/**
  * Constructor. Starts PHP session handling in our own private store
  *
  * Side-effect: might set a cookie, so must be called before any other output.
  */
 public function __construct()
 {
     $this->typo3tempPath = PATH_site . 'typo3temp/';
     // Start our PHP session early so that hasSession() works
     $sessionSavePath = $this->getSessionSavePath();
     // Register our "save" session handler
     session_set_save_handler(array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc'));
     session_save_path($sessionSavePath);
     session_name($this->cookieName);
     ini_set('session.cookie_path', GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
     // Always call the garbage collector to clean up stale session files
     ini_set('session.gc_probability', 100);
     ini_set('session.gc_divisor', 100);
     ini_set('session.gc_maxlifetime', $this->expireTimeInMinutes * 2 * 60);
     if (\TYPO3\CMS\Core\Utility\PhpOptionsUtility::isSessionAutoStartEnabled()) {
         $sessionCreationError = 'Error: session.auto-start is enabled.<br />';
         $sessionCreationError .= 'The PHP option session.auto-start is enabled. Disable this option in php.ini or .htaccess:<br />';
         $sessionCreationError .= '<pre>php_value session.auto_start Off</pre>';
         throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587485);
     } elseif (defined('SID')) {
         $sessionCreationError = 'Session already started by session_start().<br />';
         $sessionCreationError .= 'Make sure no installed extension is starting a session in its ext_localconf.php or ext_tables.php.';
         throw new \TYPO3\CMS\Install\Exception($sessionCreationError, 1294587486);
     }
     session_start();
 }
Beispiel #2
0
    /**
     * Checking php.ini configuration and set appropriate messages and flags.
     *
     * @return void
     * @todo Define visibility
     */
    public function checkConfiguration()
    {
        $ext = 'php.ini configuration checked';
        $this->message($ext);
        // *****************
        // Incoming values:
        // *****************
        // Includepath
        $incPaths = \TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(TYPO3_OS == 'WIN' ? ';' : ':', ini_get('include_path'));
        if (!in_array('.', $incPaths)) {
            $this->message($ext, 'Current directory (./) is not in include path!', '
				<p>
					<em>include_path=' . ini_get('include_path') . '</em>
					<br />
					Normally the current path, \'.\', is included in the
					include_path of PHP. Although TYPO3 does not rely on this,
					it is an unusual setting that may introduce problems for
					some extensions.
				</p>
			', 1);
        } else {
            $this->message($ext, 'Current directory in include path', '', -1);
        }
        // *****************
        // File uploads
        // *****************
        if (!ini_get('file_uploads')) {
            $this->message($ext, 'File uploads not allowed', '
				<p>
					<em>file_uploads=' . ini_get('file_uploads') . '</em>
					<br />
					TYPO3 uses the ability to upload files from the browser in
					various cases.
					<br />
					As long as this flag is disabled, you\'ll not be able to
					upload files.
					<br />
					But it doesn\'t end here, because not only are files not
					accepted by the server - ALL content in the forms are
					discarded and therefore nothing at all will be editable
					if you don\'t set this flag!
					<br />
					However if you cannot enable fileupload for some reason
					alternatively you change the default form encoding value
					with \\$TYPO3_CONF_VARS[SYS][form_enctype].
				</p>
			', 3);
        } else {
            $this->message($ext, 'File uploads allowed', '', -1);
        }
        $upload_max_filesize = \TYPO3\CMS\Core\Utility\GeneralUtility::getBytesFromSizeMeasurement(ini_get('upload_max_filesize'));
        $post_max_size = \TYPO3\CMS\Core\Utility\GeneralUtility::getBytesFromSizeMeasurement(ini_get('post_max_size'));
        if ($upload_max_filesize < 1024 * 1024 * 10) {
            $this->message($ext, 'Maximum upload filesize too small?', '
				<p>
					<em>upload_max_filesize=' . ini_get('upload_max_filesize') . '</em>
					<br />
					By default TYPO3 supports uploading, copying and moving
					files of sizes up to 10MB (You can alter the TYPO3 defaults
					by the config option TYPO3_CONF_VARS[BE][maxFileSize]).
					<br />
					Your current value is below this, so at this point, PHP sets
					the limits for uploaded filesizes and not TYPO3.
					<br />
					<strong>Notice:</strong> The limits for filesizes attached
					to database records are set in the tables.php configuration
					files (\\$TCA) for each group/file field. You may override
					these values in the local configuration or by page TSconfig settings.
