Feature #84566

open

Add FormProtection API to form framework

Added by Erik Krühne about 6 years ago. Updated about 5 years ago.

Status: New
Priority: Should have
Assignee: -
Category: Form Framework
Target version: -
Start date: 2018-03-30
Due date:
% Done: 0%
Estimated time:
PHP Version: 7.0
Tags:
Complexity:
Sprint Focus:

Description

Is there a possibility to combine the FormProtection API with the Form framework?

The reason for this request is that a security scan of a self-developed web page found a CSRF problem.
Among other things, I use the database finisher, so this issue is security-relevant.

I couldn't find any option in the documentation of the Form framework!
If there is already a solution to the problem, then I would be very pleased about an addition to the documentation.

Actions #1

Updated by Erik Krühne about 6 years ago

  • Private changed from Yes to No
Actions #2

Updated by Ralf Zimmermann about 6 years ago

  • Status changed from New to Needs Feedback
  • Assignee set to Erik Krühne

Can you send me details about "The reason for this request is that a security scan of a self-developed web page has a CSRF problem found." on Slack (https://typo3.slack.com) to @ralf.zimmermann please?

Actions #3

Updated by Benni Mack almost 6 years ago

  • Target version changed from 8.7.13 to 8.7.19
Actions #4

Updated by Susanne Moog over 5 years ago

  • Target version changed from 8.7.19 to Candidate for patchlevel
Actions #5

Updated by Helmut Hummel over 5 years ago

CSRF is only relevant if an action (e.g. a form submit) can be done on behalf of somebody without somebody being aware of that.

Given Jane is logged in on a website and Joe is able to social engineer Jane to visit Joe's website
When a request is sent to the website Jane is logged into
It is expected that this request must not trigger an action on Jane's behalf (like transferring money, or submitting a form with data from her login)

This means that a form with a database finisher isn't necessarily an issue.
If this form can be submitted anonymously, then no CSRF protection is needed.
If this form can only be submitted with a valid login AND the form submits data bound to the current login, then CSRF protection should be in place.

So the form framework currently shouldn't be used for forms where the latter context applies.

Therefore it would be useful to add a feature that adds a CSRF protection token to a hidden field and applies a check on form submit whether the token is correct.
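
The hidden-field token check described in the comment above, as an added example that is not part of the issue and not TYPO3's FormProtection API. It is plain PHP with no framework dependency: the token is an HMAC over a form identifier keyed with a secret that lives only in the logged-in user's session, so a request crafted by a third-party site (Joe) cannot carry a valid token for Jane's session, and a token issued for one form is not accepted for another. The function names, the `__csrf_token` field name, the array standing in for the session store, and the constructed form identifiers are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Per-session secret, created once per login session and kept server-side.
// A plain array stands in for the session store in this example (assumption).
function createSessionSecret(): string
{
    return bin2hex(random_bytes(32));
}

// Token derivation: HMAC over the form identifier, keyed with the session secret.
// Only the server and the owner of the session can produce this value, and
// binding the form identifier means a token for form A is not valid for form B.
function generateFormToken(string $sessionSecret, string $formIdentifier): string
{
    return hash_hmac('sha256', $formIdentifier, $sessionSecret);
}

// Hidden field the form framework would render into the form markup.
function renderHiddenTokenField(string $token): string
{
    return '<input type="hidden" name="__csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Check on submit: recompute the expected token and compare in constant time.
// A missing or empty token is rejected outright (the typical cross-site case).
function validateFormToken(string $sessionSecret, string $formIdentifier, ?string $submittedToken): bool
{
    if ($submittedToken === null || $submittedToken === '') {
        return false;
    }
    $expected = generateFormToken($sessionSecret, $formIdentifier);
    return hash_equals($expected, $submittedToken);
}

// Walkthrough with constructed data mirroring the Jane/Joe scenario.
$janeSession = ['csrfSecret' => createSessionSecret()];
$joeSession  = ['csrfSecret' => createSessionSecret()];
$formId = 'contact-form-with-database-finisher'; // constructed form identifier

$token = generateFormToken($janeSession['csrfSecret'], $formId);
echo renderHiddenTokenField($token), PHP_EOL;

$cases = [
    'legitimate submit from Jane\'s own form'    => $token,
    'cross-site request without a token'         => null,
    'token Joe generated in his own session'     => generateFormToken($joeSession['csrfSecret'], $formId),
    'token Jane received for a different form'   => generateFormToken($janeSession['csrfSecret'], 'newsletter-form'),
];
foreach ($cases as $label => $submitted) {
    $ok = validateFormToken($janeSession['csrfSecret'], $formId, $submitted);
    printf("%-45s => %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first case is accepted. Note that this protects exactly the context the comment singles out (a logged-in user submitting data bound to that login); for an anonymously submittable form there is no session to bind the token to, which is why no CSRF check is needed there.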

Actions #6

Updated by Björn Jacob about 5 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Combine FormProtection API with form to Add FormProtection API to form framework
  • Status changed from Needs Feedback to New
  • Assignee deleted (Erik Krühne)
  • Target version deleted (Candidate for patchlevel)