[TASK] Introduce sudo mode for install tool accessed via backend

The session expiration time for the install tool is reduced from 60 to 15 minutes. When accessing the install tool via backend user interface, current logged in backend users have to confirm their user password again in order to get access to the install tool. This process is known as "sudo mode". Standalone install tool is not affected by sudo mode confirmation. This change enforces mitigation as mentioned in TYPO3-CORE-SA-2020-006, see https://typo3.org/security/advisory/typo3-core-sa-2020-006. Resolves: #92836 Releases: master, 10.4, 9.5 Change-Id: Ib4f0e92346610879347a48587ffd575429b98650 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66633 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Nov 16, 2020 · 9f82910 · 9f82910
1 parent 128aa65
commit 9f82910
Show file tree

Hide file tree

Showing 10 changed files with 455 additions and 20 deletions.
diff --git a/...log/9.5.x/Important-92836-IntroduceSudoModeForInstallToolAccessedViaBackend.rst b/...log/9.5.x/Important-92836-IntroduceSudoModeForInstallToolAccessedViaBackend.rst
@@ -0,0 +1,62 @@
+.. include:: ../../Includes.txt
+
+=============================================================================
+Important: #92836 - Introduce sudo mode for Install Tool accessed via backend
+=============================================================================
+
+See :issue:`92836`
+
+Description
+===========
+
+When accessing the Install Tool via backend user interface, currently logged in
+backend users have to confirm their user password again in order to get access
+to the Install Tool. As an alternative, it is also possible to use the install
+tool password (reasons described below in "side effects" section). This is done
+in order to mitigate unintended modifications that might occur as result
+of e.g. possible cross-site scripting vulnerabilities in the system.
+
+Standalone Install Tool is not affected by sudo mode confirmation.
+This change enforces mitigation as mentioned in TYPO3-CORE-SA-2020-006_.
+
+
+Potential side effects
+======================
+
+Albeit default local authentication mechanisms are working well, there are
+side effects for 3rd party extensions that make use of these `auth` service
+chains as well - such as multi-factor authentication or single sign-on handling.
+
+As an alternative, it is possible to confirm actions using the Install Tool
+password, instead of confirming with users' password (which might be handled
+with separate remote services).
+
+Services that extend authentication with custom additional factors (2FA/MFA)
+are advised to intercept only valid login requests instead of all `authUser`
+invocations.
+
+.. code-block: php
+
+   class MyAuthenticationService
+   extends \TYPO3\CMS\Core\Authentication\AbstractAuthenticationService
+   {
+       public function authUser(array $user)
+       {
+           // only handle actual login requests
+           if (empty($this->login['status'])
+               || $this->login['status'] !== 'login') {
+               // skip this service, hand over to next in chain
+               return 100;
+           }
+           ...
+           // usual processing for valid login requests
+           ...
+       }
+   }
+
+Please see this pull-request_ for a 2FA/MFA extension as an example.
+
+
+.. _TYPO3-CORE-SA-2020-006: https://typo3.org/security/advisory/typo3-core-sa-2020-006
+.. _pull-request: https://github.com/derhansen/sf_yubikey/pull/45/files
+.. index:: Backend, ext:install
diff --git a/typo3/sysext/core/Tests/Acceptance/Install/AbstractIntroductionPackage.php b/typo3/sysext/core/Tests/Acceptance/Install/AbstractIntroductionPackage.php
@@ -45,6 +45,20 @@ protected function manipulateSiteConfigurationOnlyForTesting(InstallTester $I):
         $I->amOnPage('/typo3');
         $I->click('Maintenance');
         $I->switchToContentFrame();
+
+        try {
+            // fill in sudo mode password
+            $I->see('Confirm with user password');
+            $I->fillField('confirmationPassword', 'password');
+            $I->click('Confirm');
+            $I->wait(10);
+            // wait for Maintenance headline being available
+            $I->waitForText('Maintenance');
+            $I->canSee('Maintenance', 'h1');
+        } catch (\Exception $e) {
+            // nothing...
+        }
+
         $I->click('Flush cache');
     }
 

diff --git a/typo3/sysext/core/Tests/Acceptance/Install/Mysql/BlankPageCest.php b/typo3/sysext/core/Tests/Acceptance/Install/Mysql/BlankPageCest.php
@@ -40,14 +40,14 @@ public function installTypo3OnMysql(InstallTester $I, Scenario $scenario)
         $I->click('No problems detected, continue with installation');
 
         // DatabaseConnection step
-        $I->waitForText('Select database');
+        $I->waitForText('Select database', 30);
         $I->fillField('#t3-install-step-mysqliManualConfiguration-username', $scenario->current('typo3InstallMysqlDatabaseUsername'));
         $I->fillField('#t3-install-step-mysqliManualConfiguration-password', $scenario->current('typo3InstallMysqlDatabasePassword'));
         $I->fillField('#t3-install-step-mysqliManualConfiguration-host', $scenario->current('typo3InstallMysqlDatabaseHost'));
         $I->click('Continue');
 
         // DatabaseSelect step
-        $I->waitForText('Select a database');
+        $I->waitForText('Select a database', 30);
         $I->click('#t3-install-form-db-select-type-new');
         $I->fillField('#t3-install-step-database-new', $scenario->current('typo3InstallMysqlDatabaseName'));
         $I->click('Continue');
@@ -59,7 +59,7 @@ public function installTypo3OnMysql(InstallTester $I, Scenario $scenario)
         $I->click('Continue');
 
         // DefaultConfiguration step - Create empty page
-        $I->waitForText('Installation Complete');
+        $I->waitForText('Installation Complete', 30);
         $I->click('#create-site');
         $I->click('Open the TYPO3 Backend');
 

diff --git a/typo3/sysext/core/Tests/Acceptance/Install/Mysql/IntroductionPackageCest.php b/typo3/sysext/core/Tests/Acceptance/Install/Mysql/IntroductionPackageCest.php
@@ -41,14 +41,14 @@ public function installTypo3OnMysql(InstallTester $I, Scenario $scenario)
         $I->click('No problems detected, continue with installation');
 
         // DatabaseConnection step
-        $I->waitForText('Select database');
+        $I->waitForText('Select database', 30);
         $I->fillField('#t3-install-step-mysqliManualConfiguration-username', $scenario->current('typo3InstallMysqlDatabaseUsername'));
         $I->fillField('#t3-install-step-mysqliManualConfiguration-password', $scenario->current('typo3InstallMysqlDatabasePassword'));
         $I->fillField('#t3-install-step-mysqliManualConfiguration-host', $scenario->current('typo3InstallMysqlDatabaseHost'));
         $I->click('Continue');
 
         // DatabaseSelect step
-        $I->waitForText('Select a database');
+        $I->waitForText('Select a database', 30);
         $I->click('#t3-install-form-db-select-type-new');
         $I->fillField('#t3-install-step-database-new', $scenario->current('typo3InstallMysqlDatabaseName'));
         $I->click('Continue');
@@ -60,7 +60,7 @@ public function installTypo3OnMysql(InstallTester $I, Scenario $scenario)
         $I->click('Continue');
 
         // DefaultConfiguration step - Create empty page
-        $I->waitForText('Installation Complete');
+        $I->waitForText('Installation Complete', 30);
         $I->click('#load-distributions');
         $I->click('Open the TYPO3 Backend');