‪TYPO3CMS  10.4
SecurityStatusReport.php
Go to the documentation of this file.
1 <?php
2 
3 /*
4  * This file is part of the TYPO3 CMS project.
5  *
6  * It is free software; you can redistribute it and/or modify it under
7  * the terms of the GNU General Public License, either version 2
8  * of the License, or any later version.
9  *
10  * For the full copyright and license information, please read the
11  * LICENSE.txt file that was distributed with this source code.
12  *
13  * The TYPO3 project - inspiring people to share!
14  */
15 
16 namespace ‪TYPO3\CMS\Install\Report;
17 
18 use ‪TYPO3\CMS\Backend\Routing\UriBuilder;
19 use ‪TYPO3\CMS\Core\Core\Environment;
20 use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
21 use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
22 use ‪TYPO3\CMS\Core\Localization\LanguageService;
23 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
24 use ‪TYPO3\CMS\Install\Service\EnableFileService;
25 use ‪TYPO3\CMS\Install\SystemEnvironment\ServerResponse\ServerResponseCheck;
26 use ‪TYPO3\CMS\Reports\Status;
27 use ‪TYPO3\CMS\Reports\StatusProviderInterface;
28 
33 class ‪SecurityStatusReport implements ‪StatusProviderInterface
34 {
40  public function ‪getStatus()
41  {
42  $this->‪executeAdminCommand();
43  return [
44  'installToolPassword' => $this->‪getInstallToolPasswordStatus(),
45  'installToolProtection' => $this->‪getInstallToolProtectionStatus(),
46  'serverResponseStatus' => GeneralUtility::makeInstance(ServerResponseCheck::class)->asStatus(),
47  ];
48  }
49 
55  protected function ‪getInstallToolPasswordStatus()
56  {
57  // @todo @deprecated: This should be removed in TYPO3 v10.0 when install tool allows proper hashes only
58  $value = $this->‪getLanguageService()->‪getLL('status_ok');
59  $message = '';
60  $severity = ‪Status::OK;
61  $isDefaultPassword = false;
62  $installToolPassword = ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
63  $hashInstance = null;
64  $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
65  try {
66  $hashInstance = $hashFactory->get($installToolPassword, 'BE');
67  } catch (‪InvalidPasswordHashException $e) {
68  // $hashInstance stays null
69  $value = $this->‪getLanguageService()->‪getLL('status_wrongValue');
70  $message = $e->getMessage();
71  $severity = ‪Status::ERROR;
72  }
73  if ($installToolPassword !== '' && $hashInstance !== null) {
74  $isDefaultPassword = $hashInstance->checkPassword('joh316', $installToolPassword);
75  } elseif ($installToolPassword === 'bacb98acf97e0b6112b1d1b650b84971') {
76  // using MD5 of legacy default password 'joh316'
77  $isDefaultPassword = true;
78  }
79  if ($isDefaultPassword) {
80  $value = $this->‪getLanguageService()->‪getLL('status_insecure');
81  $severity = ‪Status::ERROR;
83  $uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
84  $changeInstallToolPasswordUrl = (string)$uriBuilder->buildUriFromRoute('tools_toolssettings');
85  $message = sprintf(
86  $this->‪getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.installtool_default_password'),
87  '<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">',
88  '</a>'
89  );
90  }
91  return GeneralUtility::makeInstance(
92  Status::class,
93  $this->‪getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installToolPassword'),
94  $value,
95  $message,
96  $severity
97  );
98  }
99 
105  protected function ‪getInstallToolProtectionStatus()
106  {
107  $enableInstallToolFile = ‪Environment::getPublicPath() . '/' . ‪EnableFileService::INSTALL_TOOL_ENABLE_FILE_PATH;
108  $value = $this->‪getLanguageService()->‪getLL('status_disabled');
109  $message = '';
110  $severity = ‪Status::OK;
111  if (‪EnableFileService::installToolEnableFileExists()) {
112  if (‪EnableFileService::isInstallToolEnableFilePermanent()) {
113  $severity = ‪Status::WARNING;
114  $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
115  $value = $this->‪getLanguageService()->‪sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledPermanently');
116  $message = sprintf(
117  $this->‪getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled'),
118  '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>'
119  );
120  $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
121  $this->‪getLanguageService()->‪sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
122  } else {
123  if (‪EnableFileService::installToolEnableFileLifetimeExpired()) {
124  ‪EnableFileService::removeInstallToolEnableFile();
125  } else {
126  $severity = ‪Status::NOTICE;
127  $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
