typo3 / qfq
Commit 5c08cea2 authored Feb 02, 2019 by Carsten Rose
Hashing is fine including salt.
parent 0bf1454f
Pipeline #1476 passed with stage in 2 minutes and 8 seconds
Changes: 4
Pipelines: 1
extension/Documentation/Manual.rst
@@ -1233,30 +1233,32 @@ Rules for CheckType Auto (by priority):
Escape
------
Variables used in SQL Statements might cause trouble by using: NUL (ASCII 0), \\n, \\r, \\, ', ", and Control-Z.
a) Variables used in SQL Statements might cause trouble by using: NUL (ASCII 0), \\n, \\r, \\, ', ", or Control-Z.
b) Converting content like 'password' hashing.
T
o protect the web application t
he following `escape` types are available:
The following `escape`
and `hashing`
types are available:
* 'm' - `real_escape_string() <http://php.net/manual/en/mysqli.real-escape-string.php>`_ (m = mysql)
* 'l' - LDAP search filter values
will be escaped
: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER).
* 'L' - LDAP DN values
will be escaped
. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN).
* 's' -
s
ingle ticks will be escaped
. str_replace() of '
against \\'.
* 'd' - double ticks will be escaped
: str_replace() of "
against \\".
* 'C' - colon ':' will be escaped
: str_replace() of :
against \\:.
* 'l' - LDAP search filter values: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER).
* 'L' - LDAP DN values. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN).
* 's' -
S
ingle ticks
'
will be escaped against \\'.
* 'd' - double ticks
"
will be escaped against \\".
* 'C' - colon ':' will be escaped against \\:.
* 'c' - config - the escape type configured in `configuration`_.
* 'p' - password hashing: depends on the hashing type in the current Typo3 installation, including any salting.
* '' - the escape type configured in `configuration`_.
* '-' - no escaping.
* The `escape` type is defined by the fourth parameter of the variable. E.g.: `{{name:FE:alnumx:m}}` (m = mysql).
* It's possible to combine different `escape` types, they will be processed in the order given. E.g. `{{name:FE:alnumx:Ls}}` (L, s).
* Escaping is typically necessary for SQL or LDAP queries.
* Escaping is typically necessary for
all user supplied content, especially if they are processed via
SQL or LDAP queries.
* Be careful when escaping nested variables. Best is to escape **only** the most outer variable.
* In configuration_ a global `escapeTypeDefault` can be defined. The configured escape type applies to all substituted
variables, who *do not* contain a *specific* escape type.
* Additionally a `defaultEscapeType` can be defined per `Form` (separate field in the *Form editor*). This overwrites the
global definition of `configuration`. By default, every `Form.defaultEscapeType` = 'c' (=config), which means the setting
in `configuration`_.
* To suppress a
default
escape type, define the `escape type` = '-' on the specific variable. E.g.: `{{name:FE:alnumx:-}}`.
* To suppress a
n
escape type, define the `escape type` = '-' on the specific variable. E.g.: `{{name:FE:alnumx:-}}`.
.. _`variable-default`:
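Review bot: the new item "b) Converting content like 'password' hashing." is not a sentence; something like "b) Converting content, e.g. hashing a password." reads better. The 'p' entry should also say what happens when salted passwords are disabled for FE: the renamed Password class in this same commit falls back to plain md5(), and "including any salting" alone hides that an unsalted MD5 is then stored. Two smaller points: since combined escape types "will be processed in the order given", 'p' must come first (or stand alone), otherwise the hasher receives an already-escaped string, and that deserves a sentence next to the `{{name:FE:alnumx:Ls}}` example; and "especially if they are processed" should be "especially if it is processed", as "content" is singular.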
extension/Source/core/Evaluate.php
@@ -12,7 +12,7 @@ use qfq;
require_once
(
__DIR__
.
'/../core/store/Store.php'
);
require_once
(
__DIR__
.
'/../core/database/Database.php'
);
require_once
(
__DIR__
.
'/../core/typo3/
Fe
Password.php'
);
require_once
(
__DIR__
.
'/../core/typo3/Password.php'
);
require_once
(
__DIR__
.
'/helper/Support.php'
);
require_once
(
__DIR__
.
'/helper/OnString.php'
);
require_once
(
__DIR__
.
'/helper/KeyValueStringParser.php'
);
@@ -392,7 +392,7 @@ class Evaluate {
case
TOKEN_ESCAPE_NONE
:
// do nothing
break
;
case
TOKEN_ESCAPE_PASSWORD_T3FE
:
$fePassword
=
new
Fe
Password
();
$fePassword
=
new
Password
();
$value
=
$fePassword
->
getHash
(
$value
);
break
;
default
:
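Review bot: the local variable is still called `$fePassword` although the class it holds is now `Password`; rename it (for example `$passwordHasher`) so the name no longer points at the removed FePassword class. Keeping the constant `TOKEN_ESCAPE_PASSWORD_T3FE` is right, since it backs the documented escape type 'p' and renaming it would change the public surface of the manual.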
extension/Source/core/exceptions/ErrorHandler.php
@@ -37,10 +37,6 @@ class ErrorHandler {
$store
=
Store
::
getInstance
();
if
(
$store
->
getVar
(
SYSTEM_THROW_GENERAL_ERROR
,
STORE_SYSTEM
)
==
'yes'
){
// Check if the error happens inside TYPO3 - don't care.
// if(strpos($file,'/typo3_src')){
// return false;
// }
// Do not show too much to the user. E.g. 'ldap_bind()' might have problems, but the user should not see the
// file and line number. Often the filename is part of the message >> don't show the message to the user.
throw
new
CodeException
(
json_encode
(
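Review bot: dropping the commented-out `strpos($file,'/typo3_src')` block is the right call, dead code inside comments only goes stale. While touching this function, the unchanged `getVar(SYSTEM_THROW_GENERAL_ERROR, STORE_SYSTEM) == 'yes'` would be safer as `=== 'yes'`: with PHP's loose comparison on pre-8 versions an integer 0 coming out of the store compares equal to the non-numeric string 'yes', so a misconfigured value could silently enable the generic-error path.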
extension/Source/core/typo3/FePassword.php → extension/Source/core/typo3/Password.php
@@ -16,29 +16,26 @@ use qfq;
* Class FePassword
* @package qfq
*/
class
Fe
Password
{
class
Password
{
/**
* Based on https://github.com/derhansen/fe_change_pwd/blob/master/Classes/Service/FrontendUserService.php
* Based on https://docs.typo3.org/typo3cms/extensions/saltedpasswords/8.7/DevelopersGuide/Index.html
* Convert a cleartext password to a hash. Respects if 'salted passwords' are enabled.
*
* @param string $newPassword
* @return string
*/
public
function
getHash
(
$newPassword
)
{
// Use md5 as fallback
$password
=
md5
(
$newPassword
);
// If salted passwords is enabled, salt the new password
if
(
SaltedPasswordsUtility
::
isUsageEnabled
(
'FE'
))
{
$objSalt
=
SaltFactory
::
getSaltingInstance
(
null
);
if
(
\
TYPO3\CMS\Saltedpasswords\Utility\
SaltedPasswordsUtility
::
isUsageEnabled
(
'FE'
))
{
$objSalt
=
\
TYPO3\CMS\Saltedpasswords\Salt\
SaltFactory
::
getSaltingInstance
(
NULL
);
if
(
is_object
(
$objSalt
))
{
$password
=
$objSalt
->
getHashedPassword
(
$
newP
assword
);
$password
=
$objSalt
->
getHashedPassword
(
$
p
assword
);
}
}
$userTable
=
$GLOBALS
[
'TSFE'
]
->
fe_user
()
->
user_table
;
$userUid
=
$GLOBALS
[
'TSFE'
]
->
fe_user
()
->
user
[
'uid'
];
return
$password
;
// $sql = "UPDATE $userTable SET password=? WHERE uid=?" $password $uid
}
}
\ No newline at end of file
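Review bot: the argument to `getHashedPassword()` changed from `$newPassword` to `$password`, and at that point `$password` is `md5($newPassword)`, so the salted hash is now computed over the 32-character md5 hex digest rather than over the cleartext. That only verifies at login time if the authentication side also md5-hashes the submitted password before `checkPassword()`; the derhansen service cited in the docblock hashes the cleartext. If this is intended (the commit message "Hashing is fine including salt." suggests it is), state it in the docblock and in the Manual entry for 'p', otherwise revert to `$newPassword`. Smaller points in the same hunk: the docblock still reads "Class FePassword"; `$userTable` and `$userUid` are assigned and never used before `return $password;`, and the `// $sql = ...` comment after the return is unreachable, so all three lines can go; as far as I know `fe_user` is a property of TypoScriptFrontendController rather than a method (the usual access is `$GLOBALS['TSFE']->fe_user->user['uid']`), so check whether `fe_user()` would fatal if those lines ever ran. Finally, the `md5()` fallback taken when `SaltedPasswordsUtility::isUsageEnabled('FE')` is false stores an unsalted MD5; that should at least be documented, and better refused with an exception so an installation without salted FE passwords does not silently get weak hashes.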