Bug #91420
Closed
Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes
MissingReferrerException TYPO3 v10.4.2
Description
Hi,
a few days ago I installed a new TYPO3 instance (v.10.4.2) and I cannot access the admin panel (/typo3).
The admin panel is asking for my credentials, and after entering my credentials I am getting the error "#1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException - Missing referrer for /main".
If I want to access the Install Tool, I am also getting a MissingReferrerException.
I am using a setup with a reverse proxy: Client --> nginx reverse proxy --> nginx with TYPO3
The reverse proxy (nginx) is setting a "same-origin" Referrer-Policy header.
I already tried to debug and find the problem, but without any success... meanwhile I am pretty sure that this is a bug.
I had the issue with Firefox 77.0b6, Firefox 68.8.0esr and Chromium 80.0.3987.149.
I had already seen a similar issue with v9.5.17 (https://forge.typo3.org/issues/91414) here. I guess the bug exists in v10.4.2 as well as in v9.5.17...
Updated by Anonymous over 4 years ago
- Related to Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3 added
Updated by Anonymous over 4 years ago
- Related to Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes added
Updated by Oliver Hader over 4 years ago
- Subject changed from "#1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException - Missing referrer for /main" while accessing Typo3 v10.4.2 Admin Interface to MissingReferrerException TYPO3 v10.4.2
Updated by Oliver Hader over 4 years ago
- Probably Referrer-Policy: same-origin is fine and not causing these issues (given that there is no origin change during login)
- Please post the relevant parts of your nginx proxy setup (protocols, method, ports, names would be most interesting here)
- Are referrer headers manipulated somehow, e.g. custom rules like http://nginx.org/en/docs/http/ngx_http_referer_module.html
- Please post the relevant settings used in LocalConfiguration.php for SYS/reverseProxy* properties
As a work-around it is possible to disable enforcing referrers as described in https://typo3.org/security/advisory/typo3-core-sa-2020-006 - however, it would be great to sort out the reasons for this scenario. Thanks in advance for your feedback!
Updated by Oliver Hader over 4 years ago
- Status changed from New to Needs Feedback
Updated by Anonymous over 4 years ago
Hi,
first of all, there is no protocol or domain change, so I agree that Referrer-Policy: same-origin should fit.
The nginx reverse proxy config is attached as file. The relevant includes are also attached. Not needed anymore, see below.
I do not manipulate or touch the Referrer in any way.
This is the part of my LocalConfiguration.php
'reverseProxyIP' => 'fd00:21:1::116',
'reverseProxyHeaderMultiValue' => 'first',
'reverseProxySSL' => '*',
'trustedHostsPattern' => 'abnahme.mydomain.de',
Ahh - I entered the wrong IP address here. 116 is the TYPO3 container itself, the nginx reverse proxy is 101. :x
I changed it and now it works... stupid Layer 8. :s
So for now, the problem seems to be solved. If not, I will report it here.
Sorry for that issue and thanks for your help - it seems that I do not see the wood for the trees.
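The misconfiguration resolved in the comment above, as an added example (not TYPO3's code and not part of the ticket): a simplified PHP model that assumes the backend honours forwarded headers and reverseProxySSL only when the connecting address matches reverseProxyIP, and that the referrer is compared against the origin derived that way. The proxy address fd00:21:1::101 (from "the nginx reverse proxy is 101"), the referrer URL and all function names are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Simplified model (assumption, not TYPO3 source): the peer is a trusted
// proxy only if REMOTE_ADDR equals one entry of reverseProxyIP.
function isTrustedProxy(string $remoteAddr, string $reverseProxyIP): bool
{
    $peer = @inet_pton($remoteAddr);
    if ($peer === false) {
        return false;
    }
    foreach (array_map('trim', explode(',', $reverseProxyIP)) as $candidate) {
        // Binary comparison so equivalent IPv6 spellings compare equal.
        if ($candidate !== '' && @inet_pton($candidate) === $peer) {
            return true;
        }
    }
    return false;
}

// Origin the application believes it is served from.
function deriveOrigin(array $server, array $sys): string
{
    $trusted = isTrustedProxy($server['REMOTE_ADDR'], $sys['reverseProxyIP']);
    $https = ($server['HTTPS'] ?? 'off') === 'on'
        || ($trusted && $sys['reverseProxySSL'] === '*');
    $host = $server['HTTP_HOST'];
    if ($trusted && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        // Mirrors reverseProxyHeaderMultiValue = 'first'.
        $host = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'])[0]);
    }
    return ($https ? 'https' : 'http') . '://' . $host;
}

// The referrer passes only if it starts with the derived origin.
function referrerMatches(array $server, array $sys): bool
{
    return strpos($server['HTTP_REFERER'] ?? '', deriveOrigin($server, $sys) . '/') === 0;
}

// Constructed request as the TYPO3 container sees it behind the TLS proxy.
$server = [
    'REMOTE_ADDR'  => 'fd00:21:1::101', // assumed address of the nginx proxy
    'HTTP_HOST'    => 'abnahme.mydomain.de',
    'HTTP_REFERER' => 'https://abnahme.mydomain.de/typo3/index.php',
];
foreach (['fd00:21:1::116', 'fd00:21:1::101'] as $ip) {
    $sys = ['reverseProxyIP' => $ip, 'reverseProxySSL' => '*'];
    $verdict = referrerMatches($server, $sys) ? 'accepted' : 'rejected';
    printf("%s => %s, referrer %s\n", $ip, deriveOrigin($server, $sys), $verdict);
}
```

To confirm the value to configure on a live system, compare reverseProxyIP with the client address that the TYPO3-side nginx records in its access log for proxied requests.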
Updated by Oliver Hader over 4 years ago
Thanks for your feedback and don't worry. Having the reverse proxy configuration here is actually a good thing to help others having a similar issue.
Updated by Oliver Hader over 4 years ago
- Status changed from Needs Feedback to Closed
Closing this ticket for the time being. Feel free to reopen in case there are additions. Thx
Updated by Oliver Hader over 4 years ago
- Related to Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS added
Updated by Oliver Hader over 4 years ago
- Category changed from AdminPanel to Backend User Interface