Bug #24671

Protect C(R)UD actions against CSRF

Added by Helmut Hummel about 10 years ago. Updated about 10 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2011-01-20
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Problem:
We have a form protection framework, but currently it is only used to protect the user setup.

Solution:
Implement it for all actions where data is created, updated or deleted.

Notes:
The protection (check) has been implemented in the following places:
  • alt_doc.php (which is the main editing frame if you open a record)
  • tce_db.php (script that renders nothing, but accepts parameters and hands them over to TCEmain)
  • extDirect router (This affects all Ext modules doing CRUD actions)

Please test as much as you can, including the following:

  • clipboard
  • clear cache menu
  • page module (save/ delete/ move records)
  • move wizard
  • all context menus (not new pagetree)
  • alt_doc.php (save/ delete/ move records)
  • taskcenter search (sql query)
  • lowlevel search
  • new pagetree
  • recycler
  • workspace module

Please report if something does not work any more after applying this patch, especially if you get a flash message stating "Validating the security token of this form has failed. Please reload the form and submit it again."

Some things are not optimal (like updating the token for the clear cache menu, or the ExtDirect only using one single token until the page is reloaded), but still it is better (more secure) than before.

Also, things are missing:
  • IRRE needs to be checked and secured
  • file operations need to be secured

I will work on the missing things tomorrow and submit another RFC

(issue imported from #M17153)
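The check described in the notes above (a token that the server renders into a form and verifies before handing the submitted parameters to the data handler), as an added example that is not TYPO3's own t3lib_formprotection code: it uses stateless HMAC tokens derived from a per-login session secret, so nothing per token has to be persisted and the ExtDirect-style "one token until reload" case does not need a token store. The class, function and parameter names (FormTokenGuard, handleDataAction, formToken) and the sample request arrays are assumptions made for this illustration.

```php
<?php
// Added illustration, not TYPO3's t3lib_formprotection implementation.
// Stateless HMAC form tokens: a per-login session secret (assumed to live
// in the backend session) keys an HMAC over the form name and, optionally,
// a form instance such as "tt_content:42". Nothing per token is stored.

declare(strict_types=1);

final class FormTokenGuard
{
    private string $sessionSecret;

    public function __construct(string $sessionSecret)
    {
        $this->sessionSecret = $sessionSecret;
    }

    // Generated once per login; rotating it invalidates every open form.
    public static function newSessionSecret(): string
    {
        return bin2hex(random_bytes(32));
    }

    // Token bound to form name + instance, so a token for one form cannot
    // be replayed against another.
    public function generate(string $formName, string $formInstance = ''): string
    {
        return hash_hmac('sha256', $formName . "\0" . $formInstance, $this->sessionSecret);
    }

    // Constant-time comparison; false for a missing, malformed or wrong token.
    public function validate(?string $token, string $formName, string $formInstance = ''): bool
    {
        if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
            return false;
        }
        return hash_equals($this->generate($formName, $formInstance), $token);
    }
}

// Hypothetical handler standing in for a tce_db.php-style endpoint: renders
// nothing, accepts parameters, and only passes them on once the token check
// has succeeded.
function handleDataAction(FormTokenGuard $guard, array $request): array
{
    if (!$guard->validate($request['formToken'] ?? null, 'tceAction')) {
        return [
            'ok' => false,
            'message' => 'Validating the security token of this form has failed. '
                . 'Please reload the form and submit it again.',
        ];
    }
    // Hand $request['cmd'] / $request['data'] to the data handler here.
    return ['ok' => true, 'cmd' => $request['cmd'] ?? []];
}

// Constructed sample requests.
$guard = new FormTokenGuard(FormTokenGuard::newSessionSecret());

// Legitimate submit: the token came from a form the server rendered.
$legit = handleDataAction($guard, [
    'formToken' => $guard->generate('tceAction'),
    'cmd' => ['tt_content' => [42 => ['delete' => 1]]],
]);

// Cross-site request: the attacker's page cannot compute the token
// because it never sees the session secret.
$forged = handleDataAction($guard, [
    'cmd' => ['tt_content' => [42 => ['delete' => 1]]],
]);

// Token copied from a different form (wrong binding) is rejected as well.
$wrongForm = handleDataAction($guard, [
    'formToken' => $guard->generate('userSetup'),
    'cmd' => [],
]);

foreach (['legit' => $legit, 'forged' => $forged, 'wrongForm' => $wrongForm] as $label => $result) {
    echo $label, ': ', $result['ok'] ? 'accepted' : 'rejected', PHP_EOL;
}
```

The trade-off in this design is that tokens are not single-use: a token stays valid until the session secret rotates (for example on logout or re-login), which is the same weakening the notes above accept for the clear cache menu and ExtDirect. In exchange there is no token table to persist, lock, or prune, so the race and load problems a stored-token approach can run into do not arise.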


Related issues

  • Related to TYPO3 Core - Feature #24099: Use the form protection API to implement the CSRF protection (1) (Closed, Ernesto Baschny, 2010-11-17)
  • Related to TYPO3 Core - Bug #24689: In the user settings module, saving form data is not possible if simulate user option is used. (Closed, Ernesto Baschny, 2011-01-20)
  • Related to TYPO3 Core - Bug #24699: Livesearch doesn't work anymore because of CSRF (Closed, Helmut Hummel, 2011-01-21)
  • Related to TYPO3 Core - Bug #24702: CSRF protection in Template module (Closed, Helmut Hummel, 2011-01-21)
  • Related to TYPO3 Core - Bug #24713: The unit test for t3lib_formprotection_BackendFormProtection is broken (Closed, Ernesto Baschny, 2011-01-21)
  • Related to TYPO3 Core - Bug #24715: The ExtDirect token needs to be regenerated after relogin by popup window (Closed, Helmut Hummel, 2011-01-22)
  • Related to TYPO3 Core - Bug #24697: CSRF protection in frontend for ExtDirect is missing (Closed, 2011-01-21)
  • Related to TYPO3 Core - Bug #24755: Re: issue #24715 - problem still exists in 4.5.0rc1 (Closed, 2011-01-23)
  • Related to TYPO3 Core - Bug #24779: CSRF protection not implemented in wizards (Closed, 2011-01-24)
  • Related to TYPO3 Core - Bug #24786: Formprotection persistToken method is called too often, causing unnecessary DB-load (Closed, Ernesto Baschny, 2011-01-25)
  • Related to TYPO3 Core - Bug #24790: Form protection tokens get lost because of a race condition when persisting tokens (Closed, Ernesto Baschny, 2011-01-25)
  • Related to TYPO3 Core - Bug #24800: CSRF token invalid error when using the clickmenu in record list to delete a record. (Closed, Steffen Kamper, 2011-01-25)
  • Related to TYPO3 Core - Bug #24805: Login/ Logout was not possible after introducing the locking in #24790 (Closed, Ernesto Baschny, 2011-01-25)
  • Related to TYPO3 Core - Bug #24808: Unnecessary message about security token (Closed, Helmut Hummel, 2011-01-25)
  • Related to TYPO3 Core - Bug #24799: Unable to set new Install Tool Password (Closed, Steffen Kamper, 2011-01-25)
  • Related to TYPO3 Core - Bug #24873: Open forms cannot be saved after "Relogin" (Security Token errors) (Closed, Steffen Kamper, 2011-01-28)
  • Related to TYPO3 Core - Bug #24922: Problem with CSRF Protection: Changing access permissions on a sys folder to include a user group (Closed, 2011-02-01)
  • Related to TYPO3 Core - Bug #24962: After introducing the locking in #24790 no CSRF token will ever be deleted (Closed, Helmut Hummel, 2011-02-04)
  • Related to TYPO3 Core - Bug #24963: Can't copy/cut + paste records due to security token-blocking (Closed, 2011-02-04)
  • Related to TYPO3 Core - Bug #24969: "Invalid Security Token" in List Module (Closed, 2011-02-06)
  • Related to TYPO3 Core - Bug #25251: Edit of Usergroup not possible after upgrade from 4.3.9 to 4.5 (Closed, 2011-03-03)
  • Related to TYPO3 Core - Bug #25164: Copy & Paste: "Validating the security token of this form has failed. Please reload the form and submit it again." (Closed, 2011-02-24)
  • Related to TYPO3 Core - Bug #25359: Essential form protection tokens are dropped when being logged in for a "long" time (Closed, Helmut Hummel, 2011-03-20)

#1

Updated by Ernesto Baschny about 10 years ago

Committed to trunk (rev. 10161).

#2

Updated by Susanne Moog about 10 years ago

  • Target version deleted (4.5.0)
