Skip to content

GitLab

Commit e3cce23e authored by Carsten Rose's avatar Carsten Rose
Browse files

Merge remote-tracking branch 'origin/master'

parents 2bc34b5b 88b42abb
Pipeline #1502 passed with stage
in 2 minutes and 20 seconds
Hide whitespace changes
Inline Side-by-side
extension/Documentation/Manual.rst
View file @ e3cce23e
......@@ -1233,30 +1233,32 @@ Rules for CheckType Auto (by priority):
Escape
------
Variables used in SQL Statements might cause trouble by using: NUL (ASCII 0), \\n, \\r, \\, ', ", and Control-Z.
a) Variables used in SQL Statements might cause trouble by using: NUL (ASCII 0), \\n, \\r, \\, ', ", or Control-Z.
b) Converting content like 'password' hashing.
To protect the web application the following `escape` types are available:
The following `escape` and `hashing` types are available:
* 'm' - `real_escape_string() <http://php.net/manual/en/mysqli.real-escape-string.php>`_ (m = mysql)
* 'l' - LDAP search filter values will be escaped: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER).
* 'L' - LDAP DN values will be escaped. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN).
* 's' - single ticks will be escaped. str_replace() of ' against \\'.
* 'd' - double ticks will be escaped: str_replace() of " against \\".
* 'C' - colon ':' will be escaped: str_replace() of : against \\:.
* 'l' - LDAP search filter values: `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_FILTER).
* 'L' - LDAP DN values. `ldap-escape() <http://php.net/manual/en/function.ldap-escape.php>`_ (LDAP_ESCAPE_DN).
* 's' - Single ticks ' will be escaped against \\'.
* 'd' - double ticks " will be escaped against \\".
* 'C' - colon ':' will be escaped against \\:.
* 'c' - config - the escape type configured in `configuration`_.
* 'p' - password hashing: depends on the hashing type in the current Typo3 installation, including any salting.
* '' - the escape type configured in `configuration`_.
* '-' - no escaping.
* The `escape` type is defined by the fourth parameter of the variable. E.g.: `{{name:FE:alnumx:m}}` (m = mysql).
* It's possible to combine different `escape` types, they will be processed in the order given. E.g. `{{name:FE:alnumx:Ls}}` (L, s).
* Escaping is typically necessary for SQL or LDAP queries.
* Escaping is typically necessary for all user supplied content, especially if they are processed via SQL or LDAP queries.
* Be careful when escaping nested variables. Best is to escape **only** the most outer variable.
* In configuration_ a global `escapeTypeDefault` can be defined. The configured escape type applies to all substituted
variables, who *do not* contain a *specific* escape type.
* Additionally a `defaultEscapeType` can be defined per `Form` (separate field in the *Form editor*). This overwrites the
global definition of `configuration`. By default, every `Form.defaultEscapeType` = 'c' (=config), which means the setting
in `configuration`_.
* To suppress a default escape type, define the `escape type` = '-' on the specific variable. E.g.: `{{name:FE:alnumx:-}}`.
* To suppress an escape type, define the `escape type` = '-' on the specific variable. E.g.: `{{name:FE:alnumx:-}}`.
.. _`variable-default`:
......
extension/Source/bootstrap.php
View file @ e3cce23e
......@@ -7,6 +7,7 @@
*/
// use autoloader of composer. Directories for autoload specified in composer.json -> autoload
// run 'composer dump-autoload' after making changes to composer.json -> autoload !
require_once(__DIR__ . '/../vendor/autoload.php');
require_once(__DIR__ . '/core/Constants.php');
\ No newline at end of file
extension/Source/core/Constants.php
View file @ e3cce23e
......@@ -712,6 +712,7 @@ const TOKEN_ESCAPE_COLON = 'C';
const TOKEN_ESCAPE_LDAP_FILTER = 'l';
const TOKEN_ESCAPE_LDAP_DN = 'L';
const TOKEN_ESCAPE_MYSQL = 'm';
const TOKEN_ESCAPE_PASSWORD_T3FE = 'p';
const TOKEN_ESCAPE_NONE = '-';
