Project

General

Profile

Actions

Bug #102438

closed

CSP-Errors after update to 12.4.8

Added by Michael Binder about 1 year ago. Updated 5 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2023-11-21
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
12
PHP Version:
8.1
Tags:
CSP
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

After updating from 12.4.7 to 12.4.8, I am getting CSP error messages, which means that my integrated JavaScripts are no longer running correctly.
I have noticed this behaviour in Fluid with '<f:asset.script useNonce="true"', with the TypoScript integration includeJS(Footer) and via reloaded content from a GoogleMaps integration. All three work correctly after downgrading to version 12.4.7.

If I use Fluid with '<f:asset.script nonce="{f:security.nonce()}"', the integration works without CSP error messages. Of course, this does not work with the GoogleMaps plugin.

Is there anything else I need to set in the CSP config with the new version?


Related issues 3 (0 open3 closed)

Related to TYPO3 Core - Bug #102460: Incorrect CSP nonce on additional steps and the confirmation message of the formClosed2023-11-22

Actions
Related to TYPO3 Core - Task #101751: Use ConsumableNonce instead of blunt Nonce in CSP contextClosedOliver Hader2023-08-25

Actions
Related to TYPO3 Core - Task #102620: Add strict parameter to base64url decodeClosed2023-12-06

Actions
Actions #1

Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81841

Actions #2

Updated by Michael Binder about 1 year ago

I think the problem is that the call $this->setNonce(new ConsumableNonce($value)); in the function updateState in typo3/cms-core/Classes/Page/PageRenderer.php is no longer set directly as a value with the ConsumableString as before, but is first encoded with base64urlEncode.

I have written a patch that only uses base64urlEncode if there is no nonce. Otherwise, the nonce may no longer fit.
With the patch all my error cases are fixed.

Actions #3

Updated by Oliver Hader about 1 year ago

Can you please provide the CSP error message shown in the browser console?

Actions #4

Updated by Benjamin Robinson about 1 year ago

  • Related to Bug #102460: Incorrect CSP nonce on additional steps and the confirmation message of the form added
Actions #5

Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81841

Actions #6

Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/81893

Actions #7

Updated by Oliver Hader about 1 year ago

  • Related to Task #101751: Use ConsumableNonce instead of blunt Nonce in CSP context added
Actions #8

Updated by Oliver Hader about 1 year ago

  • Is Regression set to Yes
Actions #9

Updated by Oliver Hader about 1 year ago · Edited

Almost merged. I'm confirming it was a regression of #101751

Actions #10

Updated by Michael Binder about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #11

Updated by Emil Angelov 12 months ago

As I've discovered and fixed the issue separately, I just wanted to mention that you may want to consider a fix that truly prevents double base64 encoding by checking whether the provided value is a valid base64 string. Here is a complete example:

if ($nonce === null || strlen($nonce) < self::MIN_BYTES) {
    $this->b64 = StringUtility::base64urlEncode(random_bytes(self::MIN_BYTES));
    // Prevents double base64 encoding
} elseif (base64_decode(strtr($nonce, ['-' => '+', '_' => '/']), true)) {
    $this->b64 = $nonce;
} else {
    $this->b64 = StringUtility::base64urlEncode($nonce);
}

For consistency reasons, you would probably want to extend TYPO3\CMS\Core\Utility\StringUtility::base64urlDecode with a second boolean parameter called $strict and then pass it to the built-in PHP base64_decode.

Actions #12

Updated by Oliver Hader 12 months ago

I've created a new issue for the strict base64urlDecodehttps://forge.typo3.org/issues/102620

Actions #13

Updated by Oliver Hader 12 months ago

  • Related to Task #102620: Add strict parameter to base64url decode added
Actions #14

Updated by Benni Mack 5 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF