[TYPO3-core] RFC #13754: Secure Install Tool Login

Bernhard Kraft kraftb at think-open.at
Sat Mar 6 20:52:21 CET 2010


Xavier Perseguers wrote:

> By reading, there seems to be a test whether this is activated or not.

Yes. If rsaauth and/or saltedpasswords is not installed, the install 
tool login will behave like before.


> However, by reading, it cannot work as you have at least one typo:
> 
> $fomrStart instead of $fo*rm*Start but using $formStart (no typo) a few 
> lines after the initialization.

That's in the "alterPasswordForm". This is used for changing the 
password from within the install tool. The line you mentioned is used 
when no rsaauth extension is used. I have to admit I did not test 
changing passwords after disabling rsaauth.

I first wanted to see if this feature is something wanted or if I am 
just wasting my time.



> *typo3/sysext/saltedpasswords/sv1/class.tx_saltedpasswords_sv1.php*:
> 
> $GLOBALS['TYPO3_DB']->exec_UPDATEquery( 'be_users', sprintf('uid = %u', 
> $uid), $updateFields);

This is not my code - I just changed the indent. The original author 
should take care of this. I mean I can correct this - but AFAIR one 
must not worry about CGL issues committed by someone else in code 
around my changes ... else I would have to fix all CGL issues made by 
someone else!!!



> *typo3/sysext/install/mod/class.tx_install.php*:
> 
> - single line test instead of using {}

AFAIK you should NEVER make single line tests without using curly 
braces. Else you could run into the dangling else problem:

http://en.wikipedia.org/wiki/Dangling_else


> - using "true" and "false" instead of "TRUE" and "FALSE"

I have not read the CGL in a long time. 3 years ago this wasn't important :)



> $passwordOk = ($this->hashedPassword === 
> $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword']);

I did not know this is allowed according to the CGL. I find the other 
more readable.


> - Using == instead of === at many places

Usually I know when I want to do a strongly-typed compare.
I know that

// loose comparison: the non-numeric string is cast to integer 0 (PHP 5/7 semantics)
if ("bla" == 0) {
	echo "is true!";
}

which one usually does not expect. I usually think about my "==" 
compares and use "===" only when it is required. Are there any 
preferences by the CGL? Which of the two is faster?


> *typo3/sysext/rsaauth/hooks/class.tx_rsaauth_loginformhook.php*:
> 
> - Signature of getLoginFormTag was changed to remove the type hint of 
> second parameter (I guess it's needed?) but the PHPdoc was not updated
> - Same for getLoginScripts

I will fix the phpdoc.



greets,
Bernhard
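Added example (not part of the RFC patch or the TYPO3 code base) showing why the strict `===` in the quoted `$passwordOk` line matters, and how the `"bla" == 0` case above arises from the same loose-comparison rules. The hash strings are constructed sample values and `installToolPasswordOk()` is a hypothetical helper, not the install tool's own function:

```php
<?php
// Loose comparison (==): when both operands are numeric strings, PHP compares
// them as numbers. Every string of the form "0e<digits>" is numerically 0,
// so two different hash-like strings compare as equal under ==.
$storedHash    = '0e1234567890';   // constructed sample value
$submittedHash = '0e0987654321';   // constructed sample value, a different string

// Loose comparison reports these two distinct strings as equal; strict
// comparison (===) compares type and content and reports them as different.
var_dump($storedHash == $submittedHash);
var_dump($storedHash === $submittedHash);

// The "bla" == 0 case from the mail is the same mechanism: under PHP 5/7 a
// non-numeric string is cast to integer 0 before comparing (PHP 8 changed this).
var_dump("bla" == 0);

/**
 * Hypothetical helper: compare the submitted (already hashed) password with the
 * configured install tool password without type juggling.
 */
function installToolPasswordOk($hashedPassword, $configuredPassword) {
    // Reject anything that is not a string so no cast can happen at all.
    if (!is_string($hashedPassword) || !is_string($configuredPassword)) {
        return false;
    }
    // hash_equals() (PHP >= 5.6) is strict and also constant-time; fall back
    // to === on older PHP, which is the strict comparison the review asked for.
    if (function_exists('hash_equals')) {
        return hash_equals($configuredPassword, $hashedPassword);
    }
    return $hashedPassword === $configuredPassword;
}

// Distinct hashes are rejected, the matching hash is accepted.
var_dump(installToolPasswordOk($submittedHash, $storedHash));
var_dump(installToolPasswordOk($storedHash, $storedHash));
```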

