From e3522f6d3cd0f7851e66aeaa4ef6f3cb7835f7f7 Mon Sep 17 00:00:00 2001 From: Carsten Rose Date: Sun, 21 Aug 2022 17:33:00 +0200 Subject: [PATCH 1/7] Cleanup securityAttackDelay, securityShowMessage: change description, check functionality --- Documentation/Installation.rst | 6 +++--- Documentation/Security.rst | 2 +- extension/Classes/Core/Store/Config.php | 28 ++++++++++--------------- extension/ext_conf_template.txt | 6 +++--- 4 files changed, 18 insertions(+), 24 deletions(-) diff --git a/Documentation/Installation.rst b/Documentation/Installation.rst index a9c11fb3..f22923c5 100644 --- a/Documentation/Installation.rst +++ b/Documentation/Installation.rst 
@@ -586,10 +586,10 @@ Extension Manager: QFQ Configuration +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+ | securityVarsHoneypot | email,username,password | If empty: no check. All named variables will rendered as INPUT elements. | +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+ -| securityAttackDelay | 5 | If an attack is detected, sleep 'x' seconds and exit PHP process. '-1' | -| | | Reports the attack and returns normally - use this with care. | +| securityAttackDelay | 5 | If an attack is detected: a) clear SIP Store b) wait number of seconds, c) | +| | | quit PHP process. -1: Switch off attack detection. | +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+ -| securityShowMessage | true | If an attack is detected, show a message. | +| securityShowMessage | on/off | on: If an attack is detected, show a message. | +-----------------------------------+-------------------------------------------------------+----------------------------------------------------------------------------+ | securityGetMaxLength | 50 | GET vars longer than 'x' chars triggers an `attack-recognized`. | | | | :ref:`ExceptionMaxLength`. | diff --git a/Documentation/Security.rst b/Documentation/Security.rst index 0d724eb7..81865d11 100644 --- a/Documentation/Security.rst +++ b/Documentation/Security.rst 
@@ -108,7 +108,7 @@ Violation On any violation, QFQ will sleep `securityAttackDelaySeconds` (:ref:`configuration`) and than exit the running PHP process. A detected attack leads to a complete white (=empty) page. -If `securityShowMessage`: true (:ref:`configuration`), at least a message is displayed after the delay. +If `securityShowMessage`: on (:ref:`configuration`), at least a message is displayed after the delay. Client Parameter via SIP ------------------------ diff --git a/extension/Classes/Core/Store/Config.php b/extension/Classes/Core/Store/Config.php index eb5b6c08..e3ce28dc 100644 --- a/extension/Classes/Core/Store/Config.php +++ b/extension/Classes/Core/Store/Config.php @@ -117,8 +117,8 @@ class Config { } // Check for valid encryption method and show error in page if not valid - if(!EncryptDecrypt::checkForValidEncryptMethod($config[SYSTEM_ENCRYPTION_METHOD])){ - Thrower::userFormException("Defined default for encryption method is not valid: '".$config[SYSTEM_ENCRYPTION_METHOD]."' . Please define a valid method."); + if (!EncryptDecrypt::checkForValidEncryptMethod($config[SYSTEM_ENCRYPTION_METHOD])) { + Thrower::userFormException("Defined default for encryption method is not valid: '" . $config[SYSTEM_ENCRYPTION_METHOD] . "' . Please define a valid method."); } // End author @@ -379,18 +379,7 @@ class Config { $penalty = (empty($config[SYSTEM_SECURITY_ATTACK_DELAY]) || !is_numeric($config[SYSTEM_SECURITY_ATTACK_DELAY])) ? SYSTEM_SECURITY_ATTACK_DELAY_DEFAULT : $config[SYSTEM_SECURITY_ATTACK_DELAY]; - - // In case of an attack: log out the current user. - // $penalty of -1 means: no destroy, no sleep, no exit - if ($penalty != -1) { - Session::destroy(); - - if (!defined('PHPUNIT_QFQ')) { - sleep($penalty); - } - } - - if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 'true' || $config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1) { + if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1) { echo "Attack detected - stop process

" . $reason . '

'; // $answer[API_STATUS] = API_ANSWER_STATUS_ERROR; @@ -406,9 +395,14 @@ class Config { throw new \UserFormException('Attack detected', 1); } - // $penalty of -1 means: no destroy, no sleep, no exit - if ($penalty != -1) { - return; + if ($penalty == -1) { + return; // no destroy, no sleep, no exit + } else { + Session::destroy(); + + if (!defined('PHPUNIT_QFQ')) { + sleep($penalty); + } } exit; diff --git a/extension/ext_conf_template.txt b/extension/ext_conf_template.txt index a2ba335e..adb9b478 100644 --- a/extension/ext_conf_template.txt +++ b/extension/ext_conf_template.txt 
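Review bot: `$reason` is concatenated into the response unescaped on the `echo` line that now sits under `if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 1)`; where that string comes from is outside the hunk, but an attack reason normally names the offending parameter or value, so with the message switched on the detector itself becomes a reflected-output sink. Escape it for the HTML context, e.g. `echo "Attack detected - stop process" . htmlspecialchars($reason, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '...'` (the markup between the literals appears stripped in this view, keep whatever the original line has). Narrowing the condition from `== 'true' || == 1` to `== 1` also silently turns the message off for installations whose stored value is still the old string `true`, since `'true' == 1` is false on PHP 7 and 8 — fail-closed, but worth a line in the upgrade notes. The enclosing function starts before this hunk.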
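Review bot: `sleep($penalty)` in the new else-branch receives the config value as read, a string that only passed `is_numeric()` at the top of the previous hunk; any negative value other than -1 reaches `sleep()`, which throws `ValueError` on PHP 8 (assuming `strict_types` is not declared, otherwise a string already fails), so neither the delay nor the `exit` happens. Normalise where `$penalty` is computed, `$penalty = (int)$penalty;`, and call `sleep(max(0, $penalty));`. The `return; // no destroy, no sleep, no exit` branch is also reached only after the message echo and the `throw new \UserFormException('Attack detected', 1)` path above it, so -1 still reports the attack rather than switching detection off as the config text in this commit claims; suggest the comment `// -1: attack is still reported (message/exception), only destroy/sleep/exit are skipped`. The enclosing function starts before this hunk.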
@@ -140,11 +140,11 @@ escapeTypeDefault = m # cat=security/security; type=string; label=List of honeypot input elements:Default is 'email,username,password'. If empty: no check. All named strings will rendered as hidden INPUT elements. If a form submit contains values for those inputs, the POST is treated as an attack. securityVarsHoneypot = email,username,password -# cat=security/security; type=string; label=Attack delay in seconds:Default is '5'. After a detected attack, the number of seconds to wait before the PHP process dies (and therefore the browser request deliver nothing). '-1' report attacks but skip wait and process as normal. +# cat=security/security; type=string; label=Attack delay in seconds:Default is '5'. After a detected attack, a) clear SIP Store b) wait number of seconds, c) quit PHP process (and therefore the browser request deliver nothing). '-1': Switch off attack detection. securityAttackDelay = 5 -# cat=security/security; type=string; label=Show an attack detected message:Default is 'true'. Show (return to browser) a message, that an attack has been detected. Should be 'false' for production sites. -securityShowMessage = true +# cat=security/security; type=boolean; label=Show an attack detected message:Default is 'off'. Show (return to browser) a message, that an attack has been detected. Should be 'off' for production sites. +securityShowMessage = 0 # cat=security/security; type=string; label='GET'-Parameter max length:Default is '50'. GET vars longer than 'x' character triggers an `attack-detected`. securityGetMaxLength = 50 -- GitLab From 241bf23a72f59348e4995cb57f17a507bbb36da7 Mon Sep 17 00:00:00 2001 From: Carsten Rose Date: Sun, 21 Aug 2022 17:57:22 +0200 Subject: [PATCH 2/7] SYSTEM_SECURITY_GET_MAX_LENGTH: take care that minimum is 32. --- extension/Classes/Core/Database/DatabaseUpdate.php | 1 - extension/Classes/Core/Store/Config.php | 8 ++++++++ extension/ext_conf_template.txt | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) 
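Review bot: The new label text `'-1': Switch off attack detection` does not match the Config.php change in this same commit, where -1 only skips `Session::destroy()`, `sleep()` and `exit` while the message (when securityShowMessage is on) and the UserFormException path still fire; the replaced wording was closer to the code. Suggest `'-1': report the attack (message/exception) but skip session destroy, wait and exit - use with care.`. The switch of securityShowMessage from the string `true` to `type=boolean` with `0` also means installations that stored `true` evaluate as off from now on, because the code compares `== 1`; harmless in the safe direction, but it should be called out in the upgrade notes.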
diff --git a/extension/Classes/Core/Database/DatabaseUpdate.php b/extension/Classes/Core/Database/DatabaseUpdate.php index 922fb708..100885c7 100644 --- a/extension/Classes/Core/Database/DatabaseUpdate.php +++ b/extension/Classes/Core/Database/DatabaseUpdate.php @@ -214,7 +214,6 @@ class DatabaseUpdate { if ($new == $old || $old === false) { return; - } if (version_compare($old, '20.2.0') == -1) { diff --git a/extension/Classes/Core/Store/Config.php b/extension/Classes/Core/Store/Config.php index e3ce28dc..5db9eb46 100644 --- a/extension/Classes/Core/Store/Config.php +++ b/extension/Classes/Core/Store/Config.php @@ -107,6 +107,14 @@ class Config { T3Handler::updateT3QfqConfig(SYSTEM_BASE_URL, $config[SYSTEM_BASE_URL]); // Legacy behaviour. } + // Check minimum security length + if (($config[SYSTEM_SECURITY_GET_MAX_LENGTH] ?? '') < 32) { + // On some places we use MD5 hashes with 32chars. Therefore this should be the minimum. + $config[SYSTEM_SECURITY_GET_MAX_LENGTH] = 32; + + T3Handler::updateT3QfqConfig(SYSTEM_SECURITY_GET_MAX_LENGTH, $config[SYSTEM_SECURITY_GET_MAX_LENGTH]); + } + // Author: Enis Nuredini // Set default for encryption method if empty in typo3 configuration if (($config[SYSTEM_ENCRYPTION_METHOD] ?? '') === '') { diff --git a/extension/ext_conf_template.txt b/extension/ext_conf_template.txt index adb9b478..cd38498e 100644 --- a/extension/ext_conf_template.txt +++ b/extension/ext_conf_template.txt 
@@ -146,7 +146,7 @@ securityAttackDelay = 5 # cat=security/security; type=boolean; label=Show an attack detected message:Default is 'off'. Show (return to browser) a message, that an attack has been detected. Should be 'off' for production sites. securityShowMessage = 0 -# cat=security/security; type=string; label='GET'-Parameter max length:Default is '50'. GET vars longer than 'x' character triggers an `attack-detected`. +# cat=security/security; type=string; label='GET'-Parameter max length:Default is '50'. GET vars longer than 'x' character triggers an `attack-detected`. Minimum: 32. securityGetMaxLength = 50 # cat=security/security; type=string; label=REST - Failed auth delay in seconds:Default is '3'. -- GitLab From 4be855f5c5dedb79b5e047ab8653292e9e99e371 Mon Sep 17 00:00:00 2001 From: Carsten Rose Date: Sun, 21 Aug 2022 18:07:58 +0200 Subject: [PATCH 3/7] fix unit test --- extension/Classes/Core/Store/Config.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extension/Classes/Core/Store/Config.php b/extension/Classes/Core/Store/Config.php index 5db9eb46..cfcf78be 100644 --- a/extension/Classes/Core/Store/Config.php +++ b/extension/Classes/Core/Store/Config.php @@ -109,8 +109,8 @@ class Config { // Check minimum security length if (($config[SYSTEM_SECURITY_GET_MAX_LENGTH] ?? '') < 32) { - // On some places we use MD5 hashes with 32chars. Therefore this should be the minimum. - $config[SYSTEM_SECURITY_GET_MAX_LENGTH] = 32; + // On some places we use MD5 hashes with 32chars. Therefore this should be the minimum. If too low, set default. + $config[SYSTEM_SECURITY_GET_MAX_LENGTH] = 50; T3Handler::updateT3QfqConfig(SYSTEM_SECURITY_GET_MAX_LENGTH, $config[SYSTEM_SECURITY_GET_MAX_LENGTH]); } -- GitLab From 8b80e6eae512f31009c5c5fdc713e38e0b5b3832 Mon Sep 17 00:00:00 2001 
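Review bot: The guard `($config[SYSTEM_SECURITY_GET_MAX_LENGTH] ?? '') < 32` compares the raw config string with an int, so a non-numeric value such as `abc` or `50px` is compared as a string on PHP 8 and may not be reset, leaving a limit that later flags the 32-char MD5/SIP parameters the comment mentions as attacks. Cast before comparing: `if ((int)($config[SYSTEM_SECURITY_GET_MAX_LENGTH] ?? 0) < 32) {`. The literal `50` duplicates the default in ext_conf_template; if a `SYSTEM_SECURITY_GET_MAX_LENGTH_DEFAULT` constant exists (not visible here), use it so the two cannot drift apart. The enclosing method starts before this hunk.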
From: bbaer Date: Mon, 22 Aug 2022 14:50:54 +0200 Subject: [PATCH 4/7] renamed query to _ta_query --- javascript/src/TypeAhead.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/src/TypeAhead.js b/javascript/src/TypeAhead.js index a01db3ba..9a5a794a 100644 --- a/javascript/src/TypeAhead.js +++ b/javascript/src/TypeAhead.js @@ -316,7 +316,7 @@ var QfqNS = QfqNS || {}; }; n.TypeAhead.makeUrl = function (endpoint, element) { - return endpoint + "?query=%QUERY" + "&sip=" + n.TypeAhead.getSip(element); + return endpoint + "?_ta_query=%QUERY" + "&sip=" + n.TypeAhead.getSip(element); }; n.TypeAhead.makePrefetchUrl = function (endpoint, prefetchKey, element) { return endpoint + "?prefetch=" + encodeURIComponent(prefetchKey) + "&sip=" + n.TypeAhead.getSip(element); -- GitLab From b53135158403a8a74103a7416da76b84c293ee15 Mon Sep 17 00:00:00 2001 From: bbaer Date: Mon, 22 Aug 2022 15:34:38 +0200 Subject: [PATCH 5/7] renamed prefetch to _ta_prefetch --- javascript/src/TypeAhead.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/src/TypeAhead.js b/javascript/src/TypeAhead.js index 9a5a794a..800225ba 100644 --- a/javascript/src/TypeAhead.js +++ b/javascript/src/TypeAhead.js @@ -319,7 +319,7 @@ var QfqNS = QfqNS || {}; return endpoint + "?_ta_query=%QUERY" + "&sip=" + n.TypeAhead.getSip(element); }; n.TypeAhead.makePrefetchUrl = function (endpoint, prefetchKey, element) { - return endpoint + "?prefetch=" + encodeURIComponent(prefetchKey) + "&sip=" + n.TypeAhead.getSip(element); + return endpoint + "?_ta_prefetch=" + encodeURIComponent(prefetchKey) + "&sip=" + n.TypeAhead.getSip(element); }; n.TypeAhead.getLimit = function ($element) { -- GitLab From a8e434ccd5dc3e9549c8f06ab7c7f96d3cc30aa9 Mon Sep 17 00:00:00 2001 
From: Carsten Rose Date: Mon, 22 Aug 2022 21:05:35 +0200 Subject: [PATCH 6/7] Refs #4018: Implement renamed keywords _ta_query, _ta_prefetch. Fix broken detection of typeahead mode. --- extension/Classes/Core/Constants.php | 4 ++-- extension/Classes/Core/Store/Config.php | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/extension/Classes/Core/Constants.php b/extension/Classes/Core/Constants.php index 599a778a..03b6bc0e 100644 --- a/extension/Classes/Core/Constants.php +++ b/extension/Classes/Core/Constants.php @@ -784,8 +784,8 @@ const VAR_TAG_ID = 'tagId'; const VAR_TAG_VALUE = 'tagValue'; // PHP class Typeahead -const TYPEAHEAD_API_QUERY = 'query'; // Name of parameter in API call of typeahead.php?query=...&s=... - See also FE_TYPE_AHEAD_SQL -const TYPEAHEAD_API_PREFETCH = 'prefetch'; // Name of parameter in API call of typeahead.php?prefetch=...&s=... - See also FE_TYPE_AHEAD_SQL +const TYPEAHEAD_API_QUERY = '_ta_query'; // Name of parameter in API call of typeahead.php?query=...&s=... - See also FE_TYPE_AHEAD_SQL +const TYPEAHEAD_API_PREFETCH = '_ta_prefetch'; // Name of parameter in API call of typeahead.php?prefetch=...&s=... - See also FE_TYPE_AHEAD_SQL const TYPEAHEAD_API_SIP = 'sip'; // Name of parameter in API call of typeahead.php?query=...&s=... const TYPEAHEAD_DEFAULT_LIMIT = 20; const TYPEAHEAD_SQL_KEY_NAME = 'id'; diff --git a/extension/Classes/Core/Store/Config.php b/extension/Classes/Core/Store/Config.php index cfcf78be..f1ea11db 100644 --- a/extension/Classes/Core/Store/Config.php +++ b/extension/Classes/Core/Store/Config.php 
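Review bot: The trailing comments on the two renamed constants still document the old wire names, `typeahead.php?query=...` and `typeahead.php?prefetch=...`, while the values are now `_ta_query` and `_ta_prefetch`; anyone reading the endpoint contract from Constants.php will be pointed at parameters the JS no longer sends. Update them to `// Name of parameter in API call of typeahead.php?_ta_query=...&sip=... - See also FE_TYPE_AHEAD_SQL` and the `_ta_prefetch` counterpart; the comments also say `&s=` although TYPEAHEAD_API_SIP is `'sip'`.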
@@ -342,10 +342,8 @@ class Config { } else { $maxLength = $config[SYSTEM_SECURITY_GET_MAX_LENGTH]; // might change again. - // If there is a global variable 'typeAhead', we're likely in API/typeahead.php mode - - // this indicates it's wished to raise the maxLength limit. - if (isset($GLOBALS["typeAhead"]) && $key === TYPEAHEAD_API_QUERY) { - // In case $key=='query' and we're called via API/typeahead.php: extend the default maxlength; + // Typeahead parameter do have special extended limitation. + if ($key == TYPEAHEAD_API_QUERY || $key = TYPEAHEAD_API_PREFETCH) { if ($maxLength < TYPEAHEAD_API_MAX_LENGTH) { $maxLength = TYPEAHEAD_API_MAX_LENGTH; } -- GitLab From aa51808305ce79150e26de169f97f7b9f5ea3eb5 Mon Sep 17 00:00:00 2001 From: Carsten Rose Date: Mon, 22 Aug 2022 21:19:46 +0200 Subject: [PATCH 7/7] Refs #4018: Fix broken compare --- extension/Classes/Core/Store/Config.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extension/Classes/Core/Store/Config.php b/extension/Classes/Core/Store/Config.php index f1ea11db..3ad87298 100644 --- a/extension/Classes/Core/Store/Config.php +++ b/extension/Classes/Core/Store/Config.php @@ -343,7 +343,7 @@ class Config { $maxLength = $config[SYSTEM_SECURITY_GET_MAX_LENGTH]; // might change again. // Typeahead parameter do have special extended limitation. - if ($key == TYPEAHEAD_API_QUERY || $key = TYPEAHEAD_API_PREFETCH) { + if ($key == TYPEAHEAD_API_QUERY || $key == TYPEAHEAD_API_PREFETCH) { if ($maxLength < TYPEAHEAD_API_MAX_LENGTH) { $maxLength = TYPEAHEAD_API_MAX_LENGTH; } -- GitLab
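Review bot: Dropping the `isset($GLOBALS["typeAhead"])` guard widens the exemption: the raised TYPEAHEAD_API_MAX_LENGTH now applies to any request that carries a GET parameter named `_ta_query` or `_ta_prefetch`, not only to calls served by the typeahead endpoint, and the parameter name is chosen by the client, so securityGetMaxLength can be exceeded for those two names on every page. The prefix makes accidental collisions unlikely but does not scope the bypass; if the global flag was not being set reliably (the commit message says typeahead-mode detection was broken), set it correctly in the typeahead entry point and keep the scope check, e.g. `if (isset($GLOBALS['typeAhead']) && ($key === TYPEAHEAD_API_QUERY || $key === TYPEAHEAD_API_PREFETCH)) {`. The enclosing method starts before this hunk.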
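Review bot: The corrected condition still uses loose `==`; `$key` is a parameter name compared against two string constants, so `if ($key === TYPEAHEAD_API_QUERY || $key === TYPEAHEAD_API_PREFETCH) {` states the intent and rules out PHP's numeric-string coercion rules for good. This is a style point only — with non-numeric constants the loose form yields the same result.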