Skip to content

Commit

Permalink
[SECURITY] Avoid creation of backend users without password
Browse files Browse the repository at this point in the history
When using FormEngine it is possible to create a Backend User
without setting a password (or username), which could lead to
issues when using third-party authentication providers.

A hook within DataHandler ensures to set a random username
and/or password if the data is handed into DataHandler without
proper data. Besides that new backend users are disabled per
default and have to be enable manually.

Resolves: #80269
Releases: master, 9.5, 8.7
Security-Commit: c019928c25cf8d94e68f9ae7f7edf7251cb4f535
Security-Bulletin: TYPO3-CORE-SA-2019-002
Change-Id: I35c18271f3650c0d9303e736fd7f26a9ad813e4a
Reviewed-on: https://review.typo3.org/59528
Reviewed-by: Oliver Hader <[email protected]>
Tested-by: Oliver Hader <[email protected]>
  • Loading branch information
bmack authored and ohader committed Jan 22, 2019
1 parent 9453d8a commit 1e0c7a6
Show file tree
Hide file tree
Showing 3 changed files with 73 additions and 4 deletions.
67 changes: 67 additions & 0 deletions Classes/Hooks/BackendUserPasswordCheck.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
<?php
declare(strict_types = 1);

namespace TYPO3\CMS\Core\Hooks;

/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/

use TYPO3\CMS\Core\Crypto\Random;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Core\Utility\MathUtility;

/**
* DataHandler hook to ensure that a be_user always has a username + password set if newly-created.
*
* @internal This class is a hook implementation and is not part of the TYPO3 Core API.
*/
class BackendUserPasswordCheck
{
/**
* @var Random
*/
protected $random;

public function __construct()
{
$this->random = GeneralUtility::makeInstance(Random::class);
}

/**
* @param array $incomingFieldArray
* @param string $table
* @param string $id
* @param DataHandler $dataHandler
*/
public function processDatamap_preProcessFieldArray(&$incomingFieldArray, $table, $id, DataHandler $dataHandler)
{
// Not within be_users
if ($table !== 'be_users') {
return;
}
// Existing record, nothing to change
if (MathUtility::canBeInterpretedAsInteger($id)) {
return;
}
if ($dataHandler->isImporting) {
return;
}
if (!isset($incomingFieldArray['password']) || (string)$incomingFieldArray['password'] === '') {
$incomingFieldArray['password'] = GeneralUtility::hmac($id, $this->random->generateRandomBytes(20));
}
if (!isset($incomingFieldArray['username']) || (string)$incomingFieldArray['username'] === '') {
$incomingFieldArray['username'] = 'autogenerated-' . GeneralUtility::shortMD5($id);
}
}
}
9 changes: 5 additions & 4 deletions Configuration/TCA/be_users.php
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,7 @@
'invertStateDisplay' => true
],
],
'default' => 1,
]
],
'disableIPlock' => [
Expand Down Expand Up @@ -381,26 +382,26 @@
'types' => [
'0' => ['showitem' => '
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:general,
admin, username, password, avatar, usergroup, realName, email, lang, lastlogin,
disable, admin, username, password, avatar, usergroup, realName, email, lang, lastlogin,
--div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_users.tabs.rights,
userMods, allowed_languages,
--div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_users.tabs.mounts_and_workspaces,
workspace_perms, db_mountpoints, options, file_mountpoints, file_permissions, category_perms,
--div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_users.tabs.options,
lockToDomain, disableIPlock, TSconfig,
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:access,
disable,--palette--;;timeRestriction,
--palette--;;timeRestriction,
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:notes,
description,
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:extended,
'],
'1' => ['showitem' => '
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:general,
admin, username, password, avatar, usergroup, realName, email, lang, lastlogin,
disable, admin, username, password, avatar, usergroup, realName, email, lang, lastlogin,
--div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_users.tabs.options,
disableIPlock, TSconfig, db_mountpoints, options, file_mountpoints,
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:access,
disable,--palette--;;timeRestriction,
--palette--;;timeRestriction,
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:notes,
description,
--div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:extended,
Expand Down
1 change: 1 addition & 0 deletions ext_localconf.php
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class;
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Hooks\BackendUserGroupIntegrityCheck::class;
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Hooks\BackendUserPasswordCheck::class;
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/alt_doc.php']['makeEditForm_accessCheck'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class . '->isAllowedToShowEditForm';
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tceforms_inline.php']['checkAccess'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class . '->isAllowedToShowEditForm';
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['checkModifyAccessList'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class;
Expand Down

0 comments on commit 1e0c7a6

Please sign in to comment.