[FEATURE] Use salted Install Tool password 39/22739/4
authorNicole Cordes <typo3@cordes.co>
Wed, 31 Jul 2013 22:18:45 +0000 (00:18 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Wed, 28 Aug 2013 08:44:31 +0000 (10:44 +0200)
To enhance security, this patch changes the Install Tool password
from an md5 hash to a salted hashed password. Therefore the default
password in the FactoryConfiguration.php is changed. Old md5 hashes are
converted automatically during the boot process of the Install Tool. The
output of the calculated hash is reintroduced when an error occurred.
The report modules were adjusted to be able to check salted hashed
passwords.

Resolves: #50613
Releases: 6.2
Change-Id: If02a43780c9c819ebd6da7cbf0acad305f805330
Reviewed-on: https://review.typo3.org/22739
Reviewed-by: Kai Ole Hartwig
Tested-by: Kai Ole Hartwig
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
typo3/sysext/backend/Classes/Utility/BackendUtility.php
typo3/sysext/core/Configuration/FactoryConfiguration.php
typo3/sysext/install/Classes/Controller/AbstractController.php
typo3/sysext/install/Classes/Controller/Action/Step/DatabaseData.php
typo3/sysext/install/Classes/Controller/Action/Tool/ImportantActions.php
typo3/sysext/install/Resources/Private/Partials/Action/Common/LoginForm.html
typo3/sysext/install/Resources/Private/Templates/Action/Common/InstallToolPasswordNotSet.html
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php

index 4eacae8..b2e7eec 100644 (file)
@@ -3950,11 +3950,6 @@ class BackendUtility {
                                        }
                                        break;
                        }
-                       // Check if the Install Tool Password is still default: joh316
-                       if ($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] == md5('joh316')) {
-                               $url = 'install/index.php?redirect_url=index.php' . urlencode('?TYPO3_INSTALL[type]=about');
-                               $warnings['install_password'] = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_password'), '<a href="' . $url . '">', '</a>');
-                       }
                        // Check if there is still a default user 'admin' with password 'password' (MD5sum = 5f4dcc3b5aa765d61d8327deb882cf99)
                        $where_clause = 'username=' . $GLOBALS['TYPO3_DB']->fullQuoteStr('admin', 'be_users') . ' AND password=' . $GLOBALS['TYPO3_DB']->fullQuoteStr('5f4dcc3b5aa765d61d8327deb882cf99', 'be_users') . self::deleteClause('be_users');
                        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, username, password', 'be_users', $where_clause);
index 3de1fc9..43c6509 100644 (file)
@@ -8,7 +8,6 @@
 return array(
        'BE' => array(
                'explicitADmode' => 'explicitAllow',
-               'installToolPassword' => 'bacb98acf97e0b6112b1d1b650b84971',
                'loginSecurityLevel' => 'rsa',
        ),
        'DB' => array(
index 2b17585..8ca0d1b 100644 (file)
@@ -212,17 +212,37 @@ class AbstractController {
                $action = $this->getAction();
                $postValues = $this->getPostValues();
                if ($action === 'login') {
-                       if (isset($postValues['values']['password'])
-                               && md5($postValues['values']['password']) === $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword']
-                       ) {
+                       $password = '';
+                       $validPassword = FALSE;
+                       if (isset($postValues['values']['password'])) {
+                               $password = $postValues['values']['password'];
+                               $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
+                               $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
+                               if (is_object($saltFactory)) {
+                                       $validPassword = $saltFactory->checkPassword($password, $installToolPassword);
+                               } elseif (md5($password) === $installToolPassword) {
+                                       // Update install tool password
+                                       $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE');
+                                       $configurationManager = $this->objectManager->get('TYPO3\\CMS\\Core\\Configuration\\ConfigurationManager');
+                                       $configurationManager->setLocalConfigurationValueByPath(
+                                               'BE/installToolPassword',
+                                               $saltFactory->getHashedPassword($password)
+                                       );
+                                       $validPassword = TRUE;
+                               }
+                       }
+                       if ($validPassword) {
                                $this->session->setAuthorized();
                                $this->sendLoginSuccessfulMail();
                                $this->redirect();
                        } else {
+                               $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE');
+                               $hashedPassword = $saltFactory->getHashedPassword($password);
                                /** @var $message \TYPO3\CMS\Install\Status\ErrorStatus */
                                $message = $this->objectManager->get('TYPO3\\CMS\\Install\\Status\\ErrorStatus');
                                $message->setTitle('Login failed');
-                               $message->setMessage('Given password does not match the install tool login password.');
+                               $message->setMessage('Given password does not match the install tool login password. ' .
+                                       'Calculated hash: ' . $hashedPassword);
                                $this->sendLoginFailedMail();
                                $this->output($this->loginForm($message));
                        }
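Review bot: The failure branch at the `$message->setMessage(...)` lines hashes and echoes whatever was posted to an unauthenticated visitor, including the empty string when no password field was submitted at all, since `$password` is initialised to `''`; every attempt also pays the full salted-hash cost before sendLoginFailedMail() runs. If the displayed hash is meant as the recovery aid described in the template text, compute it only for a non-empty submission and keep the generic message otherwise, e.g. `$hashedPassword = $password !== '' ? $saltFactory->getHashedPassword($password) : '';` and append the `'Calculated hash: '` part only when it is non-empty. The md5 legacy branch is reachable only when getSaltingInstance() does not return an object, which I read as "stored value is not a recognised salted hash"; a comment stating that above the `elseif` would help the next reader. The enclosing method starts and ends outside the hunk.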
index 0124d4e..1b7caf7 100644 (file)
@@ -78,7 +78,7 @@ class DatabaseData extends Action\AbstractAction implements StepInterface {
                $this->getDatabase()->exec_INSERTquery('be_users', $adminUserFields);
 
                // Set password as install tool password
-               $configurationManager->setLocalConfigurationValueByPath('BE/installToolPassword', md5($password));
+               $configurationManager->setLocalConfigurationValueByPath('BE/installToolPassword', $hashedPassword);
 
                return $result;
        }
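Review bot: `$hashedPassword` on the changed line is assigned above the hunk, presumably the same salted hash that was just inserted for the admin be_users row, so the Install Tool password and the admin backend user now share one identical hash string in two stores. Hashing a second time from `$password`, which the removed line still used, e.g. `$this->getHashedPassword($password)` if AbstractAction exposes the helper that ImportantActions calls, would give each store its own salt. The method starts outside the hunk.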
index fed62ff..bb0fc26 100644 (file)
@@ -112,7 +112,10 @@ class ImportantActions extends Action\AbstractAction implements Action\ActionInt
                } else {
                        /** @var \TYPO3\CMS\Core\Configuration\ConfigurationManager $configurationManager */
                        $configurationManager = $this->objectManager->get('TYPO3\\CMS\\Core\\Configuration\\ConfigurationManager');
-                       $configurationManager->setLocalConfigurationValueByPath('BE/installToolPassword', md5($values['newInstallToolPassword']));
+                       $configurationManager->setLocalConfigurationValueByPath(
+                               'BE/installToolPassword',
+                               $this->getHashedPassword($values['newInstallToolPassword'])
+                       );
                        /** @var $message \TYPO3\CMS\Install\Status\StatusInterface */
                        $message = $this->objectManager->get('TYPO3\\CMS\\Install\\Status\\OkStatus');
                        $message->setTitle('Install tool password changed');
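Review bot: The guarding `if` for this `else` branch is above the hunk, so it is not visible here whether an empty `$values['newInstallToolPassword']` is rejected before it reaches `$this->getHashedPassword()`; a salted hash of the empty string would be written as a perfectly valid install tool password. If that check exists, a comment on the `else` such as `// reached only when a non-empty, confirmed new password was submitted` documents the assumption; if it does not, the empty case should be rejected there. The method continues outside the hunk.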
index 0164acd..63097c2 100644 (file)
@@ -36,5 +36,6 @@
        <br /><br />
        If you don't know the current password, you can set a new one by setting the value of
        $TYPO3_CONF_VARS['BE']['installToolPassword'] in typo3conf/LocalConfiguration.php to
-       the md5() hash value of the password you desire.
+       the hash value of the password you desire. You can get the hash value of your password
+       by submitting the desired password with this form.
 </p>
\ No newline at end of file
index e8aefa2..6ac5de7 100644 (file)
@@ -15,7 +15,8 @@
                <p>
                        The file typo3conf/LocalConfiguration.php does not contain a password of the install tool.
                        This should have been set during installation. You can gain access to the install tool
-                       login form by setting ['BE']['installToolPassword'] to the md5 sum of any chosen password.
+                       login form by setting ['BE']['installToolPassword'] to the hash of your chosen password.
+                       You can get that hash by submitting the desired password with this form.
                </p>
        </div>
 </div>
index 344679d..d35479b 100644 (file)
@@ -183,7 +183,15 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
                $value = $GLOBALS['LANG']->getLL('status_ok');
                $message = '';
                $severity = \TYPO3\CMS\Reports\Status::OK;
-               if ($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] == md5('joh316')) {
+               $validPassword = TRUE;
+               $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
+               $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
+               if (is_object($saltFactory)) {
+                       $validPassword = !$saltFactory->checkPassword('joh316', $installToolPassword);
+               } elseif ($installToolPassword === md5('joh316')) {
+                       $validPassword = FALSE;
+               }
+               if (!$validPassword) {
                        $value = $GLOBALS['LANG']->getLL('status_insecure');
                        $severity = \TYPO3\CMS\Reports\Status::ERROR;
                        $changeInstallToolPasswordUrl = 'mod.php?M=system_InstallInstall';
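Review bot: The new check reads `$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword']` without isset(), and this same change removes the factory default for that key, so on an installation where it has not been set yet the read emits a notice and getSaltingInstance() is called with NULL, whose result I cannot confirm from here. The flag is also named backwards: `$validPassword` is TRUE when the password is *not* the default, which the later `if (!$validPassword)` has to undo. I would guard the unset and empty cases explicitly and name the flag for what it tests; an empty value is arguably worth reporting as well, though the existing language labels only describe the default password. The method continues outside the hunk.
```php
		$installToolPassword = isset($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'])
			? (string)$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword']
			: '';
		$isDefaultPassword = FALSE;
		if ($installToolPassword !== '') {
			$saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
			if (is_object($saltFactory)) {
				$isDefaultPassword = $saltFactory->checkPassword('joh316', $installToolPassword);
			} elseif ($installToolPassword === md5('joh316')) {
				// legacy unsalted md5 value, still accepted by the Install Tool login
				$isDefaultPassword = TRUE;
			}
		}
		if ($isDefaultPassword) {
			// … unchanged: status_insecure value, severity and change-password URL …
```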