Project

General

Profile

Actions
Copy link

Bug #33034

closed

Scheduler task "bulk update" does not start if BE uses SSL

Added by Michael Schams almost 13 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Authentication
Target version:
-
Start date:
2012-01-08
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.6
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

The sys extension "saltedpassword" offers a scheduler task that converts old passwords (e.g. MD5) to salted passwords (e.g. salted MD5) of FE and BE users.

This scheduler task "bulk update" does not start for BE users if BE is configured to use SSL (https) due to an explicit if() condition in file typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php

How to reproduce
Tested with TYPO3 Introduction package version 4.5.10. Setup Introduction Package, install "saltedpasswords" extension (depends on "rsaauth"). Set "loginSecurityLevel" for FE and BE appropriately (e.g. "rsa", but not "normal").

In the DB, password of BE users are still represented as their MD5 hashes:
mysql -u -p <database> -e "SELECT uid, username, password FROM be_users"

In "typo3conf/localconf.php" set $TYPO3_CONF_VARS['BE']['lockSSL'] = 2
Go to "Scheduler" and execute task "Convert user passwords to salted hashes (saltedpasswords)" manually (note: in this instance, it does not matter if you execute this task manually or via a cronjob).

Passwords of all BE users are still MD5 hashes (not salted MD5, as expected):
mysql -u -p <database> -e "SELECT uid, username, password FROM be_users"

Further discussions
Based on a thread in the German TYPO3 mailinglist:
http://lists.typo3.org/pipermail/typo3-german/2011-December/082494.html
Followed up in January 2012:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082590.html
Problem analysis:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082638.html
Confirmation of solution:
http://lists.typo3.org/pipermail/typo3-german/2012-January/082643.html

Problem description
In file typo3/sysext/saltedpasswords/classes/tasks/class.tx_saltedpasswords_tasks_bulkupdate.php
method "execute()" requires isUsageEnabled==TRUE:

if (tx_saltedpasswords_div::isUsageEnabled($mode)) { ... }

In file typo3/sysext/saltedpasswords/classes/class.tx_saltedpasswords_div.php
this method shows the following code fragment:

$securityLevel = $GLOBALS['TYPO3_CONF_VARS'][$mode]['loginSecurityLevel'];
if ($mode == 'BE' && $extConf['enabled']) {
  return (($securityLevel == 'normal' && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] > 0) || $securityLevel == 'rsa');
}

Which means, if lockSSL is enabled and loginSecurityLevel is set to "rsa" (which would be the standard and recommended setup), method isUsageEnabled() returns FALSE. This leads to the result that the scheduler task for bulk updating the BE passwords will never run. However, a SSL-protected BE in combination with saltedpasswords should be a valid scenario.

Actions
Copy link

Also available in: Atom PDF