[TASK] Implement check for saltedpasswords in reports module
authorSteffen Ritter <info@rs-websystems.de>
Mon, 24 Oct 2011 22:38:58 +0000 (00:38 +0200)
committerXavier Perseguers <xavier@typo3.org>
Mon, 24 Oct 2011 23:52:49 +0000 (01:52 +0200)
The reports module should show a warning if saltedpasswords is
not installed or not configured correctly.

Change-Id: Icbd31378a05f02f20de5e43a63465c119f72a6d3
Resolves: #30695
Releases: 4.6, 4.5
Reviewed-on: http://review.typo3.org/6275
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
typo3/sysext/reports/reports/locallang.xlf
typo3/sysext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php

index d608d34..533f68a 100644 (file)
                        <trans-unit id="status_encryptionKey" xml:space="preserve">
                                <source>Encryption Key</source>
                        </trans-unit>
+                       <trans-unit id="status_saltedPasswords" xml:space="preserve">
+                               <source>Backend user password hashes</source>
+                       </trans-unit>
+                       <trans-unit id="status_saltedPasswords_infoText" xml:space="preserve">
+                               <source>During the configuration check of saltedpasswords the following issues have been found:</source>
+                       </trans-unit>
+                       <trans-unit id="status_saltedPasswords_notInstalled" xml:space="preserve">
+                               <source>The saltedpasswords extension is not installed. The passwords are only hashed with md5 which is considered to be insecure. Install and configure the saltedpasswords extension and run the scheduler task to convert all passwords to salted hashes.</source>
+                       </trans-unit>
+                       <trans-unit id="status_saltedPasswords_notAllPasswordsHashed" xml:space="preserve">
+                               <source>Some backend user passwords are found to be only md5 hashed. Run the scheduler task to convert all passwords to salted hashes.</source>
+                       </trans-unit>
                        <trans-unit id="status_fileDenyPattern" xml:space="preserve">
                                <source>File Deny Pattern</source>
                        </trans-unit>
index 8a6fe67..0a9911c 100644 (file)
@@ -48,6 +48,7 @@ class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvi
                        'htaccessUpload'      => $this->getHtaccessUploadStatus(),
                        'installToolEnabled'  => $this->getInstallToolProtectionStatus(),
                        'installToolPassword' => $this->getInstallToolPasswordStatus(),
+                       'saltedpasswords'     => $this->getSaltedPasswordsStatus()
                );
 
                return $statuses;
@@ -234,7 +235,53 @@ class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvi
                );
        }
 
+       /**
+        * Checks whether the Install Tool password is set to its default value.
+        *
+        * @return      tx_reports_reports_status_Status        An tx_reports_reports_status_Status object representing the security of the saltedpassswords extension
+        */
+       protected function getSaltedPasswordsStatus() {
+               $value    = $GLOBALS['LANG']->getLL('status_ok');
+               $message  = '';
+               $severity = tx_reports_reports_status_Status::OK;
+
+               if (!t3lib_extMgm::isLoaded('saltedpasswords')) {
+                       $value    = $GLOBALS['LANG']->getLL('status_insecure');
+                       $severity = tx_reports_reports_status_Status::ERROR;
+                       $message .= $GLOBALS['LANG']->getLL('status_saltedPasswords_notInstalled');
+               } else {
+                       /** @var tx_saltedpasswords_emconfhelper $configCheck */
+                       $configCheck = t3lib_div::makeInstance('tx_saltedpasswords_emconfhelper');
+                       $message .= '<p>' . $GLOBALS['LANG']->getLL('status_saltedPasswords_infoText') . '</p>';
+                       $flashMessage = $configCheck->checkConfigurationBackend(array(), new t3lib_tsStyleConfig());
+
+                       if (strpos($flashMessage, 'message-error') !== FALSE ||
+                               strpos($flashMessage, 'message-warning') !== FALSE ||
+                               strpos($flashMessage, 'message-information') !== FALSE
+                       ) {
+                               $value    = $GLOBALS['LANG']->getLL('status_insecure');
+                               $severity = tx_reports_reports_status_Status::ERROR;
+                               $message .= $flashMessage;
+                       }
 
+                       $unsecureUserCount = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
+                               '*',
+                               'be_users',
+                               'password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('$%', 'be_users')
+                                       . ' AND password NOT LIKE ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('M$%', 'be_users')
+                       );
+                       if ($unsecureUserCount > 0) {
+                               $value    = $GLOBALS['LANG']->getLL('status_insecure');
+                               $severity = tx_reports_reports_status_Status::ERROR;
+                               $message .= '<div class="typo3-message message-warning">' .
+                                               $GLOBALS['LANG']->getLL('status_saltedPasswords_notAllPasswordsHashed') .'</div>';
+                       }
+               }
+
+               return t3lib_div::makeInstance('tx_reports_reports_status_Status',
+                       $GLOBALS['LANG']->getLL('status_saltedPasswords'), $value, $message, $severity
+               );
+       }
 
        /**
         * Checks for the existance of the ENABLE_INSTALL_TOOL file.
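Review bot: The heading "During the configuration check of saltedpasswords the following issues have been found:" is appended to `$message` unconditionally at the top of the `else` branch (the `'<p>' . $GLOBALS['LANG']->getLL('status_saltedPasswords_infoText') . '</p>'` line), so an installation that passes both the emconfhelper check and the be_users query still renders status_ok together with a message announcing issues and listing none. Build the heading only once a problem is recorded, e.g. replace that line with `$infoText = '<p>' . $GLOBALS['LANG']->getLL('status_saltedPasswords_infoText') . '</p>';` and in each of the two failing branches write `$message = $infoText . $message . ...` (or prepend it after both checks when `$severity` is no longer OK). The docblock is copied from the install-tool password check ("Checks whether the Install Tool password is set to its default value.", and "saltedpassswords" in the @return line) and should instead read `Checks that the saltedpasswords extension is loaded, that its backend configuration check reports no issues, and that no be_users row still carries an unsalted md5 hash.` Detecting problems by `strpos()` on the CSS class names `message-error`/`message-warning`/`message-information` in the rendered flash message is fragile and fails open: if the emconfhelper markup or class names change, every configuration is reported as secure, so a structured result from `checkConfigurationBackend()` would be safer, or at minimum a comment should record this coupling and that `message-information` is deliberately treated as insecure. The counting query has no `deleted = 0` restriction; if the scheduler task that converts hashes skips deleted accounts (not visible here), the warning would never clear for such installations.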