[!!!][TASK] Merge salted passwords auth service into default service
The patch merges the default 'authUserBE' and 'authUserFE' authentication service of extension saltedpasswords on priority 70 into the default authentication service of the core on priority 50. The now unused SaltedPasswordService is deprecated with this class. Last inactive ways for authentication against stored plain text passwords are removed. While this is in almost all cases not a problem for existing instances when upgrading, an edge case when this may lead to a security relevant breaking change is described in a changelog file. The new 'authUser' of the default core authentication method is rewritten and carefully crafted to be much easier to understand, much more defensive, better documented and tested.

Change-Id: Ie21e891b6f8b5ceed694b412f933ad6435240ff9
Resolves: #85761
Releases: master
Reviewed-on: https://review.typo3.org/57759
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Showing 10 changed files with 453 additions and 68 deletions.
71 changes: 71 additions & 0 deletions in ...re/Documentation/Changelog/master/Breaking-85761-AuthenticationChainChanges.rst
@@ -0,0 +1,71 @@ | ||
.. include:: ../../Includes.txt | ||
|
||
=============================================== | ||
Breaking: #85761 - Authentication chain changes | ||
=============================================== | ||
|
||
See :issue:`85761` | ||
|
||
Description | ||
=========== | ||
|
||
Most casual TYPO3 instances can ignore this. | ||
|
||
An instance must consider this security relevant documentation if all of the below criteria are met: | ||
|
||
* Additional authentication services are active in an instance, for example an LDAP extension, | ||
an openId extension, some single sign on extension, or similar. The reports module with top | ||
module selection "Installed services" shows those extensions. If an instance is only dealing | ||
with core related authentication services like "saltedpasswords", "rsaauth" and "core", it is | ||
not affected. | ||
* One of these not native core services is registered with a priority lower than 70 and higher than 50, see | ||
the configuration module in the backend and verify if some non-core extension registers with | ||
such a priority. Most additional authentication services however register with a priority higher than 70. | ||
* The additional authentication service is registered for type 'authUserBE' or 'authUserFE'. | ||
|
||
In the unlikely case such a service type with a priority between 70 and 50 has been registered, | ||
security relevant changes may be needed to be applied when upgrading to core v9. | ||
|
||
The core service to compare a password against a salted password hash in the database has been | ||
moved from priority 70 to priority 50. The salted passwords service on priority 70 did not continue | ||
to lower prioritized authentication services if the password in the database has been recognized by | ||
salted passwords as a valid hash, but the password did not match. The default core service denied | ||
calling services further lower in the chain if the password has been recognized as hash which the | ||
salted passwords hash service could handle, but the password did not validate. | ||
|
||
With reducing the priority of the salted password hash check from priority 70 to 50 the following | ||
edge case applies: If a service is registered between 70 and 50, this service is now called before | ||
the salted passwords hash check. It thus may be called more often than before and may need to change | ||
its return value. It can no longer rely on the salted passwords service to deny a successful | ||
authentication if the submitted password is stored in the database as hashed password, but the | ||
database hash does not match the submitted password a user has sent to login. | ||
|
||
|
||
Impact | ||
====== | ||
|
||
If an instance provides additional authentication services, and if one of that services does | ||
not return correct authentication values, this may open a authentication bypass security issue | ||
when upgrading to v9. | ||
|
||
|
||
Affected Installations | ||
====================== | ||
|
||
See description. | ||
|
||
|
||
Migration | ||
========= | ||
|
||
If an instance is affected, consider the following migration thoughts: | ||
|
||
* Ensure the authentication service between priority 70 and 50 on type 'authUserBE' and 'authUserFE' | ||
does not rely on the result auf the salted passwords evaluation. | ||
* Consider this authentication services is called more often than before since the previous service | ||
that denied login on priority 70 is now located at priority 50. | ||
* Check the return values of the authentication services. | ||
* Read the source code of :php:`TYPO3\CMS\Core\Authentication->authUser()` for more details on possible | ||
return values. Consider the priority driven call chain. | ||
|
||
.. index:: PHP-API, NotScanned, ext:saltedpasswords |
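Review bot: The "Migration" section tells affected instances to "Check the return values of the authentication services" but never says which return values are correct or how the priority-driven chain interprets them, so an integrator cannot verify their service from this changelog alone; the "Impact" section makes the same gap visible when it says a service that "does not return correct authentication values" opens an authentication bypass. Please state in the Migration section what a service between priority 70 and 50 must return when it is not responsible for a user versus when it has validated a password, or at least point to the exact class, since `:php:`TYPO3\CMS\Core\Authentication->authUser()`` names a namespace rather than a class. In the same section, "does not rely on the result auf the salted passwords evaluation" should read "the result of the salted passwords evaluation", and "Consider this authentication services is called more often" should read "Consider that this authentication service is called more often". In "Impact", "one of that services" should be "one of these services" and "may open a authentication bypass" should be "may open an authentication bypass". In the Description, the two sentences starting "The salted passwords service on priority 70 did not continue" and "The default core service denied calling services further lower" describe the same behaviour twice; one sentence would be clearer. Finally, "Affected Installations: See description." forces the reader back up the page; restating the three criteria (extra service active, priority between 50 and 70, type 'authUserBE' or 'authUserFE') in one line would make the section self-contained for the install tool listing.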
35 changes: 35 additions & 0 deletions in ...entation/Changelog/master/Deprecation-85761-DeprecatedSaltedPasswordService.rst
@@ -0,0 +1,35 @@ | ||
.. include:: ../../Includes.txt | ||
|
||
====================================================== | ||
Deprecation: #85761 - Deprecated SaltedPasswordService | ||
====================================================== | ||
|
||
See :issue:`85761` | ||
|
||
Description | ||
=========== | ||
|
||
Class :php:`TYPO3\CMS\Saltedpasswords\SaltedPasswordService` has been deprecated and | ||
should not be used any longer. | ||
|
||
|
||
Impact | ||
====== | ||
|
||
Instantiating :php:`SaltedPasswordService` will log a deprecation message. | ||
|
||
|
||
Affected Installations | ||
====================== | ||
|
||
This class is usually not called by extensions, it is unlikely instances are affected by this. | ||
|
||
|
||
Migration | ||
========= | ||
|
||
The service has been migrated into the the basic core authentication service chain for | ||
frontend and backend. Usually no migration is needed. | ||
|
||
|
||
.. index:: PHP-API, FullyScanned, ext:saltedpasswords |
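Review bot: The "Migration" section says "Usually no migration is needed" but does not tell the rare extension that did instantiate `SaltedPasswordService` what to do instead; since the commit message states the service was merged into the default core authentication service on priority 50, naming that replacement here (and that no separate service registration is required for salted hash checks any more) would close the loop for those few cases. Two wording fixes in the same hunk: "migrated into the the basic core authentication service chain" has a doubled "the", and "This class is usually not called by extensions, it is unlikely instances are affected by this." is a comma splice; "This class is usually not called by extensions, so it is unlikely that instances are affected." reads better.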