‪TYPO3CMS  9.5
SecurityStatusReport.php
Go to the documentation of this file.
1 <?php
2 namespace ‪TYPO3\CMS\Install\Report;
3 
4 /*
5  * This file is part of the TYPO3 CMS project.
6  *
7  * It is free software; you can redistribute it and/or modify it under
8  * the terms of the GNU General Public License, either version 2
9  * of the License, or any later version.
10  *
11  * For the full copyright and license information, please read the
12  * LICENSE.txt file that was distributed with this source code.
13  *
14  * The TYPO3 project - inspiring people to share!
15  */
16 
17 use ‪TYPO3\CMS\Core\Core\Environment;
18 use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
19 use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
20 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
21 use ‪TYPO3\CMS\Install\Service\EnableFileService;
22 use ‪TYPO3\CMS\Install\SystemEnvironment\ServerResponse\ServerResponseCheck;
23 use ‪TYPO3\CMS\Reports\Status;
24 
29 class ‪SecurityStatusReport implements ‪\TYPO3\CMS\Reports\StatusProviderInterface
30 {
36  public function ‪getStatus()
37  {
38  $this->‪executeAdminCommand();
39  return [
40  'installToolPassword' => $this->‪getInstallToolPasswordStatus(),
41  'installToolProtection' => $this->‪getInstallToolProtectionStatus(),
42  'serverResponseStatus' => GeneralUtility::makeInstance(ServerResponseCheck::class)->asStatus(),
43  ];
44  }
45 
51  protected function ‪getInstallToolPasswordStatus()
52  {
53  // @todo @deprecated: This should be removed in TYPO3 v10.0 when install tool allows proper hashes only
54  $value = ‪$GLOBALS['LANG']->getLL('status_ok');
55  $message = '';
56  $severity = ‪Status::OK;
57  $isDefaultPassword = false;
58  $installToolPassword = ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
59  $hashInstance = null;
60  $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
61  try {
62  $hashInstance = $hashFactory->get($installToolPassword, 'BE');
63  } catch (‪InvalidPasswordHashException $e) {
64  // $hashInstance stays null
65  $value = ‪$GLOBALS['LANG']->getLL('status_wrongValue');
66  $message = $e->getMessage();
67  $severity = ‪Status::ERROR;
68  }
69  if ($installToolPassword !== '' && $hashInstance !== null) {
70  $isDefaultPassword = $hashInstance->checkPassword('joh316', $installToolPassword);
71  } elseif ($installToolPassword === 'bacb98acf97e0b6112b1d1b650b84971') {
72  // using MD5 of legacy default password 'joh316'
73  $isDefaultPassword = true;
74  }
75  if ($isDefaultPassword) {
76  $value = ‪$GLOBALS['LANG']->getLL('status_insecure');
77  $severity = ‪Status::ERROR;
79  $uriBuilder = GeneralUtility::makeInstance(\‪TYPO3\CMS\Backend\Routing\UriBuilder::class);
80  $changeInstallToolPasswordUrl = (string)$uriBuilder->buildUriFromRoute('tools_toolssettings');
81  $message = sprintf(
82  ‪$GLOBALS['LANG']->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.installtool_default_password'),
83  '<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">',
84  '</a>'
85  );
86  }
87  return GeneralUtility::makeInstance(
88  Status::class,
89  ‪$GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installToolPassword'),
90  $value,
91  $message,
92  $severity
93  );
94  }
95 
101  protected function ‪getInstallToolProtectionStatus()
102  {
103  $enableInstallToolFile = ‪Environment::getPublicPath() . '/' . ‪EnableFileService::INSTALL_TOOL_ENABLE_FILE_PATH;
104  $value = ‪$GLOBALS['LANG']->getLL('status_disabled');
105  $message = '';
106  $severity = ‪Status::OK;
107  if (‪EnableFileService::installToolEnableFileExists()) {
108  if (‪EnableFileService::isInstallToolEnableFilePermanent()) {
109  $severity = ‪Status::WARNING;
110  $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
111  $value = ‪$GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledPermanently');
112  $message = sprintf(
113  ‪$GLOBALS['LANG']->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled'),
114  '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>'
115  );
116  $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
117  ‪$GLOBALS['LANG']->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
118  } else {
