Bug #81936

Installtool Empty Password Error

Added by Renzo Bauen almost 5 years ago. Updated over 3 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Install Tool
Target version: -
Start date: 2017-07-20
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 8
PHP Version: 7.0
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Installtool throws an error if no password is provided.

PHP Warning: hash_equals(): Expected known_string to be a string, null given in /Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/saltedpasswords/Classes/Salt/Pbkdf2Salt.php line 111

It works fine with a correct or a wrong password, but not with an empty one.


Related issues

Related to TYPO3 Core - Bug #82147: Security status report gives error when install tool password is empty (Closed, 2017-08-21)

#1

Updated by Wouter Wolters almost 5 years ago

  • Status changed from New to Needs Feedback

For both actions in the Install Tool to set a password (Install Tool password and new admin account) there is a check in place to check for a minimal length of the given password of 8 characters.

Can you debug this in ImportantActions or give us a full stack trace?

#2

Updated by Renzo Bauen almost 5 years ago

Here you go:

TYPO3\CMS\Core\Error\Exception thrown in file
/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/core/Classes/Error/ErrorHandler.php in line 112.

9 TYPO3\CMS\Core\Error\ErrorHandler::handleError(2, "hash_equals(): Expected known_string to be a string, null given", "/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/saltedpasswords/Classes/Salt/Pbkdf2Salt.php", 111, array)

8 hash_equals(NULL, "$pbkdf2-sha256$25000$wtHEvZ3Ya.xHTLZaH48JNA$2NBpl2b6P7d/HC4zieDJBZ2MWhyyMyzl5xsgErjUxJ8")

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/saltedpasswords/Classes/Salt/Pbkdf2Salt.php:

00109: public function checkPassword($plainPW, $saltedHashPW)
00110: {

00111: return $this->isValidSalt($saltedHashPW) && \hash_equals($this->getHashedPassword($plainPW, $saltedHashPW), $saltedHashPW);

00112: }
00113:

7 TYPO3\CMS\Saltedpasswords\Salt\Pbkdf2Salt::checkPassword("", "$pbkdf2-sha256$25000$wtHEvZ3Ya.xHTLZaH48JNA$2NBpl2b6P7d/HC4zieDJBZ2MWhyyMyzl5xsgErjUxJ8")

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/install/Classes/Controller/AbstractController.php:

00218: $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
00219: if (is_object($saltFactory)) {

00220: $validPassword = $saltFactory->checkPassword($password, $installToolPassword);

00221: } elseif (md5($password) === $installToolPassword) {
00222: // Update install tool password

6 TYPO3\CMS\Install\Controller\AbstractController::loginIfRequested()

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/install/Classes/Controller/StepController.php:

00054: $this->checkSessionToken();
00055: $this->checkSessionLifetime();

00056: $this->loginIfRequested();

00057: $this->outputLoginFormIfNotAuthorized();
00058: $this->executeSpecificStep();

5 TYPO3\CMS\Install\Controller\StepController::execute()

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/install/Classes/Http/RequestHandler.php:

00061: $controllerClassName = \TYPO3\CMS\Install\Controller\StepController::class;
00062: }

00063: GeneralUtility::makeInstance($controllerClassName)->execute();

00064: }
00065:

4 TYPO3\CMS\Install\Http\RequestHandler::handleRequest(TYPO3\CMS\Core\Http\ServerRequest)

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/core/Classes/Core/Bootstrap.php:

00308:
00309: // Execute the command which returns a Response object or NULL

00310: $this->response = $requestHandler->handleRequest($request);

00311: return $this;
00312: }

3 TYPO3\CMS\Core\Core\Bootstrap::handleRequest(TYPO3\CMS\Core\Http\ServerRequest)

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/install/Classes/Http/Application.php:

00073: public function run(callable $execute = null)
00074: {

00075: $this->bootstrap->handleRequest(\TYPO3\CMS\Core\Http\ServerRequestFactory::fromGlobals());

00076:
00077: if ($execute !== null) {

2 TYPO3\CMS\Install\Http\Application::run()

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/install/Start/Install.php:

00101: call_user_func(function () {
00102: $classLoader = require __DIR__ . '/../../../../vendor/autoload.php';

00103: (new \TYPO3\CMS\Install\Http\Application($classLoader))->run();

00104: });

1 {closure}()

/Users/ba/WebSites/typo3_src-8.7.3/typo3/sysext/install/Start/Install.php:

00102: $classLoader = require __DIR__ . '/../../../../vendor/autoload.php';
00103: (new \TYPO3\CMS\Install\Http\Application($classLoader))->run();

00104: });

#3

Updated by Renzo Bauen almost 5 years ago

I have some different installations, one on a LINUX-Box, this works fine (same TYPO3 Version, same PHP, etc.). The one that is buggy is on a MacBook-Pro with mariadb.
The buggy Version was installed as 8.7.2 and then updated to 8.7.3 (core update in installtool).
But as I'm investigating, I found some problems with the apache installation.
Therefore please hold on. The source of the problem might be somewhere else... maybe in the apache config.
I will check this and give a reply here.

#4

Updated by Renzo Bauen almost 5 years ago

I could repeat the error:

1. Fresh Install of TYPO3 8.7.3 (PHP 7)
2. Go to Installtool, set Configuration Presets -> Debug settings to Debug
3. Log out and log in to the installtool, leaving the password blank
4. bam the error is thrown.

If you set the Configuration Presets -> Debug settings back to Live, the error is gone!

Best Regards
Renzo

#5

Updated by Oliver Hader almost 5 years ago

  • Status changed from Needs Feedback to Accepted
  • Priority changed from Must have to Should have

Confirmed in TYPO3_8-7 and master. Entering empty password results in #1476107295: PHP Warning: hash_equals(): Expected known_string to be a string, null given in master/typo3/sysext/saltedpasswords/Classes/Salt/Pbkdf2Salt.php line 111 using debug configuration preset. The live preset is catching the error throwable.
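
The failure mode confirmed above, as an added example that is not TYPO3 core code or the patch under review: a hashing routine that returns null for an empty password, the unguarded `hash_equals()` call beside a guarded one, and a handler that turns warnings into exceptions the way a debug setup does. The function names, the `$demo$` hash format and the sample values are assumptions made for illustration; it needs PHP 7.1 or later.

```php
<?php
// Constructed stand-in for a salted-hash routine (hypothetical, not TYPO3 code):
// like the call in the trace, it yields null instead of a hash for an empty password.
function hashPasswordOrNull(string $plain, string $salt): ?string
{
    if ($plain === '') {
        return null;
    }
    $raw = hash_pbkdf2('sha256', $plain, $salt, 25000, 32, true);
    return '$demo$' . $salt . '$' . base64_encode($raw);
}

// Pattern from the report: the possibly-null hash goes straight into hash_equals().
function checkPasswordUnguarded(string $plain, string $stored, string $salt): bool
{
    return hash_equals(hashPasswordOrNull($plain, $salt), $stored);
}

// Guarded form: a missing hash is a failed login, decided before the comparison.
function checkPasswordGuarded(string $plain, string $stored, string $salt): bool
{
    $candidate = hashPasswordOrNull($plain, $salt);
    return is_string($candidate) && hash_equals($stored, $candidate);
}

// Stand-in for a debug-style handler: every PHP warning becomes an exception.
set_error_handler(function (int $severity, string $message, string $file, int $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

$salt = 'constructed-salt';                             // constructed sample value
$stored = hashPasswordOrNull('correct horse', $salt);   // constructed stored hash

foreach (['correct horse', 'wrong guess', ''] as $attempt) {
    try {
        $unguarded = var_export(checkPasswordUnguarded($attempt, $stored, $salt), true);
    } catch (Throwable $e) {
        // PHP 7: ErrorException raised from the E_WARNING; PHP 8: TypeError from hash_equals().
        $unguarded = get_class($e);
    }
    $guarded = var_export(checkPasswordGuarded($attempt, $stored, $salt), true);
    printf("attempt=%-16s unguarded=%-15s guarded=%s\n", var_export($attempt, true), $unguarded, $guarded);
}
```

Only the empty attempt diverges: the unguarded check ends in an exception while the guarded check returns false, so the login form can reject it like any other wrong password.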

#6

Updated by Gerrit Code Review almost 5 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53613

#7

Updated by Gerrit Code Review almost 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53613

#8

Updated by Gerrit Code Review almost 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53613

#9

Updated by Gerrit Code Review almost 5 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/53628

#10

Updated by Markus Hölzle almost 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#11

Updated by Frans Saris almost 5 years ago

  • Related to Bug #82147: Security status report gives error when install tool password is empty added

#12

Updated by Benni Mack over 3 years ago

  • Status changed from Resolved to Closed
