Bug #36997

Use ActionRequest to validate authentication tokens

Added by Bastian Waidelich about 3 years ago. Updated about 3 years ago.

Status: Resolved
Start date: 2012-05-09
Priority: Should have
Due date:
Assigned To: Bastian Waidelich
% Done: 100%
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.1 beta 1
PHP Version:
Complexity:
Has patch: No
Affected Flow version: Git master

Description

Currently the security context passes the HTTP Request to TokenInterface::updateCredentials() in updateTokens().

This has the disadvantage that authentication tokens can only access raw GET / POST parameters from the HTTP request. Arguments that are only available through routing are not accessible.

Take for example a token based authentication mechanism:

Routes.yaml:

-
  uriPattern: 'aproveToken/{__authentication.Some.Package.Authentication.AuthenticationKey.code}'
  defaults:
    '@package':    'Some.Package'
    '@controller': 'Some'
    '@action':     'aproveToken'

In the authentication token there is no way to access the "__authentication.Some.Package.Authentication.AuthenticationKey.code" argument.
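The gap described above, as an added example that is not part of the original report or of Flow's code: a PHP 8 sketch showing why a token that reads only GET / POST never sees a value that exists solely as a routed path segment. `HttpRequestModel`, `ActionRequestModel`, `routeValues()` and `valueAtPath()` are hypothetical stand-ins, and the request path is a constructed sample.

```php
<?php
// Simplified stand-ins, not the Flow classes: they model only where arguments live.
final class HttpRequestModel {
    public function __construct(public string $path, public array $get = [], public array $post = []) {}
}

final class ActionRequestModel {
    public function __construct(public HttpRequestModel $httpRequest, public array $routeValues) {}

    // In this model, routing results are merged over the raw GET / POST parameters.
    public function getArguments(): array {
        return array_replace_recursive($this->httpRequest->get, $this->httpRequest->post, $this->routeValues);
    }
}

// Match the single dynamic segment of the route from the description and
// expand its dotted name into a nested array. Returns [] when the path does not match.
function routeValues(string $uriPattern, string $path): array {
    if (!preg_match('/^([^{]*)\{([^}]+)\}$/', $uriPattern, $p)
        || !preg_match('#^' . preg_quote($p[1], '#') . '([^/]+)$#', $path, $m)) {
        return [];
    }
    $nested = rawurldecode($m[1]);
    foreach (array_reverse(explode('.', $p[2])) as $key) {
        $nested = [$key => $nested];
    }
    return $nested;
}

// Walk a dotted path through nested arrays; null when any key is missing.
function valueAtPath(array $data, string $dottedPath): ?string {
    foreach (explode('.', $dottedPath) as $key) {
        if (!is_array($data) || !array_key_exists($key, $data)) {
            return null;
        }
        $data = $data[$key];
    }
    return is_string($data) ? $data : null;
}

const CODE_PATH = '__authentication.Some.Package.Authentication.AuthenticationKey.code';
$http = new HttpRequestModel('aproveToken/constructed-sample-code'); // constructed request
$action = new ActionRequestModel($http, routeValues('aproveToken/{' . CODE_PATH . '}', $http->path));

// Token handed the HTTP request: it can look only at GET / POST.
var_dump(valueAtPath(array_merge($http->get, $http->post), CODE_PATH));
// Token handed the action request: routed values are part of its arguments.
var_dump(valueAtPath($action->getArguments(), CODE_PATH));
```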

Associated revisions

Revision 2aa6a024
Added by Bastian Waidelich about 3 years ago

[BUGFIX] Use ActionRequest to validate authentication tokens

Currently the security context passes the HTTP Request to
TokenInterface::updateCredentials() in updateTokens().
This has the disadvantage that authentication tokens can
only access raw GET / POST parameters from the HTTP request.
Arguments that are only available through routing are not accessible.

This change adjusts Security/Context, TokenInterface and the provided
implementations accordingly.

Change-Id: I8937d044a7837d8db0fdca342fd7b94d2eadd0ad
Fixes: #36997
Releases: 1.1

Revision bbdafabc
Added by Karsten Dambekalns about 3 years ago

[BUGFIX] Use ActionRequest to validate PasswordToken

The (new) PasswordToken was not included in the fix for #36997.

Change-Id: I6c9792669c52200dacf58ca08f9a94f7d35edbcd
Related: #36997
Releases: 1.1

History

#1 Updated by Gerrit Code Review about 3 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#2 Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#3 Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#4 Updated by Bastian Waidelich about 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
