Task #91354

Integrate server response security checks

Added by Oliver Hader 2 months ago. Updated 2 months ago.

Status: Closed
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2020-05-10
Due date:
% Done: 100%
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Sprint Focus:

Related issues

Precedes TYPO3 Core - Bug #91493: Add documentary and improve warnings for "Server Response on static files" check New 2020-05-11 2020-05-11
Precedes TYPO3 Core - Bug #91605: Amend .htaccess - fix wrong mime types New
Precedes TYPO3 Core - Bug #91767: ServerResponseCheck doesn't use TYPO3 HTTP config for GuzzleHttp Client New

Associated revisions

Revision c04ce955 (diff)
Added by Oliver Hader 2 months ago

[TASK] Integrate server response security checks

In order to evaluate potential server misconfigurations and to reduce
the potential of security implications in general, a new HTTP response
check is integrated to "Environment Status" and the "Security" section
in the reports module.

It is evaluated whether non-standard file extensions lead to unexpected
handling on the server-side, such as `test.php.wrong` being evaluated
as PHP or `test.html.wrong` being served with `text/html` content type.

Resolves: #91354
Releases: master, 9.5
Change-Id: Ie6584692f39706aad2a25bad27bb201f4c1045e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64458
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision dcac1c70 (diff)
Added by Oliver Hader 2 months ago

[TASK] Integrate server response security checks

In order to evaluate potential server misconfigurations and to reduce
the potential of security implications in general, a new HTTP response
check is integrated to "Environment Status" and the "Security" section
in the reports module.

It is evaluated whether non-standard file extensions lead to unexpected
handling on the server-side, such as `test.php.wrong` being evaluated
as PHP or `test.html.wrong` being served with `text/html` content type.

Resolves: #91354
Releases: master, 9.5
Change-Id: Ie6584692f39706aad2a25bad27bb201f4c1045e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450
Tested-by: Benjamin Franzke <>
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>
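
The check described in the commit message can be sketched as follows. This is an added example, not TYPO3's own ServerResponseCheck code: the function names, the probe token and the sample responses are assumptions constructed for illustration, and the responses are embedded inline instead of being fetched over HTTP.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Token, probe source and responses are constructed.
const PROBE_TOKEN = 'probe-5f3a';

// Written into test.php.wrong; if the server hands the file to PHP, the
// response carries strrev(token) instead of this source text.
function phpProbeSource(string $token): string
{
    return '<?php echo strrev(' . var_export($token, true) . ');';
}

// "Text/HTML; charset=utf-8" => "text/html"
function mediaType(string $header): string
{
    return strtolower(trim(explode(';', $header, 2)[0]));
}

// Returns findings for one probe response; an empty array means safe handling.
function auditProbe(string $file, string $contentType, string $body, string $token): array
{
    $findings = [];
    if (strpos($file, '.php.') !== false && strpos($body, strrev($token)) !== false) {
        $findings[] = "$file was evaluated as PHP";
    }
    if (strpos($file, '.html.') !== false && mediaType($contentType) === 'text/html') {
        $findings[] = "$file was served as text/html";
    }
    return $findings;
}

// Constructed responses: [file, Content-Type header, body]
$responses = [
    ['test.php.wrong', 'text/plain', phpProbeSource(PROBE_TOKEN)],
    ['test.php.wrong', 'text/html; charset=UTF-8', strrev(PROBE_TOKEN)],
    ['test.html.wrong', 'Text/HTML', '<p>probe</p>'],
    ['test.html.wrong', 'application/octet-stream', '<p>probe</p>'],
];

foreach ($responses as [$file, $contentType, $body]) {
    $findings = auditProbe($file, $contentType, $body, PROBE_TOKEN);
    echo $findings ? 'WARN ' . implode('; ', $findings) : "OK   $file", PHP_EOL;
}
```

Against a live server the token should be generated fresh for each run, so a cached or unrelated response cannot match it, and the probe files should be deleted once the check completes.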

History

#1 Updated by Gerrit Code Review 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#2 Updated by Gerrit Code Review 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#3 Updated by Gerrit Code Review 2 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#4 Updated by Gerrit Code Review 2 months ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#5 Updated by Gerrit Code Review 2 months ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#6 Updated by Gerrit Code Review 2 months ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#7 Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64458

#8 Updated by Gerrit Code Review 2 months ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64458

#9 Updated by Gerrit Code Review 2 months ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#10 Updated by Gerrit Code Review 2 months ago

Patch set 3 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64458

#11 Updated by Gerrit Code Review 2 months ago

Patch set 4 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64458

#12 Updated by Gerrit Code Review 2 months ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450

#13 Updated by Oliver Hader 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#14 Updated by Benni Mack 2 months ago

  • Status changed from Resolved to Closed

#16 Updated by Chris topher about 1 month ago

  • Precedes Bug #91493: Add documentary and improve warnings for "Server Response on static files" check added

#17 Updated by Chris topher about 1 month ago

  • Precedes Bug #91605: Amend .htaccess - fix wrong mime types added

#18 Updated by Oliver Hader 3 days ago

  • Precedes Bug #91767: ServerResponseCheck doesn't use TYPO3 HTTP config for GuzzleHttp Client added
