[SECURITY] Do not disclose encryptionKey via InstallTool

The encryptionKey is a secret that must never be sent within any request, therefore it is now dropped from the editing interface in "Configure Installation-Wide Options".

The log file writer has been adapted to be aware of the fact that the encryption key might not be set when TYPO3 has not yet been installed (which is the case when `vendor/bin/typo3 setup` is executed).

Resolves: #103046
Releases: main, 13.0, 12.4, 11.5
Change-Id: I260a8a2e9af29908543dfe48ac3658d8c45cc440
Security-Bulletin: TYPO3-CORE-SA-2024-004
Security-References: CVE-2024-25119
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82960
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Showing
- typo3/sysext/core/Classes/Configuration/ConfigurationManager.php (1 addition, 0 deletions)
- typo3/sysext/core/Classes/Log/Writer/FileWriter.php (11 additions, 1 deletion)
- typo3/sysext/core/Configuration/DefaultConfiguration.php (0 additions, 1 deletion)
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (0 additions, 3 deletions)