[SECURITY] Do not disclose encryptionKey via InstallTool
The encryptionKey is a secret that must never be sent within any
request, therefore it is now dropped from the editing interface in
"Configure Installation-Wide Options".

The log file writer has been adapted to be aware of the fact that the
encryption key might not be set when TYPO3 has not yet been installed
(which is the case when `vendor/bin/typo3 setup` is executed).

Resolves: #103046
Releases: main, 13.0, 12.4, 11.5
Change-Id: I260a8a2e9af29908543dfe48ac3658d8c45cc440
Security-Bulletin: TYPO3-CORE-SA-2024-004
Security-References: CVE-2024-25119
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82954
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
bnf authored and ohader committed Feb 13, 2024
1 parent 1186b2f commit 14d1013
Showing 4 changed files with 12 additions and 5 deletions.
Expand Up @@ -69,6 +69,7 @@ class ConfigurationManager
'EXTCONF',
'DB',
'SYS/caching/cacheConfigurations',
'SYS/encryptionKey',
'SYS/session',
'EXTENSIONS',
];
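Review bot: The new `'SYS/encryptionKey'` entry carries no comment explaining why it belongs in this list, and the reason is not obvious from the entry itself. Since this commit also removes the `'encryptionKey' => ''` default from DefaultConfiguration.php, the path presumably has to be listed here so the key can still be written when no default exists; a trailing comment such as `// no default value exists; set during installation` would record that coupling. The array starts above the hunk, so its name and exact role are inferred and should be confirmed against the property's docblock.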
12 changes: 11 additions & 1 deletion typo3/sysext/core/Classes/Log/Writer/FileWriter.php
Expand Up @@ -66,7 +66,10 @@ public function __construct(array $options = [])
{
// the parent constructor reads $options and sets them
parent::__construct($options);
if (empty($options['logFile'])) {
if (empty($options['logFile']) &&
// omit logging if TYPO3 has not been configured (avoid creating a guessable filename)
($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '') !== ''
) {
$this->setLogFile($this->getDefaultLogFileName());
}
}
Expand All @@ -76,6 +79,9 @@ public function __construct(array $options = [])
*/
public function __destruct()
{
if ($this->logFile === '') {
return;
}
self::$logFileHandlesCount[$this->logFile]--;
if (self::$logFileHandlesCount[$this->logFile] <= 0) {
$this->closeLogFile();
Expand Down Expand Up @@ -130,6 +136,10 @@ public function getLogFile(): string
*/
public function writeLog(LogRecord $record)
{
if ($this->logFile === '') {
return $this;
}

$data = '';
$context = $record->getData();
$message = $record->getMessage();
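Review bot: With an empty encryptionKey and no `logFile` option the writer becomes a silent no-op: the constructor skips `setLogFile()` and `writeLog()` returns early, so records emitted before configuration are dropped without any trace. Avoiding a predictable default file name is the right trade-off, but the `writeLog()` docblock should say so, e.g. `Records are discarded while no log file is set (TYPO3 not yet configured).`, so that missing setup logs are not mistaken for a fault. The `$this->logFile === ''` sentinel is also repeated in `__destruct()` and `writeLog()`; a small private helper such as `hasLogFile()` would keep it in one place. Any other method that uses `$this->logFile` lies outside these hunks and may need the same guard. All three method bodies shown continue beyond their hunks.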
1 change: 0 additions & 1 deletion typo3/sysext/core/Configuration/DefaultConfiguration.php
Expand Up @@ -89,7 +89,6 @@
],
'createGroup' => '',
'sitename' => 'TYPO3',
'encryptionKey' => '',
'cookieDomain' => '',
'trustedHostsPattern' => 'SERVER_NAME',
'devIPmask' => '127.0.0.1,::1',
Expand Up @@ -64,9 +64,6 @@ SYS:
sitename:
type: text
description: 'Name of the base-site.'
encryptionKey:
type: text
description: 'This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuilt with the new key.'
cookieDomain:
type: text
description: 'Restricts the domain name for FE and BE session cookies. When setting the value to ".domain.com" (replace domain.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. <code>/\.(example1|example2)\.com$/</code> or <code>/\.(example1\.com)|(example2\.net)$/</code>. Separate domains for FE and BE can be set using <a href="#FE-cookieDomain">$TYPO3_CONF_VARS[''FE''][''cookieDomain'']</a> and <a href="#BE-cookieDomain">$TYPO3_CONF_VARS[''BE''][''cookieDomain'']</a> respectively.'
