TYPO3_8-7/_security_status_8php_source.html

 <?php
 namespace TYPO3\CMS\Reports\Report\Status;

 /*
  * This file is part of the TYPO3 CMS project.
  *
  * It is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License, either version 2
  * of the License, or any later version.
  *
  * For the full copyright and license information, please read the
  * LICENSE.txt file that was distributed with this source code.
  *
  * The TYPO3 project - inspiring people to share!
  */

 use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
 use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\TypoScript\ConfigurationForm;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Lang\LanguageService;
 use TYPO3\CMS\Reports\Status as ReportStatus;
 use TYPO3\CMS\Reports\StatusProviderInterface;
 use TYPO3\CMS\Saltedpasswords\Salt\SaltFactory;
 use TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility;
 use TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility;

 class SecurityStatus implements StatusProviderInterface
 {
     public function getStatus()
     {
         $statuses = [
             'trustedHostsPattern' => $this->getTrustedHostsPatternStatus(),
             'recordRegistration' => $this->getRecordRegistrationStatus(),
             'adminUserAccount' => $this->getAdminAccountStatus(),
             'fileDenyPattern' => $this->getFileDenyPatternStatus(),
             'htaccessUpload' => $this->getHtaccessUploadStatus(),
             'saltedpasswords' => $this->getSaltedPasswordsStatus(),
         ];
         return $statuses;
     }

     protected function getTrustedHostsPatternStatus()
     {
         $value = $this->getLanguageService()->getLL('status_ok');
         $message = '';
         $severity = ReportStatus::OK;
         if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] === GeneralUtility::ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL) {
             $value = $this->getLanguageService()->getLL('status_insecure');
             $severity = ReportStatus::ERROR;
             $message = $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_trustedhosts');
         }
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_trustedHostsPattern'), $value, $message, $severity);
     }

     protected function getRecordRegistrationStatus()
     {
         $value = $this->getLanguageService()->getLL('status_ok');
         $message = '';
         $severity = ReportStatus::OK;
         if (!empty($GLOBALS['TYPO3_CONF_VARS']['FE']['enableRecordRegistration'])) {
             $value = $this->getLanguageService()->getLL('status_insecure');
             $severity = ReportStatus::ERROR;
             $message = $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_recordregistration');
         }
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_recordRegistration'), $value, $message, $severity);
     }

     protected function getAdminAccountStatus()
     {
         $value = $this->getLanguageService()->getLL('status_ok');
         $message = '';
         $severity = ReportStatus::OK;

         $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('be_users');
         $queryBuilder->getRestrictions()
             ->removeAll()
             ->add(GeneralUtility::makeInstance(DeletedRestriction::class));

         $row = $queryBuilder
             ->select('uid', 'username', 'password')
             ->from('be_users')
             ->where(
                 $queryBuilder->expr()->eq(
                     'username',
                     $queryBuilder->createNamedParameter('admin', \PDO::PARAM_STR)
                 )
             )
             ->execute()
             ->fetch();

         if (!empty($row)) {
             $secure = true;
             $saltingObject = SaltFactory::getSaltingInstance($row['password']);
             if (is_object($saltingObject)) {
                 if ($saltingObject->checkPassword('password', $row['password'])) {
                     $secure = false;
                 }
             }
             // Check against plain MD5
             if ($row['password'] === '5f4dcc3b5aa765d61d8327deb882cf99') {
                 $secure = false;
             }
             if (!$secure) {
                 $value = $this->getLanguageService()->getLL('status_insecure');
                 $severity = ReportStatus::ERROR;
                 $editUserAccountUrl = BackendUtility::getModuleUrl(
                     'record_edit',
                     [
                         'edit[be_users][' . $row['uid'] . ']' => 'edit',
                         'returnUrl' => BackendUtility::getModuleUrl('system_ReportsTxreportsm1')
                     ]
                 );
                 $message = sprintf(
                     $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.backend_admin'),
                     '<a href="' . htmlspecialchars($editUserAccountUrl) . '">',
                     '</a>'
                 );
             }
         }
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_adminUserAccount'), $value, $message, $severity);
     }

     protected function getFileDenyPatternStatus()
     {
         $value = $this->getLanguageService()->getLL('status_ok');
         $message = '';
         $severity = ReportStatus::OK;
         $defaultParts = GeneralUtility::trimExplode('|', FILE_DENY_PATTERN_DEFAULT, true);
         $givenParts = GeneralUtility::trimExplode('|', $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], true);
         $result = array_intersect($defaultParts, $givenParts);
         if ($defaultParts !== $result) {
             $value = $this->getLanguageService()->getLL('status_insecure');
             $severity = ReportStatus::ERROR;
             $message = sprintf(
                 $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.file_deny_pattern_partsNotPresent'),
                 '<br /><pre>' . htmlspecialchars(FILE_DENY_PATTERN_DEFAULT) . '</pre><br />'
             );
         }
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_fileDenyPattern'), $value, $message, $severity);
     }

     protected function getHtaccessUploadStatus()
     {
         $value = $this->getLanguageService()->getLL('status_ok');
         $message = '';
         $severity = ReportStatus::OK;
         if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT
             && GeneralUtility::verifyFilenameAgainstDenyPattern('.htaccess')) {
             $value = $this->getLanguageService()->getLL('status_insecure');
             $severity = ReportStatus::ERROR;
             $message = $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.file_deny_htaccess');
         }
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_htaccessUploadProtection'), $value, $message, $severity);
     }

