Feature #84566

Add FormProtection API to form framework

Added by Erik Krühne over 1 year ago. Updated 6 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Form Framework
Target version:
-
Start date:
2018-03-30
Due date:
% Done:

0%

PHP Version:
7.0
Tags:
Complexity:
Sprint Focus:

Description

Is there a possibility to combine the FormProtection API within the Form framework?

The reason for this request is that a security scan of a self-developed web page has a CSRF problem found.
Among other things, I use the database finisher, so this issue is security-relevant.

I couldn't find any option in the documentation of Form framework!
If there is already a solution to the problem, then I would be very pleased for the addition in the documentation.

History

#1 Updated by Erik Krühne over 1 year ago

  • Private changed from Yes to No

#2 Updated by Ralf Zimmermann over 1 year ago

  • Status changed from New to Needs Feedback
  • Assignee set to Erik Krühne

Can you send me details about "The reason for this request is that a security scan of a self-developed web page has a CSRF problem found." on slack (https://typo3.slack.com) to @ralf.zimmermann please?

#3 Updated by Benni Mack over 1 year ago

  • Target version changed from 8.7.13 to 8.7.19

#4 Updated by Susanne Moog about 1 year ago

  • Target version changed from 8.7.19 to Candidate for patchlevel

#5 Updated by Helmut Hummel 10 months ago

CSRF is only relevant, if an action (e.g. a form submit) can be done on behalf of somebody without somebody being aware of that.

Given Janne is logged in on a website and Joe is able to social engineer Jane to visit Joe's website
When a request is sent to the website Jane is logged into
It is expected that this request must not trigger an action on Jane's behalf (like transferring money, or submitting a form with data from her login)

This means that a form with a database finisher isn't necessarily an issue.
If this form can be submitted anonymously, then no CSRF protection is needed.
If this form can only be submitted with a valid login AND the form submits data bound to the current login,
then CSRF protection should be in place.

So the form framework currently shouldn't be used for forms where the latter context applies.

Therefore it would be useful to add a feature that adds a CSRF protection token to a hidden field and a check is applied whether the token is correct on form submit.

#6 Updated by Bjoern Jacob 6 months ago

  • Tracker changed from Bug to Feature
  • Subject changed from Combine FormProtection API with form to Add FormProtection API to form framework
  • Status changed from Needs Feedback to New
  • Assignee deleted (Erik Krühne)
  • Target version deleted (Candidate for patchlevel)

Also available in: Atom PDF