Bug #23521

closed

Flash Uploader does not work if cookieHttpOnly is enabled

Added by Oliver Hader over 13 years ago. Updated about 11 years ago.

Status: Rejected
Priority: Should have
Category: -
Target version: -
Start date: 2010-09-09
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The Flash Uploader does not work if the TYPO3_CONF_VARS setting "cookieHttpOnly" is enabled. After uploading a file, the uploader just shows a "303" error.

"303" is an HTTP status code and indicates that there was a redirect, since the backend user could not be authorized to access the TYPO3 backend.

(issue imported from #M15673)

Files

0015673.patch (5.6 KB), Administrator Admin, 2010-09-09 13:17
0015673_v2_44.patch (4.07 KB), Administrator Admin, 2010-09-09 14:39
0015673_v2_trunk.patch (4.05 KB), Administrator Admin, 2010-09-09 14:39
0015673_v2_43.patch (4.4 KB), Administrator Admin, 2010-09-09 14:49
23521_v3_45.diff (1.45 KB), Helmut Hummel, 2012-01-15 12:38

Related issues: 4 (0 open, 4 closed)

Related to TYPO3 Core - Bug #22185: Flash Uploader not working in FF, SF and Iron when Tortoise SVN is installed (Closed, Steffen Gebert, 2010-02-25)
Related to TYPO3 Core - Feature #24647: Enable cookieHttpOnly by default (Closed, Christian Kuhn, 2011-01-18)
Has duplicate TYPO3 Core - Bug #23419: Flash uploader doesn't work with cookieHttpOnly (Closed, Oliver Hader, 2010-08-22)
Has duplicate TYPO3 Core - Bug #24654: Do not enable FlashUploader wenn cookieHttpOnly is set (Closed, Steffen Gebert, 2011-01-19)

Actions #1

Updated by Oliver Hader over 13 years ago

Find a first version for TYPO3 4.5 attached...
Still some work needs to be done to define the general concept of the new veriHash (also the name is not optimal yet)...

Actions #2

Updated by Oliver Hader over 13 years ago

Attached new patches that work without changes to the database.
However, I'm not sure whether DBAL can handle "MD5" correctly back in TYPO3_4-3...

Actions #3

Updated by Oliver Hader over 13 years ago

MD5 cannot be handled by DBAL, so we have to store the hash used for looking up records in the database as well (which means that we cannot have a fix for already released TYPO3 versions). Furthermore it must be ensured that no new cookie will be set (since it transfers the session id in an unwanted scenario).

Actions #4

Updated by Peter Russ over 13 years ago

Patch v2_43 is not working in IE or FF. In both browsers: no upload, HTTP error 303 and logout from BE.

Actions #5

Updated by Janos over 13 years ago

Tested patch 0015673_v2_44.patch
Worked on:
FF 3.6.12
Chrome 7.0.....

For IE 8 I have the old, non-JS/Flash upload system!? But I am not sure whether this depends on a misconfigured IE.

Actions #6

Updated by Helmut Hummel over 13 years ago

With this patch it is possible to get a valid session by knowing the idHash value. Thus the idHash is the new session id transmitted by GET.

Would be better to create one time tokens instead (like in the new CSRF protection in 4.5)

Actions #7

Updated by Helmut Hummel over 12 years ago

Even better just send the session id as a post value

Actions #8

Updated by Helmut Hummel over 12 years ago

Hm, actually my suggestion is equal to Olly's but just straightforwardly uses the session id, not a hash of it. But I think that's still OK.

Actions #9

Updated by Steffen Müller about 12 years ago

@Helmut: Any news from Amir about your solution? He promised to give feedback.

Actions #10

Updated by Gerrit Code Review almost 12 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11124

Actions #11

Updated by Gerrit Code Review almost 12 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11124

Actions #12

Updated by Helmut Hummel almost 12 years ago

Steffen Müller wrote:

@Helmut: Any news from Amir about your solution? He promised to give feedback.

Unfortunately not. However I figured out, why this might not be a good idea to do so :(

The idea of setting http_only to the cookie is to disallow JavaScript access to the cookie, which basically holds the session id.

If we now output it in the HTML, then the id is accessible again through JavaScript which will cancel the http_only protection of the cookie.

I have now no idea any more how to solve this.
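
The one-time token Helmut proposes in #6, which also addresses the concern in #12 that anything printed into the page is readable by JavaScript: an added Python sketch, not TYPO3 code, in which the upload request carries only a short-lived, single-use token bound to the backend session, so a leaked token exposes neither the session id nor a reusable credential. The class and field names, the TTL and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time


class UploadTokenIssuer:
    """Single-use upload tokens that replace the session cookie for one request.

    Assumed design, not TYPO3 code: the upload request carries only the token
    (as a POST field), never the session id. The server keeps a lookup hash of
    the token, the backend session it belongs to and an expiry; the token is
    consumed on first use. A token that leaks through page HTML or JavaScript
    therefore neither reveals the session id nor stays valid after one upload.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._store = {}             # lookup_hash -> (session_id, expires_at)

    @staticmethod
    def _lookup_hash(token):
        # Only the hash is stored (cf. note #3), so a copy of the table
        # cannot be replayed as a token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, session_id):
        """Mint a token for the authenticated backend session rendering the page."""
        token = secrets.token_urlsafe(32)
        self._store[self._lookup_hash(token)] = (session_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the session id an upload is attributed to, or None.

        The token is removed on first presentation whether or not it was still
        valid, and no new session or cookie is created here (cf. note #3).
        """
        entry = self._store.pop(self._lookup_hash(token), None)
        if entry is None:
            return None
        session_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return session_id

    def purge_expired(self):
        """Housekeeping: drop tokens that were never redeemed; returns count kept."""
        now = self._clock()
        self._store = {k: v for k, v in self._store.items() if v[1] >= now}
        return len(self._store)
```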

Actions #13

Updated by Florian Seirer over 11 years ago

Just an idea (and it may sound silly), and I know this would be more work than just "fixing a bug":

Does the uploader have to rely on Flash? Or is there another, better, HTML5-kind-of way of uploading files to TYPO3?

Actions #14

Updated by Steffen Gebert over 11 years ago

Not silly at all. We have an HTML5 version already in TCEforms. There were also prototypes of plupload available.

Actions #15

Updated by Lorenz Ulrich about 11 years ago

Since the patch was abandoned, I suggest to close this issue as not fixable.

Actions #16

Updated by Steffen Gebert about 11 years ago

  • Status changed from Under Review to Rejected
  • Assignee changed from Oliver Hader to Steffen Gebert