[TYPO3-core] RFC #13754: Secure Install Tool Login
Bernhard Kraft
kraftb at think-open.at
Sat Mar 6 21:57:06 CET 2010
Xavier Perseguers wrote:
Hello Xavier!
I took care of all issues mentioned by you. Attached is a new
version. I also tested it without rsaauth and saltedpasswords now, and
after a small modification of the "alterPassword" form everything works
like before.
I have to add that right now the install tool password gets transmitted
PLAINTEXT! So this compromises all security measures taken with BE
challenge / response login, etc ... just to note this "feature" is not
just a usability feature but a security improvement.
> $fomrStart instead of $fo*rm*Start but using $formStart (no typo) a few
> lines after the initialization.
fixed.
> Furthermore, there's quite a lot of problems with current CGL and a few
> "no-common" stuff.
As I already mentioned I did not read the updated CGL for a long time.
> $GLOBALS['TYPO3_DB']->exec_UPDATEquery( 'be_users', sprintf('uid = %u',
> $uid), $updateFields);
>
> - using sprintf instead of simple concatenate (not wrong but
> personally
> never seen in Core)
I fixed this, although those lines were already there like this before.
I guess the sprintf was used to fill in uid as an unsigned int. I
achieved this by using abs(intval()).
> - single line test instead of using {}
where?
> - using "true" and "false" instead of "TRUE" and "FALSE"
fixed.
> - useless use of ternary if operator:
fixed.
> - Signature of getLoginFormTag was changed to remove the type hint of
> second parameter (I guess it's needed?) but the PHPdoc was not updated
> - Same for getLoginScripts
fixed and also added missing phpDoc for getLoginFormTag
greets,
Bernhard