‪TYPO3CMS  9.5
All Classes Namespaces Files Functions Variables Pages
SecurityStatus.php
Go to the documentation of this file.
1 <?php
2 declare(strict_types = 1);
3 namespace ‪TYPO3\CMS\Reports\Report\Status;
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
18 use Psr\Http\Message\ServerRequestInterface;
19 use ‪TYPO3\CMS\Backend\Routing\UriBuilder;
20 use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
21 use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
22 use ‪TYPO3\CMS\Core\Database\ConnectionPool;
23 use ‪TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
24 use ‪TYPO3\CMS\Core\Localization\LanguageService;
25 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
26 use ‪TYPO3\CMS\Reports\RequestAwareStatusProviderInterface;
27 use ‪TYPO3\CMS\Reports\Status as ReportStatus;
28 
32 class ‪SecurityStatus implements ‪RequestAwareStatusProviderInterface
33 {
37  protected ‪$request;
38 
45  public function ‪getStatus(ServerRequestInterface ‪$request = null)
46  {
47  $statuses = [
48  'trustedHostsPattern' => $this->‪getTrustedHostsPatternStatus(),
49  'adminUserAccount' => $this->‪getAdminAccountStatus(),
50  'fileDenyPattern' => $this->‪getFileDenyPatternStatus(),
51  'htaccessUpload' => $this->‪getHtaccessUploadStatus(),
52  ];
53 
54  if (‪$request !== null) {
55  $statuses['encryptedConnectionStatus'] = $this->‪getEncryptedConnectionStatus(‪$request);
56  $lockSslStatus = $this->‪getLockSslStatus(‪$request);
57  if ($lockSslStatus) {
58  $statuses['getLockSslStatus'] = $lockSslStatus;
59  }
60  }
61 
62  return $statuses;
63  }
64 
71  protected function ‪getEncryptedConnectionStatus(ServerRequestInterface ‪$request): ReportStatus
72  {
73  $value = $this->‪getLanguageService()->‪getLL('status_ok');
74  $message = '';
75  $severity = ReportStatus::OK;
76 
78  $normalizedParams = ‪$request->getAttribute('normalizedParams');
79 
80  if (!$normalizedParams->isHttps()) {
81  $value = $this->‪getLanguageService()->‪getLL('status_insecure');
82  $severity = ReportStatus::WARNING;
83  $message = $this->‪getLanguageService()->‪sL('LLL:EXT:reports/Resources/Private/Language/locallang_reports.xlf:status_encryptedConnectionStatus_insecure');
84  }
85 
86  return GeneralUtility::makeInstance(ReportStatus::class, $this->‪getLanguageService()->getLL('status_encryptedConnectionStatus'), $value, $message, $severity);
87  }
88 
93  protected function ‪getLockSslStatus(ServerRequestInterface ‪$request): ?ReportStatus
94  {
96  $normalizedParams = ‪$request->getAttribute('normalizedParams');
97 
98  if ($normalizedParams->isHttps()) {
99  $value = $this->‪getLanguageService()->‪getLL('status_ok');
100  $message = '';
101  $severity = ReportStatus::OK;
102 
103  if (!‪$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL']) {
104  $value = $this->‪getLanguageService()->‪getLL('status_insecure');
105  $message = $this->‪getLanguageService()->‪getLL('status_lockSslStatus_insecure');
106  $severity = ReportStatus::WARNING;
107  }
108 
109  return GeneralUtility::makeInstance(ReportStatus::class, $this->‪getLanguageService()->getLL('status_lockSslStatus'), $value, $message, $severity);
110  }
111 
112  return null;
113  }
114 
120  protected function ‪getTrustedHostsPatternStatus(): ReportStatus
121  {
122  $value = $this->‪getLanguageService()->‪getLL('status_ok');
123  $message = '';
124  $severity = ReportStatus::OK;
125 
126  if (‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] === ‪GeneralUtility::ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL) {
127  $value = $this->‪getLanguageService()->‪getLL('status_insecure');
128  $severity = ReportStatus::ERROR;
129  $message = $this->‪getLanguageService()->‪sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_trustedhosts');
130  }
131 
132  return GeneralUtility::makeInstance(ReportStatus::class, $this->‪getLanguageService()->getLL('status_trustedHostsPattern'), $value, $message, $severity);
133  }
134 
140  protected function ‪getAdminAccountStatus(): ReportStatus
141  {
142  $value = $this->‪getLanguageService()->‪getLL('status_ok');
143  $message = '';
144  $severity = ReportStatus::OK;
145 
146  $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('be_users');
147  $queryBuilder->getRestrictions()
148  ->removeAll()
149  ->add(GeneralUtility::makeInstance(DeletedRestriction::class));
150 
151  $row = $queryBuilder
152  ->select('uid', 'username', 'password')
153  ->from('be_users')
154  ->where(
155  $queryBuilder->expr()->eq(
156  'username',
157  $queryBuilder->createNamedParameter('admin', \PDO::PARAM_STR)
158  )
159  )
160  ->execute()
161  ->fetch();
162 
163  if (!empty($row)) {
164  try {
165  $hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)->get($row['password'], 'BE');
166  if ($hashInstance->checkPassword('password', $row['password'])) {
167  // If the password for 'admin' user is 'password': bad idea!
168  // We're checking since the (very) old installer created instances like this in dark old times.
