Project

General

Profile

Actions
Copy link

Bug #103569

open
« Previous | Next »

Time-of-check vs. time-of-use bug in TYPO3\CMS\Core\FormProtection\FormProtectionFactory

Added by Christian Spoo about 1 month ago. Updated 28 days ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Caching
Target version:
next-patchlevel
Start date:
2024-04-08
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
no-brainer
Is Regression:
Sprint Focus:

Description

FormProtectionFactory tries to cache form protection instances by storing them in a cache pool. However, after creating a new form projection object in FormProtectionFactory::createForType() it immediately makes a second trip to the cache to fetch the newly stored object. This makes this method vulnerable to a race condition. Instead, it should return the created object itself without an additional cache fetch (which is unnecessary here, btw).

        $classNameAndConstructorArguments = $this->getClassNameAndConstructorArguments($type, $GLOBALS['TYPO3_REQUEST'] ?? null);
        $this->runtimeCache->set($identifier, $this->createInstance(...$classNameAndConstructorArguments));
        return $this->runtimeCache->get($identifier);

should rather be

        $classNameAndConstructorArguments = $this->getClassNameAndConstructorArguments($type, $GLOBALS['TYPO3_REQUEST'] ?? null);
        $formProtection = $this->createInstance(...$classNameAndConstructorArguments);
        $this->runtimeCache->set($identifier, $formProtection);
        return $formProtection;

You can verify correct behaviour by switching the cache backend to the NullBackend that will immediately forget the stored object.

Actions
Copy link

Also available in: Atom PDF