Bug #36997
Use ActionRequest to validate authentication tokens
| Status: | Resolved | Start date: | 2012-05-09 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assigned To: | Bastian Waidelich | % Done: | 100% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 1.1 beta 1 | | |
| PHP Version: | | Complexity: | |
| Has patch: | No | Affected Flow version: | Git master |
Description
Currently the security context passes the HTTP Request to TokenInterface::updateCredentials() in updateTokens().
This has the disadvantage that authentication tokens can only access raw GET / POST parameters from the HTTP request. Arguments that are only available through routing are not accessible.
Take for example a token based authentication mechanism:
Routes.yaml:
```yaml
-
  uriPattern: 'aproveToken/{__authentication.Some.Package.Authentication.AuthenticationKey.code}'
  defaults:
    '@package': 'Some.Package'
    '@controller': 'Some'
    '@action': 'aproveToken'
```
In the authentication token there is no way to access the "__authentication.Some.Package.Authentication.AuthenticationKey.code" argument.
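An added illustration of the limitation described above (not code from the issue or from Flow): a stand-alone PHP model in which `matchRoute()`, `setPath()`, `getPath()` and `AuthenticationKeyToken` are hypothetical stand-ins and the path `aproveToken/4f9c2e` is a constructed sample. The token that is handed only the raw GET/POST arguments finds no code, while the token that is handed the routing-merged arguments does.

```php
<?php
// Stand-alone model of the issue. Every class and function here is a
// hypothetical stand-in, not Flow's Security\Context or TokenInterface.
const CODE_PATH = '__authentication.Some.Package.Authentication.AuthenticationKey.code';

/** Store $value in a nested array under a dotted path (missing levels are created). */
function setPath(array &$array, string $path, string $value): void {
    $ref = &$array;
    foreach (explode('.', $path) as $key) { $ref = &$ref[$key]; }
    $ref = $value;
}

/** Read a dotted path from a nested array, or null if any segment is missing. */
function getPath(array $node, string $path) {
    foreach (explode('.', $path) as $key) {
        if (!is_array($node) || !array_key_exists($key, $node)) { return null; }
        $node = $node[$key];
    }
    return $node;
}

/** Match a path against a uriPattern; return the arguments routing resolved. */
function matchRoute(string $uriPattern, string $path): ?array {
    $names = []; $regex = '';
    // preg_split alternates literal text (even index) and placeholder names (odd).
    foreach (preg_split('/\{([^}]+)\}/', $uriPattern, -1, PREG_SPLIT_DELIM_CAPTURE) as $i => $part) {
        if ($i % 2 === 1) { $names[] = $part; $regex .= '([^/]+)'; }
        else { $regex .= preg_quote($part, '#'); }
    }
    if (!preg_match('#^' . $regex . '$#', $path, $m)) { return null; }
    $arguments = [];
    foreach ($names as $i => $name) { setPath($arguments, $name, rawurldecode($m[$i + 1])); }
    return $arguments;
}

final class AuthenticationKeyToken {
    public ?string $code = null;
    /** $arguments is whatever argument set the security context hands over. */
    public function updateCredentials(array $arguments): void {
        $code = getPath($arguments, CODE_PATH);
        if (is_string($code) && $code !== '') { $this->code = $code; }
    }
}

$raw = [];  // constructed request: no GET/POST parameters at all
$routed = matchRoute('aproveToken/{' . CODE_PATH . '}', 'aproveToken/4f9c2e') ?? [];
$before = new AuthenticationKeyToken(); $before->updateCredentials($raw);
$after = new AuthenticationKeyToken();  $after->updateCredentials(array_replace_recursive($raw, $routed));
var_dump($before->code, $after->code);
```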
Associated revisions
[BUGFIX] Use ActionRequest to validate authentication tokens
Currently the security context passes the HTTP Request to
TokenInterface::updateCredentials() in updateTokens().
This has the disadvantage that authentication tokens can
only access raw GET / POST parameters from the HTTP request.
Arguments that are only available through routing are not accessible.
This change adjusts Security/Context, TokenInterface and the provided
implementations accordingly.
Change-Id: I8937d044a7837d8db0fdca342fd7b94d2eadd0ad
Fixes: #36997
Releases: 1.1
History
#1 Updated by Gerrit Code Review about 3 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100
#2 Updated by Gerrit Code Review about 3 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100
#3 Updated by Gerrit Code Review about 3 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100
#4 Updated by Bastian Waidelich about 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 2aa6a02414916d7f7725b0aa83a3b6fb63dc9568.