Task #57096

closed

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Story #56052: Implement CSRF Protection for ajax.php

Cleanup Ajax URL JS settings

Added by Helmut Hummel over 10 years ago. Updated about 6 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2014-03-20
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Sprint Focus:

Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #69537: BackendUtility::getAjaxUrl() should not be internal (Closed, Francois Suter, 2015-09-04)

Actions #1

Updated by Gerrit Code Review over 10 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602

Actions #2

Updated by Gerrit Code Review over 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602

Actions #3

Updated by Gerrit Code Review over 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602

Actions #4

Updated by Gerrit Code Review over 10 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28602

Actions #5

Updated by Gerrit Code Review over 10 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28658

Actions #6

Updated by Stefan Neufeind over 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #7

Updated by Francois Suter about 9 years ago

I am updating my extension "flush_language_cache" to work with TYPO3 7.4. It adds an item in the clear cache menu to flush only the "l10n" cache. I previously used a manually crafted URL, but that failed due to a missing CSRF token.

So I switched to use BackendUtility::getAjaxUrl, which works fine, but the method is marked as internal and its comment explicitly mentions that it should not be used by extensions. It recommends using TYPO3.settings.ajaxUrls['ajaxId'] but that works only on the JS side. My code is on the PHP side. Is there another way of getting that AJAX URL? Or should this method not have been marked as internal?

For reference, here's the code of my class: https://gist.github.com/fsuter/410353bb5c02ae80a439

I raised the topic on Slack too.

Actions #8

Updated by Helmut Hummel about 9 years ago

Francois Suter wrote:

I am updating my extension "flush_language_cache" to work with TYPO3 7.4. It adds an item in the clear cache menu to flush only the "l10n" cache. I previously used a manually crafted URL, but that failed due to a missing CSRF token.

So I switched to use BackendUtility::getAjaxUrl, which works fine, but the method is marked as internal and its comment explicitly mentions that it should not be used by extensions. It recommends using TYPO3.settings.ajaxUrls['ajaxId'] but that works only on the JS side. My code is on the PHP side. Is there another way of getting that AJAX URL? Or should this method not have been marked as internal?

For reference, here's the code of my class: https://gist.github.com/fsuter/410353bb5c02ae80a439

That code is perfectly fine. We could even think of making that API call public. I only made it internal because I could not imagine a use case where I would need to generate/get an Ajax URL when not in JavaScript context.

This hook makes a good example that it makes sense in some (rare) cases.
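The exchange in #7 and #8 turns on one point: a hand-crafted ajax.php URL is rejected because it carries no CSRF token, while a URL produced on the PHP side by BackendUtility::getAjaxUrl() carries one bound to the ajax identifier. The stand-alone script below is an added illustration of that mechanism and is not TYPO3 core code or the code from the gist. It assumes a token that is an HMAC over the scope "ajaxCall" and the ajax identifier, keyed with a per-session secret; the parameter names ajaxID and ajaxToken and the identifier "TYPO3_tcemain::clearCache" are constructed for the demo, and the class and method names are hypothetical.

```php
<?php
// Added illustration (not TYPO3 core code): a minimal model of why a
// hand-crafted ajax.php URL is rejected while a token-bearing one is accepted.
// Assumption: the token is HMAC-SHA256 over scope + ajax identifier, keyed with
// a per-session secret. Class and method names are hypothetical.

declare(strict_types=1);

final class AjaxTokenProtection
{
    private string $sessionSecret;

    public function __construct(string $sessionSecret)
    {
        $this->sessionSecret = $sessionSecret;
    }

    // The token is bound to the action scope and the ajax identifier, so a
    // token minted for one handler cannot be replayed against another.
    public function generateToken(string $scope, string $ajaxId): string
    {
        return hash_hmac('sha256', $scope . "\0" . $ajaxId, $this->sessionSecret);
    }

    public function validateToken(?string $token, string $scope, string $ajaxId): bool
    {
        if ($token === null || $token === '') {
            return false;
        }
        // Constant-time comparison avoids leaking the expected value byte by byte.
        return hash_equals($this->generateToken($scope, $ajaxId), $token);
    }

    // PHP-side equivalent of building the URL, which is what the extension in
    // this thread needs (JavaScript code reads it from TYPO3.settings.ajaxUrls).
    public function buildAjaxUrl(string $ajaxId, array $params = []): string
    {
        $params['ajaxID'] = $ajaxId;
        $params['ajaxToken'] = $this->generateToken('ajaxCall', $ajaxId);
        return 'ajax.php?' . http_build_query($params);
    }

    // Server-side gate that ajax.php applies before dispatching the handler.
    public function isRequestAllowed(string $url): bool
    {
        $query = (string) parse_url($url, PHP_URL_QUERY);
        parse_str($query, $get);
        $ajaxId = isset($get['ajaxID']) ? (string) $get['ajaxID'] : '';
        $token = isset($get['ajaxToken']) ? (string) $get['ajaxToken'] : null;
        return $ajaxId !== '' && $this->validateToken($token, 'ajaxCall', $ajaxId);
    }
}

// Constructed demo values: a fresh per-session secret and a sample identifier.
$protection = new AjaxTokenProtection(bin2hex(random_bytes(32)));
$ajaxId = 'TYPO3_tcemain::clearCache';

// Hand-crafted URL: correct identifier and parameters, but no ajaxToken.
$manual = 'ajax.php?ajaxID=' . rawurlencode($ajaxId) . '&cacheCmd=l10n';
// URL built through the token-aware helper.
$generated = $protection->buildAjaxUrl($ajaxId, ['cacheCmd' => 'l10n']);
// Same token, but the identifier swapped to a different handler.
$other = str_replace(rawurlencode($ajaxId), rawurlencode('other::handler'), $generated);

foreach (['hand-crafted' => $manual, 'generated' => $generated, 'retargeted' => $other] as $label => $url) {
    printf("%-12s %s\n", $label . ':', $protection->isRequestAllowed($url) ? 'accepted' : 'rejected');
}
```

Run with `php ajax_token_demo.php`. The hand-crafted URL and the retargeted URL are rejected; only the URL whose token was minted for the requested identifier passes, which is the behaviour the reporter hit when switching from a manual URL to getAjaxUrl().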

Actions #9

Updated by Francois Suter about 9 years ago

Thanks for your answer. I'll make myself a note and push a patch for this when I have a few minutes.

Actions #10

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed