[SECURITY][TASK] Blind more options in the configuration module

The database credentials should not be shown in the configuration module. Change-Id: I6037f343d9e6932e1293e463fe513e793e948762 Resolves: #71706 Resolves: #68905 Releases: master, 6.2 Reviewed-on: https://review.typo3.org/44807 Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Tested-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Martin Kutschker <martin.kutschker@ymail.com> Tested-by: Martin Kutschker <martin.kutschker@ymail.com> Reviewed-by: Georg Ringer <georg.ringer@gmail.com> Tested-by: Georg Ringer <georg.ringer@gmail.com>

[SECURITY][TASK] Blind more options in the configuration module
The database credentials should not be shown in the configuration module. Change-Id: I6037f343d9e6932e1293e463fe513e793e948762 Resolves: #71706 Resolves: #68905 Releases: master, 6.2 Reviewed-on: https://review.typo3.org/44807 Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Tested-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Martin Kutschker <martin.kutschker@ymail.com> Tested-by: Martin Kutschker <martin.kutschker@ymail.com> Reviewed-by: Georg Ringer <georg.ringer@gmail.com> Tested-by: Georg Ringer <georg.ringer@gmail.com>
13ad20d2 · Georg Ringer · 2aefab83 · 13ad20d2
Commit 13ad20d2 authored 9 years ago by Georg Ringer
--- a/typo3/sysext/lowlevel/Classes/View/ConfigurationView.php
+++ b/typo3/sysext/lowlevel/Classes/View/ConfigurationView.php
@@ -49,6 +49,27 @@ class ConfigurationView extends BaseScriptClass
     */
    protected $moduleTemplate;
+    /**
+     * Blind configurations which should not be visible
+     *
+     * @var array
+     */
+    protected $blindedConfigurationOptions = [
+        'TYPO3_CONF_VARS' => [
+            'DB' => [
+                'database' => '******',
+                'host' => '******',
+                'password' => '******',
+                'port' => '******',
+                'socket' => '******',
+                'username' => '******'
+            ],
+            'SYS' => [
+                'encryptionKey' => '******'
+            ]
+        ]
+    ];
    /**
     * Constructor
     */
@@ -175,7 +196,7 @@ class ConfigurationView extends BaseScriptClass
        // Update node:
        $update = 0;
        $node = GeneralUtility::_GET('node');
-        // If any plus-signs were clicked, it's registred.
+        // If any plus-signs were clicked, it's registered.
        if (is_array($node)) {
            $this->MOD_SETTINGS['node_' . $this->MOD_SETTINGS['function']] = $arrayBrowser->depthKeys($node, $this->MOD_SETTINGS['node_' . $this->MOD_SETTINGS['function']]);
            $update = 1;
@@ -193,9 +214,11 @@ class ConfigurationView extends BaseScriptClass
        if (GeneralUtility::_POST('search') && trim($search_field)) {
            $arrayBrowser->depthKeys = $arrayBrowser->getSearchKeys($theVar, '', $search_field, array());
        }
-        // mask the encryption key to not show it as plaintext in the configuration module
-        if ($theVar == $GLOBALS['TYPO3_CONF_VARS']) {
+        // mask sensitive information
-            $theVar['SYS']['encryptionKey'] = '***** (length: ' . strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) . ' characters)';
+        $varName = trim($arrayBrowser->varName, '$');
+        if (isset($this->blindedConfigurationOptions[$varName])) {
+            ArrayUtility::mergeRecursiveWithOverrule($theVar, $this->blindedConfigurationOptions[$varName]);
        }
        $tree = $arrayBrowser->tree($theVar, '', '');
        $this->view->assign('tree', $tree);