Bug #91433

Story #91384: Backend login and referrer problems after recent TYPO3 9.5.17 and 10.4.2 security fixes

Allow referrer refresh in install tool

Added by Oliver Hader 12 months ago. Updated 12 months ago.

Status: Closed
Priority: Should have
Category: Security
Start date: 2020-05-18
% Done: 100%
TYPO3 Version: 9

Description

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the install tool being called from other
non-same-origin locations. In case an HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

Changes of issue #91396 using refresh-always are applied as well.

#1

Updated by Oliver Hader 12 months ago

  • Parent task set to #91384

#2

Updated by Gerrit Code Review 12 months ago

  • Status changed from New to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64518

#3

Updated by Gerrit Code Review 12 months ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/64519

#4

Updated by Oliver Hader 12 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5

Updated by Benni Mack 12 months ago

  • Status changed from Resolved to Closed
