[SECURITY][TASK] Blind more options in the configuration module 09/44809/2
authorGeorg Ringer <georg.ringer@gmail.com>
Fri, 20 Nov 2015 09:09:03 +0000 (10:09 +0100)
committerMarkus Klein <markus.klein@typo3.org>
Fri, 20 Nov 2015 10:03:49 +0000 (11:03 +0100)
The database credentials should not be shown in the configuration module.

Change-Id: I6037f343d9e6932e1293e463fe513e793e948762
Resolves: #71706
Resolves: #68905
Releases: master, 6.2
Reviewed-on: https://review.typo3.org/44809
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/lowlevel/Classes/View/ConfigurationView.php

index d17216c..d95366a 100644 (file)
@@ -15,6 +15,7 @@ namespace TYPO3\CMS\Lowlevel\View;
  */
 
 use TYPO3\CMS\Backend\Utility\BackendUtility;
+use TYPO3\CMS\Core\Utility\ArrayUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
@@ -58,6 +59,27 @@ class ConfigurationView {
        public $content;
 
        /**
+        * Blind configurations which should not be visible
+        *
+        * @var array
+        */
+       protected $blindedConfigurationOptions = array(
+               'TYPO3_CONF_VARS' => array(
+                       'DB' => array(
+                               'database' => '******',
+                               'host' => '******',
+                               'password' => '******',
+                               'port' => '******',
+                               'socket' => '******',
+                               'username' => '******'
+                       ),
+                       'SYS' => array(
+                               'encryptionKey' => '******'
+                       )
+               )
+       );
+
+       /**
         * Constructor
         */
        public function __construct() {
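Review bot: The blind list in `$blindedConfigurationOptions` is a fixed denylist covering only `DB` and `SYS/encryptionKey`, so any other secret-bearing setting is still rendered in clear. `BE/installToolPassword` and `MAIL/transport_smtp_password` look like candidates if they are set on the instance, e.g. `'BE' => array('installToolPassword' => '******'),`. The docblock should also state that the top-level key is the browsed variable name without the leading `$`, and that each leaf is the placeholder shown in place of the real value, so later additions follow the same shape. The class body continues outside this hunk.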
@@ -208,9 +230,10 @@ class ConfigurationView {
                if (GeneralUtility::_POST('search') && trim($search_field)) {
                        $arrayBrowser->depthKeys = $arrayBrowser->getSearchKeys($theVar, '', $search_field, array());
                }
-               // mask the encryption key to not show it as plaintext in the configuration module
-               if ($theVar == $GLOBALS['TYPO3_CONF_VARS']) {
-                       $theVar['SYS']['encryptionKey'] = '***** (length: ' . strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) . ' characters)';
+               // mask sensitive information
+               $varName = trim($arrayBrowser->varName, '$');
+               if (isset($this->blindedConfigurationOptions[$varName])) {
+                       ArrayUtility::mergeRecursiveWithOverrule($theVar, $this->blindedConfigurationOptions[$varName]);
                }
                $tree = $arrayBrowser->tree($theVar, '', '');
                $this->content .= $this->doc->sectionEnd();
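Review bot: The search at the top of this hunk still calls `getSearchKeys()` on the unmasked `$theVar`, because the blinding is applied only afterwards, so which nodes are reported as matches can depend on the hidden values. Moving the `trim()` / `isset()` / `mergeRecursiveWithOverrule()` lines above the `if (GeneralUtility::_POST('search') && trim($search_field))` check would make search and rendering work on the same blinded array. Separately, `mergeRecursiveWithOverrule()` adds missing keys by default, so options that are not configured (for instance `socket`) will presumably show up as `******`. If that uniform output is intended, a comment such as `// placeholders are added even for unset keys so the output does not reveal which options are configured` would record it. The enclosing method starts and ends outside the hunk.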