Bug #5890 config.qfq.ini is public readable. Renamed file to config.qfq.php....

Bug #5890 config.qfq.ini is public readable. Renamed file to config.qfq.php. Implement a basic migration assistant to copy DB credentials to new config.qfq.php. All other values have to be copied to extmanager/qfq-configuration manually.

extension/Documentation/Manual.rst

@@ -172,7 +172,7 @@ Setup
 
   * If the Extensionmanager stops after importing: check your memory limit in php.ini.
 
-* Copy/rename the file *<site path>/typo3conf/ext/qfq/config.example.qfq.ini* to *config.qfq.in*.
+* Copy/rename the file *<site path>/typo3conf/ext/qfq/config.example.qfq.php* to *config.qfq.php*.
   Configure the necessary settings `configuration`_
   The configuration file is outside the of extension directory, to not loose it during updates.
 * When the QFQ Extension is called the first time on the Typo3 Frontend, the file *<ext_dir>/qfq/sql/formEditor.sql* will
@@ -437,9 +437,9 @@ Extension Manager: QFQ Configuration
 +-------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
 
 
-.. _config-qfq-ini:
+.. _config-qfq-php:
 
-config.qfq.ini
+config.qfq.php
 --------------
 
 +-------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
@@ -456,13 +456,13 @@ config.qfq.ini
 
 
 
-Example: *typo3conf/config.qfq.ini*
+Example: *typo3conf/config.qfq.php*
 
 ::
 
 	; QFQ configuration
 	;
-	; Save this file as: <site path>/typo3conf/config.qfq.ini
+	; Save this file as: <site path>/typo3conf/config.qfq.php
 
 	DB_1_USER = <DBUSER>
 	DB_1_SERVER = <DBSERVER>
@@ -494,11 +494,11 @@ After parsing the configuration, the following variables will be set automatical
 Custom variables
 ^^^^^^^^^^^^^^^^
 
-It's also possible to setup custom variables in `config.qfq.ini`.
+It's also possible to setup custom variables in `config.qfq.php`.
 
 E.g. to setup a contact address and reuse the information inside your installation do:
 
- * `config.qfq.in`::
+ * `config.qfq.php`::
 
 		ADMINISTRATIVE_CONTACT = john@doe.com
 		ADMINISTRATIVE_ADDRESS = John Doe, Hollywood Blvd. 1, L.A.
@@ -776,7 +776,7 @@ in `indexQfq`. If specific forms or reports should use a different database than
 A `Form` will:
 
 * load the own definition from `indexQfq` (table `Form` and `FormElement`),
-* loads and save data from/in `indexData` (config.qfq.in) / `dbIndex` (form.parameter.dbIndex),
+* loads and save data from/in `indexData` (config.qfq.php) / `dbIndex` (form.parameter.dbIndex),
 * retrieve extra information via `dbIndexExtra` - this is useful to offer information from a database and save them in a
   different one.
 
@@ -815,7 +815,7 @@ Note:
 | C | appC3.edu      | 'wAppC3'     | <dbHostAppC3>, <dbnameC3>_t3  | <dbHostC3>, <dbnameSysC3>_db | <dbHostData>_db, <dbNameData>_db |
 +---+----------------+--------------+-------------------------------+------------------------------+----------------------------------+
 
-In config-qfq-ini_ mutliple database credentials can be prepared. Mandatory is at least one credential setup like
+In config-qfq-php_ mutliple database credentials can be prepared. Mandatory is at least one credential setup like
 `DB_1_USER`, `DB_1_SERVER`, `DB_1_PASSWORD`, `DB_1_NAME`. The number '1' indicates the `dbIndex`. Increment the number
 to specify further database credential setups.
 
@@ -1593,7 +1593,7 @@ To decide which Parameter should be placed on *Form.parameter* and which on *For
 +-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
 | ldapTimeLimit               | 3 (default)                      | Maximum time to wait for an answer of the LDAP Server         | x    | x           | TA, FSL  |
 +-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
-| ldapUseBindCredentials      | ldapUseBindCredentials=1         | Use LDAP_1_* crendentials from config-qfq-ini_ for ldap_bind()| x    | x           | TA, FSL  |
+| ldapUseBindCredentials      | ldapUseBindCredentials=1         | Use LDAP_1_* crendentials from config-qfq-php_ for ldap_bind()| x    | x           | TA, FSL  |
 +-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
 | typeAheadLdap               | -                                | Enable LDAP as 'Typeahead' data source                        |      | x           | TA       |
 +-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
@@ -1619,7 +1619,7 @@ To decide which Parameter should be placed on *Form.parameter* and which on *For
 
 * *typeAheadLimit*: there might be a hard limit on the server side (e.g. 100) - which can't be extended.
 * *ldapUseBindCredentials* is only necessary if `anonymous` access is not possible. RDN and password has to be configured in
-  config-qfq-ini_.
+  config-qfq-php_.
 