     protected function getSaltedPasswordsStatus()
     {
         $value = $this->getLanguageService()->getLL('status_ok');
         $severity = ReportStatus::OK;
         $configCheck = GeneralUtility::makeInstance(ExtensionManagerConfigurationUtility::class);
         $message = '<p>' . $this->getLanguageService()->getLL('status_saltedPasswords_infoText') . '</p>';
         $messageDetail = '';
         $resultCheck = $configCheck->checkConfigurationBackend([], new ConfigurationForm());
         switch ($resultCheck['errorType']) {
             case FlashMessage::INFO:
                 $messageDetail .= $resultCheck['html'];
                 break;
             case FlashMessage::WARNING:
                 $severity = ReportStatus::WARNING;
                 $messageDetail .= $resultCheck['html'];
                 break;
             case FlashMessage::ERROR:
                 $value = $this->getLanguageService()->getLL('status_insecure');
                 $severity = ReportStatus::ERROR;
                 $messageDetail .= $resultCheck['html'];
                 break;
             default:
         }
         $unsecureUserCount = SaltedPasswordsUtility::getNumberOfBackendUsersWithInsecurePassword();
         if ($unsecureUserCount > 0) {
             $value = $this->getLanguageService()->getLL('status_insecure');
             $severity = ReportStatus::ERROR;
             $messageDetail .= '<div class="panel panel-warning">' .
                 '<div class="panel-body">' .
                     $this->getLanguageService()->getLL('status_saltedPasswords_notAllPasswordsHashed') .
                 '</div>' .
             '</div>';
         }
         $message .= $messageDetail;
         if (empty($messageDetail)) {
             $message = '';
         }
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_saltedPasswords'), $value, $message, $severity);
     }

     protected function getLanguageService()
     {
         return $GLOBALS['LANG'];
     }
 }
TYPO3\CMS\Reports\StatusProviderInterface
Definition: StatusProviderInterface.php:20

TYPO3\CMS\Core\Messaging\AbstractMessage\INFO
const INFO
Definition: AbstractMessage.php:26

GeneralUtility

ConfigurationForm

TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility\getNumberOfBackendUsersWithInsecurePassword
static getNumberOfBackendUsersWithInsecurePassword()
Definition: SaltedPasswordsUtility.php:35

TYPO3\CMS\Core\Messaging\AbstractMessage\WARNING
const WARNING
Definition: AbstractMessage.php:28

TYPO3\CMS\Reports\Report\Status\SecurityStatus\getLanguageService
getLanguageService()
Definition: SecurityStatus.php:243

ExtensionManagerConfigurationUtility

TYPO3\CMS\Reports\Report\Status\SecurityStatus\getHtaccessUploadStatus
getHtaccessUploadStatus()
Definition: SecurityStatus.php:180

TYPO3\CMS\Core\Utility\GeneralUtility\ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL
const ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL
Definition: GeneralUtility.php:48

TYPO3\CMS\Saltedpasswords\Salt\SaltFactory\getSaltingInstance
static getSaltingInstance($saltedHash='', $mode=TYPO3_MODE)
Definition: SaltFactory.php:83

BackendUtility

ConnectionPool

TYPO3\CMS\Core\Utility\GeneralUtility\trimExplode
static trimExplode($delim, $string, $removeEmptyValues=false, $limit=0)
Definition: GeneralUtility.php:1300

TYPO3\CMS\Reports\Report\Status\SecurityStatus\getFileDenyPatternStatus
getFileDenyPatternStatus()
Definition: SecurityStatus.php:155

TYPO3\CMS\Core\Utility\GeneralUtility\verifyFilenameAgainstDenyPattern
static verifyFilenameAgainstDenyPattern($filename)
Definition: GeneralUtility.php:3415

TYPO3\CMS\Core\Utility\GeneralUtility\makeInstance
static makeInstance($className,... $constructorArguments)
Definition: GeneralUtility.php:3945

TYPO3\CMS\Core\TypoScript\ConfigurationForm
Definition: ConfigurationForm.php:23

Status

SaltedPasswordsUtility

TYPO3\CMS\Reports\Report\Status\SecurityStatus\getTrustedHostsPatternStatus
getTrustedHostsPatternStatus()
Definition: SecurityStatus.php:58

FlashMessage

TYPO3\CMS\Reports\Report\Status\SecurityStatus
Definition: SecurityStatus.php:33

TYPO3\CMS\Reports\Report\Status\SecurityStatus\getRecordRegistrationStatus
getRecordRegistrationStatus()
Definition: SecurityStatus.php:76

DeletedRestriction

TYPO3\CMS\Reports\Report\Status
Definition: ConfigurationStatus.php:2

StatusProviderInterface

TYPO3\CMS\Reports\Report\Status\SecurityStatus\getStatus
getStatus()
Definition: SecurityStatus.php:40

TYPO3\CMS\Core\Messaging\AbstractMessage\ERROR
const ERROR
Definition: AbstractMessage.php:29

$GLOBALS
if(TYPO3_MODE==='BE') $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tsfebeuserauth.php']['frontendEditingController']['default']
Definition: ext_localconf.php:38

SaltFactory

LanguageService