128  $value = $this->‪getLanguageService()->‪sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledTemporarily');
129  $message = sprintf(
130  $this->‪getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installEnabledTemporarily'),
131  '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>',
132  floor((@filemtime($enableInstallToolFile) + ‪EnableFileService::INSTALL_TOOL_ENABLE_FILE_LIFETIME - time()) / 60)
133  );
134  $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
135  $this->‪getLanguageService()->‪sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
136  }
137  }
138  }
139  return GeneralUtility::makeInstance(
140  Status::class,
141  $this->‪getLanguageService()->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installTool'),
142  $value,
143  $message,
144  $severity
145  );
146  }
147 
151  protected function ‪executeAdminCommand()
152  {
153  $command = GeneralUtility::_GET('adminCmd');
154  switch ($command) {
155  case 'remove_ENABLE_INSTALL_TOOL':
156  ‪EnableFileService::removeInstallToolEnableFile();
157  break;
158  default:
159  // Do nothing
160  }
161  }
162 
166  protected function ‪getLanguageService(): ?‪LanguageService
167  {
168  return ‪$GLOBALS['LANG'] ?? null;
169  }
170 }
‪TYPO3\CMS\Reports\StatusProviderInterface
Definition: StatusProviderInterface.php:22
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory
Definition: PasswordHashFactory.php:27
‪TYPO3\CMS\Install\Report\SecurityStatusReport\getStatus
‪Status[] getStatus()
Definition: SecurityStatusReport.php:40
‪TYPO3\CMS\Core\Core\Environment\getPublicPath
‪static string getPublicPath()
Definition: Environment.php:180
‪TYPO3\CMS\Install\Report\SecurityStatusReport\getLanguageService
‪LanguageService null getLanguageService()
Definition: SecurityStatusReport.php:166
‪TYPO3\CMS\Install\Service\EnableFileService\installToolEnableFileLifetimeExpired
‪static bool installToolEnableFileLifetimeExpired()
Definition: EnableFileService.php:148
‪TYPO3\CMS\Reports\Status\NOTICE
‪const NOTICE
Definition: Status.php:25
‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException
Definition: InvalidPasswordHashException.php:26
‪TYPO3\CMS\Reports\Status\ERROR
‪const ERROR
Definition: Status.php:29
‪TYPO3\CMS\Install\Report
Definition: EnvironmentStatusReport.php:16
‪TYPO3\CMS\Install\Service\EnableFileService\INSTALL_TOOL_ENABLE_FILE_PATH
‪const INSTALL_TOOL_ENABLE_FILE_PATH
Definition: EnableFileService.php:30
‪TYPO3\CMS\Install\Service\EnableFileService
Definition: EnableFileService.php:26
‪TYPO3\CMS\Install\Report\SecurityStatusReport\getInstallToolProtectionStatus
‪Status getInstallToolProtectionStatus()
Definition: SecurityStatusReport.php:105
‪TYPO3\CMS\Install\Report\SecurityStatusReport
Definition: SecurityStatusReport.php:34
‪TYPO3\CMS\Install\Service\EnableFileService\INSTALL_TOOL_ENABLE_FILE_LIFETIME
‪const INSTALL_TOOL_ENABLE_FILE_LIFETIME
Definition: EnableFileService.php:40
‪TYPO3\CMS\Core\Localization\LanguageService\sL
‪string sL($input)
Definition: LanguageService.php:194
‪TYPO3\CMS\Install\Report\SecurityStatusReport\getInstallToolPasswordStatus
‪Status getInstallToolPasswordStatus()
Definition: SecurityStatusReport.php:55
‪TYPO3\CMS\Reports\Status\OK
‪const OK
Definition: Status.php:27
‪TYPO3\CMS\Reports\Status
Definition: Status.php:24
‪TYPO3\CMS\Install\Report\SecurityStatusReport\executeAdminCommand
‪executeAdminCommand()
Definition: SecurityStatusReport.php:151
‪TYPO3\CMS\Install\Service\EnableFileService\removeInstallToolEnableFile
‪static bool removeInstallToolEnableFile()
Definition: EnableFileService.php:77
‪TYPO3\CMS\Install\Service\EnableFileService\installToolEnableFileExists
‪static bool installToolEnableFileExists()
Definition: EnableFileService.php:102
‪TYPO3\CMS\Backend\Routing\UriBuilder
Definition: UriBuilder.php:38
‪TYPO3\CMS\Install\SystemEnvironment\ServerResponse\ServerResponseCheck
Definition: ServerResponseCheck.php:42
‪TYPO3\CMS\Reports\Status\WARNING
‪const WARNING
Definition: Status.php:28
‪TYPO3\CMS\Install\Service\EnableFileService\isInstallToolEnableFilePermanent
‪static bool isInstallToolEnableFilePermanent()
Definition: EnableFileService.php:132
‪$GLOBALS
‪$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['adminpanel']['modules']
Definition: ext_localconf.php:5
‪TYPO3\CMS\Core\Core\Environment
Definition: Environment.php:40
‪TYPO3\CMS\Core\Localization\LanguageService
Definition: LanguageService.php:42
‪TYPO3\CMS\Core\Localization\LanguageService\getLL
‪string getLL($index)
Definition: LanguageService.php:154
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:46