Bug #91414

Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes

After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3

Added by Bernhard Giner 6 months ago. Updated 3 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version:
Start date: 2020-05-15
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 9
PHP Version: 7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

I get Error #1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException Missing referrer for /main after upgrading

Steps to reproduce:
1. try to access the backend with https://www.somedomain.tld/typo3/


Files

TYPO3_Exception#1588095935.html (43.1 KB), Bernhard Giner, 2020-05-15 15:22

Related issues

Related to TYPO3 Core - Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS (Closed, Andreas Fernandez, 2020-05-14)
Related to TYPO3 Core - Bug #91420: MissingReferrerException TYPO3 v10.4.2 (Closed, 2020-05-16)
Is duplicate of TYPO3 Core - Bug #91396: Allow SSO authentication handlers to pass SSRF referrer checks (Closed, Oliver Hader, 2020-05-14)

#1

Updated by Richard Haeser 6 months ago

  • Is duplicate of Bug #91396: Allow SSO authentication handlers to pass SSRF referrer checks added
#2

Updated by Oliver Hader 6 months ago

  • Status changed from New to Needs Feedback

"Missing Referrer" is a bit different to the other issues.

  • Which browser version is used?
  • Is the website being served from behind a (reverse) proxy?
  • Are any "Referrer-Policy" HTTP headers sent or defined?

https://typo3.org/security/advisory/typo3-core-sa-2020-006 mentions a way to work around the missing referrer by disabling the corresponding feature. Still, it would be interesting for us to know why those referrer headers are missing. Thanks in advance for further feedback!

#3

Updated by Oliver Hader 6 months ago

  • Related to Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS added
#4

Updated by Patrick no-lastname-given 6 months ago

I can confirm this issue after update to 9.5.17.

Chrome 81.0.4044.138 or Firefox 76.0.1
Website served with Plesk. Proxy mode enabled (nginx forwards requests to Apache via proxies).
Referrer-Policy header is set to strict-origin.

Backend works again if the referrer-policy header is changed to same-origin.

#5

Updated by K. F. 6 months ago

  • Related to Bug #91420: MissingReferrerException TYPO3 v10.4.2 added
#6

Updated by Oliver Hader 6 months ago

Thanks for your feedback, and good that it works now having correct HTTP headers in place with

Referrer-Policy: same-origin

#7

Updated by Oliver Hader 6 months ago

  • Status changed from Needs Feedback to Closed

Closing this ticket for the time being. Feel free to reopen in case there are additions. Thx

#8

Updated by Oliver Hader 6 months ago

  • Parent task set to #91384
#9

Updated by Kurt Gusbeth 6 months ago

After Updating from TYPO3 9.5.9 to 9.5.18 we get this error message:

(1/1) #1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException
Missing referrer for /main

We have added the header "Referrer-Policy: same-origin" to the .htaccess, but it didn't help.
What else can we do?
Here is the header information:

/typo3/index.php?route=%2Fmain&token=ca0e633432542c6292efd8a9d4de0b359ae1f67b&referrer-refresh=1591084408
Host: www.xyz.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: be_lastLoginProvider=1433416747; be_lastLoginProvider=1433416747; _pk_id.17.4492=3990bea59705926c.1587455457.9.1591084125.1591084090.; dp_cookieconsent_status={"dp--cookie-statistics":true,"dp--cookie-marketing":true}; cookieconsent_status=dismiss; _pk_ses.17.4492=1; be_typo_user=f58c567b55c8b3fe0b0ad76c81d0ce49; phpMyAdmin=uvcumsohs2o9sn95eqmg0d503h; PHPSESSID=uvcumsohs2o9sn95eqmg0d503h
Upgrade-Insecure-Requests: 1

GET: HTTP/1.1 200 OK
Date: Tue, 02 Jun 2020 07:53:31 GMT
Server: Apache/2.4.25 (Debian)
Expires: 0
Last-Modified: Tue, 02 Jun 2020 07:53:31 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Encoding: gzip
X-UA-Compatible: IE=edge
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
Content-Length: 283
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload;
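
Comments #4 and #9 both turn on the same question: which Referer value the browser actually sends for the same-origin navigation into /typo3/index.php?route=/main, given the Referrer-Policy header the site (or the proxy in front of it) emits. The following is an added example for this ticket, not TYPO3 code and not from any of the commenters: it models the "determine request's referrer" rules of the W3C Referrer Policy specification and extracts the policy from a captured response-header block. The header block, the host name www.xyz.de, the two backend URLs and the token value are constructed for the example, loosely modelled on the dump in comment #9.

```python
"""Which Referer does the browser send for the backend navigation, under a given
Referrer-Policy?  Added example for this ticket, not TYPO3 code: it models the
"determine request's referrer" rules of the W3C Referrer Policy spec and reads
the policy out of a captured response-header block.  SAMPLE_HEADERS, the host
name and the two backend URLs are constructed for the example (modelled on the
dump in comment #9); the token value is made up.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
DEFAULT_POLICY = "strict-origin-when-cross-origin"  # browser default if no header

# Constructed response headers, trimmed down from the capture in comment #9.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Cache-Control: no-cache, must-revalidate
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
"""

# Constructed backend navigation: the login page hands the browser to the /main
# route, which is the request the ticket reports as failing.
LOGIN_URL = "https://www.xyz.de/typo3/index.php?route=%2Flogin"
MAIN_URL = "https://www.xyz.de/typo3/index.php?route=%2Fmain&token=0123456789abcdef"


def parse_referrer_policy(raw_headers: str) -> str:
    """Effective policy from a raw header block: the header may be a
    comma-separated list, unknown tokens are ignored and the LAST valid one
    wins; without a valid token the browser default applies."""
    policy = ""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            for token in value.split(","):
                token = token.strip().lower()
                if token in POLICIES:
                    policy = token
    return policy or DEFAULT_POLICY


def _origin(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in, for same-origin checks."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(),
            p.port or {"http": 80, "https": 443}.get(p.scheme))


def _strip(url: str, origin_only: bool) -> str:
    """Drop credentials and fragment; optionally reduce to scheme://host[:port]/."""
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    if origin_only:
        return urlunsplit((p.scheme, netloc, "/", "", ""))
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referrer_for(policy: str, from_url: str, to_url: str):
    """Referer sent when a document at from_url navigates to to_url:
    the full URL, the origin only, or None when the header is omitted."""
    same_origin = _origin(from_url) == _origin(to_url)
    # a "downgrade" leaves a TLS-protected document for a plain-HTTP target
    downgrade = _origin(from_url)[0] == "https" and _origin(to_url)[0] != "https"
    full, origin = _strip(from_url, False), _strip(from_url, True)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def backend_referrer_table(from_url: str = LOGIN_URL, to_url: str = MAIN_URL) -> dict:
    """Referer for the same-origin backend navigation under every policy."""
    return {p: referrer_for(p, from_url, to_url) for p in sorted(POLICIES)}


if __name__ == "__main__":
    policy = parse_referrer_policy(SAMPLE_HEADERS)
    print(f"policy from captured headers: {policy}")
    print(f"Referer sent for /main:       {referrer_for(policy, LOGIN_URL, MAIN_URL)!r}\n")
    for p, ref in backend_referrer_table().items():
        print(f"{p:32} {ref!r}")
```

With the captured headers (same-origin) the /main request carries the full login URL as Referer; under strict-origin, the value comment #4 reports as broken, the browser sends only https://www.xyz.de/, and under no-referrer it sends nothing at all, which is the "Missing referrer" case. Two caveats when using this against a real site: the response header is only one source of the policy, since a meta name="referrer" tag in the document or a referrerpolicy attribute on a link overrides it for that document or element, and with a reverse proxy in front of the application (nginx in front of Apache, as in comment #4) the header the browser sees is whatever the proxy emits last, so check the policy with a request from outside (curl -sI against /typo3/) rather than in the Apache configuration alone. In Apache the value Patrick reports as working is set with mod_headers as: Header always set Referrer-Policy "same-origin".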

#10

Updated by Kurt Gusbeth 6 months ago

Additional information: other people do not have this problem on the same site.

#11

Updated by Kurt Gusbeth 3 months ago

PS: the problem can be fixed with this setting:
[SYS][features][security.backend.enforceReferrer] = false
in the Localconf.