 .. _LDAP_Typeahead:
 
@@ -2070,7 +2070,7 @@ Parameter
 +-----------------------------+--------+----------------------------------------------------------------------------------------------------------+
 | Name                        | Type   | Description                                                                                              |
 +=============================+========+==========================================================================================================+
-| dbIndex                     | int    | Database credential index, given via `config-qfq-ini`_ to let the current `Form` operate on the database.|
+| dbIndex                     | int    | Database credential index, given via `config-qfq-php`_ to let the current `Form` operate on the database.|
 +-----------------------------+--------+----------------------------------------------------------------------------------------------------------+
 | bsColumns                   | int    | Wrap the whole form in '<div class="col-md-??">                                                          |
 +-----------------------------+--------+----------------------------------------------------------------------------------------------------------+
@@ -6891,7 +6891,7 @@ Tip on Report: In case the query did not contain any double ticks, just wrap all
 
 
 
-Error read file config.qfq.ini: syntax error on line xx
+Error read file config.qfq.php: syntax error on line xx
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Check the given line number. If it's a SQL statement, enclose it in single or double ticks.
@@ -6933,7 +6933,7 @@ is shown), than QFQ is the problem.
 Search the given code in `typo3temp/logs/*`, in this example 20180612205917761fc593. You'll should find a stacktrace with
 a more detailed message.
 
-The error might occur if there are problematic characters in config.qfq.ini, like single or double ticks inside strings,
+The error might occur if there are problematic characters in config.qfq.php, like single or double ticks inside strings,
  wich are not enclosed (correctly).
 
 .. _`javascriptProblem`:

extension/config.qfq.example.ini

-; QFQ configuration
-;
-; Save this file as: <site path>/typo3conf/config.qfq.ini
-
-DB_1_USER = <DBUSER>
-DB_1_SERVER = <DBSERVER>
-DB_1_PASSWORD = <DBPW>
-DB_1_NAME = <DB>
-
-; DB_2_USER = <DBUSER>
-; DB_2_SERVER = <DBSERVER>
-; DB_2_PASSWORD = <DBPW>
-; DB_2_NAME = <DB>
-
-; LDAP_1_RDN =
-; LDAP_1_PASSWORD =
-

extension/config.qfq.example.php

+<?php
+
+// QFQ configuration
+//
+// Save this file as: <site path>/typo3conf/config.qfq.php
+
+return [
+    'DB_1_USER' => '<DBUSER>',
+    'DB_1_SERVER' => '<DBSERVER>',
+    'DB_1_PASSWORD' => '<DBPW>',
+    'DB_1_NAME' => '<DB>',
+
+    //DB_2_USER = <DBUSER>
+    //DB_2_SERVER = <DBSERVER>
+    //DB_2_PASSWORD = <DBPW>
+    //DB_2_NAME = <DB>
+
+    // DB_n ...
+    // ...
+
+    // LDAP_1_RDN =
+    // LDAP_1_PASSWORD =
+];

extension/qfq/qfq/Constants.php

@@ -7,7 +7,8 @@
  */
 
 const EXT_KEY = 'qfq';
-const CONFIG_QFQ = "config.qfq.ini";  // QFQ configuration file: db access
+const CONFIG_QFQ_INI = "config.qfq.ini";  // QFQ configuration file: db access
+const CONFIG_QFQ_PHP = "config.qfq.php";  // QFQ configuration file: db access
 const CONFIG_T3 = 'LocalConfiguration.php'; // T3 config file
 
 const GFX_INFO = 'typo3conf/ext/qfq/Resources/Public/icons/note.gif';

extension/qfq/qfq/store/Config.php

@@ -19,6 +19,30 @@ require_once(__DIR__ . '/../helper/Support.php');
  */
 class Config {
 
