Feature #84566
openAdd FormProtection API to form framework
0%
Description
Is there a possibility to combine the FormProtection API within the Form framework?
The reason for this request is that a security scan of a self-developed web page has a CSRF problem found.
Among other things, I use the database finisher, so this issue is security-relevant.
I couldn't find any option in the documentation of Form framework!
If there is already a solution to the problem, then I would be very pleased for the addition in the documentation.
Updated by Ralf Zimmermann over 6 years ago
- Status changed from New to Needs Feedback
- Assignee set to Erik Krühne
Can you send me details about "The reason for this request is that a security scan of a self-developed web page has a CSRF problem found." on slack (https://typo3.slack.com) to @ralf.zimmermann please?
Updated by Benni Mack over 6 years ago
- Target version changed from 8.7.13 to 8.7.19
Updated by Susanne Moog about 6 years ago
- Target version changed from 8.7.19 to Candidate for patchlevel
Updated by Helmut Hummel almost 6 years ago
CSRF is only relevant, if an action (e.g. a form submit) can be done on behalf of somebody without somebody being aware of that.
Given Janne is logged in on a website and Joe is able to social engineer Jane to visit Joe's website
When a request is sent to the website Jane is logged into
It is expected that this request must not trigger an action on Jane's behalf (like transferring money, or submitting a form with data from her login)
This means that a form with a database finisher isn't necessarily an issue.
If this form can be submitted anonymously, then no CSRF protection is needed.
If this form can only be submitted with a valid login AND the form submits data bound to the current login,
then CSRF protection should be in place.
So the form framework currently shouldn't be used for forms where the latter context applies.
Therefore it would be useful to add a feature that adds a CSRF protection token to a hidden field and a check is applied whether the token is correct on form submit.
Updated by Björn Jacob over 5 years ago
- Tracker changed from Bug to Feature
- Subject changed from Combine FormProtection API with form to Add FormProtection API to form framework
- Status changed from Needs Feedback to New
- Assignee deleted (
Erik Krühne) - Target version deleted (
Candidate for patchlevel)