Commit 5c08cea2 authored by Carsten Rose

Hashing is fine including salt.

parent 0bf1454f
Pipeline #1476 passed with stage in 2 minutes and 8 seconds
......@@ -1233,30 +1233,32 @@ Rules for CheckType Auto (by priority):
Escape
------
Variables used in SQL Statements might cause trouble by using: NUL (ASCII 0), \\n, \\r, \\, ', ", and Control-Z.
a) Variables used in SQL Statements might cause trouble by using: NUL (ASCII 0), \\n, \\r, \\, ', ", or Control-Z.
b) Converting content like 'password' hashing.
To protect the web application the following `escape` types are available:
The following `escape` and `hashing` types are available:
* 'm' - `real_escape_string() <http://php.net/manual/en/mysqli.real-escape-string.php>`_ (m = mysql)
* 'l' - LDAP search filter values will be escaped: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER).
* 'L' - LDAP DN values will be escaped. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN).
* 's' - single ticks will be escaped. str_replace() of ' against \\'.
* 'd' - double ticks will be escaped: str_replace() of " against \\".
* 'C' - colon ':' will be escaped: str_replace() of : against \\:.
* 'l' - LDAP search filter values: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER).
* 'L' - LDAP DN values. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN).
* 's' - Single ticks ' will be escaped against \\'.
* 'd' - double ticks " will be escaped against \\".
* 'C' - colon ':' will be escaped against \\:.
* 'c' - config - the escape type configured in `configuration`_.
* 'p' - password hashing: depends on the hashing type in the current Typo3 installation, including any salting.
* '' - the escape type configured in `configuration`_.
* '-' - no escaping.
* The `escape` type is defined by the fourth parameter of the variable. E.g.: `{{name:FE:alnumx:m}}` (m = mysql).
* It's possible to combine different `escape` types, they will be processed in the order given. E.g. `{{name:FE:alnumx:Ls}}` (L, s).
* Escaping is typically necessary for SQL or LDAP queries.
* Escaping is typically necessary for all user supplied content, especially if they are processed via SQL or LDAP queries.
* Be careful when escaping nested variables. Best is to escape **only** the most outer variable.
* In configuration_ a global `escapeTypeDefault` can be defined. The configured escape type applies to all substituted
variables, who *do not* contain a *specific* escape type.
* Additionally a `defaultEscapeType` can be defined per `Form` (separate field in the *Form editor*). This overwrites the
global definition of `configuration`. By default, every `Form.defaultEscapeType` = 'c' (=config), which means the setting
in `configuration`_.
* To suppress a default escape type, define the `escape type` = '-' on the specific variable. E.g.: `{{name:FE:alnumx:-}}`.
* To suppress an escape type, define the `escape type` = '-' on the specific variable. E.g.: `{{name:FE:alnumx:-}}`.
.. _`variable-default`:
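Review bot: the new `'p'` entry should say what its output is and how it interacts with the ordering rule in this hunk ("they will be processed in the order given"): `'p'` replaces the value with a hash, so any escape type combined after it escapes the hash rather than the password, and any type combined before it alters the password before it is hashed; state that `'p'` is meant to be used on its own. Two smaller points in the same hunk: `b) Converting content like 'password' hashing.` reads awkwardly, suggest `b) Converting content, e.g. hashing a password.`; and the list now shows `'c' - config - the escape type configured in configuration_.` next to an entry for `''` with the same description, so say which of the two is the documented form. Finally, "especially if they are processed via SQL or LDAP queries" should read "especially if it is processed via SQL or LDAP queries".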
......
......@@ -12,7 +12,7 @@ use qfq;
require_once(__DIR__ . '/../core/store/Store.php');
require_once(__DIR__ . '/../core/database/Database.php');
require_once(__DIR__ . '/../core/typo3/FePassword.php');
require_once(__DIR__ . '/../core/typo3/Password.php');
require_once(__DIR__ . '/helper/Support.php');
require_once(__DIR__ . '/helper/OnString.php');
require_once(__DIR__ . '/helper/KeyValueStringParser.php');
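Review bot: `Password` is a very generic class name for the `qfq` namespace and no longer tells the reader of this require line that the class wraps TYPO3 frontend-user password hashing; consider a more specific name (for example `T3FePassword`, a placeholder suggestion) so that `core/typo3/Password.php` documents itself. Also make sure the rename of `FePassword.php` is done with `git mv` so that blame history is kept.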
......@@ -392,7 +392,7 @@ class Evaluate {
case TOKEN_ESCAPE_NONE: // do nothing
break;
case TOKEN_ESCAPE_PASSWORD_T3FE:
$fePassword = new FePassword();
$fePassword = new Password();
$value = $fePassword->getHash($value);
break;
default:
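Review bot: the local variable in `$fePassword = new Password();` still carries the old class name; rename it (for example `$password`) or keep the variable, the token `TOKEN_ESCAPE_PASSWORD_T3FE` and the class name consistent with each other. A one-line comment that `$value` is no longer the user-supplied cleartext after `getHash()` would also help readers of the surrounding `switch`.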
......
......@@ -37,10 +37,6 @@ class ErrorHandler {
$store = Store::getInstance();
if($store->getVar(SYSTEM_THROW_GENERAL_ERROR, STORE_SYSTEM) == 'yes'){
// Check if the error happens inside TYPO3 - don't care.
// if(strpos($file,'/typo3_src')){
// return false;
// }
// Do not show too much to the user. E.g. 'ldap_bind()' might have problems, but the user should not see the
// file and line number. Often the filename is part of the message >> don't show the message to the user.
throw new CodeException(json_encode(
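Review bot: removing the commented-out `strpos($file,'/typo3_src')` block leaves the line `// Check if the error happens inside TYPO3 - don't care.` orphaned directly above the next comment; drop that line as well, or turn it into a short note explaining why errors raised inside TYPO3 are intentionally no longer filtered out before `throw new CodeException(...)`.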
......
......@@ -16,29 +16,26 @@ use qfq;
* Class FePassword
* @package qfq
*/
class FePassword {
class Password {
/**
* Based on https://github.com/derhansen/fe_change_pwd/blob/master/Classes/Service/FrontendUserService.php
* Based on https://docs.typo3.org/typo3cms/extensions/saltedpasswords/8.7/DevelopersGuide/Index.html
* Convert a cleartext password to a hash. Respects if 'salted passwords' are enabled.
*
* @param string $newPassword
* @return string
*/
public function getHash($newPassword) {
// Use md5 as fallback
$password = md5($newPassword);
// If salted passwords is enabled, salt the new password
if (SaltedPasswordsUtility::isUsageEnabled('FE')) {
$objSalt = SaltFactory::getSaltingInstance(null);
if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('FE')) {
$objSalt = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL);
if (is_object($objSalt)) {
$password = $objSalt->getHashedPassword($newPassword);
$password = $objSalt->getHashedPassword($password);
}
}
$userTable = $GLOBALS['TSFE']->fe_user()->user_table;
$userUid = $GLOBALS['TSFE']->fe_user()->user['uid'];
return $password;
// $sql = "UPDATE $userTable SET password=? WHERE uid=?" $password $uid
}
}
\ No newline at end of file
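Review bot: the new code passes the md5 digest rather than the cleartext into the salting API (`$password = md5($newPassword);` followed by `$password = $objSalt->getHashedPassword($password);`), whereas the replaced line hashed `$newPassword` directly; the stored value is therefore a salted hash of `md5(cleartext)`, which only works if that is exactly what the TYPO3 frontend login compares against, so please confirm this against the linked DevelopersGuide and say so in the comment (`// Use md5 as fallback` no longer describes what the line does once salting is enabled). Note also that when `isUsageEnabled('FE')` is false the method returns an unsalted md5, which does not match the commit message "Hashing is fine including salt"; either document that limitation or fail loudly instead of silently storing a weak hash. Finally, the docblock still reads `Class FePassword` while the class is now `Password`, and the file should end with a newline.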