Bug #23521

Flash Uploader does not work if cookieHttpOnly is enabled

Added by Oliver Hader about 9 years ago. Updated over 6 years ago.

Status:
Rejected
Priority:
Should have
Category:
-
Target version:
-
Start date:
2010-09-09
Due date:
% Done:

0%

TYPO3 Version:
4.5
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The Flash Uploader does not work if the TYPO3_CONF_VARS setting "cookieHttpOnly" is enabled. After uploading a file, the uploader just shows a "303" error.

"303" is an HTTP status code and indicates that there was a redirect, since the backend user could not be authorized to have access to the TYPO3 backend.

(issue imported from #M15673)

0015673.patch View (5.6 KB) Administrator Admin, 2010-09-09 13:17

0015673_v2_44.patch View (4.07 KB) Administrator Admin, 2010-09-09 14:39

0015673_v2_trunk.patch View (4.05 KB) Administrator Admin, 2010-09-09 14:39

0015673_v2_43.patch View (4.4 KB) Administrator Admin, 2010-09-09 14:49

23521_v3_45.diff View (1.45 KB) Helmut Hummel, 2012-01-15 12:38


Related issues

Related to TYPO3 Core - Bug #22185: Flash Uploader not working in FF, SF and Iron when Tortoise SVN is installed Closed 2010-02-25
Related to TYPO3 Core - Feature #24647: Enable cookieHttpOnly by default Closed 2011-01-18
Duplicated by TYPO3 Core - Bug #23419: Flash uploader doesn't work with cookieHttpOnly Closed 2010-08-22
Duplicated by TYPO3 Core - Bug #24654: Do not enable FlashUploader wenn cookieHttpOnly is set Closed 2011-01-19

History

#1 Updated by Oliver Hader about 9 years ago

Find a first version for TYPO3 4.5 attached...
Still some work needs to be done to define the general concept of the new veriHash (also the name is not optimal yet)...

#2 Updated by Oliver Hader about 9 years ago

Attached new patches that work without changes to the database.
However, I'm not sure whether DBAL can handle "MD5" correctly back in TYPO3_4-3...

#3 Updated by Oliver Hader about 9 years ago

MD5 cannot be handled by DBAL, so we have to store the hash used for looking up records in the database as well (which means that we cannot have a fix for already released TYPO3 versions). Furthermore it must be ensured that no new cookie will be set (since it transfers the session id in an unwanted scenario).

#4 Updated by Peter Russ about 9 years ago

Patch v2_43 is not working in either IE or FF. In both browsers: no upload, HTTP error 303 and logout from BE.

#5 Updated by Janos almost 9 years ago

Tested patch 0015673_v2_44.patch
Worked on:
FF 3.6.12
Chrome 7.0.....

For IE 8 I have the old, non-JS/Flash upload system!? But I am not sure whether this depends on the non- or misconfigured IE.

#6 Updated by Helmut Hummel over 8 years ago

With this patch it is possible to get a valid session by knowing the idHash value. Thus the idHash is the new session id transmitted by GET.

Would be better to create one time tokens instead (like in the new CSRF protection in 4.5)

#7 Updated by Helmut Hummel over 7 years ago

Even better just send the session id as a post value

#8 Updated by Helmut Hummel over 7 years ago

Hm, actually my suggestion is equal to Olly's, but it just straightforwardly uses the session id, not a hash of it. But I think that's still OK.

#9 Updated by Steffen Müller over 7 years ago

@Helmut: Any news from Amir about your solution? He promised to give feedback.

#10 Updated by Gerrit Code Review over 7 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11124

#11 Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11124

#12 Updated by Helmut Hummel over 7 years ago

Steffen Müller wrote:

@Helmut: Any news from Amir about your solution? He promised to give feedback.

Unfortunately not. However I figured out, why this might not be a good idea to do so :(

The idea of setting http_only to the cookie is to disallow JavaScript access to the cookie, which basically holds the session id.

If we now output it in the HTML, then the id is accessible again through JavaScript which will cancel the http_only protection of the cookie.

I have now no idea any more how to solve this.
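The two design points raised in comments #6 and #12 (a value that is equivalent to the session id must not be handed to the uploader, and a one-time token would expose less) can be made concrete in a few lines. The following is an added illustration written for this page, not TYPO3 code and not any of the attached patches; the names SessionStore, auth_by_session_param, issue_upload_token and redeem_upload_token are assumptions, and the session table is an in-memory stand-in constructed for the example.

```python
"""Added example, not TYPO3 code: why resending the session id (or an equivalent
hash) defeats cookieHttpOnly, and what a single-use upload token looks like instead.
All names below are assumptions made for this illustration."""
import secrets
import time


class SessionStore:
    """In-memory stand-in for the backend session table (constructed for this example)."""

    def __init__(self):
        self.sessions = {}        # session id -> backend user name
        self.upload_tokens = {}   # token -> {"sid": ..., "expires": ..., "used": ...}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        # The real server would send this as "Set-Cookie: be_typo_user=<sid>; HttpOnly".
        return sid


def auth_by_session_param(store, sid_param):
    """Essence of the rejected approach: the page embeds the session id (or a value
    that the server maps back to the session) so the Flash movie can resend it as a
    request parameter, and the server accepts that parameter in place of the cookie.
    Any script that can read the page's HTML now holds a full backend session."""
    return store.sessions.get(sid_param)


def issue_upload_token(store, sid, now=None, ttl=300):
    """Mint a random, single-use token bound to an existing session.  Only this
    token is embedded in the page; it is not derived from the session id."""
    if sid not in store.sessions:
        raise PermissionError("no such session")
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    store.upload_tokens[token] = {"sid": sid, "expires": now + ttl, "used": False}
    return token


def redeem_upload_token(store, token, now=None):
    """Called by the upload endpoint only.  Returns the user the upload belongs to,
    or None if the token is unknown, already used, expired, or its session is gone."""
    if now is None:
        now = time.time()
    entry = store.upload_tokens.get(token)
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True                       # one shot: a replay fails
    return store.sessions.get(entry["sid"])    # logout invalidates the token too


def exposure_comparison(now=1000):
    """Return what an attacker who read the page gains under each design."""
    store = SessionStore()
    sid = store.login("admin")
    token = issue_upload_token(store, sid, now=now)
    return {
        # rejected design: the embedded value is the session itself
        "session_param_grants_session": auth_by_session_param(store, sid) == "admin",
        # token design: the embedded value is not usable as a session
        "token_grants_session": auth_by_session_param(store, token) is not None,
        "token_reveals_sid": sid in token,
        "first_upload_ok": redeem_upload_token(store, token, now=now + 10) == "admin",
        "replay_ok": redeem_upload_token(store, token, now=now + 20) is not None,
    }
```

The token narrows what an XSS payload or a leaked request log can do (one upload, within the TTL, against the upload endpoint) but does not remove the exposure: whatever is embedded in the HTML is readable by script, which is exactly the objection in comment #12. The point of the example is that the embedded value must not be the session id or anything the server maps back to a full session.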

#13 Updated by Florian Seirer about 7 years ago

Just an idea (and it may sound silly), and I know this would be more work than just "fixing a bug":

Does the uploader have to rely on Flash? Or is there another, better, HTML5-kind-of way of uploading files to TYPO3?

#14 Updated by Steffen Gebert about 7 years ago

Not silly at all. We have a HTML5 version already in TCEforms. There were also prototypes of plupload available.

#15 Updated by Lorenz Ulrich over 6 years ago

Since the patch was abandoned, I suggest to close this issue as not fixable.

#16 Updated by Steffen Gebert over 6 years ago

  • Status changed from Under Review to Rejected
  • Assignee changed from Oliver Hader to Steffen Gebert
