TYPO3  7.6
SecurityStatus.php
Go to the documentation of this file.
1 <?php
2 namespace TYPO3\CMS\Reports\Report\Status;
3 
4 /*
5  * This file is part of the TYPO3 CMS project.
6  *
7  * It is free software; you can redistribute it and/or modify it under
8  * the terms of the GNU General Public License, either version 2
9  * of the License, or any later version.
10  *
11  * For the full copyright and license information, please read the
12  * LICENSE.txt file that was distributed with this source code.
13  *
14  * The TYPO3 project - inspiring people to share!
15  */
16 
17 use TYPO3\CMS\Backend\Utility\BackendUtility;
18 use TYPO3\CMS\Core\Messaging\FlashMessage;
19 use TYPO3\CMS\Core\Utility\GeneralUtility;
20 use TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility;
21 
25 class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface
26 {
32  public function getStatus()
33  {
34  $statuses = array(
35  'trustedHostsPattern' => $this->getTrustedHostsPatternStatus(),
36  'adminUserAccount' => $this->getAdminAccountStatus(),
37  'encryptionKeyEmpty' => $this->getEncryptionKeyStatus(),
38  'fileDenyPattern' => $this->getFileDenyPatternStatus(),
39  'htaccessUpload' => $this->getHtaccessUploadStatus(),
40  'saltedpasswords' => $this->getSaltedPasswordsStatus()
41  );
42  return $statuses;
43  }
44 
50  protected function getTrustedHostsPatternStatus()
51  {
52  $value = $GLOBALS['LANG']->getLL('status_ok');
53  $message = '';
54  $severity = \TYPO3\CMS\Reports\Status::OK;
55  if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] === GeneralUtility::ENV_TRUSTED_HOSTS_PATTERN_ALLOW_ALL) {
56  $value = $GLOBALS['LANG']->getLL('status_insecure');
57  $severity = \TYPO3\CMS\Reports\Status::ERROR;
58  $message = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_trustedhosts');
59  }
60  return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
61  $GLOBALS['LANG']->getLL('status_trustedHostsPattern'), $value, $message, $severity);
62  }
63 
69  protected function getAdminAccountStatus()
70  {
71  $value = $GLOBALS['LANG']->getLL('status_ok');
72  $message = '';
73  $severity = \TYPO3\CMS\Reports\Status::OK;
74  $whereClause = 'username = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('admin', 'be_users') .
75  BackendUtility::deleteClause('be_users');
76  $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid, username, password', 'be_users', $whereClause);
77  $row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
78  if (!empty($row)) {
79  $secure = true;
81  $saltingObject = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($row['password']);
82  if (is_object($saltingObject)) {
83  if ($saltingObject->checkPassword('password', $row['password'])) {
84  $secure = false;
85  }
86  }
87  // Check against plain MD5
88  if ($row['password'] === '5f4dcc3b5aa765d61d8327deb882cf99') {
89  $secure = false;
90  }
91  if (!$secure) {
92  $value = $GLOBALS['LANG']->getLL('status_insecure');
93  $severity = \TYPO3\CMS\Reports\Status::ERROR;
94  $editUserAccountUrl = BackendUtility::getModuleUrl(
95  'record_edit',
96  array(
97  'edit[be_users][' . $row['uid'] . ']' => 'edit',
98  'returnUrl' => BackendUtility::getModuleUrl('system_ReportsTxreportsm1')
99  )
100  );
101  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_admin'),
102  '<a href="' . htmlspecialchars($editUserAccountUrl) . '">', '</a>');
103  }
104  }
105  $GLOBALS['TYPO3_DB']->sql_free_result($res);
106  return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
107  $GLOBALS['LANG']->getLL('status_adminUserAccount'), $value, $message, $severity);
108  }
109 
115  protected function getEncryptionKeyStatus()
116  {
117  $value = $GLOBALS['LANG']->getLL('status_ok');
118  $message = '';
119  $severity = \TYPO3\CMS\Reports\Status::OK;
120  if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
121  $value = $GLOBALS['LANG']->getLL('status_insecure');
122  $severity = \TYPO3\CMS\Reports\Status::ERROR;
