TYPO3 CMS  TYPO3_6-2
SecurityStatus.php
Go to the documentation of this file.
1 <?php
2 namespace TYPO3\CMS\Reports\Report\Status;
3 
17 use TYPO3\CMS\Backend\Utility\BackendUtility;
18 use TYPO3\CMS\Core\Utility\GeneralUtility;
19 use TYPO3\CMS\Install\Service\EnableFileService;
20 
26 class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
27 
33  public function getStatus() {
34  $this->executeAdminCommand();
35  $statuses = array(
36  'adminUserAccount' => $this->getAdminAccountStatus(),
37  'encryptionKeyEmpty' => $this->getEncryptionKeyStatus(),
38  'fileDenyPattern' => $this->getFileDenyPatternStatus(),
39  'htaccessUpload' => $this->getHtaccessUploadStatus(),
40  'installToolEnabled' => $this->getInstallToolProtectionStatus(),
41  'installToolPassword' => $this->getInstallToolPasswordStatus(),
42  'saltedpasswords' => $this->getSaltedPasswordsStatus(),
43  'cacheFloodingProtection' => $this->getCacheFloodingProtectionStatus()
44  );
45  return $statuses;
46  }
47 
51  protected function getCacheFloodingProtectionStatus() {
52  $value = $GLOBALS['LANG']->getLL('status_ok');
53  $message = '';
54  $severity = \TYPO3\CMS\Reports\Status::OK;
55  if (empty($GLOBALS['TYPO3_CONF_VARS']['FE']['cHashIncludePageId'])) {
56  $value = $GLOBALS['LANG']->getLL('status_insecure');
57  $severity = \TYPO3\CMS\Reports\Status::ERROR;
58  $message = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_cache_flooding');
59  }
60  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_cacheFloodingProtection'), $value, $message, $severity);
61  }
62 
68  protected function getAdminAccountStatus() {
69  $value = $GLOBALS['LANG']->getLL('status_ok');
70  $message = '';
71  $severity = \TYPO3\CMS\Reports\Status::OK;
72  $whereClause = 'username = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('admin', 'be_users') . \TYPO3\CMS\Backend\Utility\BackendUtility::deleteClause('be_users');
73  $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, username, password', 'be_users', $whereClause);
74  if ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
75  $secure = TRUE;
77  $saltingObject = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($row['password']);
78  if (is_object($saltingObject)) {
79  if ($saltingObject->checkPassword('password', $row['password'])) {
80  $secure = FALSE;
81  }
82  }
83  // Check against plain MD5
84  if ($row['password'] === '5f4dcc3b5aa765d61d8327deb882cf99') {
85  $secure = FALSE;
86  }
87  if (!$secure) {
88  $value = $GLOBALS['LANG']->getLL('status_insecure');
89  $severity = \TYPO3\CMS\Reports\Status::ERROR;
90  $editUserAccountUrl = 'alt_doc.php?returnUrl=' . rawurlencode(BackendUtility::getModuleUrl('system_ReportsTxreportsm1')) . '&edit[be_users][' . $row['uid'] . ']=edit';
91  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_admin'), '<a href="' . htmlspecialchars($editUserAccountUrl) . '">', '</a>');
92  }
93  }
94  $GLOBALS['TYPO3_DB']->sql_free_result($res);
95  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_adminUserAccount'), $value, $message, $severity);
96  }
97 
103  protected function getEncryptionKeyStatus() {
104  $value = $GLOBALS['LANG']->getLL('status_ok');
105  $message = '';
106  $severity = \TYPO3\CMS\Reports\Status::OK;
107  if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
108  $value = $GLOBALS['LANG']->getLL('status_insecure');
109  $severity = \TYPO3\CMS\Reports\Status::ERROR;
110  $url = 'install/index.php?redirect_url=index.php' . urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
111  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_encryption'), '<a href="' . $url . '">', '</a>');
112  }
113  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_encryptionKey'), $value, $message, $severity);
114  }
115 
121  protected function getFileDenyPatternStatus() {
122  $value = $GLOBALS['LANG']->getLL('status_ok');
123  $message = '';
