Bug #28257
Avoid Credentials to be stored in the request
| Status: | Resolved | Start date: | 2011-07-16 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assigned To: | Karsten Dambekalns | % Done: | 100% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 1.0 beta 1 | | |
| PHP Version: | | Complexity: | |
| Has patch: | | Affected Flow version: | |
Description
When you authenticate using the PersistedUsernamePasswordProvider username & password are copied to the GET Arguments of the following request when used in SubRequests (plugins / widgets) because POST arguments are merged in the RequestBuilder. To avoid this, we should use "internal request arguments" for authentication (see #25802).
Concrete: The strings 'TYPO3.FLOW3.Security.Authentication.Token.UsernamePassword.username' and 'TYPO3.FLOW3.Security.Authentication.Token.UsernamePassword.password' in \TYPO3\FLOW3\Security\Authentication\Token\UsernamePassword::updateCredentials() should be replaced.
It could even be just __username & __password IMO.
Note: documentation and referring comments need to be adjusted. To avoid headache, the token could still check for the old post vars and throw an exception (in dev context) / create a log entry (in other contexts).
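An added illustration of the argument-merging problem and the "__" fix described above; this is not TYPO3 Flow's RequestBuilder or token code, and the function names and the LEGACY_KEYS constant are hypothetical.

```php
<?php
// Added illustration of the bug and its fix; not TYPO3 Flow's RequestBuilder.
// All function names and the LEGACY_KEYS constant are hypothetical.
// Old public argument names the token read, as quoted in the report
// (shown here as flattened dotted paths rather than nested POST arrays).
const LEGACY_KEYS = [
    'TYPO3.FLOW3.Security.Authentication.Token.UsernamePassword.username',
    'TYPO3.FLOW3.Security.Authentication.Token.UsernamePassword.password',
];

// An internal request argument is one whose top-level name starts with "__".
function isInternalArgument(string $name): bool
{
    return strncmp($name, '__', 2) === 0;
}

// Build the arguments a sub-request (plugin/widget) inherits from the main
// request. The unfixed variant merges POST into GET verbatim, so a login
// form's fields become GET arguments of the following request. The fixed
// variant drops "__"-prefixed arguments before merging.
function buildSubRequestArguments(array $get, array $post, bool $fixed): array
{
    if ($fixed) {
        $post = array_filter($post, fn($k) => !isInternalArgument($k), ARRAY_FILTER_USE_KEY);
    }
    return array_merge($get, $post);
}

// Flag credentials still posted under the old names: throw in the Development
// context, otherwise return a message for the log (null if nothing was found).
function checkForLegacyCredentials(array $post, string $context): ?string
{
    foreach (LEGACY_KEYS as $key) {
        if (array_key_exists($key, $post)) {
            $message = "Credentials submitted under deprecated argument '$key'";
            if ($context === 'Development') {
                throw new \RuntimeException($message);
            }
            return $message;
        }
    }
    return null;
}

// Constructed sample: a login POST hitting a page that also renders a plugin.
$get  = ['page' => 'login'];
$post = ['__authentication' => ['username' => 'alice', 'password' => 's3cret'], 'go' => '1'];
$leaked = buildSubRequestArguments($get, $post, false);
$safe   = buildSubRequestArguments($get, $post, true);
var_dump(isset($leaked['__authentication']), isset($safe['__authentication']));
echo checkForLegacyCredentials([LEGACY_KEYS[0] => 'alice'], 'Production'), PHP_EOL;
```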
Associated revisions
[!!!][BUGFIX] Avoid Credentials to be stored in the request
When you authenticate using the PersistedUsernamePasswordProvider
username & password are copied to the GET Arguments of the following
request when used in SubRequests (plugins / widgets) because POST
arguments are merged in the RequestBuilder.
This change fixes this by prepending username & password with two
underscores, turning them into "internal request arguments" (see #25802)
Change-Id: Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26
Resolves: #28257
History
#1 Updated by Mr. Hudson about 4 years ago
- Status changed from New to Under Review
Patch set 1 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375
#2 Updated by Mr. Hudson about 4 years ago
Patch set 2 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375
#3 Updated by Karsten Dambekalns almost 4 years ago
Well, about the simple rename - we support multiple tokens and all that fuzz. So, wouldn't we need to be able to separate login data for different tokens / providers? Andreas, what do you think?
#4 Updated by Bastian Waidelich almost 4 years ago
Karsten Dambekalns wrote:
Well, about the simple rename - we support multiple tokens and all that fuzz. [...]
Not sure.. but we could replace

```html
<input type="text" name="TYPO3[FLOW3][Security][Authentication][Token][UsernamePassword][username]" ... />
```

with

```html
<input type="text" name="__authentication[TYPO3.FLOW3][Security][Authentication][Token][UsernamePassword][username]" ... />
```

to make sure..
#5 Updated by Karsten Dambekalns almost 4 years ago
- Status changed from Under Review to Accepted
- Assigned To set to Karsten Dambekalns
I'll adjust the change.
#6 Updated by Mr. Hudson almost 4 years ago
- Status changed from Accepted to Under Review
Patch set 3 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375
#7 Updated by Mr. Hudson almost 4 years ago
Patch set 4 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375
#8 Updated by Mr. Hudson almost 4 years ago
Patch set 5 of change Ifdee053fc1c1dc2338dddf7b759ce6b6bcd00a26 has been pushed to the review server.
It is available at http://review.typo3.org/3375
#9 Updated by Bastian Waidelich almost 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset c78ca09b43614a84601f2f121c9f1c68bcb89350.