[TASK] Remove IP address from details field of sys_log entry
Avoid persisting the IP address of a login action twice and just use
the one of the IP field.

Additionally the anonymize scheduler task can now remove all unwanted IP
addresses from the logs.

Be aware that the anonymization of the sys_log entries only
works for new entries that were generated after this patch. Older
entries have to be deleted or the details field needs to be
cleared manually.

Resolves: #85316
Releases: master, 8.7, 7.6
Change-Id: I9c5c65d52462a82047324390bc3e6b970a8f8840
Reviewed-on: https://review.typo3.org/57313
Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
georgringer authored and neufeind committed Jun 23, 2018
1 parent 1b869d7 commit dfbd987
Showing 5 changed files with 12 additions and 11 deletions.
3 changes: 3 additions & 0 deletions typo3/sysext/belog/Classes/Domain/Model/LogEntry.php
@@ -313,6 +313,9 @@ public function setDetails($details)
*/
public function getDetails()
{
if ($this->type === 255) {
return str_replace('###IP###', $this->ip, $this->details);
}
return $this->details;
}
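Review bot: The `###IP###` marker is resolved only in this getter, so any reader of `sys_log.details` that does not go through `LogEntry::getDetails()` would show the literal marker instead of an address; other consumers of that column are worth checking. The test `$this->type === 255` is strict and uses a bare number: if `type` is ever hydrated as a string the branch is skipped silently, so consider `(int)$this->type === 255` or a named constant for the login type. I would also add a docblock line such as `For login entries (type 255) the ###IP### marker is replaced with the value of the ip field, which may already be anonymized.` The docblock starts outside the hunk.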

@@ -744,7 +744,7 @@ public function checkAuthentication()

// User logged in - write that to the log!
if ($this->writeStdLog && $activeLogin) {
$this->writelog(255, 1, 0, 1, 'User %s logged in from %s (%s)', [$tempuser[$this->username_column], GeneralUtility::getIndpEnv('REMOTE_ADDR'), GeneralUtility::getIndpEnv('REMOTE_HOST')], '', '', '');
$this->writelog(255, 1, 0, 1, 'User %s logged in from ###IP### (%s)', [$tempuser[$this->username_column], GeneralUtility::getIndpEnv('REMOTE_HOST')], '', '', '');
}
if ($activeLogin) {
$this->logger->info('User ' . $tempuser[$this->username_column] . ' logged in from ' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . ' (' . GeneralUtility::getIndpEnv('REMOTE_HOST') . ')');
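Review bot: The `$this->logger->info(...)` call right after the changed `writelog()` still concatenates `REMOTE_ADDR` into the message text, so the address keeps being written by whichever log writer is configured, outside the `sys_log` IP field this commit relies on for anonymization. The same applies to the `logger->warning(sprintf(...))` call in `getUser()` further down the page. The neighbouring `logger->info()` calls already pass the address as context, and doing the same here lets a writer or processor mask it: `$this->logger->info('User ' . $tempuser[$this->username_column] . ' logged in', ['REMOTE_ADDR' => GeneralUtility::getIndpEnv('REMOTE_ADDR'), 'REMOTE_HOST' => GeneralUtility::getIndpEnv('REMOTE_HOST')]);`. `checkAuthentication()` continues outside the hunk.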
@@ -54,8 +54,8 @@ public function getUser()
}
if ((string)$this->login['uident_text'] === '') {
// Failed Login attempt (no password given)
$this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', [
$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']
$this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP### (%s) for username \'%s\' with an empty password!', [
$this->authInfo['REMOTE_HOST'], $this->login['uname']
]);
$this->logger->warning(sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
return false;
@@ -64,7 +64,7 @@ public function getUser()
$user = $this->fetchUserRecord($this->login['uname']);
if (!is_array($user)) {
// Failed login attempt (no username found)
$this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
$this->writelog(255, 3, 3, 2, 'Login-attempt from ###IP### (%s), username \'%s\' not found!!', [$this->authInfo['REMOTE_HOST'], $this->login['uname']]);
$this->logger->info('Login-attempt from username \'' . $this->login['uname'] . '\' not found!', [
'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR'],
'REMOTE_HOST' => $this->authInfo['REMOTE_HOST'],
@@ -102,7 +102,7 @@ public function authUser(array $user)
if (!$OK) {
// Failed login attempt (wrong password) - write that to the log!
if ($this->writeAttemptLog) {
$this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
$this->writelog(255, 3, 3, 1, 'Login-attempt from ###IP### (%s), username \'%s\', password not accepted!', [$this->authInfo['REMOTE_HOST'], $this->login['uname']]);
$this->logger->info('Login-attempt username \'' . $this->login['uname'] . '\', password not accepted!', [
'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR'],
'REMOTE_HOST' => $this->authInfo['REMOTE_HOST'],
@@ -114,7 +114,7 @@ public function authUser(array $user)
if ($OK && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
// Lock domain didn't match, so error:
if ($this->writeAttemptLog) {
$this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']]);
$this->writelog(255, 3, 3, 1, 'Login-attempt from ###IP### (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [$this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']]);
$this->logger->info('Login-attempt from username \'' . $user[$this->db_user['username_column']] . '\', locked domain did not match!', [
'HTTP_HOST' => $this->authInfo['HTTP_HOST'],
'REMOTE_ADDR' => $this->authInfo['REMOTE_ADDR'],
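Review bot: `REMOTE_HOST` is still passed in the data array of every `writelog()` call changed in `getUser()` and `authUser()`, and a reverse-DNS name can embed the client address. Anonymizing the IP field would then leave the address recoverable from the stored log data; whether the scheduler task also rewrites that data is not visible on this page. Consider dropping the host from these entries, or state the limit next to the calls with a comment such as `// REMOTE_HOST stays in the log data and is not covered by IP anonymization`. Both functions continue outside the hunks.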
@@ -164,7 +164,7 @@ public function authUser(array $user)
$validPasswd = $this->compareUident($user, $this->login);
if (!$validPasswd) {
// Failed login attempt (wrong password)
$errorMessage = 'Login-attempt from %s (%s), username \'%s\', password not accepted!';
$errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', password not accepted!';
// No delegation to further services
if ((int)$this->extConf['onlyAuthService'] || $this->authenticationFailed) {
$this->writeLogMessage(TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'', $this->login['uname']);
@@ -173,17 +173,15 @@ public function authUser(array $user)
$this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']);
}
$this->writelog(255, 3, 3, 1, $errorMessage, [
$this->authInfo['REMOTE_ADDR'],
$this->authInfo['REMOTE_HOST'],
$this->login['uname']
]);
$this->logger->info(sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
} elseif ($validPasswd && $user['lockToDomain'] && strcasecmp($user['lockToDomain'], $this->authInfo['HTTP_HOST'])) {
// Lock domain didn't match, so error:
$errorMessage = 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';
$errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';
$this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']);
$this->writelog(255, 3, 3, 1, $errorMessage, [
$this->authInfo['REMOTE_ADDR'],
$this->authInfo['REMOTE_HOST'],
$user[$this->db_user['username_column']],
$user['lockToDomain'],
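Review bot: The unchanged `sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname'])` now passes three arguments to a format with only two `%s`, so after a literal `###IP###` the address is printed in the host position, the host in the username position, and the username is dropped. The two `writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], ...)` calls look affected the same way if that helper formats like sprintf, which its body (not shown) would confirm. Drop `REMOTE_ADDR` from these three argument lists, e.g. `$this->logger->info(sprintf($errorMessage, $this->authInfo['REMOTE_HOST'], $this->login['uname']));`, or give the logger calls their own format string. The second `writelog()` array continues outside the hunk.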
@@ -205,7 +205,7 @@ public function validateNumberOfDaysAdditionalField(array &$submittedData, \TYPO
public function saveAdditionalFields(array $submittedData, \TYPO3\CMS\Scheduler\Task\AbstractTask $task)
{
$task->table = $submittedData['scheduler_ipAnonymization_table'];
$task->mask = $submittedData['scheduler_ipAnonymization_mask'];
$task->mask = (int)$submittedData['scheduler_ipAnonymization_mask'];
$task->numberOfDays = (int)$submittedData['scheduler_ipAnonymization_numberOfDays'];
}
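Review bot: The `(int)` cast on `scheduler_ipAnonymization_mask` turns any unexpected submission into an integer, typically 0, instead of rejecting it, and `table` on the line above is stored as submitted. If neither value is checked against the supported ones in the validation step (not shown in this hunk), the task could be saved with a mask that matches no supported setting or with a table it was not meant for. Once that is confirmed, a comment such as `// values are checked in validateAdditionalFields(); the cast only normalizes the type` would make the reliance explicit; otherwise add an allow-list check here.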

