Feature #9547

Reactivate HMAC or implement substitute

Added by Bastian Waidelich about 11 years ago. Updated almost 11 years ago.

Status: Rejected
Priority: Must have
Assignee: -
Category: Security
Target version: -
Start date: 2010-09-01
Due date:
% Done: 0%
Estimated time:
PHP Version:
Has patch:
Complexity:

Description

Currently Fluid Forms still create a hidden "__hmac" field, but apparently that is no longer validated on the server side.
IMO we need this request hash validation to prevent CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks.
A possible alternative solution might be to store the form fields in a request stack (#3620).


Related issues

Is duplicate of TYPO3.Flow - Task #6606: RequestHash should be implemented by a firewall filter (Closed, Andreas Förthner, 2010-02-25)

#1

Updated by Sebastian Kurfuerst about 11 years ago

After re-thinking about this, I also think we badly need this feature again.

#2

Updated by Karsten Dambekalns almost 11 years ago

  • Tracker changed from Bug to Feature

#3

Updated by Andreas Förthner almost 11 years ago

  • Status changed from New to Rejected

This is a duplicate...
