From dfcf38dc2b151f771036075c3a813a43c54ddc3c Mon Sep 17 00:00:00 2001
From: Helmut Hummel <typo3@helhum.io>
Date: Thu, 17 Aug 2017 18:41:39 +0200
Subject: [PATCH] [BUGFIX] Throw exception if encryption key is not set

The encryption key is a vital part of TYPO3's security.
Not having it set (by accident) can lead to severe
security issues.

Therefore enforce it to be set and throw an exception
in case it isn't, instead of just reporting a warning.

Releases: master, 8.7, 7.6
Resolves: #82169
Change-Id: I79c73558d0968ae89a2867d6d5264530f434e1a3
Reviewed-on: https://review.typo3.org/53724
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
---
 typo3/sysext/core/Classes/Core/Bootstrap.php  |  7 +++++-
 .../Private/Language/locallang_core.xlf       |  3 ---
 .../Classes/Report/Status/SecurityStatus.php  | 24 -------------------
 3 files changed, 6 insertions(+), 28 deletions(-)

diff --git a/typo3/sysext/core/Classes/Core/Bootstrap.php b/typo3/sysext/core/Classes/Core/Bootstrap.php
index 1923f23ca5d5..8853b4ec3d8d 100644
--- a/typo3/sysext/core/Classes/Core/Bootstrap.php
+++ b/typo3/sysext/core/Classes/Core/Bootstrap.php
@@ -173,7 +173,12 @@ class Bootstrap
             ->setFinalCachingFrameworkCacheConfiguration()
             ->unsetReservedGlobalVariables()
             ->loadBaseTca();
-
+        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
+            throw new \RuntimeException(
+                'TYPO3 Encryption is empty. $GLOBALS[\'TYPO3_CONF_VARS\'][\'SYS\'][\'encryptionKey\'] needs to be set for TYPO3 to work securely',
+                1502987245
+            );
+        }
         return $this;
     }
 
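Review bot: The guard added before `return $this;` rejects only an unset or empty value, so a whitespace-only or non-string `encryptionKey` still passes bootstrap without providing a usable secret. Reading the value into `$key` and testing `if (empty($key) || !is_string($key) || trim($key) === '')` would close that gap without needing PHP 7 syntax on the 7.6 backport. The exception text says 'TYPO3 Encryption is empty', dropping the word 'key', and unlike the removed `warning.install_encryption` label it no longer tells the operator where to set the value; 'TYPO3 encryption key is empty.' plus a pointer to the Install Tool would restore that. Because a report warning becomes a hard stop here, please confirm that whatever path is used to set the key (presumably the Install Tool) does not run through this method, whose start is outside the hunk.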
diff --git a/typo3/sysext/lang/Resources/Private/Language/locallang_core.xlf b/typo3/sysext/lang/Resources/Private/Language/locallang_core.xlf
index 4b98c4759f3e..be72997ddefb 100644
--- a/typo3/sysext/lang/Resources/Private/Language/locallang_core.xlf
+++ b/typo3/sysext/lang/Resources/Private/Language/locallang_core.xlf
@@ -1162,9 +1162,6 @@ Do you want to refresh it now?</source>
 			<trans-unit id="warning.install_trustedhosts">
 				<source>The trusted hosts pattern check is disabled. Please define the allowed hosts in the [SYS][trustedHostsPattern] section of the Install Tool.</source>
 			</trans-unit>
-			<trans-unit id="warning.install_encryption">
-				<source>The encryption key is not set. Set it in the %sBasic Configuration section%s of the Install Tool.</source>
-			</trans-unit>
 			<trans-unit id="warning.install_update">
 				<source>This installation is not configured for the TYPO3 version it is running. If you did so intentionally, this message can be safely ignored. If you are unsure, visit the Update Wizard section of the %sInstall Tool%s to see how TYPO3 would change.</source>
 			</trans-unit>
diff --git a/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php b/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
index 12cd42994bcd..d48b5ab8031e 100644
--- a/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
+++ b/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
@@ -42,7 +42,6 @@ class SecurityStatus implements StatusProviderInterface
         $statuses = [
             'trustedHostsPattern' => $this->getTrustedHostsPatternStatus(),
             'adminUserAccount' => $this->getAdminAccountStatus(),
-            'encryptionKeyEmpty' => $this->getEncryptionKeyStatus(),
             'fileDenyPattern' => $this->getFileDenyPatternStatus(),
             'htaccessUpload' => $this->getHtaccessUploadStatus(),
             'saltedpasswords' => $this->getSaltedPasswordsStatus(),
@@ -129,29 +128,6 @@ class SecurityStatus implements StatusProviderInterface
         return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_adminUserAccount'), $value, $message, $severity);
     }
 
-    /**
-     * Checks whether the encryption key is empty.
-     *
-     * @return \TYPO3\CMS\Reports\Status An object representing whether the encryption key is empty or not
-     */
-    protected function getEncryptionKeyStatus()
-    {
-        $value = $this->getLanguageService()->getLL('status_ok');
-        $message = '';
-        $severity = ReportStatus::OK;
-        if (empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])) {
-            $value = $this->getLanguageService()->getLL('status_insecure');
-            $severity = ReportStatus::ERROR;
-            $url = 'install/index.php?redirect_url=index.php' . urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
-            $message = sprintf(
-                $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_core.xlf:warning.install_encryption'),
-                '<a href="' . $url . '">',
-                '</a>'
-            );
-        }
-        return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_encryptionKey'), $value, $message, $severity);
-    }
-
     /**
      * Checks if fileDenyPattern was changed which is dangerous on Apache
      *
-- 
GitLab