				</p>
			', 1);
        }
        if ($upload_max_filesize > $post_max_size) {
            $this->message($ext, 'Maximum size for POST requests is smaller than max. upload filesize', '
				<p>
					<em>upload_max_filesize=' . ini_get('upload_max_filesize') . '
					, post_max_size=' . ini_get('post_max_size') . '</em>
					<br />
					You have defined a maximum size for file uploads which
					exceeds the allowed size for POST requests. Therefore the
					file uploads can not be larger than ' . ini_get('post_max_size') . '
				</p>
			', 1);
        }
        // *****************
        // Memory and functions
        // *****************
        $memory_limit_value = \TYPO3\CMS\Core\Utility\GeneralUtility::getBytesFromSizeMeasurement(ini_get('memory_limit'));
        if ($memory_limit_value <= 0) {
            $this->message($ext, 'Unlimited memory limit!', '<p>Your webserver is configured to not limit PHP memory usage at all. This is a risk
				and should be avoided in production setup. In general it\'s best practice to limit this
				in the configuration of your webserver. To be safe, ask the system administrator of the
				webserver to raise the limit to something over ' . TYPO3_REQUIREMENTS_MINIMUM_PHP_MEMORY_LIMIT . '.</p>', 2);
        } elseif ($memory_limit_value < \TYPO3\CMS\Core\Utility\GeneralUtility::getBytesFromSizeMeasurement(TYPO3_REQUIREMENTS_MINIMUM_PHP_MEMORY_LIMIT)) {
            $this->message($ext, 'Memory limit below ' . TYPO3_REQUIREMENTS_MINIMUM_PHP_MEMORY_LIMIT, '
				<p>
					<em>memory_limit=' . ini_get('memory_limit') . '</em>
					<br />
					Your system is configured to enforce a memory limit of PHP
					scripts lower than ' . TYPO3_REQUIREMENTS_MINIMUM_PHP_MEMORY_LIMIT . '.
					The Extension Manager needs to include more PHP-classes than
					will fit into this memory space. There is nothing else to do
					than raise the limit. To be safe, ask the system
					administrator of the webserver to raise the limit to over
					' . TYPO3_REQUIREMENTS_MINIMUM_PHP_MEMORY_LIMIT . '.
				</p>
			', 3);
        } else {
            $this->message($ext, 'Memory limit: ' . ini_get('memory_limit'), '', -1);
        }
        if (ini_get('max_execution_time') < 30) {
            $this->message($ext, 'Maximum execution time below 30 seconds', '
				<p>
					<em>max_execution_time=' . ini_get('max_execution_time') . '</em>
					<br />
					May impose problems if too low.
				</p>
			', 1);
        } else {
            $this->message($ext, 'Maximum execution time: ' . ini_get('max_execution_time') . ' seconds', '', -1);
        }
        if (ini_get('disable_functions')) {
            $this->message($ext, 'Functions disabled!', '
				<p>
					<em>disable_functions=' . ini_get('disable_functions') . '</em>
					<br />
					The above list of functions are disabled. If TYPO3 use any
					of these there might be trouble.
					<br />
					TYPO3 is designed to use the default set of PHP4.3.0+
					functions plus the functions of GDLib.
					<br />
					Possibly these functions are disabled due to security risks
					and most likely the list would include a function like
					<em>exec()</em> which is use by TYPO3 to access ImageMagick.
				</p>
			', 2);
        } else {
            $this->message($ext, 'Functions disabled: none', '', -1);
        }
        // Mail tests
        if (TYPO3_OS == 'WIN') {
            $smtp = ini_get('SMTP');
            $bad_smtp = FALSE;
            if (!\TYPO3\CMS\Core\Utility\GeneralUtility::validIP($smtp)) {
                $smtp_addr = @gethostbyname($smtp);
                $bad_smtp = $smtp_addr == $smtp;
            } else {
                $smtp_addr = $smtp;
            }
            if (!$smtp || $bad_smtp || !\TYPO3\CMS\Core\Utility\MathUtility::canBeInterpretedAsInteger(ini_get('smtp_port'))) {
                $this->message($ext, 'Mail configuration is not set correctly', '
					<p>
						Mail configuration is not set
						<br />
						PHP mail() function requires SMTP and smtp_port to have
						correct values on Windows.
					</p>
				', 2);
            } else {
                if (($smtp_addr == '127.0.0.1' || $smtp_addr == '::1') && ($_SERVER['SERVER_ADDR'] == '127.0.0.1' || $_SERVER['SERVER_ADDR'] == '::1')) {
                    $this->message($ext, 'Mail is configured (potential problem exists!)', '
						<p>
							<em>SMTP=' . $smtp . '</em> - <strong>Note:</strong>
							this server! Are you sure it runs SMTP server?
