Story #55509

closed

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Add CSRF Protection to mod.php

Added by Helmut Hummel about 10 years ago. Updated over 6 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: -
Target version:
Start date: 2014-02-26
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
TYPO3 Version: 6.2
PHP Version:
Tags:
Sprint Focus:

Description

The mod.php dispatcher should check for a correct CSRF token.

  • It should be possible to disable CSRF protection in conf.php or Extbase addModule API to not break third party modules (needs to be checked if needed); take #55516 into account (especially backwards compat for wizards)
  • BackendUtility::getModuleUrl() must add a token (based on module name)
  • Module menu must use BackendUtility::getModuleUrl()
  • All occurrences of hardcoded mod.php URLs must be changed to use BackendUtility::getModuleUrl() (at least one place in JS)
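
A minimal sketch of the scheme the description outlines, added here as an illustration and not taken from the TYPO3 patch: a token derived from the module name and a per-session secret, appended by the URL builder and checked by the dispatcher. The function names, the `M` and `moduleToken` parameter names, the exemption list and the sample module names are assumptions; the `dummyToken` placeholder case mirrors the situation reported in comment #12.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not TYPO3 core code. $sessionSecret stands for a
// per-login random value held server-side in the backend user session.
const PLACEHOLDER_TOKEN = 'dummyToken'; // emitted when no session exists yet

function moduleToken(?string $sessionSecret, string $moduleName): string
{
    if ($sessionSecret === null) {
        return PLACEHOLDER_TOKEN; // URL was built before the user was loaded
    }
    // Bind the token to the module name so it cannot be reused for another module.
    return hash_hmac('sha256', 'moduleCall|' . $moduleName, $sessionSecret);
}

function moduleUrl(?string $sessionSecret, string $moduleName, array $params = []): string
{
    // Array union: caller-supplied $params can never override M or the token.
    $query = ['M' => $moduleName, 'moduleToken' => moduleToken($sessionSecret, $moduleName)] + $params;
    return 'mod.php?' . http_build_query($query);
}

function dispatchAllowed(?string $sessionSecret, array $get, array $csrfExemptModules = []): bool
{
    $moduleName = $get['M'] ?? '';
    if (!is_string($moduleName) || $moduleName === '') {
        return false;
    }
    if (in_array($moduleName, $csrfExemptModules, true)) {
        return true; // explicit per-module opt-out for legacy third-party modules
    }
    $supplied = $get['moduleToken'] ?? '';
    if ($sessionSecret === null || !is_string($supplied)) {
        return false;
    }
    // Constant-time comparison against the token expected for this module.
    return hash_equals(moduleToken($sessionSecret, $moduleName), $supplied);
}

// Constructed sample requests.
$secret = bin2hex(random_bytes(32));
parse_str((string)parse_url(moduleUrl($secret, 'web_list', ['id' => 42]), PHP_URL_QUERY), $good);
parse_str((string)parse_url(moduleUrl(null, 'web_list'), PHP_URL_QUERY), $early);
$replayed = ['M' => 'tools_install'] + $good; // web_list token sent to another module

var_dump(dispatchAllowed($secret, $good));               // link built inside the session
var_dump(dispatchAllowed($secret, $early));              // placeholder token from an early-built link
var_dump(dispatchAllowed($secret, $replayed));           // token replayed across modules
var_dump(dispatchAllowed($secret, ['M' => 'web_list'])); // hardcoded URL without a token
var_dump(dispatchAllowed($secret, $early, ['web_list'])); // same early link, module exempted
```

Only the first and last requests pass the check, which is why every hardcoded mod.php URL and every URL built before the backend user is available has to be regenerated through the URL builder or explicitly exempted.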

Subtasks 2 (0 open, 2 closed)

Task #56359: Fix module access regressions (Closed, 2014-02-26)
Task #56453: Improve usability with multiple tabs open (Closed, 2014-02-28)

Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #58138: CSRF with registerModule and navFrameScript (Closed, Helmut Hummel, 2014-04-23)
Related to TYPO3 Core - Bug #62569: Function menu broken for old modules (Closed, 2014-10-30)

#1

Updated by Ingo Schmitt about 10 years ago

  • Assignee set to Helmut Hummel

#2

Updated by Gerrit Code Review about 10 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#3

Updated by Gerrit Code Review about 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#4

Updated by Helmut Hummel about 10 years ago

  • % Done changed from 0 to 30

#5

Updated by Gerrit Code Review about 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#6

Updated by Gerrit Code Review about 10 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#7

Updated by Gerrit Code Review about 10 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#8

Updated by Helmut Hummel about 10 years ago

  • % Done changed from 30 to 90

#9

Updated by Gerrit Code Review about 10 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#10

Updated by Gerrit Code Review about 10 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#11

Updated by Helmut Hummel about 10 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 90 to 100

#12

Updated by Falk Aaron almost 10 years ago

How to use \TYPO3\CMS\Extbase\Utility\ExtensionUtility::registerModule with navFrameScript parameter?

It does not work, as the modules are loaded before the BE_USER, so BackendUtility::getModuleUrl does only retrieve a "dummyToken".

May you help me out?

#13

Updated by Riccardo De Contardi over 6 years ago

  • Status changed from Resolved to Closed