+    /**
+     * @param $configIni
+     * @param $configPhp
+     */
+    private function migrateConfigIniToPhp($configIni, $configPhp) {
+
+        $config = parse_ini_file($configIni, false);
+
+        $pre = isset($config[SYSTEM_DB_NAME]) ? 'DB' : 'DB_1';
+
+        $content = '<?php' . PHP_EOL . 'return [' . PHP_EOL;
+        $content .= "  '" . $pre . "_NAME' => '" . $config[$pre . '_NAME'] . "'," . PHP_EOL;
+        $content .= "  '" . $pre . "_PASSWORD' => '" . $config[$pre . '_PASSWORD'] . "'," . PHP_EOL;
+        $content .= "  '" . $pre . "_SERVER' => '" . $config[$pre . '_SERVER'] . "'," . PHP_EOL;
+        $content .= "  '" . $pre . "_USER' => '" . $config[$pre . '_USER'] . "'," . PHP_EOL;
+        $content .= "];" . PHP_EOL;
+
+        // Write new config file
+        file_put_contents($configPhp, $content);
+
+        // Make old file unreadable
+        chmod($configIni, 000);
+    }
+
     /**
      * Read config.qfq.ini.
      *
@@ -46,11 +70,18 @@ class Config {
                 $configT3qfq = unserialize($all['EXT']['extConf'][EXT_KEY]);
                 unset($all);
             }
-            $configIni = $pathTypo3Conf . '/' . CONFIG_QFQ;
+            $configIni = $pathTypo3Conf . '/' . CONFIG_QFQ_INI;
+            $configPhp = $pathTypo3Conf . '/' . CONFIG_QFQ_PHP;
+        }
+
+        // Migrate legacy config file.
+        if (is_readable($configIni) && !is_readable($configPhp)) {
+            $this->migrateConfigIniToPhp($configIni, $configPhp);
         }
 
         try {
-            $config = parse_ini_file($configIni, false);
+            $config = include_once($configPhp);
+
             // in case $configIni doesn't exist: just skip
             if ($config === false) {
                 $config = array();
@@ -64,6 +95,7 @@ class Config {
         $config = self::renameConfigElements($config);
         $config = self::setDefaults($config);
         self::checkDeprecated($config);
+
         self::checkForAttack($config);
 
         return $config;
@@ -84,7 +116,7 @@ class Config {
                     case SYSTEM_VAR_ADD_BY_SQL:
                         $msg = 'Replaced by: ' . SYSTEM_FILL_STORE_SYSTEM_BY_SQL . '1|2|3';
                 }
-                throw new qfq\UserFormException ("Deprecated option in " . CONFIG_QFQ . ": " . SYSTEM_VAR_ADD_BY_SQL . " - " . $msg);
+                throw new qfq\UserFormException ("Deprecated option in " . CONFIG_QFQ_INI . ": " . SYSTEM_VAR_ADD_BY_SQL . " - " . $msg);
             }
         }
     }

extension/qfq/qfq/store/Store.php

@@ -307,7 +307,7 @@ class Store {
 
         foreach ($names as $name) {
             if (!isset($config[$name])) {
-                throw new qfq\UserFormException ("Missing configuration in `" . CONFIG_QFQ . "`: $name", ERROR_MISSING_CONFIG_INI_VALUE);
+                throw new qfq\UserFormException ("Missing configuration in `" . CONFIG_QFQ_INI . "`: $name", ERROR_MISSING_CONFIG_INI_VALUE);
             }
         }
     }
@@ -530,10 +530,8 @@ class Store {
         } else {
             self::setStore($_SESSION[SESSION_NAME][STORE_EXTRA], STORE_EXTRA, true);
         }
-
     }
 
-
     /**
      * Returns a pointer to this Class.
      *
@@ -868,7 +866,7 @@ class Store {
                 $db = new qfq\Database();
             }
 
-            $errMsg = "More than 1 record found. " . CONFIG_QFQ . ": " . SYSTEM_FILL_STORE_SYSTEM_BY_SQL . "$ii";
+            $errMsg = "More than 1 record found. " . CONFIG_QFQ_INI . ": " . SYSTEM_FILL_STORE_SYSTEM_BY_SQL . "$ii";
             $mode = ROW_EXPECT_0_1;
 
             // If there is an error message defined, this means there should be exactly one record.

extension/qfq/tests/phpunit/AbstractDatabaseTest.php

@@ -82,7 +82,7 @@ abstract class AbstractDatabaseTest extends TestCase {
 //        $this->store->setVar('DB_1_NAME', $dbNamePhpUnit, STORE_SYSTEM);
         $dbName = $this->store->getVar('DB_NAME_TEST', STORE_SYSTEM);
         if ($dbName == '') {
-            throw new \qfq\CodeException('Missing DB_NAME_TEST in ' . CONFIG_QFQ, ERROR_MISSING_REQUIRED_PARAMETER);
+            throw new \qfq\CodeException('Missing DB_NAME_TEST in ' . CONFIG_QFQ_INI, ERROR_MISSING_REQUIRED_PARAMETER);
         } else {
             $this->store->setVar('DB_1_NAME', $dbName, STORE_SYSTEM);
         }