TYPO3.Flow

TYPO3 Flow Base Distribution Doctrine 2 Symfony.Component.DomCrawler Symfony.Component.Yaml TYPO3.Flow TYPO3.Fluid TYPO3.Kickstart TYPO3.Party TYPO3.Welcome Packages Applications

Bug #36997

Use ActionRequest to validate authentication tokens

Added by Bastian Waidelich about 1 year ago. Updated about 1 year ago.

Status:

Resolved

Start date:

2012-05-09

Priority:

Should have

Due date:

Assignee:

Bastian Waidelich

% Done:

100%

Category:

Security

Target version:

TYPO3 Flow Base Distribution - 1.1 beta 1

PHP Version:

Complexity:

Has patch:

FLOW3 version affected:

Git master

Votes:

Description

Currently the security context passes the HTTP Request to TokenInterface::updateCredentials() in updateTokens().

This has the disadvantage that authentication tokens can only access raw GET / POST parameters from the HTTP request. Arguments that are only available through routing are not accessible.

Take for example a token based authentication mechanism:

Routes.yaml:

1 -
2   uriPattern: 'aproveToken/{__authentication.Some.Package.Authentication.AuthenticationKey.code}'
3   defaults:
4     '@package':    'Some.Package'
5     '@controller': 'Some'
6     '@action':     'aproveToken'

in the authentication token there is no way to access the "__authentication.Some.Package.Authentication.AuthenticationKey.code" argument.

Associated revisions

Revision 2aa6a024
Added by Bastian Waidelich about 1 year ago

[BUGFIX] Use ActionRequest to validate authentication tokens

Currently the security context passes the HTTP Request to
TokenInterface::updateCredentials() in updateTokens().
This has the disadvantage that authentication tokens can
only access raw GET / POST parameters from the HTTP request.
Arguments that are only available through routing are not accessible.

This change adjusts Security/Context, TokenInterface and the provided
implementations accordingly.

Change-Id: I8937d044a7837d8db0fdca342fd7b94d2eadd0ad
Fixes: #36997
Releases: 1.1

Revision bbdafabc
Added by Karsten Dambekalns about 1 year ago

[BUGFIX] Use ActionRequest to validate PasswordToken

The (new) PasswordToken was not included in the fix for #36997.

Change-Id: I6c9792669c52200dacf58ca08f9a94f7d35edbcd
Related: #36997
Releases: 1.1

History

#1
Updated by Gerrit Code Review about 1 year ago

Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#2
Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#3
Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#4
Updated by Bastian Waidelich about 1 year ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset 2aa6a02414916d7f7725b0aa83a3b6fb63dc9568.

Also available in: Atom PDF

Issues

Custom queries

Bug #36997

Use ActionRequest to validate authentication tokens

Associated revisions

History

#1
Updated by Gerrit Code Review about 1 year ago

#2
Updated by Gerrit Code Review about 1 year ago

#3
Updated by Gerrit Code Review about 1 year ago

#4
Updated by Bastian Waidelich about 1 year ago

TYPO3.Flow

Issues

Custom queries

Bug #36997

Use ActionRequest to validate authentication tokens

Associated revisions

History

#1 Updated by Gerrit Code Review about 1 year ago

#2 Updated by Gerrit Code Review about 1 year ago

#3 Updated by Gerrit Code Review about 1 year ago

#4 Updated by Bastian Waidelich about 1 year ago

#1
Updated by Gerrit Code Review about 1 year ago

#2
Updated by Gerrit Code Review about 1 year ago

#3
Updated by Gerrit Code Review about 1 year ago

#4
Updated by Bastian Waidelich about 1 year ago