Bug #24790

closed

Form protection tokens get lost because of a race condition when persisting tokens

Added by Helmut Hummel about 13 years ago. Updated about 13 years ago.

Status: Closed
Priority: Should have
Category: -
Start date: 2011-01-25
% Done: 0%
TYPO3 Version: 4.5

Description

Problem:

If two (or more) scripts are executed (almost) at the same time, both scripts retrieve the same token array from the session. Both scripts will create new tokens independently. The script that is executed last will overwrite the tokens generated by the first script.

Solution:
Before writing all tokens back to the session we need to retrieve the current tokens from the session again and lock this for one process only.

How to test:
  • Apply the test patch
  • Reload the backend
  • Go to the file list module and wait until both frames have loaded
  • Hover over the help icon in the navigation frame

(issue imported from #M17289)
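
The lost update described above and the lock-then-re-read fix, as an added example that is not part of the original report and is not TYPO3's code. A JSON file stands in for the session; `TokenStore`, its methods and the frame names are hypothetical, and the two "requests" are interleaved by hand so the outcome is deterministic.

```php
<?php
// Added example: a JSON file stands in for the session data (all names are hypothetical).
final class TokenStore
{
    private array $tokens;      // snapshot read at request start
    private array $added = [];  // tokens created by this request only

    public function __construct(private string $file)
    {
        // This snapshot may already be stale by the time the request persists.
        $this->tokens = json_decode(file_get_contents($file) ?: '[]', true) ?: [];
    }

    public function add(string $id): void { $this->added[$id] = bin2hex(random_bytes(16)); }

    // Race-prone: writes the stale snapshot back, so the last writer wins.
    public function persistUnsafe(): void
    {
        file_put_contents($this->file, json_encode($this->added + $this->tokens));
    }

    // Fixed: take an exclusive lock, re-read the current state, merge, then write.
    public function persistLocked(): void
    {
        $fh = fopen($this->file, 'c+');
        if ($fh === false || !flock($fh, LOCK_EX)) {
            throw new RuntimeException('cannot lock token store');
        }
        $current = json_decode(stream_get_contents($fh) ?: '[]', true) ?: [];
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($this->added + $current));
        fclose($fh); // flushes the write and releases the lock
    }
}

$file = tempnam(sys_get_temp_dir(), 'tok');
foreach (['persistUnsafe', 'persistLocked'] as $persist) {
    file_put_contents($file, '{}');
    // Two requests (e.g. two backend frames) read the same snapshot before either writes.
    [$a, $b] = [new TokenStore($file), new TokenStore($file)];
    $a->add('frameA');
    $b->add('frameB');
    $a->$persist();
    $b->$persist();
    echo $persist, ': ', implode(',', array_keys(json_decode(file_get_contents($file), true))), PHP_EOL;
}
unlink($file);
```

With `persistUnsafe` only the second request's token survives; with `persistLocked` both do.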


Files

17289.diff (4.5 KB), Administrator Admin, 2011-01-25 10:39

Related issues 3 (0 open, 3 closed)

Related to TYPO3 Core - Bug #24671: Protect C(R)UD actions against CSRF (Closed, Ernesto Baschny, 2011-01-20)
Related to TYPO3 Core - Bug #24799: Unable to set new Install Tool Password (Closed, Steffen Kamper, 2011-01-25)
Related to TYPO3 Core - Bug #24962: After introducing the locking in #24790 no CSRF token will ever be deleted (Closed, Helmut Hummel, 2011-02-04)

#1

Updated by Ernesto Baschny about 13 years ago

Committed to trunk, rev. 10297.

#2

Updated by Oliver Hader about 13 years ago

Committed follow-up to trunk, rev. 10302 by Steffen Kamper
(Fixed bug with endless loop at login/logout)

-> will be part of TYPO3 4.5-RC3
