From 2798e522d73d6e338b124c2b1adf728b067146eb Mon Sep 17 00:00:00 2001
From: Frans Saris <franssaris@gmail.com>
Date: Mon, 21 Aug 2017 15:59:35 +0200
Subject: [PATCH] [BUGFIX] Mark not set Install Tool password as secure

To completely disable the Install Tool you can just leave the
`installToolPassword` value empty in your LocalConfiguration.
Problem here is that not all password hashing methods can handle an
empty value without giving PHP warnings.

This patch changes the password check in reporting to skip the install
password hashing/check when there is no password.

Releases: master, 8.7
Resolves: #82147
Change-Id: I399a505544203fc40435f8e82b3baa5b6abd0da5
Reviewed-on: https://review.typo3.org/53757
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wolfgang Klinger <wolfgang@wazum.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Sebastian Fischer <typo3@evoweb.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
---
 typo3/sysext/install/Classes/Report/SecurityStatusReport.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/typo3/sysext/install/Classes/Report/SecurityStatusReport.php b/typo3/sysext/install/Classes/Report/SecurityStatusReport.php
index d0f60edc5b34..31cb0d6aabb0 100644
--- a/typo3/sysext/install/Classes/Report/SecurityStatusReport.php
+++ b/typo3/sysext/install/Classes/Report/SecurityStatusReport.php
@@ -52,7 +52,7 @@ class SecurityStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
         $validPassword = true;
         $installToolPassword = $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
         $saltFactory = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($installToolPassword);
-        if (is_object($saltFactory)) {
+        if ($installToolPassword !== '' && is_object($saltFactory)) {
             $validPassword = !$saltFactory->checkPassword('joh316', $installToolPassword);
         } elseif ($installToolPassword === md5('joh316')) {
             $validPassword = false;
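Review bot: The new guard on the `if` skips the hash check only when `$installToolPassword` is exactly `''`; a missing or `null` configuration value still satisfies `!== ''` and reaches `checkPassword()`, and `SaltFactory::getSaltingInstance($installToolPassword)` on the line above is still called with the empty value before the guard runs. If the PHP warnings can also originate in the factory (not visible in this hunk), test the value first and build the salting instance only afterwards, with a condition such as `if (is_string($installToolPassword) && $installToolPassword !== '' && is_object($saltFactory)) {`. Because the report now shows an empty password as secure, a short comment would help the next reader: `// Empty installToolPassword disables the Install Tool, so there is no default password to flag.` The report relies on the Install Tool login path rejecting an empty stored password, which is worth confirming since that code is not part of this change. The enclosing method starts and ends outside the hunk.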
-- 
GitLab