[SECURITY] Do not disclose encryptionKey via InstallTool

The encryptionKey is a secret that must never be sent within any request, therefore it is now dropped from the editing interface in "Configure Installation-Wide Options". Resolves: #103046 Releases: main, 13.0, 12.4, 11.5 Change-Id: I260a8a2e9af29908543dfe48ac3658d8c45cc440 Security-Bulletin: TYPO3-CORE-SA-2024-004 Security-References: CVE-2024-25119 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82942 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Feb 13, 2024 · fa12667 · fa12667
1 parent c7a135c
commit fa12667
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 5 deletions.
diff --git a/typo3/sysext/core/Classes/Configuration/ConfigurationManager.php b/typo3/sysext/core/Classes/Configuration/ConfigurationManager.php
@@ -78,6 +78,7 @@ class ConfigurationManager
  'EXTCONF',
  'DB',
  'SYS/caching/cacheConfigurations',
+ 'SYS/encryptionKey',
  'SYS/session',
  'EXTENSIONS',
  ];

diff --git a/typo3/sysext/core/Classes/Log/Writer/FileWriter.php b/typo3/sysext/core/Classes/Log/Writer/FileWriter.php
@@ -68,7 +68,10 @@ public function __construct(array $options = [])
  {
  // the parent constructor reads $options and sets them
  parent::__construct($options);
- if (empty($options['logFile'])) {
+ if (empty($options['logFile']) &&
+ // omit logging if TYPO3 has not been configured (avoid creating a guessable filename)
+ ($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '') !== ''
+ ) {
  $this->setLogFile($this->getDefaultLogFileName());
  }
  }
@@ -78,6 +81,9 @@ public function __construct(array $options = [])
  */
  public function __destruct()
  {
+ if ($this->logFile === '') {
+ return;
+ }
  self::$logFileHandlesCount[$this->logFile]--;
  if (self::$logFileHandlesCount[$this->logFile] <= 0) {
  $this->closeLogFile();
@@ -132,6 +138,10 @@ public function getLogFile(): string
  */
  public function writeLog(LogRecord $record)
  {
+ if ($this->logFile === '') {
+ return $this;
+ }
+
  $data = '';
  $context = $record->getData();
  $message = $record->getMessage();

diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -83,7 +83,6 @@
  ],
  'createGroup' => '',
  'sitename' => 'TYPO3',
- 'encryptionKey' => '',
  'cookieDomain' => '',
  'trustedHostsPattern' => 'SERVER_NAME',
  'devIPmask' => '127.0.0.1,::1',

diff --git a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
@@ -80,9 +80,6 @@ SYS:
  sitename:
  type: text
  description: 'Name of the base-site.'
- encryptionKey:
- type: text
- description: 'This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuilt with the new key.'
  cookieDomain:
  type: text
  description: 'Restricts the domain name for FE and BE session cookies. When setting the value to ".domain.com" (replace domain.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. <code>/\.(example1|example2)\.com$/</code> or <code>/\.(example1\.com)|(example2\.net)$/</code>. Separate domains for FE and BE can be set using <a href="#FE-cookieDomain">$TYPO3_CONF_VARS[''FE''][''cookieDomain'']</a> and <a href="#BE-cookieDomain">$TYPO3_CONF_VARS[''BE''][''cookieDomain'']</a> respectively.'

diff --git a/typo3/sysext/core/Tests/UnitDeprecated/Cache/Backend/PdoBackendTest.php b/typo3/sysext/core/Tests/UnitDeprecated/Cache/Backend/PdoBackendTest.php
@@ -36,6 +36,18 @@ class PdoBackendTest extends UnitTestCase
  */
  protected $resetSingletonInstances = true;
 
+ protected function setUp(): void
+ {
+ parent::setUp();
+ $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'secret-encryption-key-test';
+ }
+
+ protected function tearDown(): void
+ {
+ unset($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
+ parent::tearDown();
+ }
+
  /**
  * @test
  */

diff --git a/typo3/sysext/frontend/Tests/UnitDeprecated/ContentObject/ContentObjectRendererTest.php b/typo3/sysext/frontend/Tests/UnitDeprecated/ContentObject/ContentObjectRendererTest.php
@@ -121,6 +121,8 @@ protected function setUp(): void
  {
  parent::setUp();
 
+ $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'secret-encryption-key-test';
+
  $site = $this->createSiteWithLanguage([
  'base' => '/',
  'languageId' => 2,
@@ -172,6 +174,12 @@ protected function setUp(): void
  $this->subject->start([], 'tt_content');
  }
 
+ protected function tearDown(): void
+ {
+ unset($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);
+ parent::tearDown();
+ }
+
  /**
  * @return array
  */