Bug #91396

Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes

Allow SSO authentication handlers to pass SSRF referrer checks

Added by Oliver Hader about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
Start date:
2020-05-14
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Scenario

Observation

  • request is actually correct
  • referrer is send - but with something "external" from /typo3/ (that the subject we want and must protect from being called directly)

Variations

  • cross-site
    • Referer: https://sso.example.org/auth
    • expected Referer: https://example.org/typo3/.+
  • same-site
    • Referer: https://example.org/?eID=auth
    • expected Referer: https://example.org/typo3/.+
  • same-origin (the regular case)
    • Referer: https://example.org/typo3/index.php?route=%2Flogin
    • expected Referer: https://example.org/typo3/.+

Related issues

Has duplicate TYPO3 Core - Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3Closed2020-05-15

Actions
#1

Updated by Oliver Hader about 1 year ago

  • Description updated (diff)
#2

Updated by Oliver Hader about 1 year ago

  • Status changed from New to Accepted
  • Target version set to 9.5.18 & 10.4.3
#3

Updated by Richard Haeser about 1 year ago

We have exactly this scenario with the OpenID extension: friendsoftypo3/openid

#4

Updated by Gerrit Code Review about 1 year ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492

#5

Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492

#6

Updated by David Rellstab about 1 year ago

Tested and verified the patch with our sso setup on TYPO3 9.5.17.

Patch resolves the issue for our use case.

#7

Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492

#8

Updated by Richard Haeser about 1 year ago

  • Has duplicate Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3 added
#9

Updated by Richard Haeser about 1 year ago

  • Has duplicate Bug #91415: After Update from 9.5.14 to 9.5.17 - backend and installer login are not working added
#10

Updated by Richard Haeser about 1 year ago

  • Has duplicate deleted (Bug #91415: After Update from 9.5.14 to 9.5.17 - backend and installer login are not working)
#11

Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#12

Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#13

Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#14

Updated by Gerrit Code Review about 1 year ago

Patch set 4 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#15

Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#16

Updated by Gerrit Code Review about 1 year ago

  • Status changed from Resolved to Under Review

Patch set 5 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499

#17

Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Resolved
#18

Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF