Bug #29976

CSRF token is always the same

Added by Bastian Waidelich almost 4 years ago. Updated almost 4 years ago.

Status: Resolved
Start date: 2011-09-18
Priority: Must have
Due date:
Assigned To: -
% Done: 100%
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.0.0
PHP Version:
Complexity:
Has patch:
Affected Flow version:

Description

This is probably a Windows issue (Windows 7, 64bit):
The blog example generates links like "posts/new?__csrfToken=00000000000000000000000000000000" for protected actions.

Associated revisions

Revision 1dd7ba68
Added by Christian Müller almost 4 years ago

[BUGFIX] Security_Randomizer fallback does not work

This fix should allow Security_Randomizer to work on Win x64
by making sure that the mt_rand fallback actually returns random
bytes.

see http://sourceforge.net/tracker/?group_id=294448&atid=1243705
for more details

Change-Id: I93c432e45071a3c5628e98b3fbefa7407c715c15
Resolves: #29976

History

#1 Updated by Christian Müller almost 4 years ago

That is a shortcoming of /Packages/Framework/TYPO3.FLOW3/Resources/PHP/iSecurity/Security_Randomizer.php, it also mentions in a comment that it probably won't work on Win 64-bit.

#2 Updated by Christian Müller almost 4 years ago

Maybe we should add a fallback to generate "not so strongly randomized data" to have it running on Win 64-bit but log the fact that it is not so secure? WDYT?

#3 Updated by Bastian Waidelich almost 4 years ago

Christian Mueller wrote:

Maybe we should add a fallback to generate "not so strongly randomized data" to have
it running on Win 64-bit but log the fact that it is not so secure? WDYT?

+1
The Randomizer already comes with a fallback to mt_rand - but the problem is that (in my case) it doesn't reach that fallback, as it considers "00000000000000000000000000000000" a valid result.

#4 Updated by Christian Müller almost 4 years ago

Yep, I see.

I guess it goes wrong around line 219 for you; maybe you can check that out. It fills an array with zeros, then uses the .NET crypto stuff, but finally it returns the array filled with zeros. For me this code looks plain wrong; I think this $variant thingy is filled with the random bytes, and so its content needs to be returned there.
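
The failure mode described in #3 and #4, as an added PHP example that is not code from TYPO3 Flow or its Security_Randomizer: a "strong" source that hands back the zero-filled buffer instead of the random bytes must be rejected as a failure, so that the mt_rand fallback is actually reached and the degraded state is logged. The functions getRandomBytes, strongRandomBytes, weakRandomBytes and isDegenerateRandomOutput, and the $brokenProvider closure standing in for the faulty .NET path, are hypothetical names constructed for this illustration.

```php
<?php
// Added illustrative example, not the Security_Randomizer code from TYPO3 Flow.
// Shows the validation step missing in the bug discussed above: an all-zero
// "random" result is treated as a failure, the fallback is used, and the
// event is logged so the weak state does not go unnoticed.

/**
 * TRUE if $bytes looks like a degenerate random result: wrong type or
 * length, or every byte identical (for example all NUL bytes).
 */
function isDegenerateRandomOutput($bytes, $expectedLength)
{
    if (!is_string($bytes) || strlen($bytes) !== $expectedLength) {
        return true;
    }
    // Every byte equal to the first one means no entropy at all.
    return $bytes === str_repeat($bytes[0], $expectedLength);
}

/**
 * Hypothetical strong source. $provider stands in for the OS/.NET-backed
 * path from the ticket so a broken provider can be injected for testing.
 * Returns FALSE when no strong source is available.
 */
function strongRandomBytes($length, $provider = null)
{
    if ($provider !== null) {
        return $provider($length);
    }
    if (function_exists('random_bytes')) {          // PHP 7+: throws on failure
        return random_bytes($length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $out = openssl_random_pseudo_bytes($length, $strong);
        return $strong ? $out : false;
    }
    return false;
}

/**
 * Weak fallback built on mt_rand(), which is not a CSPRNG. Acceptable only
 * as a last resort, and only if the caller is told so it can be logged.
 */
function weakRandomBytes($length)
{
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= chr(mt_rand(0, 255));
    }
    return $out;
}

/**
 * Random bytes with output validation: a strong result that is missing,
 * short or made of identical bytes is rejected, the fallback is used, and
 * $usedFallback reports that fact to the caller.
 */
function getRandomBytes($length, &$usedFallback, $provider = null)
{
    $usedFallback = false;
    $bytes = strongRandomBytes($length, $provider);
    if ($bytes === false || isDegenerateRandomOutput($bytes, $length)) {
        $usedFallback = true;
        error_log('Strong random source unavailable or returned degenerate output; using mt_rand fallback');
        $bytes = weakRandomBytes($length);
    }
    return $bytes;
}

// Constructed demonstration: a provider that behaves like the bug in the
// ticket and returns the zero-filled buffer instead of the random bytes.
$brokenProvider = function ($length) {
    return str_repeat("\0", $length);
};

$usedFallback = false;
$token = bin2hex(getRandomBytes(16, $usedFallback, $brokenProvider));
// The all-zero result is rejected: $usedFallback is TRUE and $token is a
// 32-hex-digit value that is not "00000000000000000000000000000000".
var_dump($usedFallback, $token);
```

The check is deliberately cheap: it cannot tell good randomness from bad, but it does catch the exact shape of failure reported here, where the provider silently returns the zero-filled buffer and the token generator accepts it. On PHP 7 and later the random_bytes() branch applies, which throws instead of returning degenerate data, and the logged fallback remains a signal that the deployment should be investigated rather than left running on mt_rand.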

#5 Updated by Mr. Hudson almost 4 years ago

  • Status changed from New to Under Review

Patch set 1 of change I93c432e45071a3c5628e98b3fbefa7407c715c15 has been pushed to the review server.
It is available at http://review.typo3.org/5727

#6 Updated by Bastian Waidelich almost 4 years ago

FYI: We have added two bug reports to the "Improved Security" project at SourceForge

#7 Updated by Mr. Hudson almost 4 years ago

Patch set 2 of change I93c432e45071a3c5628e98b3fbefa7407c715c15 has been pushed to the review server.
It is available at http://review.typo3.org/5727

#8 Updated by Christian Müller almost 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
