Task #57096
closedEpic #55070: Workpackages
Epic #55066: WP: Security enhancements
Story #56052: Implement CSRF Protection for ajax.php
Cleanup Ajax URL JS settings
100%
Updated by Gerrit Code Review over 10 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602
Updated by Gerrit Code Review over 10 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602
Updated by Gerrit Code Review over 10 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602
Updated by Gerrit Code Review over 10 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602
Updated by Gerrit Code Review over 10 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28658
Updated by Stefan Neufeind over 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset d59dac0d01e4ce1ebece13bdf200bd3b8e5713d4.
Updated by Francois Suter about 9 years ago
I am updating my extension "flush_language_cache" to work with TYPO3 7.4. It adds an item in the clear cache menu to flush only the "l10n" cache. I previously used a manually crafted URL, but that failed due to missing CSRF token.
So I switched to use BackendUtility::getAjaxUrl
, which works fine, but the method is marked as internal and its comment explicitly mentions that it should not be used by extensions. It recommends using TYPO3.settings.ajaxUrls['ajaxId']
but that works only on the JS side. My code is on the PHP side. Is there another way of getting that AJAX URL? Or should this method not have been marked as internal?
For reference, here's the code of my class: https://gist.github.com/fsuter/410353bb5c02ae80a439
I raised the topic on Slack too.
Updated by Helmut Hummel about 9 years ago
Francois Suter wrote:
I am updating my extension "flush_language_cache" to work with TYPO3 7.4. It adds an item in the clear cache menu to flush only the "l10n" cache. I previously used a manually crafted URL, but that failed due to missing CSRF token.
So I switched to use
BackendUtility::getAjaxUrl
, which works fine, but the method is marked as internal and its comment explicitly mentions that it should not be used by extensions. It recommends usingTYPO3.settings.ajaxUrls['ajaxId']
but that works only on the JS side. My code is on the PHP side. Is there another way of getting that AJAX URL? Or should this method not have been marked as internal?For reference, here's the code of my class: https://gist.github.com/fsuter/410353bb5c02ae80a439
That code is perfectly fine. We could even think of making that API call public. I only made it internal because I could not imagine a use case where I would need to generate/ get an Ajax URL when not in JavaScript context.
This hook makes a good example that it makes sense in some (rare) cases.
Updated by Francois Suter about 9 years ago
Thanks for your answer. I'll make myself a note and push a patch for this when I have a few minutes.