Bug #91420

closed

Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes

MissingReferrerException TYPO3 v10.4.2

Added by Anonymous over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version:
Start date: 2020-05-16
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version: 7.4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hi,
a few days ago I installed a new TYPO3 instance (v.10.4.2) and I cannot access the admin panel (/typo3).

The admin panel is asking for my credentials, and after entering my credentials I am getting the error "#1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException - Missing referrer for /main".

If I want to access the Install Tool, I am also getting a MissingReferrerException.

I am using a setup with reverse proxy: Client --> nginx reverse proxy --> nginx with typo3

The reverse proxy (nginx) is setting a "same-origin" Referrer-Policy Header.
I already tried to debug and find the problem, but without any success... meanwhile I am pretty sure that this is a bug.

I had the issue with Firefox 77.0b6, Firefox 68.8.0esr and Chromium 80.0.3987.149.

I already had seen a similar issue with v9.5.17 (https://forge.typo3.org/issues/91414) here. I guess the bug is existing in v10.4.2 as well as in v9.5.17...


Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3 - Closed - 2020-05-15

Related to TYPO3 Core - Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS - Closed - Andreas Kienast - 2020-05-14

Actions #1

Updated by Anonymous over 4 years ago

  • Related to Bug #91414: After update from 9.5.16 to 9.5.17 I get an error 'Missing referrer for /main' in /typo3 added
Actions #2

Updated by Anonymous over 4 years ago

  • Related to Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes added
Actions #3

Updated by Oliver Hader over 4 years ago

  • Subject changed from "#1588095935 TYPO3\CMS\Core\Http\Security\MissingReferrerException - Missing referrer for /main" while accessing Typo3 v10.4.2 Admin Interface to MissingReferrerException TYPO3 v10.4.2
Actions #4

Updated by Oliver Hader over 4 years ago

  • Probably Referrer-Policy: same-origin is fine and not causing these issues (given that there is no origin change during login)
  • Please post the relevant parts of your nginx proxy setup (protocols, method, ports, names would be most interesting here)
  • Are referrer headers manipulated somehow, e.g. custom rules like http://nginx.org/en/docs/http/ngx_http_referer_module.html?
  • Please post the relevant settings used in LocalConfiguration.php for SYS/reverseProxy* properties

As a work-around it is possible to disable enforcing referrers as described in https://typo3.org/security/advisory/typo3-core-sa-2020-006 - however, it would be great to sort out the reasons for this scenario. Thanks in advance for your feedback!

Actions #5

Updated by Oliver Hader over 4 years ago

  • Status changed from New to Needs Feedback
Actions #6

Updated by Anonymous over 4 years ago

Hi,

first of all, there is no protocol or domain change, so I agree that Referrer-Policy: same-origin should fit.

The nginx reverse proxy config is attached as a file. The relevant includes are also attached. Not needed anymore, see below.
I do not manipulate or touch the Referrer in any way.

This is the part of my LocalConfiguration.php:

        'reverseProxyIP' => 'fd00:21:1::116',
        'reverseProxyHeaderMultiValue' => 'first',
        'reverseProxySSL' => '*',
        'trustedHostsPattern' => 'abnahme.mydomain.de',

Ahh - I entered the wrong IP address here. 116 is the TYPO3 container itself, the nginx reverse proxy is 101. :x
I changed it and now it works... stupid Layer 8. :s

So for now, the problem seems to be solved. If not, I will report it here.
Sorry for that issue and thanks for your help - it seems that I do not see the wood for the trees.
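
Added example (not part of the ticket and not TYPO3's own code): a simplified Python model of how the SYS/reverseProxy* settings decide whether forwarded headers from the connecting peer are trusted, run against a constructed request. It assumes the proxy terminates TLS and forwards plain HTTP, and that the proxy's address is fd00:21:1::101, inferred from the comment above.

```python
import ipaddress

# Values as posted in the ticket; the proxy address ending in 101 is inferred
# from the reporter's remark and is an assumption of this example.
POSTED = {"reverseProxyIP": "fd00:21:1::116",
          "reverseProxyHeaderMultiValue": "first",
          "reverseProxySSL": "*"}
CORRECTED = dict(POSTED, reverseProxyIP="fd00:21:1::101")

# Constructed request as the TYPO3 host would see it: the peer is the nginx
# proxy, the hop behind the proxy is plain HTTP (assumed), Host is passed on.
SAMPLE_SERVER = {"REMOTE_ADDR": "fd00:21:1::101",
                 "HTTP_HOST": "abnahme.mydomain.de",
                 "HTTP_X_FORWARDED_HOST": "abnahme.mydomain.de"}


def peer_matches(remote_addr, ip_list):
    """True when remote_addr matches a literal or CIDR entry of ip_list.
    (Wildcard entries such as 192.168.*.* are not handled in this sketch.)"""
    peer = ipaddress.ip_address(remote_addr)
    for entry in filter(None, (e.strip() for e in ip_list.split(","))):
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == peer.version and peer in net:
            return True
    return False


def derived_origin(server, sys_conf):
    """Scheme and host the backend derives for the current request."""
    scheme = "https" if server.get("HTTPS") == "on" else "http"
    host = server["HTTP_HOST"]
    peer = server["REMOTE_ADDR"]
    if peer_matches(peer, sys_conf["reverseProxyIP"]):
        # Forwarded headers are only honoured for a trusted peer.
        hosts = [h.strip() for h in
                 server.get("HTTP_X_FORWARDED_HOST", "").split(",") if h.strip()]
        if hosts:
            first = sys_conf["reverseProxyHeaderMultiValue"] == "first"
            host = hosts[0] if first else hosts[-1]
        ssl = sys_conf["reverseProxySSL"]
        if ssl == "*" or peer_matches(peer, ssl):
            scheme = "https"
    return f"{scheme}://{host}"


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, derived_origin(SAMPLE_SERVER, conf))
```

With the posted value the proxy is not recognised, so the backend derives an http:// origin while the browser is on https://; with the proxy's own address the two agree.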

Actions #7

Updated by Oliver Hader over 4 years ago

Thanks for your feedback and don't worry. Having the reverse proxy configuration here is actually a good thing to help others having a similar issue.

Actions #8

Updated by Oliver Hader over 4 years ago

  • Status changed from Needs Feedback to Closed

Closing this ticket for the time being. Feel free to reopen in case there are additions. Thx

Actions #9

Updated by Oliver Hader over 4 years ago

  • Related to Bug #91406: "#1588095936: Missing referrer for Install Tool" in TYPO3 7.6.42 ELTS added
Actions #10

Updated by Oliver Hader over 4 years ago

  • Parent task set to #91384
Actions #11

Updated by Oliver Hader over 4 years ago

  • Category changed from AdminPanel to Backend User Interface