[BUGFIX] Mark not set Install Tool password as secure 86/53786/3
authorFrans Saris <franssaris@gmail.com>
Mon, 21 Aug 2017 13:59:35 +0000 (15:59 +0200)
committerFrans Saris <franssaris@gmail.com>
Wed, 23 Aug 2017 07:07:43 +0000 (09:07 +0200)
To completely disable the Install Tool you can just leave the
`installToolPassword` value empty in your LocalConfiguration.
The problem is that not all password hashing methods can handle an
empty value without raising PHP warnings.

This patch changes the password check in reporting to skip the install
password hashing/check when there is no password.

Releases: master, 8.7
Resolves: #82147
Change-Id: I399a505544203fc40435f8e82b3baa5b6abd0da5
Reviewed-on: https://review.typo3.org/53786
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Frans Saris <franssaris@gmail.com>
Tested-by: Frans Saris <franssaris@gmail.com>
typo3/sysext/install/Classes/Report/SecurityStatusReport.php

index d0f60ed..e30920a 100644 (file)
@@ -52,7 +52,7 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
         $validPassword = true;
         $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
         $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
-        if (is_object($saltFactory)) {
+        if ($installToolPassword !== '' && is_object($saltFactory)) {
             $validPassword = !$saltFactory->checkPassword('joh316', $installToolPassword);
         } elseif ($installToolPassword === md5('joh316')) {
             $validPassword = false;
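Review bot: The added `$installToolPassword !== ''` guard matches only the exact empty string, so a missing configuration key (null) would still reach `checkPassword()`, and `getSaltingInstance($installToolPassword)` on the line above the `if` is still called with the empty value. Normalising at the read would cover both: `$installToolPassword = (string)($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] ?? '');`. An empty value now falls through both branches and is reported as OK, which is correct only if the Install Tool login itself rejects an empty stored password; that check is not visible here. A comment such as `// Empty password: Install Tool login is disabled, nothing to compare against the default` would record the intent. The method body starts before this hunk and continues after it.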
@@ -61,11 +61,19 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
             $value = $GLOBALS['LANG']->getLL('status_insecure');
             $severity = Status::ERROR;
             $changeInstallToolPasswordUrl = BackendUtility::getModuleUrl('system_extinstall');
-            $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.installtool_default_password'),
-                '<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">', '</a>');
+            $message = sprintf(
+                $GLOBALS['LANG']->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.installtool_default_password'),
+                '<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">',
+                '</a>'
+            );
         }
-        return GeneralUtility::makeInstance(Status::class,
-            $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installToolPassword'), $value, $message, $severity);
+        return GeneralUtility::makeInstance(
+            Status::class,
+            $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installToolPassword'),
+            $value,
+            $message,
+            $severity
+        );
     }
 
     /**
@@ -84,8 +92,10 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
                 $severity = Status::WARNING;
                 $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
                 $value = $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledPermanently');
-                $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_enabled'),
-                    '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>');
+                $message = sprintf(
+                    $GLOBALS['LANG']->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_enabled'),
+                    '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>'
+                );
                 $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
                     $GLOBALS['LANG']->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
             } else {
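Review bot: `$enableInstallToolFile` is concatenated into the `<code>` element of the reformatted `sprintf()` call without escaping, while the URL two lines below goes through `htmlspecialchars()`. The same pattern appears in the `status_installEnabledTemporarily` message in the next hunk. Where the path is built is outside these hunks, so it may be harmless today, but escaping it keeps the status message safe if the path ever contains markup characters: `'<code style="white-space: nowrap;">' . htmlspecialchars($enableInstallToolFile) . '</code>'`. The enclosing method starts before this hunk and continues after it.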
@@ -95,15 +105,23 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
                     $severity = Status::NOTICE;
                     $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
                     $value = $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledTemporarily');
-                    $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installEnabledTemporarily'),
-                        '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>', floor((@filemtime($enableInstallToolFile) + EnableFileService::INSTALL_TOOL_ENABLE_FILE_LIFETIME - time()) / 60));
+                    $message = sprintf(
+                        $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installEnabledTemporarily'),
+                        '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>',
+                        floor((@filemtime($enableInstallToolFile) + EnableFileService::INSTALL_TOOL_ENABLE_FILE_LIFETIME - time()) / 60)
+                    );
                     $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
                         $GLOBALS['LANG']->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
                 }
             }
         }
-        return GeneralUtility::makeInstance(Status::class,
-            $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installTool'), $value, $message, $severity);
+        return GeneralUtility::makeInstance(
+            Status::class,
+            $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installTool'),
+            $value,
+            $message,
+            $severity
+        );
     }
 
     /**