169  $uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
170  $value = $this->‪getLanguageService()->‪getLL('status_insecure');
171  $severity = ReportStatus::ERROR;
172  $editUserAccountUrl = (string)$uriBuilder->buildUriFromRoute(
173  'record_edit',
174  [
175  'edit[be_users][' . $row['uid'] . ']' => 'edit',
176  'returnUrl' => (string)$uriBuilder->buildUriFromRoute('system_reports')
177  ]
178  );
179  $message = sprintf(
180  $this->‪getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.backend_admin'),
181  '<a href="' . htmlspecialchars($editUserAccountUrl) . '">',
182  '</a>'
183  );
184  }
185  } catch (‪InvalidPasswordHashException $e) {
186  // No hash class handling for current hash could be found. Not good, but ok in this case.
187  }
188  }
189 
190  return GeneralUtility::makeInstance(ReportStatus::class, $this->‪getLanguageService()->getLL('status_adminUserAccount'), $value, $message, $severity);
191  }
192 
198  protected function ‪getFileDenyPatternStatus(): ReportStatus
199  {
200  $value = $this->‪getLanguageService()->‪getLL('status_ok');
201  $message = '';
202  $severity = ReportStatus::OK;
203  $defaultParts = GeneralUtility::trimExplode('|', FILE_DENY_PATTERN_DEFAULT, true);
204  $givenParts = GeneralUtility::trimExplode('|', ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], true);
205  $result = array_intersect($defaultParts, $givenParts);
206 
207  if ($defaultParts !== $result) {
208  $value = $this->‪getLanguageService()->‪getLL('status_insecure');
209  $severity = ReportStatus::ERROR;
210  $message = sprintf(
211  $this->‪getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.file_deny_pattern_partsNotPresent'),
212  '<br /><pre>' . htmlspecialchars(FILE_DENY_PATTERN_DEFAULT) . '</pre><br />'
213  );
214  }
215 
216  return GeneralUtility::makeInstance(ReportStatus::class, $this->‪getLanguageService()->getLL('status_fileDenyPattern'), $value, $message, $severity);
217  }
218 
225  protected function ‪getHtaccessUploadStatus(): ReportStatus
226  {
227  $value = $this->‪getLanguageService()->‪getLL('status_ok');
228  $message = '';
229  $severity = ReportStatus::OK;
230 
231  if (‪$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT
232  && GeneralUtility::verifyFilenameAgainstDenyPattern('.htaccess')) {
233  $value = $this->‪getLanguageService()->‪getLL('status_insecure');
234  $severity = ReportStatus::ERROR;
235  $message = $this->‪getLanguageService()->‪sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.file_deny_htaccess');
236  }
237 
238  return GeneralUtility::makeInstance(ReportStatus::class, $this->‪getLanguageService()->getLL('status_htaccessUploadProtection'), $value, $message, $severity);
239  }
240 
244  protected function ‪getLanguageService(): ‪LanguageService
245  {
246  return ‪$GLOBALS['LANG'];
247  }
248 }
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory
Definition: PasswordHashFactory.php:25
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\$request
‪ServerRequestInterface $request
Definition: SecurityStatus.php:36
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getTrustedHostsPatternStatus
‪ReportStatus getTrustedHostsPatternStatus()
Definition: SecurityStatus.php:119
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getLockSslStatus
‪ReportStatus getLockSslStatus(ServerRequestInterface $request)
Definition: SecurityStatus.php:92
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getHtaccessUploadStatus
‪ReportStatus getHtaccessUploadStatus()
Definition: SecurityStatus.php:224
‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException
Definition: InvalidPasswordHashException.php:22
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getFileDenyPatternStatus
‪ReportStatus getFileDenyPatternStatus()
Definition: SecurityStatus.php:197
‪TYPO3\CMS\Reports\StatusProviderInterface\getStatus
‪array getStatus()
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getStatus
‪ReportStatus[] getStatus(ServerRequestInterface $request=null)
Definition: SecurityStatus.php:44
‪TYPO3\CMS\Core\Localization\LanguageService\sL
‪string sL($input)
Definition: LanguageService.php:158
‪TYPO3\CMS\Reports\Status
Definition: Status.php:22
‪TYPO3\CMS\Core\Utility\GeneralUtility\ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL
‪const ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL
Definition: GeneralUtility.php:54
‪TYPO3\CMS\Backend\Routing\UriBuilder
Definition: UriBuilder.php:35
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getLanguageService
‪LanguageService getLanguageService()
Definition: SecurityStatus.php:243
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus
Definition: SecurityStatus.php:33
‪$GLOBALS
‪$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['adminpanel']['modules']
Definition: ext_localconf.php:5
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getEncryptedConnectionStatus
‪ReportStatus getEncryptedConnectionStatus(ServerRequestInterface $request)
Definition: SecurityStatus.php:70
‪TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction
Definition: DeletedRestriction.php:26
‪TYPO3\CMS\Reports\Report\Status\SecurityStatus\getAdminAccountStatus
‪ReportStatus getAdminAccountStatus()
Definition: SecurityStatus.php:139
‪TYPO3\CMS\Reports\Report\Status
Definition: ConfigurationStatus.php:2
‪TYPO3\CMS\Core\Localization\LanguageService
Definition: LanguageService.php:29
‪TYPO3\CMS\Reports\RequestAwareStatusProviderInterface
Definition: RequestAwareStatusProviderInterface.php:24
‪TYPO3\CMS\Core\Database\ConnectionPool
Definition: ConnectionPool.php:44
‪TYPO3\CMS\Core\Localization\LanguageService\getLL
‪string getLL($index)
Definition: LanguageService.php:118
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:45