SecurityStatusReport.php 7.6 KB
Newer Older
1
<?php
2

3
4
5
6
7
8
9
10
11
12
13
14
15
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */

16
17
namespace TYPO3\CMS\Install\Report;

18
use TYPO3\CMS\Backend\Routing\UriBuilder;
19
use TYPO3\CMS\Core\Core\Environment;
20
21
use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
22
use TYPO3\CMS\Core\Localization\LanguageService;
23
24
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Install\Service\EnableFileService;
25
use TYPO3\CMS\Install\SystemEnvironment\ServerResponse\ServerResponseCheck;
26
use TYPO3\CMS\Reports\Status;
27
use TYPO3\CMS\Reports\StatusProviderInterface;
28
29

/**
30
 * Provides a status report of the security of the install tool
31
 * @internal This class is only meant to be used within EXT:install and is not part of the TYPO3 Core API.
32
 */
33
class SecurityStatusReport implements StatusProviderInterface
34
35
36
37
38
39
40
41
42
{
    /**
     * Compiles a collection of system status checks as a status report.
     *
     * @return Status[]
     */
    public function getStatus()
    {
        $this->executeAdminCommand();
43
        return [
44
            'installToolPassword' => $this->getInstallToolPasswordStatus(),
45
46
            'installToolProtection' => $this->getInstallToolProtectionStatus(),
            'serverResponseStatus' => GeneralUtility::makeInstance(ServerResponseCheck::class)->asStatus(),
47
        ];
48
    }
49

50
51
52
53
54
55
56
    /**
     * Checks whether the Install Tool password is set to its default value.
     *
     * @return Status An object representing the security of the install tool password
     */
    protected function getInstallToolPasswordStatus()
    {
57
        // @todo @deprecated: This should be removed in TYPO3 v10.0 when install tool allows proper hashes only
58
        $value = $this->getLanguageService()->getLL('status_ok');
59
60
        $message = '';
        $severity = Status::OK;
61
        $isDefaultPassword = false;
62
        $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
Christian Kuhn's avatar
Christian Kuhn committed
63
        $hashInstance = null;
64
        $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
Christian Kuhn's avatar
Christian Kuhn committed
65
        try {
66
            $hashInstance = $hashFactory->get($installToolPassword, 'BE');
67
        } catch (InvalidPasswordHashException $e) {
Christian Kuhn's avatar
Christian Kuhn committed
68
            // $hashInstance stays null
69
70
71
            $value = $this->getLanguageService()->getLL('status_wrongValue');
            $message = $e->getMessage();
            $severity = Status::ERROR;
Christian Kuhn's avatar
Christian Kuhn committed
72
        }
73
74
        if ($installToolPassword !== '' && $hashInstance !== null) {
            $isDefaultPassword = $hashInstance->checkPassword('joh316', $installToolPassword);
75
76
        } elseif ($installToolPassword === 'bacb98acf97e0b6112b1d1b650b84971') {
            // using MD5 of legacy default password 'joh316'
77
            $isDefaultPassword = true;
78
        }
79
        if ($isDefaultPassword) {
80
            $value = $this->getLanguageService()->getLL('status_insecure');
81
            $severity = Status::ERROR;
82
            /** @var \TYPO3\CMS\Backend\Routing\UriBuilder $uriBuilder */
83
            $uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
84
            $changeInstallToolPasswordUrl = (string)$uriBuilder->buildUriFromRoute('tools_toolssettings');
85
            $message = sprintf(
86
                $this->getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.installtool_default_password'),
87
88
89
                '<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">',
                '</a>'
            );
90
        }
91
92
        return GeneralUtility::makeInstance(
            Status::class,
93
            $this->getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installToolPassword'),
94
95
96
97
            $value,
            $message,
            $severity
        );
98
    }
99

100
101
102
103
104
105
106
    /**
     * Checks for the existence of the ENABLE_INSTALL_TOOL file.
     *
     * @return Status An object representing whether ENABLE_INSTALL_TOOL exists
     */
    protected function getInstallToolProtectionStatus()
    {
107
        $enableInstallToolFile = Environment::getPublicPath() . '/' . EnableFileService::INSTALL_TOOL_ENABLE_FILE_PATH;
108
        $value = $this->getLanguageService()->getLL('status_disabled');
109
110
111
112
113
114
        $message = '';
        $severity = Status::OK;
        if (EnableFileService::installToolEnableFileExists()) {
            if (EnableFileService::isInstallToolEnableFilePermanent()) {
                $severity = Status::WARNING;
                $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
115
                $value = $this->getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledPermanently');
116
                $message = sprintf(
117
                    $this->getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled'),
118
119
                    '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>'
                );
120
                $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
121
                    $this->getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
122
123
124
125
126
127
            } else {
                if (EnableFileService::installToolEnableFileLifetimeExpired()) {
                    EnableFileService::removeInstallToolEnableFile();
                } else {
                    $severity = Status::NOTICE;
                    $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
128
                    $value = $this->getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledTemporarily');
129
                    $message = sprintf(
130
                        $this->getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installEnabledTemporarily'),
131
132
133
                        '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>',
                        floor((@filemtime($enableInstallToolFile) + EnableFileService::INSTALL_TOOL_ENABLE_FILE_LIFETIME - time()) / 60)
                    );
134
                    $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
135
                        $this->getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
136
137
138
                }
            }
        }
139
140
        return GeneralUtility::makeInstance(
            Status::class,
141
            $this->getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installTool'),
142
143
144
145
            $value,
            $message,
            $severity
        );
146
    }
147

148
149
150
151
152
153
154
155
156
157
158
159
160
161
    /**
     * Executes commands like removing the Install Tool enable file.
     */
    protected function executeAdminCommand()
    {
        $command = GeneralUtility::_GET('adminCmd');
        switch ($command) {
            case 'remove_ENABLE_INSTALL_TOOL':
                EnableFileService::removeInstallToolEnableFile();
                break;
            default:
                // Do nothing
        }
    }
162
163
164
165
166
167
168
169

    /**
     * @return LanguageService|null
     */
    protected function getLanguageService(): ?LanguageService
    {
        return $GLOBALS['LANG'] ?? null;
    }
170
}