Bug #27798

CSRF protection not working for forms in a plugin

Added by Karsten Dambekalns about 10 years ago. Updated about 8 years ago.

Status:
Accepted
Priority:
Must have
Assignee:
-
Category:
Security
Start date:
2011-07-01
Due date:
% Done:

0%

Estimated time:
PHP Version:
Has patch:
No
Complexity:
hard

Description

The CsrfProtectionAspect looks for package, subpackage, ... in the $arguments array, but for the request shown in the attached screenshot the information is one level below...


Files

plugin_-_csrf_-_arguments.png (468 KB) Karsten Dambekalns, 2011-07-01 16:33

Related issues

Has duplicate TYPO3.Flow - Bug #35720: Access denied Exception for widget links to actions with a policy (New, 2012-04-05)

Has duplicate TYPO3.Fluid - Bug #47078: widget.uri/linkViewHelpers fail with CSRF protection (Closed, 2013-04-09)
#1

Updated by Karsten Dambekalns almost 10 years ago

  • Target version deleted (1230)
#3

Updated by Bastian Waidelich over 9 years ago

  • Has patch set to No

They also do not work in widget (e.g. pagination does not work in protected actions!)

#4

Updated by Karsten Dambekalns about 9 years ago

  • Assignee deleted (Andreas Förthner)
  • Target version set to 1.1
#5

Updated by Bastian Waidelich about 9 years ago

  • Complexity set to hard

This is probably quite hard to solve because we needed to check all actions of a request and its sub requests. In Phoenix this could be as nested as:

FrontendNodeController::showAction() -> Plugin::fooAction() -> Widget::barAction()

As an intermediate workaround one can add the @FLOW3\SkipCsrfProtection annotation to the affected actions, as the CSRF token is there to prevent someone from sending a link that submits/changes data on the server with an elevated permission level. So usually that is only relevant for "writing" actions (and those shouldn't contain pagination).

If this doesn't make it into 1.1 I'll take care of adding the above hint to the exception message.
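The following PHP is an added example, not code from TYPO3 Flow / FLOW3 or from this ticket's authors. It shows the shape of the check comment #5 describes and the description hints at: instead of reading package, subpackage, controller and action only from the top level of the arguments array, walk the nested plugin and widget sub-requests too, so a protected action reached through a sub-request is covered. The argument key names ('@package', '@action', ...), the '--name' sub-request namespaces, the '__csrfToken' field and the "Package\Controller::action" identifiers are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 Flow / FLOW3 code). Key names and the '--name'
// namespace convention for sub-requests are assumptions for this example.

/**
 * Return one entry per request level that names a controller action. Nested
 * sub-requests are assumed to be sub-arrays stored under a key starting with '--'.
 */
function collectTargetedActions(array $arguments, string $path = '<root>'): array
{
    $targets = [];
    if (isset($arguments['@action'])) {
        $targets[] = [
            'path'       => $path,
            'package'    => $arguments['@package'] ?? null,
            'subpackage' => $arguments['@subpackage'] ?? null,
            'controller' => $arguments['@controller'] ?? null,
            'action'     => (string) $arguments['@action'],
        ];
    }
    foreach ($arguments as $key => $value) {
        // Recurse into every sub-request namespace, however deeply it is nested.
        if (is_array($value) && strncmp((string) $key, '--', 2) === 0) {
            $targets = array_merge($targets, collectTargetedActions($value, $path . '/' . $key));
        }
    }
    return $targets;
}

/**
 * List every level of the request that targets a protected action and is not
 * explicitly exempted (the equivalent of the SkipCsrfProtection annotation).
 * $protected and $skipped hold "Package\Controller::action" strings.
 */
function actionsRequiringCsrfToken(array $arguments, array $protected, array $skipped): array
{
    $requiring = [];
    foreach (collectTargetedActions($arguments) as $target) {
        $id = sprintf('%s\\%s::%s', $target['package'], $target['controller'], $target['action']);
        if (in_array($id, $protected, true) && !in_array($id, $skipped, true)) {
            $requiring[] = $target['path'] . ' -> ' . $id;
        }
    }
    return $requiring;
}

/** Constant-time comparison of the submitted token with the session's token. */
function csrfTokenIsValid(array $arguments, string $sessionToken): bool
{
    $submitted = $arguments['__csrfToken'] ?? '';
    return is_string($submitted) && $submitted !== '' && hash_equals($sessionToken, $submitted);
}

// Constructed sample request: a page action embedding two plugins; one plugin
// submits a form (writing action), the other lists items with a paginating widget.
$arguments = [
    '@package' => 'Acme.Site', '@controller' => 'Frontend', '@action' => 'show',
    '--acme_form' => [
        '@package' => 'Acme.Plugin', '@controller' => 'Item', '@action' => 'update', 'item' => '42',
    ],
    '--acme_list' => [
        '@package' => 'Acme.Plugin', '@controller' => 'Item', '@action' => 'list',
        '--paginate' => [
            '@package' => 'Acme.Widgets', '@controller' => 'Paginate', '@action' => 'index', 'currentPage' => '3',
        ],
    ],
];
$protected = ['Acme.Plugin\Item::update', 'Acme.Widgets\Paginate::index'];
// Read-only widget action exempted, as comment #5 suggests for pagination.
$skipped   = ['Acme.Widgets\Paginate::index'];

$needs = actionsRequiringCsrfToken($arguments, $protected, $skipped);
// $needs holds '<root>/--acme_form -> Acme.Plugin\Item::update'. A check that only
// looks at the top level would see Frontend::show and never ask for a token.
if ($needs !== [] && !csrfTokenIsValid($arguments, 'session-token-placeholder')) {
    echo 'CSRF token missing or invalid for: ' . implode(', ', $needs) . PHP_EOL;
}
```

The point of the recursion is that a single request can target several actions at once, and the token requirement has to be the union over all of them; exempting read-only widget actions keeps pagination usable without dropping the check for the writing action beside it.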

#6

Updated by Karsten Dambekalns about 9 years ago

  • Status changed from New to Needs Feedback
  • Assignee set to Bastian Waidelich
  • Target version changed from 1.1 to 2.0 beta 1

Hi Bastian.

Bastian Waidelich wrote:

If this doesn't make it into 1.1 I'll take care of adding the above hint to the exception message.

Could you do this now?

#7

Updated by Bastian Waidelich about 9 years ago

  • Status changed from Needs Feedback to Accepted

Karsten Dambekalns wrote:

Could you do this now?

I'll try. The challenge: We don't throw an exception yet. Instead this is the only(?) place where we die with "Access denied!" - But this should be improved anyways IMO.

#8

Updated by Bastian Waidelich about 9 years ago

  • Assignee deleted (Bastian Waidelich)

Bastian Waidelich wrote:

Karsten Dambekalns wrote:

Could you do this now?

I'll try.

See https://review.typo3.org/#/c/12774 for a first work-around (not the final solution)

#9

Updated by David Sporer almost 9 years ago

Sorry stupid question...
I've deleted it.

#10

Updated by Karsten Dambekalns almost 9 years ago

  • Target version changed from 2.0 beta 1 to 2.0
#11

Updated by Karsten Dambekalns about 8 years ago

  • Target version changed from 2.0 to 2.0.1