// Workaround for PHP < 5.6.0
......
extension/Source/core/Evaluate.php
View file @ e3cce23e
......@@ -12,6 +12,7 @@ use qfq;
require_once(__DIR__ . '/../core/store/Store.php');
require_once(__DIR__ . '/../core/database/Database.php');
require_once(__DIR__ . '/../core/typo3/Password.php');
require_once(__DIR__ . '/helper/Support.php');
require_once(__DIR__ . '/helper/OnString.php');
require_once(__DIR__ . '/helper/KeyValueStringParser.php');
......@@ -390,6 +391,9 @@ class Evaluate {
break;
case TOKEN_ESCAPE_NONE: // do nothing
break;
case TOKEN_ESCAPE_PASSWORD_T3FE:
$value = Password::getHash($value);
break;
default:
throw new UserFormException("Unknown escape qualifier: $escape", UNKNOWN_TYPE);
break;
......
extension/Source/core/typo3/Password.php 0 → 100644
View file @ e3cce23e
<?php
/**
* Created by PhpStorm.
* User: crose
* Date: 2/1/19
* Time: 10:31 PM
*/
namespace qfq;
use TYPO3\CMS\Saltedpasswords\Salt\SaltFactory;
use TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility;
use qfq;
/**
* Class FePassword
* @package qfq
*/
class Password {
/**
* Based on https://docs.typo3.org/typo3cms/extensions/saltedpasswords/8.7/DevelopersGuide/Index.html
* Convert a cleartext password to a hash. Respects if 'salted passwords' are enabled.
*
* @param string $newPassword
* @return string
*/
public static function getHash($newPassword) {
$saltedPassword = md5($newPassword); // Use md5 as fallback
self::t3AutoloadIfNotRunning();
if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('FE')) {
$objSalt = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL);
if (is_object($objSalt)) {
$saltedPassword = $objSalt->getHashedPassword($newPassword);
}
}
return $saltedPassword;
}
/**
* Based on https://docs.typo3.org/typo3cms/extensions/saltedpasswords/8.7/DevelopersGuide/Index.html
* Check if the salted password corresponds to the password.
*
* @param string $saltedPassword
* @param string $password
* @return bool
*/
public static function checkPassword($saltedPassword, $password) {
self::t3AutoloadIfNotRunning();
$success = FALSE;
if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('FE')) {
$objSalt2 = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($saltedPassword);
if (is_object($objSalt2)) {
$success = $objSalt2->checkPassword($password, $saltedPassword);
}
}
return $success;
}
/**
* Load Typo3 autoloader if Typo3 is not instantiated
*/
public static function t3AutoloadIfNotRunning() {
if (!class_exists('\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility')) {
//TODO: Get absolute 'path' via QFQ config
require __DIR__ . '/../../../../../../typo3_src/vendor/autoload.php';
// run typo3 bootstrap if not yet happened. Necessary if run in unittest.
if (!defined('TYPO3_MODE')) {
\TYPO3\CMS\Core\Core\Bootstrap::getInstance()
->setRequestType(TYPO3_REQUESTTYPE_AJAX)
->baseSetup(0);
// Alternate error fix if you don't want to run Typo3 bootstrap:
// error_reporting(E_ALL & ~(E_STRICT | E_NOTICE | E_DEPRECATED));
define('TYPO3_MODE', 'FE');
}
}
}
}
\ No newline at end of file
extension/Tests/unit/core/typo3/PasswordTest.php 0 → 100644
View file @ e3cce23e
<?php
/**
* Created by PhpStorm.
* User: crose
* Date: 11/02/18
* Time: 9:16 PM
*/
namespace qfq;
use PHPUnit\Framework\TestCase;
/**
* Class PasswordTest
* @package qfq
*/
class PasswordTest extends TestCase {
public function testPasswordHashAndCheck() {
//TODO: Uncomment when CI/CD with docker is set up
// $pw='crazysecurepassword23465-.';
// $pwSalted=Password::getHash($pw);
// $this->assertTrue(Password::checkPassword($pwSalted, $pw));
$this->assertTrue(True);
}
}
\ No newline at end of file
extension/composer.json
View file @ e3cce23e
......@@ -16,7 +16,8 @@
"Source/core/form/",
"Source/core/helper/",
"Source/core/report/",
"Source/core/store/"]
"Source/core/store/",
"Source/core/typo3/"]
}
}
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment