Bug #91433

Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes

Allow referrer refresh in install tool

Added by Oliver Hader about 2 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Security
Target version:
Start date:
2020-05-18
Due date:
% Done:

100%

TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the install tool being called from other
non same-origin locations. In case a HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

Changes of issue #91396 using refresh-always are applied as well.

Associated revisions

Revision 86b9b4a2 (diff)
Added by Oliver Hader about 2 months ago

[BUGFIX] Allow referrer refresh in install tool

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the install tool being called from other
non same-origin locations. In case a HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

Changes of issue #91396 using refresh-always are applied as well.

Resolves: #91433
Related: #91396
Releases: master, 9.5
Change-Id: I2a570da4f2a933e709d653b54f1d53d5055ef3f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64519
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision 8a137310 (diff)
Added by Oliver Hader about 2 months ago

[BUGFIX] Allow referrer refresh in install tool

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the install tool being called from other
non same-origin locations. In case a HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

Changes of issue #91396 using refresh-always are applied as well.

Resolves: #91433
Related: #91396
Releases: master, 9.5
Change-Id: I2a570da4f2a933e709d653b54f1d53d5055ef3f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64518
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

History

#1 Updated by Oliver Hader about 2 months ago

  • Parent task set to #91384

#2 Updated by Gerrit Code Review about 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64518

#3 Updated by Gerrit Code Review about 2 months ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64519

#4 Updated by Oliver Hader about 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5 Updated by Benni Mack about 2 months ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF