Bug #33034
Scheduler task "bulk update" does not start if BE uses SSL
Status: closed
Done: 0%
Description
The sys extension "saltedpassword" offers a scheduler task that converts old passwords (e.g. MD5) to salted passwords (e.g. salted MD5) of FE and BE users.
This scheduler task "bulk update" does not start for BE users if BE is configured to use SSL (https) due to an explicit if() condition in file typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php
How to reproduce
Tested with TYPO3 Introduction Package version 4.5.10. Set up the Introduction Package, install the "saltedpasswords" extension (depends on "rsaauth"). Set "loginSecurityLevel" for FE and BE appropriately (e.g. "rsa", but not "normal").
In the DB, the passwords of BE users are still represented as their MD5 hashes:
mysql -u <user> -p <database> -e "SELECT uid, username, password FROM be_users"
In "typo3conf/localconf.php" set $TYPO3_CONF_VARS['BE']['lockSSL'] = 2
Go to "Scheduler" and execute task "Convert user passwords to salted hashes (saltedpasswords)" manually (note: in this instance, it does not matter if you execute this task manually or via a cronjob).
Passwords of all BE users are still MD5 hashes (not salted MD5, as expected):
mysql -u <user> -p <database> -e "SELECT uid, username, password FROM be_users"
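The before/after check in the steps above is done by eye on the output of the SELECT. The following script, added here as an example and not part of the original report or of the saltedpasswords extension, classifies the stored hash strings so the check can be repeated for every row: a bare 32-character hex string is a legacy unsalted MD5 hash and still needs conversion; strings with a "$1$" (salted MD5 / md5-crypt), "$P$" (phpass) or "$2a$" (Blowfish) prefix are assumed to be the salted formats the extension writes, which is an assumption about the hash formats, not something the report states. The rows are constructed sample data, not a dump of a real be_users table.

```python
import re
from collections import Counter

# Legacy TYPO3 password storage: plain MD5 of the password, 32 hex digits.
_PLAIN_MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Salted formats. ASSUMPTION: these are the three salt classes shipped with the
# saltedpasswords extension of that era; adjust if your installation differs.
_SALTED = [
    ("salted-md5", re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("phpass",     re.compile(r"^\$P\$[./0-9A-Za-z]{31}$")),
    ("blowfish",   re.compile(r"^\$2a\$\d{2}\$[./0-9A-Za-z]{53}$")),
]

# Constructed sample rows (uid, username, password) in the shape returned by
# "SELECT uid, username, password FROM be_users". Not real credentials.
SAMPLE_ROWS = [
    (1, "admin",    "5f4dcc3b5aa765d61d8327deb882cf99"),            # md5("password"), unsalted
    (2, "editor",   "$1$Ab3dEf9h$Zq8v.Tk3lL0bW9xN2fP7e1"),           # salted MD5 (md5-crypt)
    (3, "manager",  "$P$Cabcdefghij1k2l3m4n5o6p7q8r9s0t"),           # phpass
    (4, "legacy",   "21232f297a57a5a743894a0e4a801fc3"),             # md5("admin"), unsalted
    (5, "_cli_job", ""),                                              # no password set
    (6, "bcrypt",   "$2a$07$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),  # Blowfish
]


def classify_hash(stored):
    """Return the storage format of one password column value."""
    if not stored:
        return "empty"
    if _PLAIN_MD5.match(stored):
        return "md5-unsalted"
    for name, pattern in _SALTED:
        if pattern.match(stored):
            return name
    return "unknown"


def unsalted_uids(rows):
    """uids whose password is still a plain MD5 hash, i.e. not yet converted."""
    return [uid for uid, _user, pw in rows if classify_hash(pw) == "md5-unsalted"]


def summarize(rows):
    """Count of rows per storage format; the table to compare before and after the task."""
    return dict(Counter(classify_hash(pw) for _uid, _user, pw in rows))


def bulk_update_ran(before_rows, after_rows):
    """True if the bulk update converted at least one unsalted hash."""
    return len(unsalted_uids(after_rows)) < len(unsalted_uids(before_rows))


if __name__ == "__main__":
    for uid, user, pw in SAMPLE_ROWS:
        print(f"{uid:>3} {user:<10} {classify_hash(pw)}")
    print("summary:", summarize(SAMPLE_ROWS))
    print("still unsalted:", unsalted_uids(SAMPLE_ROWS))
```

Run it once before and once after executing the scheduler task; if the "md5-unsalted" count (or the uid list) does not shrink, the task did not process BE users, which is exactly the symptom reported here. The same first-pass filter can be done in MySQL with `WHERE password REGEXP '^[0-9a-f]{32}$'`; the script only adds the per-format breakdown.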
Further discussions
Based on a thread in the German TYPO3 mailing list:
http://lists.typo3.org/pipermail/typo3-german/2011-December/082494.html
Followed up in January 2012:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082590.html
Problem analysis:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082638.html
Confirmation of solution:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082643.html
Problem description
In file typo3/sysext/saltedpasswords/classes/tasks/class.tx_saltedpasswords_tasks_bulkupdate.php
method "execute()" requires isUsageEnabled==TRUE:
if (tx_saltedpasswords_div::isUsageEnabled($mode)) { ... }
In file typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php
method "isUsageEnabled()" contains the following code fragment:
$securityLevel = $GLOBALS['TYPO3_CONF_VARS'][$mode]['loginSecurityLevel'];
if ($mode == 'BE' && $extConf['enabled']) {
    return (($securityLevel == 'normal' && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] > 0) || $securityLevel == 'rsa');
}
This means that if lockSSL is enabled and loginSecurityLevel is set to "rsa" (which would be the standard and recommended setup), method isUsageEnabled() returns FALSE. As a result, the scheduler task for bulk updating the BE passwords never runs. However, an SSL-protected BE in combination with saltedpasswords should be a valid scenario.