[BUGFIX] Properly check install tool password in report 18/61318/4
authorMathias Brodala <mbrodala@pagemachine.de>
Thu, 18 Jul 2019 09:05:43 +0000 (11:05 +0200)
committerBenjamin Franzke <bfr@qbus.de>
Sun, 21 Jul 2019 23:19:30 +0000 (01:19 +0200)
Also output a report message in case of unsupported hash algorithm.

Resolves: #88794
Releases: master, 9.5
Change-Id: I1ba4efd321f4d2d5bc35b65bb7caac0581fe0a39
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61318
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
typo3/sysext/install/Classes/Report/SecurityStatusReport.php

index f00ca4a..da9151b 100644 (file)
@@ -53,7 +53,7 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
         $value = $this->getLanguageService()->getLL('status_ok');
         $message = '';
         $severity = Status::OK;
-        $validPassword = true;
+        $isDefaultPassword = false;
         $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
         $hashInstance = null;
         $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
@@ -61,13 +61,16 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
             $hashInstance = $hashFactory->get($installToolPassword, 'BE');
         } catch (InvalidPasswordHashException $e) {
             // $hashInstance stays null
+            $value = $this->getLanguageService()->getLL('status_wrongValue');
+            $message = $e->getMessage();
+            $severity = Status::ERROR;
         }
-        if ($installToolPassword !== '' && $hashInstance === null) {
-            $validPassword = !$hashFactory->checkPassword('joh316', $installToolPassword);
+        if ($installToolPassword !== '' && $hashInstance !== null) {
+            $isDefaultPassword = $hashInstance->checkPassword('joh316', $installToolPassword);
         } elseif ($installToolPassword === md5('joh316')) {
-            $validPassword = false;
+            $isDefaultPassword = true;
         }
-        if (!$validPassword) {
+        if ($isDefaultPassword) {
             $value = $this->getLanguageService()->getLL('status_insecure');
             $severity = Status::ERROR;
             /** @var \TYPO3\CMS\Backend\Routing\UriBuilder $uriBuilder */
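Review bot: In the new catch branch, `$message = $e->getMessage();` puts a raw exception string into the status report, whereas `$value` uses translated `getLL()` labels; whether that string can include the stored hash value, or is escaped when rendered, cannot be seen from this hunk. A dedicated localized label for the unsupported-hash case would keep the report consistent and avoid depending on the exception's wording. The `$value` and `$severity` set in the catch are also replaced further down when the legacy `md5('joh316')` branch matches, which looks intended but is worth stating next to the existing `// $hashInstance stays null` comment, for example `// Unsupported hash: report it; the default-password check below may still replace this status.` The method body starts before and continues after this hunk.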