WP: Security enhancements

Added by Ingo Schmitt almost 6 years ago. Updated over 2 years ago.

Priority: Should have
Estimated time: (Total: 51.50 h)

TYPO3 has a pretty good track record of being a secure web application. That is the case not only because security-related issues are handled in a profound and transparent way, but also because the TYPO3 team constantly strives to implement protection against newly discovered attack vectors that might be relevant for some (enterprise-level) users.
For TYPO3 CMS 6.2 the team strives to improve existing and add new security mechanisms in the TYPO3 Backend. In particular, the goal is to enhance the already present Cross-Site Request Forgery (CSRF) protection and to add protection against common clickjacking attacks.


Subtasks (status and assignee in parentheses):

  • Bug #54201: Implement Clickjacking Protection (Closed)
  • Bug #46434: XSS in content element wizard (Closed)
  • Story #55509: Add CSRF Protection to mod.php (Closed, assignee Helmut Hummel)
  • Task #56359: Fix module access regressions (Closed)
  • Task #56453: Improve usability with multiple tabs open (Closed)
  • Task #55515: Add CSRF Protection for tce_file.php (Closed, assignee Alexander Schnitzler)
  • Story #55516: Reduce the number of backend script entry points (Closed, assignee Anja Leichsenring)
  • Task #55668: cms/layout entry scripts cleanup (Closed, assignee Nicole Cordes)
  • Task #55669: form sysext entry script cleanup (Closed, assignee Anja Leichsenring)
  • Task #55670: func entry script cleanup (Closed, assignee Anja Leichsenring)
  • Task #55671: impexp entry script cleanup (Closed, assignee Anja Leichsenring)
  • Task #55672: info entry script cleanup (Closed, assignee Anja Leichsenring)
  • Task #55796: Adjust indexed search submodules of web_info to mod dispatcher (Closed, assignee Anja Leichsenring)
  • Task #55797: Use mod dispatch on indexed search submodules for web_info (Closed, assignee Anja Leichsenring)
  • Task #55673: openid entry script cleanup (Rejected, assignee Anja Leichsenring)
  • Task #55674: rtehtmlarea entry scripts cleanup (Closed, assignee Nicole Cordes)
  • Task #55675: version entry script cleanup (Closed, assignee Nicole Cordes)
  • Task #55676: t3editor wizard inclusion cleanup (Closed, assignee Anja Leichsenring)
  • Task #55809: Compat layer for submodules using index.php (Closed, assignee Anja Leichsenring)
  • Task #56631: Remove Compat layer for info and function submodules (Closed)
  • Task #56246: BackendUtility::getModuleUrl should respect old modules (not mod.php style) (Rejected)
  • Task #56247: Remove all conf.php files and use the BackendUtility::addModule API to add the configuration (Rejected)
  • Task #56268: Add new way to register a TCA wizard (Closed)
  • Task #56364: Redirect after switch-to-user broken (Closed, assignee Helmut Hummel)
  • Task #56272: Use the new way of registering wizards for edit wizard (Closed)
  • Task #56632: Make show_rechis.php mod.php dispatched (Closed, assignee Nicole Cordes)
  • Task #56721: ElementBrowser::getThisScript is not public (Closed)
  • Story #56052: Implement CSRF Protection for ajax.php (Closed)
  • Task #56345: Add API to CSRF protect Ajax calls in Backend (Closed)
  • Task #56356: Protect core Ajax calls against CSRF (Closed)
  • Task #56404: Make sure M parameter is first in URL (Closed)
  • Task #57096: Cleanup Ajax URL JS settings (Closed)
  • Task #57196: Protect Ajax calls of core extensions (Closed)
  • Bug #56403: Fix GET parameter order in unit tests (Closed)
  • Story #56431: Use new wizard registration and remove wizard entry points (Closed, assignee Alexander Schnitzler)
  • Task #56432: Adjust typo3/wizard_add.php (Closed, assignee Alexander Schnitzler)
  • Task #56433: Adjust typo3/wizard_edit.php (Closed, assignee Alexander Schnitzler)
  • Task #56434: Adjust typo3/wizard_list.php (Closed, assignee Alexander Schnitzler)
  • Task #56435: Adjust typo3/wizard_table.php (Closed, assignee Alexander Schnitzler)
  • Task #56436: Adjust typo3/wizard_colorpicker.php (Closed, assignee Alexander Schnitzler)
  • Task #56437: Adjust typo3/wizard_rte.php (Closed, assignee Alexander Schnitzler)
  • Task #56438: Adjust typo3/wizard_forms.php (Closed, assignee Alexander Schnitzler)
  • Task #56454: Remove old wizard scripts (Closed)
  • Task #56470: Make typo3/browse_links.php and rtehtmlarea/mod3/browse_links mod.php dispatched (Closed)
  • Task #56471: Make wizard_backend_layout.php mod.php dispatched (Closed)
  • Task #56622: Regression: The requested URL /typo3/' T3_THIS_LOCATION ' was not found on this server. (Closed)
  • Task #56611: new reference error with non-admin user (Closed)
  • Task #56625: Remove old backend_layout wizard (Closed)
  • Bug #56633: Add Formprotection Class for FE usage (API for ext developers) (Closed, assignee Helmut Hummel)
  • Bug #56743: Make file_edit.php dispatched (Closed)
  • Bug #61477: Create upgrade wizard for "old" shortcut links of file_edit.php (Closed, assignee Wouter Wolters)
  • Task #61215: Make file_newfolder.php dispatched (Closed, assignee Wouter Wolters)
  • Task #61216: Make file_rename.php dispatched (Closed, assignee Wouter Wolters)
  • Task #61217: Make file_upload.php dispatched (Closed, assignee Wouter Wolters)
  • Task #64691: Make move_el.php dispatched (Closed)
  • Task #64692: Make tce_file.php dispatched (Closed)
  • Bug #64695: Make tce_db.php dispatched (Closed)
  • Task #64774: Make login_frameset.php dispatched (Closed)


#1 Updated by Ingo Schmitt almost 6 years ago

  • Tracker changed from Bug to Epic
  • Subject changed from Security enhancements to WP: Security enhancements
  • Estimated time set to 160.00 h
  • Parent task set to #55070

#2 Updated by Mathias Schreiber about 4 years ago

  • Target version deleted (6.2.0)

#3 Updated by Riccardo De Contardi over 2 years ago

  • Status changed from New to Closed
  • Assignee deleted (Helmut Hummel)

I close this one as all subtasks are solved.

If you think that there is still something to do, please reopen it. Thank you.