124  $severity = \TYPO3\CMS\Reports\Status::OK;
125  $defaultParts = GeneralUtility::trimExplode('|', FILE_DENY_PATTERN_DEFAULT, TRUE);
126  $givenParts = GeneralUtility::trimExplode('|', $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], TRUE);
127  $result = array_intersect($defaultParts, $givenParts);
128  if ($defaultParts !== $result) {
129  $value = $GLOBALS['LANG']->getLL('status_insecure');
130  $severity = \TYPO3\CMS\Reports\Status::ERROR;
131  $url = 'install/index.php?redirect_url=index.php' . urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
132  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.file_deny_pattern_partsNotPresent'), '<br /><pre>' . htmlspecialchars(FILE_DENY_PATTERN_DEFAULT) . '</pre><br />');
133  }
134  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_fileDenyPattern'), $value, $message, $severity);
135  }
136 
143  protected function getHtaccessUploadStatus() {
144  $value = $GLOBALS['LANG']->getLL('status_ok');
145  $message = '';
146  $severity = \TYPO3\CMS\Reports\Status::OK;
147  if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT && GeneralUtility::verifyFilenameAgainstDenyPattern('.htaccess')) {
148  $value = $GLOBALS['LANG']->getLL('status_insecure');
149  $severity = \TYPO3\CMS\Reports\Status::ERROR;
150  $message = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.file_deny_htaccess');
151  }
152  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_htaccessUploadProtection'), $value, $message, $severity);
153  }
154 
160  protected function isMemcachedUsed() {
161  $memcachedUsed = FALSE;
162  $memcachedServers = $this->getConfiguredMemcachedServers();
163  if (count($memcachedServers)) {
164  $memcachedUsed = TRUE;
165  }
166  return $memcachedUsed;
167  }
168 
174  protected function executeAdminCommand() {
175  $command = GeneralUtility::_GET('adminCmd');
176  switch ($command) {
177  case 'remove_ENABLE_INSTALL_TOOL':
178  EnableFileService::removeInstallToolEnableFile();
179  break;
180  default:
181  // Do nothing
182  }
183  }
184 
190  protected function getInstallToolPasswordStatus() {
191  $value = $GLOBALS['LANG']->getLL('status_ok');
192  $message = '';
193  $severity = \TYPO3\CMS\Reports\Status::OK;
194  $validPassword = TRUE;
195  $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
196  $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
197  if (is_object($saltFactory)) {
198  $validPassword = !$saltFactory->checkPassword('joh316', $installToolPassword);
199  } elseif ($installToolPassword === md5('joh316')) {
200  $validPassword = FALSE;
201  }
202  if (!$validPassword) {
203  $value = $GLOBALS['LANG']->getLL('status_insecure');
204  $severity = \TYPO3\CMS\Reports\Status::ERROR;
205  $changeInstallToolPasswordUrl = BackendUtility::getModuleUrl('system_InstallInstall');
206  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.installtool_default_password'), '<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">', '</a>');
207  }
208  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_installToolPassword'), $value, $message, $severity);
209  }
210 
216  protected function getSaltedPasswordsStatus() {
217  $value = $GLOBALS['LANG']->getLL('status_ok');
218  $message = '';
219  $severity = \TYPO3\CMS\Reports\Status::OK;
221  $configCheck = GeneralUtility::makeInstance('TYPO3\\CMS\\Saltedpasswords\\Utility\\ExtensionManagerConfigurationUtility');
222  $message = '<p>' . $GLOBALS['LANG']->getLL('status_saltedPasswords_infoText') . '</p>';
223  $messageDetail = '';
224  $flashMessage = $configCheck->checkConfigurationBackend(array(), new \TYPO3\CMS\Core\TypoScript\ConfigurationForm());
225  if (strpos($flashMessage, 'message-error') !== FALSE) {
226  $value = $GLOBALS['LANG']->getLL('status_insecure');
227  $severity = \TYPO3\CMS\Reports\Status::ERROR;
228  $messageDetail .= $flashMessage;
229  }
