Commit 12fe62b5 authored by Carsten Rose

Bug #5890 config.qfq.ini is public readable. Renamed file to config.qfq.php....

Bug #5890 config.qfq.ini is public readable. Renamed file to config.qfq.php. Implement a basic migration assistant to copy DB credentials to new config.qfq.php. All other values have to be copied to extmanager/qfq-configuration manually.
parent 2e0fce29
......@@ -172,7 +172,7 @@ Setup
* If the Extensionmanager stops after importing: check your memory limit in php.ini.
* Copy/rename the file *<site path>/typo3conf/ext/qfq/config.example.qfq.ini* to *config.qfq.in*.
* Copy/rename the file *<site path>/typo3conf/ext/qfq/config.example.qfq.php* to *config.qfq.php*.
Configure the necessary settings `configuration`_
The configuration file is outside the of extension directory, to not loose it during updates.
* When the QFQ Extension is called the first time on the Typo3 Frontend, the file *<ext_dir>/qfq/sql/formEditor.sql* will
......@@ -437,9 +437,9 @@ Extension Manager: QFQ Configuration
+-------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
.. _config-qfq-ini:
.. _config-qfq-php:
config.qfq.ini
config.qfq.php
--------------
+-------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+
......@@ -456,13 +456,13 @@ config.qfq.ini
Example: *typo3conf/config.qfq.ini*
Example: *typo3conf/config.qfq.php*
::
; QFQ configuration
;
; Save this file as: <site path>/typo3conf/config.qfq.ini
; Save this file as: <site path>/typo3conf/config.qfq.php
DB_1_USER = <DBUSER>
DB_1_SERVER = <DBSERVER>
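Review bot: The example body under the renamed `config.qfq.php` heading is still in ini syntax: the context lines keep `; QFQ configuration` and `DB_1_USER = <DBUSER>`. A file saved in that form has no `<?php` tag and no `return [...]`, so PHP would emit it as plain text instead of returning an array, which is the exposure this commit is meant to close. Update the literal block to the PHP array form (`'DB_1_USER' => '<DBUSER>',`) and do the same for the `ADMINISTRATIVE_CONTACT = john@doe.com` example in the Custom variables section.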
......@@ -494,11 +494,11 @@ After parsing the configuration, the following variables will be set automatical
Custom variables
^^^^^^^^^^^^^^^^
It's also possible to setup custom variables in `config.qfq.ini`.
It's also possible to setup custom variables in `config.qfq.php`.
E.g. to setup a contact address and reuse the information inside your installation do:
* `config.qfq.in`::
* `config.qfq.php`::
ADMINISTRATIVE_CONTACT = john@doe.com
ADMINISTRATIVE_ADDRESS = John Doe, Hollywood Blvd. 1, L.A.
......@@ -776,7 +776,7 @@ in `indexQfq`. If specific forms or reports should use a different database than
A `Form` will:
* load the own definition from `indexQfq` (table `Form` and `FormElement`),
* loads and save data from/in `indexData` (config.qfq.in) / `dbIndex` (form.parameter.dbIndex),
* loads and save data from/in `indexData` (config.qfq.php) / `dbIndex` (form.parameter.dbIndex),
* retrieve extra information via `dbIndexExtra` - this is useful to offer information from a database and save them in a
different one.
......@@ -815,7 +815,7 @@ Note:
| C | appC3.edu | 'wAppC3' | <dbHostAppC3>, <dbnameC3>_t3 | <dbHostC3>, <dbnameSysC3>_db | <dbHostData>_db, <dbNameData>_db |
+---+----------------+--------------+-------------------------------+------------------------------+----------------------------------+
In config-qfq-ini_ mutliple database credentials can be prepared. Mandatory is at least one credential setup like
In config-qfq-php_ mutliple database credentials can be prepared. Mandatory is at least one credential setup like
`DB_1_USER`, `DB_1_SERVER`, `DB_1_PASSWORD`, `DB_1_NAME`. The number '1' indicates the `dbIndex`. Increment the number
to specify further database credential setups.
......@@ -1593,7 +1593,7 @@ To decide which Parameter should be placed on *Form.parameter* and which on *For
+-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
| ldapTimeLimit | 3 (default) | Maximum time to wait for an answer of the LDAP Server | x | x | TA, FSL |
+-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
| ldapUseBindCredentials | ldapUseBindCredentials=1 | Use LDAP_1_* crendentials from config-qfq-ini_ for ldap_bind()| x | x | TA, FSL |
| ldapUseBindCredentials | ldapUseBindCredentials=1 | Use LDAP_1_* crendentials from config-qfq-php_ for ldap_bind()| x | x | TA, FSL |
+-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
| typeAheadLdap | - | Enable LDAP as 'Typeahead' data source | | x | TA |
+-----------------------------+----------------------------------+---------------------------------------------------------------+------+-------------+----------+
......@@ -1619,7 +1619,7 @@ To decide which Parameter should be placed on *Form.parameter* and which on *For
* *typeAheadLimit*: there might be a hard limit on the server side (e.g. 100) - which can't be extended.
* *ldapUseBindCredentials* is only necessary if `anonymous` access is not possible. RDN and password has to be configured in
config-qfq-ini_.
config-qfq-php_.
.. _LDAP_Typeahead:
......@@ -2070,7 +2070,7 @@ Parameter
+-----------------------------+--------+----------------------------------------------------------------------------------------------------------+
| Name | Type | Description |
+=============================+========+==========================================================================================================+
| dbIndex | int | Database credential index, given via `config-qfq-ini`_ to let the current `Form` operate on the database.|
| dbIndex | int | Database credential index, given via `config-qfq-php`_ to let the current `Form` operate on the database.|
+-----------------------------+--------+----------------------------------------------------------------------------------------------------------+
| bsColumns | int | Wrap the whole form in '<div class="col-md-??"> |
+-----------------------------+--------+----------------------------------------------------------------------------------------------------------+
......@@ -6891,7 +6891,7 @@ Tip on Report: In case the query did not contain any double ticks, just wrap all
Error read file config.qfq.ini: syntax error on line xx
Error read file config.qfq.php: syntax error on line xx
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Check the given line number. If it's a SQL statement, enclose it in single or double ticks.
......@@ -6933,7 +6933,7 @@ is shown), than QFQ is the problem.
Search the given code in `typo3temp/logs/*`, in this example 20180612205917761fc593. You'll should find a stacktrace with
a more detailed message.
The error might occur if there are problematic characters in config.qfq.ini, like single or double ticks inside strings,
The error might occur if there are problematic characters in config.qfq.php, like single or double ticks inside strings,
wich are not enclosed (correctly).
.. _`javascriptProblem`:
......
; QFQ configuration
;
; Save this file as: <site path>/typo3conf/config.qfq.ini
DB_1_USER = <DBUSER>
DB_1_SERVER = <DBSERVER>
DB_1_PASSWORD = <DBPW>
DB_1_NAME = <DB>
; DB_2_USER = <DBUSER>
; DB_2_SERVER = <DBSERVER>
; DB_2_PASSWORD = <DBPW>
; DB_2_NAME = <DB>
; LDAP_1_RDN =
; LDAP_1_PASSWORD =
<?php
// QFQ configuration
//
// Save this file as: <site path>/typo3conf/config.qfq.php
return [
'DB_1_USER' => '<DBUSER>',
'DB_1_SERVER' => '<DBSERVER>',
'DB_1_PASSWORD' => '<DBPW>',
'DB_1_NAME' => '<DB>',
//DB_2_USER = <DBUSER>
//DB_2_SERVER = <DBSERVER>
//DB_2_PASSWORD = <DBPW>
//DB_2_NAME = <DB>
// DB_n ...
// ...
// LDAP_1_RDN =
// LDAP_1_PASSWORD =
];
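Review bot: The commented-out entries in the new example file are still written in ini form (`//DB_2_USER = <DBUSER>`, `// LDAP_1_RDN =`), so removing the `//` gives a PHP syntax error rather than a second credential set. Write them as commented array entries, for example `// 'DB_2_USER' => '<DBUSER>',`, so that uncommenting a line yields valid PHP.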
......@@ -7,7 +7,8 @@
*/
const EXT_KEY = 'qfq';
const CONFIG_QFQ = "config.qfq.ini"; // QFQ configuration file: db access
const CONFIG_QFQ_INI = "config.qfq.ini"; // QFQ configuration file: db access
const CONFIG_QFQ_PHP = "config.qfq.php"; // QFQ configuration file: db access
const CONFIG_T3 = 'LocalConfiguration.php'; // T3 config file
const GFX_INFO = 'typo3conf/ext/qfq/Resources/Public/icons/note.gif';
......
......@@ -19,6 +19,30 @@ require_once(__DIR__ . '/../helper/Support.php');
*/
class Config {
/**
* @param $configIni
* @param $configPhp
*/
private function migrateConfigIniToPhp($configIni, $configPhp) {
$config = parse_ini_file($configIni, false);
$pre = isset($config[SYSTEM_DB_NAME]) ? 'DB' : 'DB_1';
$content = '<?php' . PHP_EOL . 'return [' . PHP_EOL;
$content .= " '" . $pre . "_NAME' => '" . $config[$pre . '_NAME'] . "'," . PHP_EOL;
$content .= " '" . $pre . "_PASSWORD' => '" . $config[$pre . '_PASSWORD'] . "'," . PHP_EOL;
$content .= " '" . $pre . "_SERVER' => '" . $config[$pre . '_SERVER'] . "'," . PHP_EOL;
$content .= " '" . $pre . "_USER' => '" . $config[$pre . '_USER'] . "'," . PHP_EOL;
$content .= "];" . PHP_EOL;
// Write new config file
file_put_contents($configPhp, $content);
// Make old file unreadable
chmod($configIni, 000);
}
/**
* Read config.qfq.ini.
*
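Review bot: In `migrateConfigIniToPhp()` the ini values are concatenated into single-quoted PHP literals without escaping (`"'" . $config[$pre . '_PASSWORD'] . "'"`), so a password containing `'` or ending in `\` produces a broken config.qfq.php, and anything after the quote is parsed as PHP code. Build the literals with `var_export($value, true)` instead. The return values of `parse_ini_file()` and `file_put_contents()` are not checked before `chmod($configIni, 000)`, so a failed write still makes the old file unreadable and leaves the site without a usable configuration; only revoke access to the ini file after the new file has been written and verified. The new file is created with the process default permissions, and an explicit restrictive `chmod()` on `$configPhp` would fit the purpose of this fix. Only the `DB`/`DB_1` set is copied, so any `DB_2_*` or `LDAP_1_*` values stay behind in the now unreadable ini file; the docblock (currently just two untyped `@param` lines) should say that.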
......@@ -46,11 +70,18 @@ class Config {
$configT3qfq = unserialize($all['EXT']['extConf'][EXT_KEY]);
unset($all);
}
$configIni = $pathTypo3Conf . '/' . CONFIG_QFQ;
$configIni = $pathTypo3Conf . '/' . CONFIG_QFQ_INI;
$configPhp = $pathTypo3Conf . '/' . CONFIG_QFQ_PHP;
}
// Migrate legacy config file.
if (is_readable($configIni) && !is_readable($configPhp)) {
$this->migrateConfigIniToPhp($configIni, $configPhp);
}
try {
$config = parse_ini_file($configIni, false);
$config = include_once($configPhp);
// in case $configIni doesn't exist: just skip
if ($config === false) {
$config = array();
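Review bot: `include_once($configPhp)` returns `true` rather than the array when the file has already been included in the same request, so a second call of this method gets `true` and the `$config === false` fallback does not catch it. Use `include` (or `require`) and check `is_array($config)` before passing it on. The comment `// in case $configIni doesn't exist: just skip` now refers to the wrong file and should name `$configPhp`.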
......@@ -64,6 +95,7 @@ class Config {
$config = self::renameConfigElements($config);
$config = self::setDefaults($config);
self::checkDeprecated($config);
self::checkForAttack($config);
return $config;
......@@ -84,7 +116,7 @@ class Config {
case SYSTEM_VAR_ADD_BY_SQL:
$msg = 'Replaced by: ' . SYSTEM_FILL_STORE_SYSTEM_BY_SQL . '1|2|3';
}
throw new qfq\UserFormException ("Deprecated option in " . CONFIG_QFQ . ": " . SYSTEM_VAR_ADD_BY_SQL . " - " . $msg);
throw new qfq\UserFormException ("Deprecated option in " . CONFIG_QFQ_INI . ": " . SYSTEM_VAR_ADD_BY_SQL . " - " . $msg);
}
}
}
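Review bot: The exception text still names the old file: `CONFIG_QFQ_INI` expands to config.qfq.ini, but after this change the option is read from config.qfq.php, so the message points the administrator at a file the migration has made unreadable. Use `CONFIG_QFQ_PHP` here, and likewise in the `Missing configuration in` and `More than 1 record found.` messages in Store and the `Missing DB_NAME_TEST in` message in AbstractDatabaseTest, which receive the same rename.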
......
......@@ -307,7 +307,7 @@ class Store {
foreach ($names as $name) {
if (!isset($config[$name])) {
throw new qfq\UserFormException ("Missing configuration in `" . CONFIG_QFQ . "`: $name", ERROR_MISSING_CONFIG_INI_VALUE);
throw new qfq\UserFormException ("Missing configuration in `" . CONFIG_QFQ_INI . "`: $name", ERROR_MISSING_CONFIG_INI_VALUE);
}
}
}
......@@ -530,10 +530,8 @@ class Store {
} else {
self::setStore($_SESSION[SESSION_NAME][STORE_EXTRA], STORE_EXTRA, true);
}
}
/**
* Returns a pointer to this Class.
*
......@@ -868,7 +866,7 @@ class Store {
$db = new qfq\Database();
}
$errMsg = "More than 1 record found. " . CONFIG_QFQ . ": " . SYSTEM_FILL_STORE_SYSTEM_BY_SQL . "$ii";
$errMsg = "More than 1 record found. " . CONFIG_QFQ_INI . ": " . SYSTEM_FILL_STORE_SYSTEM_BY_SQL . "$ii";
$mode = ROW_EXPECT_0_1;
// If there is an error message defined, this means there should be exactly one record.
......
......@@ -82,7 +82,7 @@ abstract class AbstractDatabaseTest extends TestCase {
// $this->store->setVar('DB_1_NAME', $dbNamePhpUnit, STORE_SYSTEM);
$dbName = $this->store->getVar('DB_NAME_TEST', STORE_SYSTEM);
if ($dbName == '') {
throw new \qfq\CodeException('Missing DB_NAME_TEST in ' . CONFIG_QFQ, ERROR_MISSING_REQUIRED_PARAMETER);
throw new \qfq\CodeException('Missing DB_NAME_TEST in ' . CONFIG_QFQ_INI, ERROR_MISSING_REQUIRED_PARAMETER);
} else {
$this->store->setVar('DB_1_NAME', $dbName, STORE_SYSTEM);
}
......