Bug #25859

CSRF protection does not work for methods that contain upper case characters

Added by Bastian Waidelich over 10 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Must have
Category:
Security
Target version:
-
Start date:
2011-04-08
Due date:
% Done:
100%

Estimated time:
PHP Version:
Has patch:
Complexity:

Description

I'm trying to protect all methods of certain controllers with the following policy rule:

resources:
  methods:
    F3_BccVoting_RestrictedControllers: 'class(F3\BccVoting\Controller\(Circular|Elector|Electorate)Controller)'

For some reason the FLOW3-CSRF-TOKEN is not attached to links pointing to F3\BccVoting\Controller\Elector::deleteAll(). When clicking the link, the "You are not allowed to perform this action." exception is thrown though.

The problem is probably, that the policy service does not detect the method in the CsrfProtectionAspect because it is lowercased somewhere.

#1

Updated by Andreas Förthner over 10 years ago

solution: all methods and classes should be stored and checked in lowercase in the security context...
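The mismatch described in the report and the fix proposed in #1, as an added example that is not FLOW3 code: a toy policy lookup keyed by class and method name, consulted once by the link builder (which, as the report suspects, receives a lowercased action name) and once by the enforcing aspect (which sees the method as declared). The class MethodPolicyDemo and the helpers linkNeedsToken() and requestAllowed() are invented for this illustration; the class and method names are taken from the report.

```php
<?php
// Added example (not FLOW3 code): a minimal stand-in for a policy lookup that
// decides (a) whether a link needs a FLOW3-CSRF-TOKEN and (b) whether a
// dispatched request must carry one. MethodPolicyDemo, linkNeedsToken() and
// requestAllowed() are assumptions made for this illustration.

class MethodPolicyDemo
{
    /** @var array<string, true> "class->method" keys built from the policy */
    private $protected = array();

    /** @var bool whether keys are normalized before storing and before lookup */
    private $normalize;

    public function __construct($normalize)
    {
        $this->normalize = $normalize;
    }

    private function key($class, $method)
    {
        $key = $class . '->' . $method;
        // PHP resolves class and method names case-insensitively, so nothing
        // guarantees which casing a component passes around. The only safe
        // choice is one canonical form, applied on both the store and the
        // lookup side.
        return $this->normalize ? strtolower($key) : $key;
    }

    public function protect($class, $method)
    {
        $this->protected[$this->key($class, $method)] = true;
    }

    public function isProtected($class, $method)
    {
        return isset($this->protected[$this->key($class, $method)]);
    }
}

// Two call sites of the same policy: the link builder sees the action name
// as handed over by routing (lowercased), the enforcing aspect sees the
// method name as declared on the controller.
function linkNeedsToken(MethodPolicyDemo $policy, $class, $actionFromRouting)
{
    return $policy->isProtected($class, $actionFromRouting);
}

function requestAllowed(MethodPolicyDemo $policy, $class, $declaredMethod, $tokenPresent)
{
    return !$policy->isProtected($class, $declaredMethod) || $tokenPresent;
}

$class = 'F3\\BccVoting\\Controller\\ElectorController';

foreach (array(false, true) as $normalize) {
    $policy = new MethodPolicyDemo($normalize);
    $policy->protect($class, 'deleteAll');              // as written in the policy

    $tokenAttached = linkNeedsToken($policy, $class, 'deleteall');    // lowercased upstream
    $allowed       = requestAllowed($policy, $class, 'deleteAll', $tokenAttached);

    printf(
        "normalize=%-5s token attached to link: %-5s request allowed: %s\n",
        var_export($normalize, true),
        var_export($tokenAttached, true),
        var_export($allowed, true)
    );
}
```

Run it with the php command-line interpreter. Without normalization the link-builder lookup reports that no token is needed, so the link is emitted without one, and the enforcing lookup then denies the request: the symptom in the description. With strtolower() applied in key() both call sites agree. The caveat for the real fix is the one in #1: the canonical form has to be applied when the policy is stored and at every lookup; normalizing at only one site, or comparing with strcasecmp() at one and === at another, reintroduces the same split.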

#2

Updated by Mr. Hudson over 10 years ago

Patch set 1 of change Ibae8ad81a7839c983b64bad86a8631c0176c59b1 has been pushed to the review server.
It is available at http://review.typo3.org/1543

#3

Updated by Mr. Hudson over 10 years ago

Patch set 2 of change Ibae8ad81a7839c983b64bad86a8631c0176c59b1 has been pushed to the review server.
It is available at http://review.typo3.org/1543

#4

Updated by Mr. Hudson over 10 years ago

Patch set 3 of change Ibae8ad81a7839c983b64bad86a8631c0176c59b1 has been pushed to the review server.
It is available at http://review.typo3.org/1543

#5

Updated by Bastian Waidelich over 10 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
