Bug #36244
closed
Status report shows security warning after Scheduler "Convert user passwords to salted hashes (saltedpasswords)"
100%
Description
After excecution of the Scheduler Job "Convert user passwords to salted hashes (saltedpasswords)" the status report still reports not converted passwords.
The reason of the message was, that there was a deleted user. His password was not converted be the job, but the report detects the missing salted password. After deleting the user directly in the database the security warning was gone.
Solution would be to change the report (don't look for deleted users) or to change the job.
Updated by Martin Hartung about 12 years ago
A similiar issue is, that all "_cli_" accounts do not have passwords and will neither satisfy the reports-module.
This should also be taken in account when patching the extension.
Updated by Kay Strobach almost 12 years ago
i also found out, that it's really simple to patch => users with empty password should simply get a password set during the conversion!, so the problem is more a false conversion, than a false display of information.
please see class.tx_saltedpasswords_tasks_bulkupdate.php around line 194
if (strlen($password) > 2 && (t3lib_div::isFirstPartOfStr($password, 'C$') || t3lib_div::isFirstPartOfStr($password, 'M$'))) {
// Cut off M or C and test if we have a salted hash
$isSaltedHash = tx_saltedpasswords_salts_factory::determineSaltingHashingMethod(substr($password, 1));
}
we should add something like this directly after the above code:
if (strlen(trim($password)) === 0) {
$password = $this->generateSecurePassword(); //use randomizer here
$isSaltedHash = false;
}
Updated by Kay Strobach almost 12 years ago
suggested way of generating passwords
https://defuse.ca/generating-random-passwords.htm
alternativly we could generate the password with md5(time()) AND disable the user afterwards ;) as this would be insecure.
Updated by Gerrit Code Review over 10 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421
Updated by Gerrit Code Review over 10 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421
Updated by Gerrit Code Review over 10 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421
Updated by Gerrit Code Review over 10 years ago
Patch set 1 for branch TYPO3_6-1 has been pushed to the review server.
It is available at https://review.typo3.org/23432
Updated by Gerrit Code Review over 10 years ago
Patch set 1 for branch TYPO3_6-0 has been pushed to the review server.
It is available at https://review.typo3.org/23433
Updated by Gerrit Code Review over 10 years ago
Patch set 1 for branch TYPO3_4-7 has been pushed to the review server.
It is available at https://review.typo3.org/23434
Updated by Gerrit Code Review over 10 years ago
Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at https://review.typo3.org/23435
Updated by Nicole Cordes over 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset ef0e02a62079997b8690d5aad5c04a477aab5e58.
Updated by Kay Strobach over 10 years ago
how can it be applied without a review? - anyway thanks
Updated by