[BUGFIX] Throw exception if encryption key is not set 24/53724/6
authorHelmut Hummel <typo3@helhum.io>
Thu, 17 Aug 2017 16:41:39 +0000 (18:41 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Tue, 22 Aug 2017 19:53:08 +0000 (21:53 +0200)
The encryption key is vital to the security
of TYPO3. Not having it set (by accident) can lead
to severe security issues.

Therefore enforce it to be set and throw an exception
in case it isn't, instead of just reporting a warning.

Releases: master, 8.7, 7.6
Resolves: #82169
Change-Id: I79c73558d0968ae89a2867d6d5264530f434e1a3
Reviewed-on: https://review.typo3.org/53724
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/lang/Resources/Private/Language/locallang_core.xlf
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php

index 1923f23..8853b4e 100644 (file)
@@ -173,7 +173,12 @@ class Bootstrap
             ->setFinalCachingFrameworkCacheConfiguration()
             ->unsetReservedGlobalVariables()
             ->loadBaseTca();
-
+        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
+            throw new \RuntimeException(
+                'TYPO3 Encryption is empty. $GLOBALS[\'TYPO3_CONF_VARS\'][\'SYS\'][\'encryptionKey\'] needs to be set for TYPO3 to work securely',
+                1502987245
+            );
+        }
         return $this;
     }
 
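Review bot: The new guard in Bootstrap rejects only what `empty()` treats as falsy, so a whitespace-only `encryptionKey` still passes although it protects no better than an unset one. Extending the condition with `|| trim((string)$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) === ''` would close that gap, and a minimum length could be enforced in the same place if the project wants one. The exception text says "TYPO3 Encryption is empty" and would be clearer as `'TYPO3 encryption key is empty. ...'`, so the operator sees which setting is meant. The enclosing method starts above the hunk, so it is not visible here whether the first-install or Install Tool path that writes the key also runs through this check. If it does, that path has to be exempt, or an instance without a key cannot be repaired through the web interface.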
index 4b98c47..be72997 100644 (file)
@@ -1162,9 +1162,6 @@ Do you want to refresh it now?</source>
                        <trans-unit id="warning.install_trustedhosts">
                                <source>The trusted hosts pattern check is disabled. Please define the allowed hosts in the [SYS][trustedHostsPattern] section of the Install Tool.</source>
                        </trans-unit>
-                       <trans-unit id="warning.install_encryption">
-                               <source>The encryption key is not set. Set it in the %sBasic Configuration section%s of the Install Tool.</source>
-                       </trans-unit>
                        <trans-unit id="warning.install_update">
                                <source>This installation is not configured for the TYPO3 version it is running. If you did so intentionally, this message can be safely ignored. If you are unsure, visit the Update Wizard section of the %sInstall Tool%s to see how TYPO3 would change.</source>
                        </trans-unit>
index 12cd429..d48b5ab 100644 (file)
@@ -42,7 +42,6 @@ class SecurityStatus implements StatusProviderInterface
         $statuses = [
             'trustedHostsPattern' => $this->getTrustedHostsPatternStatus(),
             'adminUserAccount' => $this->getAdminAccountStatus(),
-            'encryptionKeyEmpty' => $this->getEncryptionKeyStatus(),
             'fileDenyPattern' => $this->getFileDenyPatternStatus(),
             'htaccessUpload' => $this->getHtaccessUploadStatus(),
             'saltedpasswords' => $this->getSaltedPasswordsStatus(),
@@ -130,29 +129,6 @@ class SecurityStatus implements StatusProviderInterface
     }
 
     /**
-     * Checks whether the encryption key is empty.
-     *
-     * @return \TYPO3\CMS\Reports\Status An object representing whether the encryption key is empty or not
-     */
-    protected function getEncryptionKeyStatus()
-    {
-        $value = $this->getLanguageService()->getLL('status_ok');
-        $message = '';
-        $severity = ReportStatus::OK;
-        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
-            $value = $this->getLanguageService()->getLL('status_insecure');
-            $severity = ReportStatus::ERROR;
-            $url = 'install/index.php?redirect_url=index.php' . urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
-            $message = sprintf(
-                $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_encryption'),
-                '<a href="' . $url . '">',
-                '</a>'
-            );
-        }
-        return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_encryptionKey'), $value, $message, $severity);
-    }
-
-    /**
      * Checks if fileDenyPattern was changed which is dangerous on Apache
      *
      * @return \TYPO3\CMS\Reports\Status An object representing whether the file deny pattern has changed