[FEATURE] Introduce status report for ExceptionHandler 35/62735/3
authorSusanne Moog <look@susi.dev>
Wed, 11 Dec 2019 08:42:40 +0000 (09:42 +0100)
committerDaniel Goerz <daniel.goerz@posteo.de>
Thu, 16 Jan 2020 11:35:00 +0000 (12:35 +0100)
The DebugExceptionHandler will display full error messages
and stack traces and should not be used in production.

To mitigate the information disclosure, a new status report has
been introduced:
- if display errors is set to 1 (which uses the DebugExceptionHandler setting)
  and the context is Production, an Error is displayed
- if display errors is set to 1 (which uses the DebugExceptionHandler setting)
  and the context is Development, a Warning is displayed
- if the production exception handler setting is configured to use the
  DebugExceptionHandler, an Error is displayed

Resolves: #89978
Releases: master
Change-Id: I0f4eb357cf2c0a8012ed2e12a8c9f63073d3a19c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62735
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Tobi Kretschmann <tobi@tobishome.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Tobi Kretschmann <tobi@tobishome.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
typo3/sysext/core/Documentation/Changelog/master/Feature-89978-IntroduceStatusReportForInsecureExceptionHandlerSettings.rst [new file with mode: 0644]
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/reports/Resources/Private/Language/locallang_reports.xlf

diff --git a/typo3/sysext/core/Documentation/Changelog/master/Feature-89978-IntroduceStatusReportForInsecureExceptionHandlerSettings.rst b/typo3/sysext/core/Documentation/Changelog/master/Feature-89978-IntroduceStatusReportForInsecureExceptionHandlerSettings.rst
new file mode 100644 (file)
index 0000000..5fcb907
--- /dev/null
@@ -0,0 +1,27 @@
+.. include:: ../../Includes.txt
+
+=================================================================================
+Feature: #89978 - Introduce Status Report for insecure exception handler settings
+=================================================================================
+
+See :issue:`89978`
+
+Description
+===========
+
+When using a debug exception handler in production (either by configuring it explicitly or by using the wrong application context) stack traces may disclose information. To avoid such setups a new status report has been introduced, that warns administrators if a debug exception handler is configured.
+
+
+Impact
+======
+
+To mitigate the information disclosure, a new status report has
+been introduced:
+- if display errors is set to 1 (-> uses DebugExceptionHandler setting)
+  and context is Production an Error is displayed
+- if display errors is set to 1 (-> uses DebugExceptionHandler setting)
+  and context is Development a Warning is displayed
+- if the production exception handler setting is configured to use the
+  DebugExceptionHandler an Error is displayed
+
+.. index:: Backend, LocalConfiguration, ext:reports
\ No newline at end of file
index a05187c..d435a1d 100644 (file)
@@ -17,6 +17,7 @@ namespace TYPO3\CMS\Reports\Report\Status;
 
 use Psr\Http\Message\ServerRequestInterface;
 use TYPO3\CMS\Backend\Routing\UriBuilder;
+use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
 use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
 use TYPO3\CMS\Core\Database\ConnectionPool;
@@ -49,6 +50,7 @@ class SecurityStatus implements RequestAwareStatusProviderInterface
             'adminUserAccount' => $this->getAdminAccountStatus(),
             'fileDenyPattern' => $this->getFileDenyPatternStatus(),
             'htaccessUpload' => $this->getHtaccessUploadStatus(),
+            'exceptionHandler' => $this->getExceptionHandlerStatus()
         ];
 
         if ($request !== null) {
@@ -238,6 +240,25 @@ class SecurityStatus implements RequestAwareStatusProviderInterface
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_htaccessUploadProtection'), $value, $message, $severity);
     }
 
+    protected function getExceptionHandlerStatus(): ReportStatus
+    {
+        $value = $this->getLanguageService()->getLL('status_ok');
+        $message = '';
+        $severity = ReportStatus::OK;
+        if (
+            strpos($GLOBALS['TYPO3_CONF_VARS']['SYS']['productionExceptionHandler'], 'Debug') !== false ||
+            (Environment::getContext()->isProduction() && (int)$GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] === 1)
+        ) {
+            $value = $this->getLanguageService()->getLL('status_insecure');
+            $severity = ReportStatus::ERROR;
+            $message = $this->getLanguageService()->getLL('status_exceptionHandler_errorMessage');
+        } elseif ((int)$GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] === 1) {
+            $severity = ReportStatus::WARNING;
+            $message = $this->getLanguageService()->getLL('status_exceptionHandler_warningMessage');
+        }
+        return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_exceptionHandler'), $value, $message, $severity);
+    }
+
     /**
      * @return LanguageService
      */
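Review bot: The `strpos(..., 'Debug') !== false` test on `productionExceptionHandler` in getExceptionHandlerStatus is a substring heuristic: it flags any handler class whose name happens to contain "Debug", misses a subclass or differently named handler that inherits the debug handler's trace output, and may hand a null to strpos() when the option is unset. Comparing against the class itself is more precise: `$handler = (string)($GLOBALS['TYPO3_CONF_VARS']['SYS']['productionExceptionHandler'] ?? '');` followed by `is_a($handler, DebugExceptionHandler::class, true) ||` in place of the strpos call, with `TYPO3\CMS\Core\Error\DebugExceptionHandler` added to the use block changed in the first hunk. The new method also lacks the docblock its neighbours carry; a line such as `Reports whether a debug exception handler (which discloses stack traces) is reachable in the current context.` above the signature would document the intent behind the three severities. In the second hunk the added `'exceptionHandler'` entry omits the trailing comma the preceding array entries use.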
index bd5813e..db3d6e1 100644 (file)
                        <trans-unit id="status_htaccessUploadProtection" resname="status_htaccessUploadProtection">
                                <source>.htaccess Upload Protection</source>
                        </trans-unit>
+                       <trans-unit id="status_exceptionHandler" resname="status_exceptionHandler">
+                               <source>Exception Handler / Error Reporting</source>
+                       </trans-unit>
+                       <trans-unit id="status_exceptionHandler_warningMessage" resname="status_exceptionHandler_warningMessage">
+                               <source>Display Errors is set to 1 - errors will be displayed with the DebugExceptionHandler including stack traces.</source>
+                       </trans-unit>
+                       <trans-unit id="status_exceptionHandler_errorMessage" resname="status_exceptionHandler_errorMessage">
+                               <source>Debug Exception Handler enabled in Production Context - will show full error messages including stack traces.</source>
+                       </trans-unit>
                        <trans-unit id="status_installToolPassword" resname="status_installToolPassword">
                                <source>Install Tool Password</source>
                        </trans-unit>