[BUGFIX] Throw exception if encryption key is not set 85/53785/3
authorHelmut Hummel <typo3@helhum.io>
Thu, 17 Aug 2017 16:41:39 +0000 (18:41 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Tue, 22 Aug 2017 20:27:04 +0000 (22:27 +0200)
The encryption key is a vital part to ensure security
of TYPO3. Not having it set (by accident) can lead
to severe security issues.

Therefore enforce it to be set and throw an exception
in case it isn't, instead of just reporting a warning.

Releases: master, 8.7, 7.6
Resolves: #82169
Change-Id: I79c73558d0968ae89a2867d6d5264530f434e1a3
Reviewed-on: https://review.typo3.org/53785
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/core/Build/Configuration/FunctionalTestsConfiguration.php
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php

index af815d5..24f29b6 100644 (file)
@@ -5,5 +5,6 @@ return [
         'debugExceptionHandler' => '',
         'trustedHostsPattern' => '.*',
         'setDBinit' => 'SET SESSION sql_mode = \'STRICT_ALL_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY\';',
+       'encryptionKey' => 'i-am-not-a-secure-encryption-key',
     ]
 ];
index ecf5e97..145644f 100644 (file)
@@ -173,7 +173,12 @@ class Bootstrap
             ->defineLoggingAndExceptionConstants()
             ->unsetReservedGlobalVariables()
             ->initializeTypo3DbGlobal();
-
+        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
+            throw new \RuntimeException(
+                'TYPO3 Encryption is empty. $GLOBALS[\'TYPO3_CONF_VARS\'][\'SYS\'][\'encryptionKey\'] needs to be set for TYPO3 to work securely',
+                1502987245
+            );
+        }
         return $this;
     }
 
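Review bot: The message in the added guard reads `TYPO3 Encryption is empty`, which drops the word "key"; because this exception now stops the bootstrap, it should name the setting plainly, e.g. `'TYPO3 encryption key is empty. $GLOBALS[\'TYPO3_CONF_VARS\'][\'SYS\'][\'encryptionKey\'] needs to be set for TYPO3 to work securely'`. `empty()` is a presence check only, so a whitespace-only or placeholder value still passes; a comment above the `if` such as `// Presence check only: the strength of the key is not validated here.` would keep readers from assuming more. The enclosing method starts outside the hunk, so I cannot see which entry points reach it. If the Install Tool goes through the same path, an instance without a key could not open the screen that sets one, which is worth confirming before the 8.7 and 7.6 backports.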
index c564a57..68c83d2 100644 (file)
@@ -34,7 +34,6 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface
         $statuses = [
             'trustedHostsPattern' => $this->getTrustedHostsPatternStatus(),
             'adminUserAccount' => $this->getAdminAccountStatus(),
-            'encryptionKeyEmpty' => $this->getEncryptionKeyStatus(),
             'fileDenyPattern' => $this->getFileDenyPatternStatus(),
             'htaccessUpload' => $this->getHtaccessUploadStatus(),
             'saltedpasswords' => $this->getSaltedPasswordsStatus(),
@@ -125,27 +124,6 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface
     }
 
     /**
-     * Checks whether the encryption key is empty.
-     *
-     * @return \TYPO3\CMS\Reports\Status An object representing whether the encryption key is empty or not
-     */
-    protected function getEncryptionKeyStatus()
-    {
-        $value = $GLOBALS['LANG']->getLL('status_ok');
-        $message = '';
-        $severity = \TYPO3\CMS\Reports\Status::OK;
-        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
-            $value = $GLOBALS['LANG']->getLL('status_insecure');
-            $severity = \TYPO3\CMS\Reports\Status::ERROR;
-            $url = 'install/index.php?redirect_url=index.php' . urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
-            $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_encryption'),
-                '<a href="' . $url . '">', '</a>');
-        }
-        return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
-            $GLOBALS['LANG']->getLL('status_encryptionKey'), $value, $message, $severity);
-    }
-
-    /**
      * Checks if fileDenyPattern was changed which is dangerous on Apache
      *
      * @return \TYPO3\CMS\Reports\Status An object representing whether the file deny pattern has changed