Story #55509

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Add CSRF Protection to mod.php

Added by Helmut Hummel about 7 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
Start date:
2014-02-26
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
TYPO3 Version:
6.2
PHP Version:
Tags:
Sprint Focus:

Description

The mod.php dispatcher should check for a correct CSRF token.

  • It should be possible to disable CSRF protection in conf.php or Extbase addModule API t not break third party modules (needs to be ckecked if needed) take #55516 into account ( especially backwards compat for wizards)
  • BackendUtility::getModuleUrl() must add a token (based on module name)
  • Module menu must use BackendUtility::getModuleUrl()
  • All occurrences of hardcoded mod.php URLs must be changed to use BackendUtility::getModuleUrl() (at least one place in JS)

Subtasks

Task #56359: Fix module access regressionsClosed2014-02-26

Actions
Task #56453: Improve usability with multiple tabs openClosed2014-02-28

Actions

Related issues

Related to TYPO3 Core - Bug #58138: CSRF with registerModule and navFrameScriptClosedHelmut Hummel2014-04-23

Actions
Related to TYPO3 Core - Bug #62569: Function menu broken for old modulesClosed2014-10-30

Actions
#1

Updated by Ingo Schmitt about 7 years ago

  • Assignee set to Helmut Hummel
#2

Updated by Gerrit Code Review about 7 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#3

Updated by Gerrit Code Review about 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#4

Updated by Helmut Hummel about 7 years ago

  • % Done changed from 0 to 30
#5

Updated by Gerrit Code Review about 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#6

Updated by Gerrit Code Review about 7 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#7

Updated by Gerrit Code Review about 7 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#8

Updated by Helmut Hummel about 7 years ago

  • % Done changed from 30 to 90
#9

Updated by Gerrit Code Review about 7 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#10

Updated by Gerrit Code Review about 7 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#11

Updated by Helmut Hummel about 7 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 90 to 100
#12

Updated by Falk Aaron almost 7 years ago

How to use \TYPO3\CMS\Extbase\Utility\ExtensionUtility::registerModule with navFrameScript parameter?

It does not work, as the modules are loaded before the BE_USER, so BackendUtility::getModuleUrl does only retrieve a "dummyToken".

May you help me out?

#13

Updated by Riccardo De Contardi over 3 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF