[TYPO3-dev] Services architecture

[Christian Lerrahn]

On Thu, 24 Mar 2011 10:29:53 +0200
Dmitry Dulepov <dmitry.dulepov at gmail.com> wrote:

> Hi!
> 
> Christian Lerrahn (Cerebrum) wrote:
> > Now, I was rather puzzled (and to be honest a bit shocked) when I
> > found out that rsaauth calls the basic authentication services
> > again instead of just exiting to pass the decrypted password down
> > the chain.
> 
> You never know who is watching for the decrypted password. The safer
> way was to call the basic auth from the rsaauth. In that case clear
> text password only visible to those to whom it is necessary.

Yes. To a degree I can understand that. But then again, if you cannot
trust the services and the core, you have a problem, anyway, right.
After all, if I can inject a service to read the password after it has
been decrypted by rsaauth, I can alos inject a service which comes in
before rsaauth and just calls rsaauth for decryption.

I don't really see an increased security risk if not caused by an
additional buggy service. However, if I add a buggy service to my
TYPO3 install, I have compromised security even if rsaauth is careful.
So, I can't see how the risk becomes any more significant as a result of
passing the decrypted password on to the remaining service chain.

> > This gets even worse when saltedpasswords duplicates rsaauth code to
> > decrypt the password before it checks it against the stored password
> > hash.
> 
> I never reviewed the code of that extension, so I cannot comment. Is
> it really a duplicate or it is a call to rsaauth?
> 

It is a call to rsaauth but it checks first if the password is rsaauth
encrypted or not. Calling it a duplicate probably went a bit too far ut
even a call results in the fragility I outlined in my original post.

Cheers,
Christian