							<br />
							<em>smtp_port=' . ini_get('smtp_port') . '</em>
						</p>' . $this->check_mail('get_form') . '
					', 1);
                } else {
                    $this->message($ext, 'Mail is configured', '
						<p>
							<em>SMTP=' . $smtp . '</em>
							<br />
							<em>smtp_port=' . ini_get('smtp_port') . '</em>
						</p>' . $this->check_mail('get_form') . '
					', -1);
                }
            }
        } elseif (!ini_get('sendmail_path')) {
            $this->message($ext, 'Sendmail path not defined!', '
				<p>
					This may be critical to TYPO3\'s use of the mail() function.
					Please be sure that the mail() function in your
					php-installation works!
				</p>' . $this->check_mail('get_form') . '
			', 1);
        } else {
            list($prg) = explode(' ', ini_get('sendmail_path'));
            if (!@is_executable($prg)) {
                $this->message($ext, 'Sendmail program not found or not executable?', '
					<p>
						<em>sendmail_path=' . ini_get('sendmail_path') . '</em>
						<br />
						This may be critical to TYPO3\'s use of the mail()
						function. Please be sure that the mail() function in
						your php-installation works!
					</p>' . $this->check_mail('get_form') . '
				', 1);
            } else {
                $this->message($ext, 'Sendmail OK', '
					<p>
						<em>sendmail_path=' . ini_get('sendmail_path') . '</em>
					</p>' . $this->check_mail('get_form') . '
				', -1);
            }
        }
        // *****************
        // Safe mode related
        // *****************
        if (\TYPO3\CMS\Core\Utility\PhpOptionsUtility::isSafeModeEnabled()) {
            $this->message($ext, 'Safe mode turned on', '
				<p>
					<em>safe_mode=' . ini_get('safe_mode') . '</em>
					<br />
					In safe_mode PHP is restricted in several ways. This is a
					good thing because it adds protection to your (and others)
					scripts. But it may also introduce problems. In TYPO3 this
					<em>may be</em> a problem in two areas: File administration
					and execution of external programs, in particular
					ImageMagick.
					<br />
					If you just ignore this warning, you\'ll most likely find,
					that TYPO3 seems to work except from the image-generation.
					The problem in that case is that the external ImageMagick
					programs are not allowed to be executed from the regular
					paths like "/usr/bin/" or "/usr/X11R6/bin/".
					<br />
					If you use safe_mode with TYPO3, you should disable use of
					external programs ([BE][disable_exec_function]=1).
					<br />
					In safe mode you must ensure that all the php-scripts and
					upload folders are owned by the same user.
				</p>
				<p>
					<em>safe_mode_exec_dir=' . ini_get('safe_mode_exec_dir') . '</em>
					<br />
					If the ImageMagick utilities are located in this directory,
					everything is fine. Below on this page, you can see if
					ImageMagick is found here. If not, ask you ISP to put the
					three ImageMagick programs, \'convert\',
					\'combine\'/\'composite\' and \'identify\' there (eg. with
					symlinks if Unix server)
				</p>
				<p>
					<strong>Example of safe_mode settings:</strong>
					<br />
					Set this in the php.ini file:
				</p>
				<p>
					; Safe Mode
					<br />
					safe_mode = On
					<br />
					safe_mode_exec_dir = /usr/bin/
				</p>
				<p>
					...and the ImageMagick \'/usr/bin/convert\' will be
					executable.
					<br />
					The last slash is important (..../) and you can only specify
					one directory.
				</p>
				<p>
					<strong>Notice: </strong>
					<br />
					ImageMagick 6 or GraphicsMagick is recommended and the binaries are
					normally installed in /usr/bin.
					<br />
					Paths to ImageMagick are defined in local configuration and may be
					something else than /usr/bin/, but this is default for
					ImageMagick 6+
				</p>
			', 2);
            if (ini_get('doc_root')) {
                $this->message($ext, 'doc_root set', '
					<p>
						<em>doc_root=' . ini_get('doc_root') . '</em>
						<br />
						PHP cannot execute scripts outside this directory. If
						that is a problem is please correct it.
					</p>
				', 1);
            }
            $this->config_array['safemode'] = 1;
        } else {
            $this->message($ext, 'safe_mode: off', '', -1);
        }
        if (\TYPO3\CMS\Core\Utility\PhpOptionsUtility::isSqlSafeModeEnabled()) {
            $this->message($ext, 'sql.safe_mode is enabled', '
				<p>
					<em>sql.safe_mode=' . ini_get('sql.safe_mode') . '</em>
					<br />
					This means that you can only connect to the database with a
					username corresponding to the user of the webserver process
					or fileowner. Consult your ISP for information about this.
