 8 Mar 2011 17:39:20 +0000 (18:39 +0100)
The check is wrong: instead of checking whether the entry equals the default entry, it should check whether any parts of the default value have been removed.

As it's a security warning, this should be stated in the warning, so change the wording.

Change-Id: If20d362bef39a4d8533a54e8124b4913b9dcb55e
Resolves: #M17817
Reviewed-on: http://review.typo3.org/1031
Tested-by: Andreas Wolf <andreas.wolf@ikt-werk.de>
Reviewed-by: Steffen Ritter <info@rs-websystems.de>
Tested-by: Steffen Ritter <info@rs-websystems.de>
Reviewed-by: Andreas Wolf <andreas.wolf@ikt-werk.de>
t3lib/class.t3lib_befunc.php
typo3/sysext/lang/locallang_core.xml
typo3/sysext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php

index 4c2f6e5..9f3bb50 100644 (file)
@@ -4398,10 +4398,13 @@ final class t3lib_BEfunc {
                                        '</a>');
                        }
 
-                               // Check if fileDenyPattern was changed which is dangerous on Apache
-                       if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT) {
+                               // Check if parts of fileDenyPattern were removed which is dangerous on Apache
+                       $defaultParts = t3lib_div::trimExplode('|', FILE_DENY_PATTERN_DEFAULT, TRUE);
+                       $givenParts = t3lib_div::trimExplode('|', $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], TRUE);
+                       $result = array_intersect($defaultParts, $givenParts);
+                       if ($defaultParts !== $result) {
                                $warnings['file_deny_pattern'] = sprintf(
-                                       $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern'),
+                                       $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern_partsNotPresent'),
                                                '<br /><pre>' . htmlspecialchars(FILE_DENY_PATTERN_DEFAULT) . '</pre><br />');
                        }
 
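Review bot: The four-line check added at L29-L32 is repeated verbatim in class.tx_reports_reports_status_securitystatus.php (its first hunk), so the two security checks can drift apart; put it in one static helper on t3lib_BEfunc that both callers use, e.g. `public static function getMissingFileDenyPatternParts()` returning `array_diff($defaultParts, $givenParts)`, and test that list with `count(...) > 0` instead of the `array_intersect`/`!==` pair, which only works because array_intersect keeps the keys of its first argument. The comparison is on literal fragments: `trimExplode('|', ...)` splits at every `|`, including any inside a parenthesised group, so an admin who rewrites the default pattern into an equivalent regrouped form is flagged while one who only appends alternatives is not; a comment above the check should state that, e.g. `// Heuristic: every literal '|'-separated fragment of the default must still be present; this flags removed or rewritten fragments, not an equivalent regex`. The enclosing method starts before and continues after this hunk.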
index a6f433f..c861279 100755 (executable)
@@ -271,6 +271,7 @@ Would you like to save now in order to refresh the display?</label>
                        <label index="warning.install_password">The Install Tool is still using the default password &quot;joh316&quot;. Update this within the %sAbout section%s of the Install Tool.</label>
                        <label index="warning.backend_admin">The default backend user "admin" with password &quot;password&quot; is still present. %sEdit this account%s, either deleting it completely or changing the username and password.</label>
                        <label index="warning.file_deny_pattern">The value of fileDenyPattern is not set to its default:%s If TYPO3 is running on Apache, a customized value might enable backend or frontend users to execute malicious php scripts.</label>
+                       <label index="warning.file_deny_pattern_partsNotPresent">Security Risk! The new value of fileDenyPattern misses parts of its default:%s If TYPO3 is running on Apache, a customized value might enable backend or frontend users to execute malicious php scripts.</label>
                        <label index="warning.file_deny_htaccess">The current value of fileDenyPattern allows to upload/create files with the name ".htaccess". If TYPO3 is running on Apache, this enables backend or frontend users to create and execute php scripts. Please reset the value of fileDenyPattern to its default.</label>
                        <label index="warning.install_enabled">The Install Tool is permanently enabled. Delete the file &quot;%s&quot; when you have finished setting up TYPO3.</label>
                        <label index="warning.install_enabled_cmd">Click to remove the file now!</label>
index d975938..25e4ece 100644 (file)
@@ -130,7 +130,10 @@ class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvi
                $message  = '';
                $severity = tx_reports_reports_status_Status::OK;
 
-               if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT) {
+               $defaultParts = t3lib_div::trimExplode('|', FILE_DENY_PATTERN_DEFAULT, TRUE);
+               $givenParts = t3lib_div::trimExplode('|', $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], TRUE);
+               $result = array_intersect($defaultParts, $givenParts);
+               if ($defaultParts !== $result) {
                        $value    = $GLOBALS['LANG']->getLL('status_insecure');
                        $severity = tx_reports_reports_status_Status::ERROR;
 
@@ -138,7 +141,7 @@ class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvi
                                . urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
 
                        $message = sprintf(
-                               $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern'),
+                               $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern_partsNotPresent'),
                                '<br /><pre>'
                                . htmlspecialchars(FILE_DENY_PATTERN_DEFAULT)
                                . '</pre><br />'
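Review bot: The message built at L64-L69 still prints only the full default pattern, so an admin reading "misses parts of its default" has to diff it by hand against the configured value; since the missing fragments are already computable from `$defaultParts` and `$givenParts` at L54-L55, appending `htmlspecialchars(implode('|', array_diff($defaultParts, $givenParts)))` to the `%s` argument (or a second placeholder in the `warning.file_deny_pattern_partsNotPresent` label) would make the status actionable. `$result` at L56 does not say what it holds; `$presentDefaultParts` or, better, a `$missingParts = array_diff(...)` that is reused for the message reads more directly. The enclosing method starts before the first hunk and continues after this one.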