[BUGFIX] Remove wrong parameters for log entries and remove REMOTE_HOST 32/57832/2
authorMarkus Klein <markus.klein@typo3.org>
Tue, 7 Aug 2018 21:31:58 +0000 (23:31 +0200)
committerAndreas Fernandez <a.fernandez@scripting-base.de>
Thu, 9 Aug 2018 10:00:21 +0000 (12:00 +0200)
Patch https://review.typo3.org/57313 introduced a number of wrong
log entry calls, which provide too much data for sprintf().
This patch removes those unneeded entries.

Moreover, this patch removes REMOTE_HOST from the log entries, as the resolved
host name would allow exact matching of the client's IP address, which is not
desired (GDPR).

Resolves: #85773
Related: #85316
Releases: master
Change-Id: Ic7eb288efde53f6232ee699e6786d965a67d2e7f
Reviewed-on: https://review.typo3.org/57832
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Łukasz Uznański <l.uznanski@macopedia.pl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Classes/Authentication/AuthenticationService.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
typo3/sysext/install/Classes/Authentication/AuthenticationService.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php

index 55db936..acb853a 100644 (file)
@@ -774,13 +774,13 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
 
             // User logged in - write that to the log!
             if ($this->writeStdLog && $activeLogin) {
-                $this->writelog(255, 1, 0, 1, 'User %s logged in from ###IP### (%s)', [$tempuser[$this->username_column], GeneralUtility::getIndpEnv('REMOTE_HOST')], '', '', '');
+                $this->writelog(255, 1, 0, 1, 'User %s logged in from ###IP###', [$tempuser[$this->username_column]], '', '', '');
             }
             if ($activeLogin) {
-                $this->logger->info('User ' . $tempuser[$this->username_column] . ' logged in from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')');
+                $this->logger->info('User ' . $tempuser[$this->username_column] . ' logged in from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR'));
             }
             if (!$activeLogin) {
-                $this->logger->debug('User ' . $tempuser[$this->username_column] . ' authenticated from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')');
+                $this->logger->debug('User ' . $tempuser[$this->username_column] . ' authenticated from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR'));
             }
         } else {
             // User was not authenticated, so we should reuse the existing anonymous session
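Review bot: The `logger->info()` and `logger->debug()` calls on L41 and L45 still concatenate the raw `REMOTE_ADDR` into the message string, whereas the sys_log entry on L37 goes through the `###IP###` placeholder, which is presumably where any configured IP anonymization is applied; given the GDPR motivation in the description, the PSR log lines look like they bypass it. It would also serve SIEM consumers better to carry the values as PSR-3 context, the way the `'REMOTE_ADDR' => ...` entry in AuthenticationService does in this same commit, e.g. `$this->logger->info('User logged in', ['username' => $tempuser[$this->username_column], 'REMOTE_ADDR' => GeneralUtility::getIndpEnv('REMOTE_ADDR')]);`. Whether the configured writers anonymize or interpolate context is not visible here, so treat the anonymization gap as something to confirm rather than a certainty. The enclosing method starts before and ends after this hunk.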
index 5758633..a545b6c 100644 (file)
@@ -57,20 +57,19 @@ class AuthenticationService extends AbstractAuthenticationService
         }
         if ((string)$this->login['uident_text'] === '') {
             // Failed Login attempt (no password given)
-            $this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP### (%s) for username \'%s\' with an empty password!', [
-                $this->authInfo['REMOTE_HOST'], $this->login['uname']
+            $this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP### for username \'%s\' with an empty password!', [
+                $this->login['uname']
             ]);
-            $this->logger->warning(sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
+            $this->logger->warning(sprintf('Login-attempt from %s, for username \'%s\' with an empty password!', $this->authInfo['REMOTE_ADDR'], $this->login['uname']));
             return false;
         }
 
         $user = $this->fetchUserRecord($this->login['uname']);
         if (!is_array($user)) {
             // Failed login attempt (no username found)
-            $this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP### (%s), username \'%s\' not found!!', [$this->authInfo['REMOTE_HOST'], $this->login['uname']]);
+            $this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP###, username \'%s\' not found!!', [$this->login['uname']]);
             $this->logger->info('Login-attempt from username \'' . $this->login['uname'] . '\' not found!', [
-                'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR'],
-                'REMOTE_HOST' => $this->authInfo['REMOTE_HOST'],
+                'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR']
             ]);
         } else {
             $this->logger->debug('User found', [
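Review bot: The `logger->warning()` on L60 flattens the submitted username into the message with `sprintf()`, while the sibling call a few lines below already passes `REMOTE_ADDR` as PSR-3 context; the username is raw form input, so keeping it in a context field rather than the message also prevents an embedded newline from forging extra log lines should a writer emit plain text. Suggested: `$this->logger->warning('Login-attempt for username {username} with an empty password!', ['username' => $this->login['uname'], 'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR']]);` — whether the configured writers interpolate `{placeholders}` is not visible here, so keep the name in the message as well if they do not. Note also that the two failed-attempt paths in this hunk log at different severities (`warning` for an empty password, `info` for an unknown username), which makes brute-force and user-enumeration detection rules harder to write. The enclosing method continues past the hunk on both sides.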
@@ -172,10 +171,10 @@ class AuthenticationService extends AbstractAuthenticationService
             // Could not find a responsible hash algorithm for given password. This is unusual since other
             // authentication services would usually be called before this one with higher priority. We thus log
             // the failed login but still return '100' to proceed with other services that may follow.
-            $message = 'Login-attempt from ###IP### (%s), username \'%s\', no suitable hash method found!';
-            $this->writeLogMessage($message, $this->authInfo['REMOTE_HOST'], $submittedUsername);
-            $this->writelog(255, 3, 3, 1, $message, [$this->authInfo['REMOTE_HOST'], $submittedUsername]);
-            $this->logger->info(sprintf($message, $this->authInfo['REMOTE_HOST'], $submittedUsername));
+            $message = 'Login-attempt from ###IP###, username \'%s\', no suitable hash method found!';
+            $this->writeLogMessage($message, $submittedUsername);
+            $this->writelog(255, 3, 3, 1, $message, [$submittedUsername]);
+            $this->logger->info(sprintf($message, $submittedUsername));
             // Not responsible, check other services
             return 100;
         }
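Review bot: `$message` on L84 still contains the `###IP###` token, and L87 feeds it straight into `sprintf()` and `logger->info()`; unlike `writelog()` on L86, nothing visible here substitutes the token, so the PSR log line most likely reads `Login-attempt from ###IP###, username ...` with no address at all (the empty-password warning earlier in this file spells `REMOTE_ADDR` out explicitly for exactly this reason). The same template is also handed to `writeLogMessage()` on L85, whose handling of the token is defined outside this hunk. A separate message for the logger fixes it: `$this->logger->info(sprintf('Login-attempt from %s, username \'%s\', no suitable hash method found!', $this->authInfo['REMOTE_ADDR'], $submittedUsername));`, or better, pass address and username as PSR-3 context. The enclosing method continues on both sides of the hunk.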
@@ -183,19 +182,19 @@ class AuthenticationService extends AbstractAuthenticationService
         if (!$isValidPassword) {
             // Failed login attempt - wrong password
             $this->writeLogMessage(TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'', $submittedUsername);
-            $message = 'Login-attempt from ###IP### (%s), username \'%s\', password not accepted!';
-            $this->writelog(255, 3, 3, 1, $message, [$this->authInfo['REMOTE_HOST'], $submittedUsername]);
-            $this->logger->info(sprintf($message, $this->authInfo['REMOTE_HOST'], $submittedUsername));
+            $message = 'Login-attempt from ###IP###, username \'%s\', password not accepted!';
+            $this->writelog(255, 3, 3, 1, $message, [$submittedUsername]);
+            $this->logger->info(sprintf($message, $submittedUsername));
             // Responsible, authentication failed, do NOT check other services
             return 0;
         }
 
         if (!$isDomainLockMet) {
             // Password ok, but configured domain lock not met
-            $errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';
-            $this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $configuredDomainLock, $this->authInfo['HTTP_HOST']);
-            $this->writelog(255, 3, 3, 1, $errorMessage, [$this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $configuredDomainLock, $this->authInfo['HTTP_HOST']]);
-            $this->logger->info(sprintf($errorMessage, $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $configuredDomainLock, $this->authInfo['HTTP_HOST']));
+            $errorMessage = 'Login-attempt from ###IP###, username \'%s\', locked domain \'%s\' did not match \'%s\'!';
+            $this->writeLogMessage($errorMessage, $user[$this->db_user['username_column']], $configuredDomainLock, $this->authInfo['HTTP_HOST']);
+            $this->writelog(255, 3, 3, 1, $errorMessage, [$user[$this->db_user['username_column']], $configuredDomainLock, $this->authInfo['HTTP_HOST']]);
+            $this->logger->info(sprintf($errorMessage, $user[$this->db_user['username_column']], $configuredDomainLock, $this->authInfo['HTTP_HOST']));
             // Responsible, authentication ok, but domain lock not ok, do NOT check other services
             return 0;
         }
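Review bot: The wrong-password and domain-lock failures on L100 and L114 are logged at `info`, while the empty-password failure earlier in this file is a `warning`; failed authentication is the signal that brute-force and credential-stuffing detections key on, and at `info` it is routinely filtered out before it reaches a SIEM. Consider `$this->logger->warning(...)` (or at least `notice`) for both, consistent with the empty-password branch. Also, the `$message`/`$errorMessage` templates on L98 and L111 carry the `###IP###` token into `sprintf()` on L100 and L114, where nothing visible replaces it, so these lines likely emit the literal token instead of an address; spelling `$this->authInfo['REMOTE_ADDR']` out as a `%s` argument, as the empty-password log line does, avoids that. The enclosing method continues beyond the hunk.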
index 00838da..c7a0d81 100644 (file)
@@ -2638,14 +2638,11 @@ This is a dump of the failures:
     private function emailAtLogin()
     {
         // Send notify-mail
-        $subject = 'At "' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '"' . ' from '
-            . GeneralUtility::getIndpEnv('REMOTE_ADDR')
-            . (GeneralUtility::getIndpEnv('REMOTE_HOST') ? ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')' : '');
+        $subject = 'At "' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '"' . ' from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR');
         $msg = sprintf(
-            'User "%s" logged in from %s (%s) at "%s" (%s)',
+            'User "%s" logged in from %s at "%s" (%s)',
             $this->user['username'],
             GeneralUtility::getIndpEnv('REMOTE_ADDR'),
-            GeneralUtility::getIndpEnv('REMOTE_HOST'),
             $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'],
             GeneralUtility::getIndpEnv('HTTP_HOST')
         );
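Review bot: The login notification still includes the full `REMOTE_ADDR` (L126, L131) although the commit's stated aim is to avoid exact client identification in log output; for a mail sent to a configured recipient that is probably intended, but the code does not say so and the next GDPR sweep may strip it. Suggested comment above the `$subject` assignment: `// Full REMOTE_ADDR is intentional here: this is a one-off notification mail, not a retained log entry`. Separately, `HTTP_HOST` on L134 is request-supplied text placed into a recipient-facing mail; if `getIndpEnv()` does not already enforce the trusted-hosts pattern in this context, that value is attacker-chosen. emailAtLogin() continues past this hunk.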
index e6fc4d0..87a8d63 100644 (file)
@@ -88,8 +88,7 @@ class AuthenticationService
                 ->setBody('There has been an Install Tool login at TYPO3 site'
                     . ' \'' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '\''
                     . ' (' . GeneralUtility::getIndpEnv('HTTP_HOST') . ')'
-                    . ' from remote address \'' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . '\''
-                    . ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')')
+                    . ' from remote address \'' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . '\'')
                 ->send();
         }
     }
@@ -111,8 +110,7 @@ class AuthenticationService
                     . ' \'' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '\''
                     . ' (' . GeneralUtility::getIndpEnv('HTTP_HOST') . ')'
                     . ' The last 5 characters of the MD5 hash of the password tried was \'' . substr(md5($formValues['password']), -5) . '\''
-                    . ' remote address was \'' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . '\''
-                    . ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')')
+                    . ' remote address was \'' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . '\'')
                 ->send();
         }
     }
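Review bot: The failed-login mail on L150 still ships `substr(md5($formValues['password']), -5)` — a fragment of an unsalted hash of a submitted password — to the recipient's mailbox. A password tried against the Install Tool is frequently a typo of the real one or a credential reused elsewhere, and even 20 bits of MD5 let anyone reading that mailbox confirm candidate passwords offline, so the fragment is a liability rather than forensic help. Drop the MD5 line and let the body continue directly with `. ' remote address was \'' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . '\'')`, or replace it with a count of failed attempts. The enclosing method's start lies outside the hunk.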
index 15de46f..1b70ee8 100644 (file)
@@ -166,30 +166,28 @@ class SaltedPasswordService extends AbstractAuthenticationService
             $validPasswd = $this->compareUident($user, $this->login);
             if (!$validPasswd) {
                 // Failed login attempt (wrong password)
-                $errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', password not accepted!';
+                $errorMessage = 'Login-attempt from ###IP###, username \'%s\', password not accepted!';
                 // No delegation to further services
                 if ($this->authenticationFailed) {
                     $this->writeLogMessage(TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'', $this->login['uname']);
                     $OK = 0;
                 } else {
-                    $this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']);
+                    $this->writeLogMessage($errorMessage, $this->login['uname']);
                 }
                 $this->writelog(255, 3, 3, 1, $errorMessage, [
-                    $this->authInfo['REMOTE_HOST'],
                     $this->login['uname']
                 ]);
-                $this->logger->info(sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
+                $this->logger->info(sprintf($errorMessage, $this->login['uname']));
             } elseif ($validPasswd && $user['lockToDomain'] && strcasecmp($user['lockToDomain'], $this->authInfo['HTTP_HOST'])) {
                 // Lock domain didn't match, so error:
-                $errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';
-                $this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']);
+                $errorMessage = 'Login-attempt from ###IP###, username \'%s\', locked domain \'%s\' did not match \'%s\'!';
+                $this->writeLogMessage($errorMessage, $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']);
                 $this->writelog(255, 3, 3, 1, $errorMessage, [
-                    $this->authInfo['REMOTE_HOST'],
                     $user[$this->db_user['username_column']],
                     $user['lockToDomain'],
                     $this->authInfo['HTTP_HOST']
                 ]);
-                $this->logger->info(sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
+                $this->logger->info(sprintf($errorMessage, $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
                 $OK = 0;
             } elseif ($validPasswd) {
                 $this->writeLogMessage(TYPO3_MODE . ' Authentication successful for username \'%s\'', $this->login['uname']);
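Review bot: `$errorMessage` on L163 and L182 keeps the `###IP###` token and is passed unchanged to `writeLogMessage()` (L170, L183) and to `sprintf()` for `logger->info()` (L177, L191); only `writelog()` is likely to substitute it, so the PSR log lines probably show the literal token where the old code at least printed `REMOTE_ADDR`. Since the commit already distinguishes the two sinks, give the logger its own format, e.g. `$this->logger->info(sprintf('Login-attempt from %s, username \'%s\', password not accepted!', $this->authInfo['REMOTE_ADDR'], $this->login['uname']));`, or pass `REMOTE_ADDR` and the username as PSR-3 context. The `$validPasswd &&` on L178 is redundant after the `!$validPasswd` branch above it — harmless, but it reads as if a third state existed. The enclosing method continues on both sides of the hunk.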