Bug #29976

CSRF token is always the same

Added by Bastian Waidelich about 10 years ago. Updated about 10 years ago.

Status: Resolved
Priority: Must have
Assignee: -
Category: Security
Start date: 2011-09-18
Due date:
% Done: 100%
Estimated time:
PHP Version:
Has patch:
Complexity:

Description

This is probably a Windows issue (Windows 7, 64-bit):
The blog example generates links like "posts/new?__csrfToken=00000000000000000000000000000000" for protected actions.

#1

Updated by Christian Müller about 10 years ago

That is a shortcoming of /Packages/Framework/TYPO3.FLOW3/Resources/PHP/iSecurity/Security_Randomizer.php, it also mentions in a comment that it probably won't work on Win 64-bit.

#2

Updated by Christian Müller about 10 years ago

Maybe we should add a fallback to generate "not so strongly randomized data" to have it running on Win 64-bit but log the fact that it is not so secure? WDYT?

#3

Updated by Bastian Waidelich about 10 years ago

Christian Mueller wrote:

Maybe we should add a fallback to generate "not so strongly randomized data" to have
it running on Win 64-bit but log the fact that it is not so secure? WDYT?

+1
The Randomizer already comes with a fallback to mt_rand, but the problem is that (in my case) it doesn't reach that fallback, as it considers "00000000000000000000000000000000" a valid result.

#4

Updated by Christian Müller about 10 years ago

Yep, I see.

I guess it goes wrong around line 219 for you, maybe you check that out. It fills an array with zeros then uses the .NET crypto stuff, but finally it returns the array filled with zeros. For me this code looks plain wrong, I think this $variant thingy is filled with the random bytes and so its content needs to be returned there.
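The two defects discussed in this thread (the zero-filled buffer being returned instead of the filled $variant, and an all-zero result being accepted as valid so the mt_rand fallback is never reached), as an added PHP example that is not the FLOW3 or iSecurity Security_Randomizer code. The function names and the stand-in provider are constructed for illustration; the platform CSPRNG call is modelled by a callable so the check runs on any system.

```php
<?php
// Added example, not the FLOW3/iSecurity code: a randomizer wrapper that refuses
// the degenerate all-zero output described above instead of treating it as a
// valid result, so the fallback is actually reached, and logs when that happens.

function isDegenerate(string $bytes): bool
{
    // Empty output, or a buffer made of a single repeated byte value
    // (e.g. 16 x "\0", which bin2hex renders as 32 zeros), is not random output.
    return $bytes === '' || count(count_chars($bytes, 1)) === 1;
}

function weakFallbackBytes(int $length): string
{
    // mt_rand is the fallback the thread mentions; it is not a CSPRNG.
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= chr(mt_rand(0, 255));
    }
    return $out;
}

/**
 * $primary models the platform CSPRNG call (constructed stand-in, see below).
 * $log receives a message whenever the strong source is bypassed.
 */
function randomBytesWithFallback(int $length, callable $primary, callable $log): string
{
    try {
        $bytes = $primary($length);
    } catch (Throwable $e) {
        $bytes = '';
    }
    // Validate the result instead of trusting it: wrong length or a
    // single repeated byte means the strong source did not fill the buffer.
    if (!is_string($bytes) || strlen($bytes) !== $length || isDegenerate($bytes)) {
        $log("strong random source unusable, falling back to mt_rand for {$length} bytes");
        $bytes = weakFallbackBytes($length);
    }
    return $bytes;
}

// Constructed stand-in for the broken Windows path: returns the zero-filled buffer
// the caller prepared, just as comment #4 describes.
$brokenProvider = fn (int $n): string => str_repeat("\0", $n);
$token = bin2hex(randomBytesWithFallback(16, $brokenProvider, fn ($m) => error_log($m)));
echo $token, PHP_EOL;
```

Run with `php example.php`: the fallback message is logged and the printed token is no longer the 32-zero string.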

#5

Updated by Mr. Hudson about 10 years ago

  • Status changed from New to Under Review

Patch set 1 of change I93c432e45071a3c5628e98b3fbefa7407c715c15 has been pushed to the review server.
It is available at http://review.typo3.org/5727

#6

Updated by Bastian Waidelich about 10 years ago

FYI: We have added two bug reports to the "Improved Security" project at SourceForge.

#7

Updated by Mr. Hudson about 10 years ago

Patch set 2 of change I93c432e45071a3c5628e98b3fbefa7407c715c15 has been pushed to the review server.
It is available at http://review.typo3.org/5727

#8

Updated by Christian Müller about 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
