Bug #36161: Include current Domain Model UID in calculated HMAC - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Actions

Copy link

Bug #36161

closed

Include current Domain Model UID in calculated HMAC

Added by Nico de Haen over 12 years ago. Updated 5 months ago.

Status:

Rejected

Priority:

Should have

Assignee:

Helmut Hummel

Category:

Extbase

Target version:

Start date:

2012-04-16

Due date:

% Done:

Estimated time:

TYPO3 Version:

6.2

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

We discussed this already at T3DD12.
The calculated HMAC does not take the current domain model UID in account as one would assume, if there is a HMAC form verification.

History
Notes
Property changes

Actions

Copy link

Updated by Alexander Schnitzler almost 12 years ago

Assignee set to Helmut Hummel
Target version set to Extbase 6.1

@Helmut: I assigned this to you as I heard you will work on the security for 6.1. Feel free to change this if I am wrong.

Actions

Copy link

Updated by Alexander Schnitzler over 11 years ago

Target version changed from Extbase 6.1 to Extbase 6.2

Actions

Copy link

Updated by Alexander Schnitzler over 11 years ago

Status changed from New to Needs Feedback

Is this still necessary at all?

Actions

Copy link

Updated by Nico de Haen over 11 years ago

Well it depends, I consider it an unexpected behavior, if a form is validated by the framework, based on a calculated hash, but the uid can simply be exchanged to any other UID.
In FLOW this is not a problem, since it uses UUIDs, but in extbase it misleads developers to write unsecure code...

Actions

Copy link

Updated by Anja Leichsenring over 11 years ago

Target version changed from Extbase 6.2 to Extbase 6.3

Actions

Copy link

Updated by Alexander Opitz about 10 years ago

Project changed from 534 to TYPO3 Core
Category changed from Extbase: Security to Extbase
Status changed from Needs Feedback to New
Target version changed from Extbase 6.3 to 7.0
TYPO3 Version set to 6.2
Is Regression set to No

Actions

Copy link

Updated by Helmut Hummel about 10 years ago

Some thoughts on this one:

This will be hard to implement as the mapping happens in PersistenObjectTypeConverter.

If we add a hmac check there, the type converter will not be generic any more and cannot be used without the hmac being present.
If we make the hmac check optional, then the developer still needs to take action (configuring the type converter to do an hmac check)

Currently I have no idea how to make this secure by default.

Actions

Copy link