From 13ad20d2386e54c391b9f82ec5e3e3525064b040 Mon Sep 17 00:00:00 2001
From: Georg Ringer <georg.ringer@gmail.com>
Date: Thu, 19 Nov 2015 21:18:34 +0100
Subject: [PATCH] [SECURITY][TASK] Blind more options in the configuration
 module

The database credentials should not be shown in the configuration module.

Change-Id: I6037f343d9e6932e1293e463fe513e793e948762
Resolves: #71706
Resolves: #68905
Releases: master, 6.2
Reviewed-on: https://review.typo3.org/44807
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Martin Kutschker <martin.kutschker@ymail.com>
Tested-by: Martin Kutschker <martin.kutschker@ymail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
---
 .../Classes/View/ConfigurationView.php        | 31 ++++++++++++++++---
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/lowlevel/Classes/View/ConfigurationView.php b/typo3/sysext/lowlevel/Classes/View/ConfigurationView.php
index 64c6bc8a8d12..b158a2334bd4 100644
--- a/typo3/sysext/lowlevel/Classes/View/ConfigurationView.php
+++ b/typo3/sysext/lowlevel/Classes/View/ConfigurationView.php
@@ -49,6 +49,27 @@ class ConfigurationView extends BaseScriptClass
      */
     protected $moduleTemplate;
 
+    /**
+     * Blind configurations which should not be visible
+     *
+     * @var array
+     */
+    protected $blindedConfigurationOptions = [
+        'TYPO3_CONF_VARS' => [
+            'DB' => [
+                'database' => '******',
+                'host' => '******',
+                'password' => '******',
+                'port' => '******',
+                'socket' => '******',
+                'username' => '******'
+            ],
+            'SYS' => [
+                'encryptionKey' => '******'
+            ]
+        ]
+    ];
+
     /**
      * Constructor
      */
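Review bot: The docblock on `$blindedConfigurationOptions` only says "Blind configurations which should not be visible"; since this array is now the single place that decides what the module leaks, it should state the contract: nesting mirrors `$GLOBALS['TYPO3_CONF_VARS']` and each leaf value replaces the real one. Suggested wording: `Options whose real values are replaced by a placeholder before the tree is rendered. Keys mirror the nesting of $GLOBALS['TYPO3_CONF_VARS']; every leaf listed here overwrites the live value via ArrayUtility::mergeRecursiveWithOverrule(), so add further credential-bearing options here rather than special-casing them in the rendering code.` Only `DB` and `SYS/encryptionKey` are covered; any other credential-bearing entries under TYPO3_CONF_VARS in this version (mail transport passwords, proxy authentication, API keys in extension configuration, if present) are still rendered in clear and deserve at least a note here or a follow-up.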
@@ -175,7 +196,7 @@ class ConfigurationView extends BaseScriptClass
         // Update node:
         $update = 0;
         $node = GeneralUtility::_GET('node');
-        // If any plus-signs were clicked, it's registred.
+        // If any plus-signs were clicked, it's registered.
         if (is_array($node)) {
             $this->MOD_SETTINGS['node_' . $this->MOD_SETTINGS['function']] = $arrayBrowser->depthKeys($node, $this->MOD_SETTINGS['node_' . $this->MOD_SETTINGS['function']]);
             $update = 1;
@@ -193,9 +214,11 @@ class ConfigurationView extends BaseScriptClass
         if (GeneralUtility::_POST('search') && trim($search_field)) {
             $arrayBrowser->depthKeys = $arrayBrowser->getSearchKeys($theVar, '', $search_field, array());
         }
-        // mask the encryption key to not show it as plaintext in the configuration module
-        if ($theVar == $GLOBALS['TYPO3_CONF_VARS']) {
-            $theVar['SYS']['encryptionKey'] = '***** (length: ' . strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) . ' characters)';
+
+        // mask sensitive information
+        $varName = trim($arrayBrowser->varName, '$');
+        if (isset($this->blindedConfigurationOptions[$varName])) {
+            ArrayUtility::mergeRecursiveWithOverrule($theVar, $this->blindedConfigurationOptions[$varName]);
         }
         $tree = $arrayBrowser->tree($theVar, '', '');
         $this->view->assign('tree', $tree);
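Review bot: The masking added at the end of this hunk runs after `getSearchKeys($theVar, '', $search_field, array())` has already walked the unmasked `$theVar`, so a backend user can submit the search form with a guessed fragment and learn from which nodes expand whether the DB password or encryption key contains it — a substring oracle on the very values the commit hides (assuming, as the search feature implies, that getSearchKeys matches on values and not only keys). Move the blinding block above the search branch so the search runs against the already-masked array. Since `mergeRecursiveWithOverrule` adds missing keys by default, options absent from the live config (e.g. `socket`) will also be shown as `******`; pass `false` for its `$addKeys` parameter if that is not intended. `ArrayUtility` is referenced here without a `use` import visible in this patch — confirm the file already imports it. The enclosing method starts and ends outside this hunk.
```php
        // mask sensitive information BEFORE the search runs, so that searching
        // for a fragment of a secret cannot reveal whether it matches
        $varName = trim($arrayBrowser->varName, '$');
        if (isset($this->blindedConfigurationOptions[$varName])) {
            ArrayUtility::mergeRecursiveWithOverrule($theVar, $this->blindedConfigurationOptions[$varName]);
        }
        if (GeneralUtility::_POST('search') && trim($search_field)) {
            $arrayBrowser->depthKeys = $arrayBrowser->getSearchKeys($theVar, '', $search_field, array());
        }
        // … unchanged: tree rendering and view assignment …
```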
-- 
GitLab