Closed angeloprevitali closed 5 years ago
Same here. Obviously femanager is a little „behind“... these are the available options in its UserUtility.php class:
```php
/**
 * Hash a password from $user->getPassword()
 *
 * @param User $user
 * @param string $method "md5", "sha1" or "none"
 * @return void
 */
public static function hashPassword(User &$user, $method)
{
    switch ($method) {
        case 'none':
            break;
        case 'md5':
            $user->setPassword(md5($user->getPassword()));
            break;
        case 'sha1':
            $user->setPassword(sha1($user->getPassword()));
            break;
        default:
            if (ExtensionManagementUtility::isLoaded('saltedpasswords')) {
                if (SaltedPasswordsUtility::isUsageEnabled('FE')) {
                    $objInstanceSaltedPw = SaltFactory::getSaltingInstance();
                    $user->setPassword($objInstanceSaltedPw->getHashedPassword($user->getPassword()));
                }
            }
    }
}
```
The current TYPO3 version uses none of them, Salted Passwords is not installed either, so there you go … pw is stored as plaintext when e.g. editing your profile/changing your current pw. Holy crap!
Possible Workaround: Employ your own controllers to stand in for femanager's `NewController` and `EditController` (e.g. via `ext_typoscript_setup.txt`).
In your custom controllers replace

```php
UserUtility::convertPassword($user, $this->settings['edit']['misc']['passwordSave']);
```

with this:

```php
$hasher = $this->passwordHashFactory->getDefaultHashInstance('FE');
$password = $hasher->getHashedPassword($user->getPassword());
$user->setPassword($password);
```

Don't forget to inject `passwordHashFactory` in your controllers and to declare `use` statements for classes used by the original controllers.
Et voilà – users get/keep their passwords hashed according to your TYPO3 settings when signing on/changing their password.
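As an added example (not femanager's code and not posted by anyone in this thread), a replacement for the utility quoted above that always ends in the FE-configured hash, plus a detection helper that flags rows already written as plaintext, md5 or sha1. It assumes TYPO3 9.5's `PasswordHashFactory` / `ConnectionPool` API and the femanager `User` model class.

```php
<?php
declare(strict_types=1);

use In2code\Femanager\Domain\Model\User;
use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

// Added example; class name and method names are assumptions, the TYPO3 API calls are real.
final class SafePasswordUtility
{
    /**
     * Replacement for UserUtility::hashPassword(): no "none"/"md5"/"sha1"
     * branches, no dependency on EXT:saltedpasswords. Whatever the Install
     * Tool preset is (Argon2i, bcrypt, ...), the plaintext never reaches the DB.
     */
    public static function hashPassword(User $user): void
    {
        $factory = GeneralUtility::makeInstance(PasswordHashFactory::class);
        $hasher = $factory->getDefaultHashInstance('FE');
        $user->setPassword($hasher->getHashedPassword($user->getPassword()));
    }

    /**
     * True if $stored is recognised by one of the enabled FE hash classes.
     * A plaintext value or a bare md5/sha1 hex string is not recognised,
     * so a false result means the row was written by the buggy code path.
     */
    public static function isHashed(string $stored): bool
    {
        try {
            GeneralUtility::makeInstance(PasswordHashFactory::class)->get($stored, 'FE');
            return true;
        } catch (InvalidPasswordHashException $e) {
            return false;
        }
    }

    /** Audit fe_users and return [uid => username] for every non-hashed password. */
    public static function findUnhashedFrontendUsers(): array
    {
        $qb = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_users');
        $qb->getRestrictions()->removeAll(); // include hidden/deleted rows, they can be un-deleted
        $rows = $qb->select('uid', 'username', 'password')->from('fe_users')->execute()->fetchAll();
        $suspect = [];
        foreach ($rows as $row) {
            if (!self::isHashed((string)$row['password'])) {
                $suspect[(int)$row['uid']] = $row['username'];
            }
        }
        return $suspect;
    }
}
```

Users returned by `findUnhashedFrontendUsers()` need a forced password reset; re-hashing the stored value in place would only hash the plaintext they can no longer log in with anyway.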
Same problem with Argon2i activated as hashing algorithm. I think this is quite a serious issue, not only because of poor security with passwords being stored in plain text but also because it just makes the whole extension useless: You just cannot login via the default login form as this properly hashes the password and compares it to the plain text one in the database.
> Possible Workaround: Employ your own controllers to stand in for femanager's `NewController` and `EditController` (e.g. via `ext_typoscript_setup.txt`).
Can anyone give me a hint how to tell my T3 installation to use a customised controller instead of an extension's default one? A short web search for `ext_typoscript_setup.txt` returns that this is something deprecated for years and that "static templates or usage of the Extension Management API of class TYPO3\CMS\Core\Utility\ExtensionManagementUtility are preferred."
Indeed, @clivebeckett , it is serious! A frontend user changes their password, and that's it … no login possible anymore.
And maybe the ext_typoscript_setup.txt way of doing it is deprecated (I'm not a TYPO3 master), but for me it worked. If someone can give a more up-to-date piece of code – go ahead..! ;)
Any news on this issue or plans when a fix will be provided? Would be great because this makes femanager almost unusable for TYPO3 9.5 at the moment.
This issue is solved in version 5.1.0 - thanks for your patience.
If you add a registration form in the FE with EXT:femanager to create a new profile for a feuser the created password will be set as plain text in the database.
If you set up a new feuser in the backend of a TYPO3 9.5.5 the hash works perfectly.
If you modify an existing profile which has been set up in the backend of TYPO3 and edited in the frontend, the password gets reset as plain text again.

- TYPO3 version: 9.5.5
- EXT:femanager version: 5.0.0
- OS: Linux
- PHP: 7.2
- Configuration Presets in Install-Tool: is NOT Argon2i - but others activated (see printscreen)