Bug #28257

Avoid credentials being stored in the request

Added by Bastian Waidelich about 10 years ago. Updated about 10 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2011-07-16
% Done: 100%

Description

When you authenticate using the PersistedUsernamePasswordProvider username & password are copied to the GET Arguments of the following request when used in SubRequests (plugins / widgets) because POST arguments are merged in the RequestBuilder. To avoid this, we should use "internal request arguments" for authentication (see #25802).

Concrete: The strings 'TYPO3.FLOW3.Security.Authentication.Token.UsernamePassword.username' and 'TYPO3.FLOW3.Security.Authentication.Token.UsernamePassword.password' in \TYPO3\FLOW3\Security\Authentication\Token\UsernamePassword::updateCredentials() should be replaced.
It could even be just __username & __password IMO.

Note: documentation and referring comments need to be adjusted. To avoid headache, the token could still check for the old post vars and throw an exception (in dev context) / create a log entry (in other contexts).

#1

Updated by Mr. Hudson about 10 years ago

  • Status changed from New to Under Review

Patch set 1 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375

#2

Updated by Mr. Hudson about 10 years ago

Patch set 2 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375

#3

Updated by Karsten Dambekalns about 10 years ago

Well, about the simple rename - we support multiple tokens and all that fuzz. So, wouldn't we need to be able to separate login data for different tokens / providers? Andreas, what do you think?

#4

Updated by Bastian Waidelich about 10 years ago

Karsten Dambekalns wrote:

Well, about the simple rename - we support multiple tokens and all that fuzz. [...]

Not sure.. but we could replace
<input type="text" name="TYPO3[FLOW3][Security][Authentication][Token][UsernamePassword][username]" ... />
with
<input type="text" name="__authentication[TYPO3.FLOW3][Security][Authentication][Token][UsernamePassword][username]" ... />

to make sure..
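The mechanism from the description and the `__authentication[...]` naming from comment #4, as an added illustration that is not FLOW3's own RequestBuilder code: a naive merge of GET and POST arguments lets the login fields propagate into a sub-request's (widget/plugin) link, whereas reserving a `__` prefix for internal arguments keeps them out of the argument bag that sub-requests inherit. The `buildArguments*` and `subRequestUri` functions and the sample values are constructed for this example.

```php
<?php
// Constructed sample of a login form POST using the field names from comment #4.
$postArguments = [
    '__authentication' => ['TYPO3.FLOW3' => ['Security' => ['Authentication' => ['Token' => ['UsernamePassword' => [
        'username' => 'alice', 'password' => 'hunter2',
    ]]]]]],
    'page' => '2',
];
$getArguments = ['id' => '42'];

/** Vulnerable shape: everything sent with the request lands in one plain argument bag. */
function buildArgumentsNaive(array $get, array $post): array {
    return array_merge_recursive($get, $post);
}

/**
 * Hardened shape: top-level keys starting with "__" (e.g. "__authentication") are
 * moved to a separate internal bag that sub-requests and URI builders never see.
 */
function buildArgumentsSplit(array $get, array $post): array {
    $merged = array_merge_recursive($get, $post);
    $internal = [];
    foreach ($merged as $key => $value) {
        if (is_string($key) && strncmp($key, '__', 2) === 0) {
            $internal[$key] = $value;
            unset($merged[$key]);
        }
    }
    return ['arguments' => $merged, 'internalArguments' => $internal];
}

/** A widget/plugin sub-request inherits the parent's public arguments and renders a GET link from them. */
function subRequestUri(array $parentArguments): string {
    return '/widget?' . http_build_query($parentArguments);
}

$naiveUri = subRequestUri(buildArgumentsNaive($getArguments, $postArguments));
$splitUri = subRequestUri(buildArgumentsSplit($getArguments, $postArguments)['arguments']);

// The naive merge carries the password into a GET link; the split bag does not.
if (strpos($naiveUri, 'hunter2') === false || strpos($splitUri, 'hunter2') !== false) {
    throw new RuntimeException('unexpected argument propagation');
}
echo "naive: $naiveUri\nsplit: $splitUri\n";
```

The token would read its credentials from the internal bag only, so a leaked sub-request URL, referrer header or access log never carries them.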

#5

Updated by Karsten Dambekalns about 10 years ago

  • Status changed from Under Review to Accepted
  • Assignee set to Karsten Dambekalns

I'll adjust the change.

#6

Updated by Mr. Hudson about 10 years ago

  • Status changed from Accepted to Under Review

Patch set 3 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375

#7

Updated by Mr. Hudson about 10 years ago

Patch set 4 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375

#8

Updated by Mr. Hudson about 10 years ago

Patch set 5 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375

#9

Updated by Bastian Waidelich about 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
