Story #55509

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Add CSRF Protection to mod.php

Added by Helmut Hummel over 5 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
Start date:
2014-02-26
Due date:
% Done:

100%

TYPO3 Version:
6.2
PHP Version:
Tags:
Sprint Focus:

Description

The mod.php dispatcher should check for a correct CSRF token.

  • It should be possible to disable CSRF protection in conf.php or via the Extbase addModule API so as not to break third party modules (needs to be checked whether this is needed); take #55516 into account (especially backwards compatibility for wizards)
  • BackendUtility::getModuleUrl() must add a token (based on module name)
  • Module menu must use BackendUtility::getModuleUrl()
  • All occurrences of hardcoded mod.php URLs must be changed to use BackendUtility::getModuleUrl() (at least one place in JS)
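As an added example (not TYPO3 core code, and not the patch referenced in this issue), the following PHP sketch models the design the description calls for: the URL builder is the single place that mints a token bound to the module name, and the dispatcher refuses any request whose token does not match. The class name ModuleTokenService, the query parameter names `M` and `moduleToken`, the per-module opt-out list, the session secret and the module names used in the demo are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Models the mod.php CSRF design from the issue
// description: token generation lives in one URL builder, verification in the
// dispatcher. Class and parameter names are assumptions for illustration.
final class ModuleTokenService
{
    private string $sessionSecret;

    public function __construct(string $sessionSecret)
    {
        // A module token is keyed with a per-session secret; without an
        // established backend user session there is nothing to derive it from.
        if ($sessionSecret === '') {
            throw new InvalidArgumentException('Session secret required before tokens can be issued');
        }
        $this->sessionSecret = $sessionSecret;
    }

    // Token bound to the module name: a token issued for one module is useless
    // for calling another, and an attacker without the session secret cannot forge one.
    public function generateToken(string $moduleName): string
    {
        return hash_hmac('sha256', 'moduleCall|' . $moduleName, $this->sessionSecret);
    }

    public function validateToken(string $moduleName, string $token): bool
    {
        // Constant-time comparison avoids leaking the expected value via timing.
        return hash_equals($this->generateToken($moduleName), $token);
    }

    // Counterpart of BackendUtility::getModuleUrl() in this model: every mod.php
    // link goes through here, so every link carries a valid token.
    public function getModuleUrl(string $moduleName, array $params = []): string
    {
        $query = array_merge(['M' => $moduleName], $params, [
            'moduleToken' => $this->generateToken($moduleName),
        ]);
        return 'mod.php?' . http_build_query($query);
    }
}

// What the dispatcher does before it loads a module. $tokenCheckDisabledFor
// stands in for the configurable opt-out the description allows for
// third-party modules that have not yet been adapted.
function dispatchModule(ModuleTokenService $tokens, array $request, array $tokenCheckDisabledFor = []): string
{
    $moduleName = (string)($request['M'] ?? '');
    if ($moduleName === '') {
        throw new RuntimeException('No module given');
    }
    if (!in_array($moduleName, $tokenCheckDisabledFor, true)) {
        $token = (string)($request['moduleToken'] ?? '');
        if (!$tokens->validateToken($moduleName, $token)) {
            throw new RuntimeException('Invalid form/module token detected. Access Denied!');
        }
    }
    return 'Dispatched to module ' . $moduleName;
}

// Demo with a constructed session secret and hypothetical module names.
$tokens = new ModuleTokenService(bin2hex(random_bytes(32)));
$url = $tokens->getModuleUrl('web_list', ['id' => 42]);
parse_str((string)parse_url($url, PHP_URL_QUERY), $request);
echo dispatchModule($tokens, $request), "\n";

// Reusing the web_list token for a different module is rejected.
$replayed = $request;
$replayed['M'] = 'tools_em';
try {
    dispatchModule($tokens, $replayed);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// A legacy module listed in the opt-out still dispatches without a token.
echo dispatchModule($tokens, ['M' => 'legacy_mod'], ['legacy_mod']), "\n";
```

Two design points worth noting: binding the token to the module name means that changing `M` in a captured link invalidates it, so the check protects every module individually rather than the dispatcher as a whole; and because the token is derived from the session secret, it can only be generated once the backend user session is loaded, which is the ordering constraint any code that builds module URLs very early (such as module registration) has to respect.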

Subtasks

Task #56359: Fix module access regressions Closed

Task #56453: Improve usability with multiple tabs open Closed


Related issues

Related to Vidi (List Component) - Bug #56392: vidi ModuleMenuView breaks typo3 git master Resolved 2014-02-27
Related to Vidi (List Component) - Bug #56871: File picker popup: Invalid form/module token detected. Access Denied! Resolved 2014-03-13
Related to Vidi (List Component) - Bug #56872: User Tools > FE Group: Validating the security token failed Resolved 2014-03-13
Related to TYPO3 Core - Bug #58138: CSRF with registerModule and navFrameScript Closed 2014-04-23
Related to TYPO3 Core - Bug #62569: Function menu broken for old modules Closed 2014-10-30

Associated revisions

Revision 6e9e5455 (diff)
Added by Helmut Hummel over 5 years ago

[!!!][SECURITY] Add CSRF protection to mod.php

Add a token check in mod.php and token generation
to BackendUtility::getModuleUrl()

Adapt code to use BackendUtility::getModuleUrl()
in every place where links are hardcoded.

Releases: 6.2
Resolves: #55509
Change-Id: I952c40fc1004a0a8d77c929927d37e1d93dcfef4
Reviewed-on: https://review.typo3.org/27636
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Revision 5bb52af5 (diff)
Added by Wouter Wolters over 5 years ago

[BUGFIX] Cleanup EXT:cshmanual

  • Removed require_once which is deprecated.
  • Introduced a use-statement for GeneralUtility
  • Removed TYPO3_MOD_PATH
  • Links generated by make_seeAlso() were double htmlspecialchars
    encoded after security patch https://review.typo3.org/27636

Resolves: #56826
Related: #55509
Releases: 6.2
Change-Id: I8effc7c6bf9828dde4f1c69754b207864b3122ba
Reviewed-on: https://review.typo3.org/28303
Reviewed-by: Stefan Neufeind
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

History

#1 Updated by Ingo Schmitt over 5 years ago

  • Assignee set to Helmut Hummel

#2 Updated by Gerrit Code Review over 5 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#3 Updated by Gerrit Code Review over 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#4 Updated by Helmut Hummel over 5 years ago

  • % Done changed from 0 to 30

#5 Updated by Gerrit Code Review over 5 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#6 Updated by Gerrit Code Review over 5 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#7 Updated by Gerrit Code Review over 5 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#8 Updated by Helmut Hummel over 5 years ago

  • % Done changed from 30 to 90

#9 Updated by Gerrit Code Review over 5 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#10 Updated by Gerrit Code Review over 5 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#11 Updated by Helmut Hummel over 5 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 90 to 100

#12 Updated by Falk Aaron over 5 years ago

How to use \TYPO3\CMS\Extbase\Utility\ExtensionUtility::registerModule with navFrameScript parameter?

It does not work, as the modules are loaded before the BE_USER, so BackendUtility::getModuleUrl only retrieves a "dummyToken".

May you help me out?

#13 Updated by Riccardo De Contardi almost 2 years ago

  • Status changed from Resolved to Closed
