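<?php
/***************************************************************
*  Copyright notice
*
*  (c) 2009-2011 Ingo Renner <ingo@typo3.org>
*  All rights reserved
*
*  This script is part of the TYPO3 project. The TYPO3 project is
*  free software; you can redistribute it and/or modify
*  it under the terms of the GNU General Public License as published by
*  the Free Software Foundation; either version 2 of the License, or
*  (at your option) any later version.
*
*  The GNU General Public License can be found at
*  http://www.gnu.org/copyleft/gpl.html.
*
*  This script is distributed in the hope that it will be useful,
*  but WITHOUT ANY WARRANTY; without even the implied warranty of
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*  GNU General Public License for more details.
*
*  This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/


/**
 * Performs several checks about the system's health
 *
 * @author		Ingo Renner <ingo@typo3.org>
 * @package		TYPO3
 * @subpackage	reports
 *
 * $Id: class.tx_reports_reports_status_securitystatus.php 10120 2011-01-18 20:03:36Z ohader $
 */
class tx_reports_reports_status_SecurityStatus implements tx_reports_StatusProvider {

	/**
	 * Collects the security related statuses of the installation: default
	 * admin account, encryption key, file deny pattern, .htaccess upload
	 * protection and the Install Tool's protection and password.
	 *
	 * A pending admin command from the request is executed first, so the
	 * statuses returned afterwards already reflect its result.
	 *
	 * @return	array	List of statuses, keyed by check name
	 * @see typo3/sysext/reports/interfaces/tx_reports_StatusProvider::getStatus()
	 */
	public function getStatus() {
		$this->executeAdminCommand();

		$statuses = array(
			'adminUserAccount'    => $this->getAdminAccountStatus(),
			'encryptionKeyEmpty'  => $this->getEncryptionKeyStatus(),
			'fileDenyPattern'     => $this->getFileDenyPatternStatus(),
			'htaccessUpload'      => $this->getHtaccessUploadStatus(),
			'installToolEnabled'  => $this->getInstallToolProtectionStatus(),
			'installToolPassword' => $this->getInstallToolPasswordStatus(),
		);

		return $statuses;
	}

	/**
	 * Checks whether a BE user account named admin with the default password exists.
	 *
	 * @return	tx_reports_reports_status_Status	A tx_reports_reports_status_Status object representing whether a default admin account exists
	 */
	protected function getAdminAccountStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

			// 5f4dcc3b5aa765d61d8327deb882cf99 is the unsalted MD5 of "password".
			// NOTE(review): the stored value is compared literally, so an account
			// whose default password is stored in another format (for example
			// salted) would presumably not be reported - confirm against the
			// password storage in use.
		$whereClause = 'username = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('admin', 'be_users')
			. ' AND password = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('5f4dcc3b5aa765d61d8327deb882cf99', 'be_users')
			. t3lib_BEfunc::deleteClause('be_users');
		$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
			'uid, username, password',
			'be_users',
			$whereClause
		);
		if ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

				// The uid is forced to an integer and the URL is escaped for the
				// attribute context before it becomes part of the markup.
			$editUserAccountUrl = 'alt_doc.php?returnUrl=mod.php?M=tools_txreportsM1&edit[be_users][' . intval($row['uid']) . ']=edit';
			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.backend_admin'),
				'<a href="' . htmlspecialchars($editUserAccountUrl) . '">',
				'</a>'
			);
		}
		$GLOBALS['TYPO3_DB']->sql_free_result($res);

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_adminUserAccount'), $value, $message, $severity
		);
	}

	/**
	 * Checks whether the encryption key is empty.
	 *
	 * @return	tx_reports_reports_status_Status	A tx_reports_reports_status_Status object representing whether the encryption key is empty or not
	 */
	protected function getEncryptionKeyStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

			$url = 'install/index.php?redirect_url=index.php'
				. urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_encryption'),
				'<a href="' . $url . '">',
				'</a>'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_encryptionKey'), $value, $message, $severity
		);
	}

	/**
	 * Checks if fileDenyPattern was changed which is dangerous on Apache
	 *
	 * @return	tx_reports_reports_status_Status	A tx_reports_reports_status_Status object representing whether the file deny pattern has changed
	 */
	protected function getFileDenyPatternStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

				// The warning shows the default pattern so that it can be restored.
			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern'),
				'<br /><pre>'
				. htmlspecialchars(FILE_DENY_PATTERN_DEFAULT)
				. '</pre><br />'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_fileDenyPattern'), $value, $message, $severity
		);
	}

	/**
	 * Checks if fileDenyPattern allows to upload .htaccess files which is
	 * dangerous on Apache.
	 *
	 * The check only runs when the pattern differs from the default one.
	 *
	 * @return	tx_reports_reports_status_Status	A tx_reports_reports_status_Status object representing whether it's possible to upload .htaccess files
	 */
	protected function getHtaccessUploadStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT
			&& t3lib_div::verifyFilenameAgainstDenyPattern('.htaccess')) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;
			$message  = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_htaccess');
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_htaccessUploadProtection'), $value, $message, $severity
		);
	}

	/**
	 * Checks whether memcached is configured, if that's the case we assume it's also used.
	 *
	 * NOTE(review): getConfiguredMemcachedServers() is not defined in this
	 * class as shown and nothing in this class calls this method - confirm
	 * whether it is still needed here.
	 *
	 * @return	boolean	True if memcached is used, false otherwise.
	 */
	protected function isMemcachedUsed() {
		$memcachedUsed = FALSE;

		$memcachedServers = $this->getConfiguredMemcachedServers();
		if (count($memcachedServers)) {
			$memcachedUsed = TRUE;
		}

		return $memcachedUsed;
	}


	/**
	 * Executes commands like removing the Install Tool enable file.
	 *
	 * NOTE(review): the command is read from a plain GET parameter and no
	 * request token is checked in this method. The only command handled here
	 * removes the enable file, which closes the Install Tool; any command
	 * added later that changes more than that should be bound to a token.
	 *
	 * @return	void
	 */
	protected function executeAdminCommand() {
		$command = t3lib_div::_GET('adminCmd');

		switch ($command) {
			case 'remove_ENABLE_INSTALL_TOOL':
				$enableInstallToolFile = PATH_site . 'typo3conf/ENABLE_INSTALL_TOOL';
					// A reloaded or repeated request finds the file already gone;
					// unlink() would then only raise a PHP warning.
				if (is_file($enableInstallToolFile)) {
					unlink($enableInstallToolFile);
				}
			break;
		}
	}

	/**
	 * Checks whether the Install Tool password is set to its default value.
	 *
	 * @return	tx_reports_reports_status_Status	A tx_reports_reports_status_Status object representing the security of the install tool password
	 */
	protected function getInstallToolPasswordStatus() {
		$value    = $GLOBALS['LANG']->getLL('status_ok');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

			// Strict comparison: a non-string configuration value must never be
			// juggled into a match (or a mismatch) with the default hash.
		if ($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] === md5('joh316')) {
			$value    = $GLOBALS['LANG']->getLL('status_insecure');
			$severity = tx_reports_reports_status_Status::ERROR;

			$changeInstallToolPasswordUrl = 'install/index.php?redirect_url=index.php'
				. urlencode('?TYPO3_INSTALL[type]=about');

			$message = sprintf(
				$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_password'),
				'<a href="' . $changeInstallToolPasswordUrl . '">',
				'</a>'
			);
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_installToolPassword'), $value, $message, $severity
		);
	}



	/**
	 * Checks for the existence of the ENABLE_INSTALL_TOOL file.
	 *
	 * A file containing KEEP_FILE is reported as permanently enabled
	 * (warning). Any other file is treated as temporary: it is removed once
	 * it is older than one hour, otherwise a notice with the remaining
	 * minutes is reported.
	 *
	 * @return	tx_reports_reports_status_Status	A tx_reports_reports_status_Status object representing whether ENABLE_INSTALL_TOOL exists
	 */
	protected function getInstallToolProtectionStatus() {
		$enableInstallToolFile = PATH_site . 'typo3conf/ENABLE_INSTALL_TOOL';
		$value    = $GLOBALS['LANG']->getLL('status_disabled');
		$message  = '';
		$severity = tx_reports_reports_status_Status::OK;

		$enableInstallToolFileExists = is_file($enableInstallToolFile);

		if ($enableInstallToolFileExists) {

			if (trim(file_get_contents($enableInstallToolFile)) === 'KEEP_FILE') {

				$severity = tx_reports_reports_status_Status::WARNING;

					// TYPO3_REQUEST_URL is taken from the current request, so it
					// is escaped below before being written into the href.
				$disableInstallToolUrl = t3lib_div::getIndpEnv('TYPO3_REQUEST_URL')
					. '&adminCmd=remove_ENABLE_INSTALL_TOOL';

				$value = $GLOBALS['LANG']->getLL('status_enabledPermanently');

				$message = sprintf(
					$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled'),
					'<span style="white-space: nowrap;">' . htmlspecialchars($enableInstallToolFile) . '</span>');
				$message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">'
					. $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled_cmd')
					. '</a>';

			} else {

					// Remaining lifetime in seconds; the file is valid for one
					// hour after its last modification.
				$enableInstallToolFileTtl = filemtime($enableInstallToolFile) + 3600 - time();

				if ($enableInstallToolFileTtl <= 0) {

						// Expired: remove the file, the status stays "disabled".
					unlink($enableInstallToolFile);

				} else {

					$severity = tx_reports_reports_status_Status::NOTICE;

						// Request derived URL, escaped below like in the
						// permanent case.
					$disableInstallToolUrl = t3lib_div::getIndpEnv('TYPO3_REQUEST_URL')
						. '&adminCmd=remove_ENABLE_INSTALL_TOOL';

					$value = $GLOBALS['LANG']->getLL('status_enabledTemporarily');

					$message = sprintf(
						$GLOBALS['LANG']->getLL('status_installEnabledTemporarily'),
						'<span style="white-space: nowrap;">' . htmlspecialchars($enableInstallToolFile) . '</span>',
						floor($enableInstallToolFileTtl / 60)
					);
					$message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">'
						. $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled_cmd')
						. '</a>';
				}
			}
		}

		return t3lib_div::makeInstance('tx_reports_reports_status_Status',
			$GLOBALS['LANG']->getLL('status_installTool'), $value, $message, $severity
		);
	}

}


	// XCLASS hook: loads an extending class file when one is registered in the
	// installation's configuration for this script.
if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php'])) {
	include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/reports/reports/status/class.tx_reports_reports_status_securitystatus.php']);
}

?>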