119  if (‪EnableFileService::installToolEnableFileLifetimeExpired()) {
120  ‪EnableFileService::removeInstallToolEnableFile();
121  } else {
122  $severity = ‪Status::NOTICE;
123  $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
124  $value = ‪$GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_enabledTemporarily');
125  $message = sprintf(
126  ‪$GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installEnabledTemporarily'),
127  '<code style="white-space: nowrap;">' . $enableInstallToolFile . '</code>',
128  floor((@filemtime($enableInstallToolFile) + ‪EnableFileService::INSTALL_TOOL_ENABLE_FILE_LIFETIME - time()) / 60)
129  );
130  $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
131  ‪$GLOBALS['LANG']->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
132  }
133  }
134  }
135  return GeneralUtility::makeInstance(
136  Status::class,
137  ‪$GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_installTool'),
138  $value,
139  $message,
140  $severity
141  );
142  }
143 
147  protected function ‪executeAdminCommand()
148  {
149  $command = GeneralUtility::_GET('adminCmd');
150  switch ($command) {
151  case 'remove_ENABLE_INSTALL_TOOL':
152  ‪EnableFileService::removeInstallToolEnableFile();
153  break;
154  default:
155  // Do nothing
156  }
157  }
158 }
‪TYPO3\CMS\Reports\StatusProviderInterface
Definition: StatusProviderInterface.php:21
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory
Definition: PasswordHashFactory.php:25
‪TYPO3\CMS\Install\Report\SecurityStatusReport\getStatus
‪Status[] getStatus()
Definition: SecurityStatusReport.php:36
‪TYPO3\CMS\Core\Core\Environment\getPublicPath
‪static string getPublicPath()
Definition: Environment.php:153
‪TYPO3\CMS\Install\Service\EnableFileService\installToolEnableFileLifetimeExpired
‪static bool installToolEnableFileLifetimeExpired()
Definition: EnableFileService.php:146
‪TYPO3\CMS\Reports\Status\NOTICE
‪const NOTICE
Definition: Status.php:23
‪TYPO3
‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException
Definition: InvalidPasswordHashException.php:22
‪TYPO3\CMS\Reports\Status\ERROR
‪const ERROR
Definition: Status.php:27
‪TYPO3\CMS\Install\Report
Definition: EnvironmentStatusReport.php:2
‪TYPO3\CMS\Install\Service\EnableFileService\INSTALL_TOOL_ENABLE_FILE_PATH
‪const INSTALL_TOOL_ENABLE_FILE_PATH
Definition: EnableFileService.php:28
‪TYPO3\CMS\Install\Service\EnableFileService
Definition: EnableFileService.php:24
‪TYPO3\CMS\Install\Report\SecurityStatusReport\getInstallToolProtectionStatus
‪Status getInstallToolProtectionStatus()
Definition: SecurityStatusReport.php:101
‪TYPO3\CMS\Install\Report\SecurityStatusReport
Definition: SecurityStatusReport.php:30
‪TYPO3\CMS\Install\Service\EnableFileService\INSTALL_TOOL_ENABLE_FILE_LIFETIME
‪const INSTALL_TOOL_ENABLE_FILE_LIFETIME
Definition: EnableFileService.php:38
‪TYPO3\CMS\Install\Report\SecurityStatusReport\getInstallToolPasswordStatus
‪Status getInstallToolPasswordStatus()
Definition: SecurityStatusReport.php:51
‪TYPO3\CMS\Reports\Status\OK
‪const OK
Definition: Status.php:25
‪TYPO3\CMS\Reports\Status
Definition: Status.php:22
‪TYPO3\CMS\Install\Report\SecurityStatusReport\executeAdminCommand
‪executeAdminCommand()
Definition: SecurityStatusReport.php:147
‪TYPO3\CMS\Install\Service\EnableFileService\removeInstallToolEnableFile
‪static bool removeInstallToolEnableFile()
Definition: EnableFileService.php:75
‪TYPO3\CMS\Install\Service\EnableFileService\installToolEnableFileExists
‪static bool installToolEnableFileExists()
Definition: EnableFileService.php:100
‪TYPO3\CMS\Install\SystemEnvironment\ServerResponse\ServerResponseCheck
Definition: ServerResponseCheck.php:37
‪TYPO3\CMS\Reports\Status\WARNING
‪const WARNING
Definition: Status.php:26
‪TYPO3\CMS\Install\Service\EnableFileService\isInstallToolEnableFilePermanent
‪static bool isInstallToolEnableFilePermanent()
Definition: EnableFileService.php:130
‪$GLOBALS
‪$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['adminpanel']['modules']
Definition: ext_localconf.php:5
‪TYPO3\CMS\Core\Core\Environment
Definition: Environment.php:39
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:45