					Also see <a href="http://www.wrox.com/Consumer/Store/Books/2963/29632002.htm">
					http://www.wrox.com/Consumer/Store/Books/2963/29632002.htm</a>
					<br />
					The owner of the current file is:
					<strong>' . get_current_user() . '</strong>
				</p>
			', 1);
            $this->config_array['sql.safe_mode_user'] = get_current_user();
        } else {
            $this->message($ext, 'sql.safe_mode: off', '', -1);
        }
        if (ini_get('open_basedir')) {
            $this->message($ext, 'open_basedir set', '
				<p>
					<em>open_basedir=' . ini_get('open_basedir') . '</em>
					<br />
					This restricts TYPO3 to open and include files only in this
					path. Please make sure that this does not prevent TYPO3 from
					running.
					<br />
					<strong>Notice (UNIX):</strong> Before checking a path
					according to open_basedir, PHP resolves all symbolic links.
				</p>
			', 1);
        } else {
            $this->message($ext, 'open_basedir: off', '', -1);
        }
        // Check availability of PHP session support
        if (extension_loaded('session')) {
            $this->message($ext, 'PHP sessions available', '
				<p>
					<em>PHP Sessions available</em>
					<br />
					PHP is compiled with session support and session support is
					available.
				</p>
			', -1);
        } else {
            $this->message($ext, 'PHP Sessions not available', '
				<p>
					PHP is not compiled with session support, or session support
					is disabled in php.ini.
					<br />
					TYPO3 needs session support.
				</p>
			', 3);
        }
        // Suhosin/Hardened PHP:
        $suhosinDescription = '
			<p>
				Suhosin limits the number of elements that can be submitted in
				forms to the server. This will affect for example the
				"All configuration" section in the Install Tool or Inline
				Relational Record Editing (IRRE) with many child records.
			</p>';
        if (extension_loaded('suhosin')) {
            $suhosinSuggestion = '
				<p>
					At least a value of 400 is suggested.
				</p>
			';
            $suhosinRequestMaxVars = ini_get('suhosin.request.max_vars');
            $suhosinPostMaxVars = ini_get('suhosin.post.max_vars');
            $suhosinRequestMaxVarsType = $suhosinRequestMaxVars < 400 ? 2 : -1;
            $suhosinPostMaxVarsType = $suhosinPostMaxVars < 400 ? 2 : -1;
            $suhosinType = $suhosinRequestMaxVars < 400 || $suhosinPostMaxVars < 400 ? 2 : -1;
            $this->message($ext, 'Suhosin/Hardened PHP is loaded', $suhosinDescription, $suhosinType);
            $this->message($ext, 'suhosin.request.max_vars: ' . $suhosinRequestMaxVars, $suhosinSuggestion, $suhosinRequestMaxVarsType);
            $this->message($ext, 'suhosin.post.max_vars: ' . $suhosinPostMaxVars, $suhosinSuggestion, $suhosinPostMaxVarsType);
        } else {
            $this->message($ext, 'Suhosin/Hardened PHP is not loaded', $suhosinDescription, 0);
        }
        // Check for stripped PHPdoc comments that are required to evaluate annotations:
        $method = new \ReflectionMethod('TYPO3\\CMS\\Install\\Installer', 'check_mail');
        if (strlen($method->getDocComment()) === 0) {
            $description = '
				<p>
					The system extension Extbase evaluates annotations in PHPdoc
					comments and thus requires eAccelerator not to strip away
					these parts. However, this is currently the only part in the
					TYPO3 Core (beside deprecation log and unit tests). If
					Extbase is not used, recompiling eAccelerator is not
					required at all.
					<br/>
					<br/>
					If you do not want comments to be stripped by eAccelerator,
					please recompile with the following configuration setting
					(<a href="http://eaccelerator.net/ticket/229" target="_blank">
					more details</a>):
					<br />
					<em>--with-eaccelerator-doc-comment-inclusion</em>
				</p>
			';
            $this->message($ext, 'PHPdoc comments are stripped', $description, 2);
        }
    }
 /**
  * Checks if PHP magic_quotes_gpc is enabled.
  *
  * @return \TYPO3\CMS\Reports\Status A tx_reports_reports_status_Status object representing whether the magic_quote_gpc is enabled or not
  */
 protected function getPhpMagicQuotesGpcStatus()
 {
     $value = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_common.xml:disabled');
     $message = '';
     $severity = \TYPO3\CMS\Reports\Status::OK;
     if (\TYPO3\CMS\Core\Utility\PhpOptionsUtility::isMagicQuotesGpcEnabled()) {
         $value = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_common.xml:enabled');
         $severity = \TYPO3\CMS\Reports\Status::WARNING;
         $message = $GLOBALS['LANG']->getLL('status_configuration_PhpMagicQuotesGpcEnabled');
     }
     return \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Reports\\Status', $GLOBALS['LANG']->getLL('status_PhpMagicQuotesGpc'), $value, $message, $severity);
 }