Bug #36161
open
Include current Domain Model UID in calculated HMAC
Added by Nico de Haen about 12 years ago.
Updated over 8 years ago.
Description
We discussed this already at T3DD12.
The calculated HMAC does not take the current domain model UID in account as one would assume, if there is a HMAC form verification.
- Assignee set to Helmut Hummel
- Target version set to Extbase 6.1
@Helmut: I assigned this to you as I heard you will work on the security for 6.1. Feel free to change this if I am wrong.
- Target version changed from Extbase 6.1 to Extbase 6.2
- Status changed from New to Needs Feedback
Is this still necessary at all?
Well it depends, I consider it an unexpected behavior, if a form is validated by the framework, based on a calculated hash, but the uid can simply be exchanged to any other UID.
In FLOW this is not a problem, since it uses UUIDs, but in extbase it misleads developers to write unsecure code...
- Target version changed from Extbase 6.2 to Extbase 6.3
- Project changed from 534 to TYPO3 Core
- Category changed from Extbase: Security to Extbase
- Status changed from Needs Feedback to New
- Target version changed from Extbase 6.3 to 7.0
- TYPO3 Version set to 6.2
- Is Regression set to No
Some thoughts on this one:
This will be hard to implement as the mapping happens in PersistenObjectTypeConverter.
If we add a hmac check there, the type converter will not be generic any more and cannot be used without the hmac being present.
If we make the hmac check optional, then the developer still needs to take action (configuring the type converter to do an hmac check)
Currently I have no idea how to make this secure by default.
- Target version changed from 7.0 to 7.1 (Cleanup)
- Target version changed from 7.1 (Cleanup) to 7.4 (Backend)
- Target version changed from 7.4 (Backend) to 7.5
- Target version deleted (
7.5)
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by