230  if (strpos($flashMessage, 'message-warning') !== FALSE) {
231  $severity = \TYPO3\CMS\Reports\Status::WARNING;
232  $messageDetail .= $flashMessage;
233  }
234  if (strpos($flashMessage, 'message-information') !== FALSE) {
235  $messageDetail .= $flashMessage;
236  }
237  $unsecureUserCount = \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::getNumberOfBackendUsersWithInsecurePassword();
238  if ($unsecureUserCount > 0) {
239  $value = $GLOBALS['LANG']->getLL('status_insecure');
240  $severity = \TYPO3\CMS\Reports\Status::ERROR;
241  $messageDetail .= '<div class="typo3-message message-warning">' . $GLOBALS['LANG']->getLL('status_saltedPasswords_notAllPasswordsHashed') . '</div>';
242  }
243  $message .= $messageDetail;
244  if (empty($messageDetail)) {
245  $message = '';
246  }
247  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_saltedPasswords'), $value, $message, $severity);
248  }
249 
255  protected function getInstallToolProtectionStatus() {
256  $enableInstallToolFile = PATH_site . EnableFileService::INSTALL_TOOL_ENABLE_FILE_PATH;
257  $value = $GLOBALS['LANG']->getLL('status_disabled');
258  $message = '';
259  $severity = \TYPO3\CMS\Reports\Status::OK;
260  if (EnableFileService::installToolEnableFileExists()) {
261  if (EnableFileService::isInstallToolEnableFilePermanent()) {
262  $severity = \TYPO3\CMS\Reports\Status::WARNING;
263  $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
264  $value = $GLOBALS['LANG']->getLL('status_enabledPermanently');
265  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_enabled'),
266  '<span style="white-space: nowrap;">' . $enableInstallToolFile . '</span>');
267  $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
268  $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
269  } else {
270  if (EnableFileService::installToolEnableFileLifetimeExpired()) {
271  EnableFileService::removeInstallToolEnableFile();
272  } else {
273  $severity = \TYPO3\CMS\Reports\Status::NOTICE;
274  $disableInstallToolUrl = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL') . '&adminCmd=remove_ENABLE_INSTALL_TOOL';
275  $value = $GLOBALS['LANG']->getLL('status_enabledTemporarily');
276  $message = sprintf($GLOBALS['LANG']->getLL('status_installEnabledTemporarily'),
277  '<span style="white-space: nowrap;">' . $enableInstallToolFile . '</span>', floor((@filemtime($enableInstallToolFile) + EnableFileService::INSTALL_TOOL_ENABLE_FILE_LIFETIME - time()) / 60));
278  $message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">' .
279  $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_enabled_cmd') . '</a>';
280  }
281  }
282  }
283  return GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_installTool'), $value, $message, $severity);
284  }
285 
286 }
TYPO3\CMS\Saltedpasswords\Salt\SaltFactory\getSaltingInstance
static getSaltingInstance($saltedHash='', $mode=TYPO3_MODE)
Definition: SaltFactory.php:83
TYPO3\CMS\Core\Utility\GeneralUtility\trimExplode
static trimExplode($delim, $string, $removeEmptyValues=FALSE, $limit=0)
Definition: GeneralUtility.php:1536
TYPO3\CMS\Core\Utility\GeneralUtility\verifyFilenameAgainstDenyPattern
static verifyFilenameAgainstDenyPattern($filename)
Definition: GeneralUtility.php:3911
TYPO3\CMS\Backend\Utility\BackendUtility\getModuleUrl
static getModuleUrl($moduleName, $urlParameters=array(), $backPathOverride=FALSE, $returnAbsoluteUrl=FALSE)
Definition: BackendUtility.php:3143
$result
if($list_of_literals) if(!empty($literals)) if(!empty($literals)) $result
Analyse literals to prepend the N char to them if their contents aren&#39;t numeric.
Definition: adodb-mssql_n.inc.php:148
$GLOBALS
if(!defined('TYPO3_MODE')) $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'][]
Definition: ext_localconf.php:5
TYPO3\CMS\Backend\Utility\BackendUtility\deleteClause
static deleteClause($table, $tableAlias='')
Definition: BackendUtility.php:71