123  $url = 'install/index.php?redirect_url=index.php' . urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
124  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_encryption'),
125  '<a href="' . $url . '">', '</a>');
126  }
127  return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
128  $GLOBALS['LANG']->getLL('status_encryptionKey'), $value, $message, $severity);
129  }
130 
136  protected function getFileDenyPatternStatus()
137  {
138  $value = $GLOBALS['LANG']->getLL('status_ok');
139  $message = '';
140  $severity = \TYPO3\CMS\Reports\Status::OK;
141  $defaultParts = GeneralUtility::trimExplode('|', FILE_DENY_PATTERN_DEFAULT, true);
142  $givenParts = GeneralUtility::trimExplode('|', $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], true);
143  $result = array_intersect($defaultParts, $givenParts);
144  if ($defaultParts !== $result) {
145  $value = $GLOBALS['LANG']->getLL('status_insecure');
146  $severity = \TYPO3\CMS\Reports\Status::ERROR;
147  $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.file_deny_pattern_partsNotPresent'),
148  '<br /><pre>' . htmlspecialchars(FILE_DENY_PATTERN_DEFAULT) . '</pre><br />');
149  }
150  return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
151  $GLOBALS['LANG']->getLL('status_fileDenyPattern'), $value, $message, $severity);
152  }
153 
160  protected function getHtaccessUploadStatus()
161  {
162  $value = $GLOBALS['LANG']->getLL('status_ok');
163  $message = '';
164  $severity = \TYPO3\CMS\Reports\Status::OK;
165  if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT
166  && GeneralUtility::verifyFilenameAgainstDenyPattern('.htaccess')) {
167  $value = $GLOBALS['LANG']->getLL('status_insecure');
168  $severity = \TYPO3\CMS\Reports\Status::ERROR;
169  $message = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.file_deny_htaccess');
170  }
171  return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
172  $GLOBALS['LANG']->getLL('status_htaccessUploadProtection'), $value, $message, $severity);
173  }
174 
180  protected function isMemcachedUsed()
181  {
182  $memcachedUsed = false;
183  $memcachedServers = $this->getConfiguredMemcachedServers();
184  if (!empty($memcachedServers)) {
185  $memcachedUsed = true;
186  }
187  return $memcachedUsed;
188  }
189 
195  protected function getSaltedPasswordsStatus()
196  {
197  $value = $GLOBALS['LANG']->getLL('status_ok');
198  $severity = \TYPO3\CMS\Reports\Status::OK;
200  $configCheck = GeneralUtility::makeInstance(\TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility::class);
201  $message = '<p>' . $GLOBALS['LANG']->getLL('status_saltedPasswords_infoText') . '</p>';
202  $messageDetail = '';
203  $resultCheck = $configCheck->checkConfigurationBackend(array(), new \TYPO3\CMS\Core\TypoScript\ConfigurationForm());
204  switch ($resultCheck['errorType']) {
205  case FlashMessage::INFO:
206  $messageDetail .= $resultCheck['html'];
207  break;
208  case FlashMessage::WARNING;
209  $severity = \TYPO3\CMS\Reports\Status::WARNING;
210  $messageDetail .= $resultCheck['html'];
211  break;
212  case FlashMessage::ERROR:
213  $value = $GLOBALS['LANG']->getLL('status_insecure');
214  $severity = \TYPO3\CMS\Reports\Status::ERROR;
215  $messageDetail .= $resultCheck['html'];
216  break;
217  default:
218  }
219  $unsecureUserCount = SaltedPasswordsUtility::getNumberOfBackendUsersWithInsecurePassword();
220  if ($unsecureUserCount > 0) {
221  $value = $GLOBALS['LANG']->getLL('status_insecure');
222  $severity = \TYPO3\CMS\Reports\Status::ERROR;
223  $messageDetail .= '<div class="panel panel-warning">' .
224  '<div class="panel-body">' .
225  $GLOBALS['LANG']->getLL('status_saltedPasswords_notAllPasswordsHashed') .
226  '</div>' .
227  '</div>';
228  }
229  $message .= $messageDetail;
230  if (empty($messageDetail)) {
231  $message = '';
232  }
233  return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
234  $GLOBALS['LANG']->getLL('status_saltedPasswords'), $value, $message, $severity);
235  }
236 }
Generated on Wed Nov 11 2015 01:52:03 for TYPO3 by   doxygen 1.8.3