Bug #33034
closed
Scheduler task "bulk update" does not start if BE uses SSL
0%
Description
The sys extension "saltedpassword" offers a scheduler task that converts old passwords (e.g. MD5) to salted passwords (e.g. salted MD5) of FE and BE users.
This scheduler task "bulk update" does not start for BE users if BE is configured to use SSL (https) due to an explicit if() condition in file typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php
How to reproduce
Tested with TYPO3 Introduction package version 4.5.10. Setup Introduction Package, install "saltedpasswords" extension (depends on "rsaauth"). Set "loginSecurityLevel" for FE and BE appropriately (e.g. "rsa", but not "normal").
In the DB, password of BE users are still represented as their MD5 hashes:mysql -u -p <database> -e "SELECT uid, username, password FROM be_users"
In "typo3conf/localconf.php" set $TYPO3_CONF_VARS['BE']['lockSSL'] = 2
Go to "Scheduler" and execute task "Convert user passwords to salted hashes (saltedpasswords)" manually (note: in this instance, it does not matter if you execute this task manually or via a cronjob).
Passwords of all BE users are still MD5 hashes (not salted MD5, as expected):mysql -u -p <database> -e "SELECT uid, username, password FROM be_users"
Further discussions
Based on a thread in the German TYPO3 mailinglist:
http://lists.typo3.org/pipermail/typo3-german/2011-December/082494.html
Followed up in January 2012:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082590.html
Problem analysis:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082638.html
Confirmation of solution:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082643.html
Problem description
In file typo3/sysext/saltedpasswords/classes/tasks/class.tx_saltedpasswords_tasks_bulkupdate.php
method "execute()" requires isUsageEnabled==TRUE:
if (tx_saltedpasswords_div::isUsageEnabled($mode)) { ... }
In file typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php
this method shows the following code fragment:
$securityLevel = $GLOBALS['TYPO3_CONF_VARS'][$mode]['loginSecurityLevel'];
if ($mode == 'BE' && $extConf['enabled']) {
return (($securityLevel == 'normal' && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] > 0) || $securityLevel == 'rsa');
}
Which means, if lockSSL is enabled and loginSecurityLevel is set to "rsa" (which would be the standard and recommended setup), method isUsageEnabled() returns FALSE. This leads to the result that the scheduler task for bulk updating the BE passwords will never run. However, a SSL-protected BE in combination with saltedpasswords should be a valid scenario.
Updated by Michael Schams over 12 years ago
Hmmmmmm... I would like to clarify one thing (and maybe correct myself): the current condition means, if SSL is enabled, you have to have $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = 'normal'. Every other value for loginSecurityLevel would prevent the scheduler to run.
$securityLevel == 'normal' && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] > 0
The question is, are any other setups legitimate and/or possible (e.g. loginSecurityLevel = 'rsa')? If yes, then the condition might be wrong. If no, it would make sense to prevent such a misconfiguration or at least add a log entry reporting an issue with the password conversion.
Updated by Steffen Gebert over 12 years ago
- Project changed from 568 to TYPO3 Core
- Category deleted (
355)
Updated by Steffen Gebert over 12 years ago
- Category set to Authentication
- TYPO3 Version set to 4.6
Updated by Wouter Wolters over 9 years ago
- Status changed from New to Needs Feedback
- Is Regression set to No
Hi,
as this issue is very old. Does the problem still exists within newer versions of TYPO3 CMS (6.2.9)?
Updated by Michael Schams over 9 years ago
I think we can close this ticket. I just re-tested the issue in a fresh, clean TYPO3 CMS 6.2.9 instance and I can't reproduce the problem.
Also, the classes have been re-worked since then and the source fragments I quoted originally have changed significantly.
For our reference:
Method isUsageEnabled() is in TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility now.
Updated by Wouter Wolters over 9 years ago
- Status changed from Needs Feedback to Closed