Story #55509: Add CSRF Protection to mod.php - Core - TYPO3 Forge

Core Indexed Search Linkvalidator Release Cycles Team Resources Workspaces & Versioning TYPO3 CMS Usability Team Community Extensions Distributions Feature-Requests TYPO3 6.2 Projects (+)(Archived Projects)

Story #55509

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Add CSRF Protection to mod.php

Added by Helmut Hummel over 1 year ago. Updated over 1 year ago.

Status:

Resolved

Start date:

2014-02-26

Priority:

Should have

Due date:

Assigned To:

Helmut Hummel

% Done:

100%

Category:

Spent time:

35.25 hours

Target version:

6.2.0

TYPO3 Version:

6.2

Sprint Focus:

PHP Version:

Description

The mod.php dispatcher should check for a correct CSRF token.

It should be possible to disable CSRF protection in conf.php or Extbase addModule API t not break third party modules (needs to be ckecked if needed) take #55516 into account ( especially backwards compat for wizards)
BackendUtility::getModuleUrl() must add a token (based on module name)
Module menu must use BackendUtility::getModuleUrl()
All occurrences of hardcoded mod.php URLs must be changed to use BackendUtility::getModuleUrl() (at least one place in JS)

Subtasks

Related issues

Associated revisions

Revision 6e9e5455
Added by Helmut Hummel over 1 year ago

[!!!][SECURITY] Add CSRF protection to mod.php

Add a token check in mod.php and token generation
to BackendUtility::getModuleUrl()

Adapt code to use BackendUtility::getModuleUrl()
in every place where links are hardcoded.

Releases: 6.2
Resolves: #55509
Change-Id: I952c40fc1004a0a8d77c929927d37e1d93dcfef4
Reviewed-on: https://review.typo3.org/27636
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Revision 5bb52af5
Added by Wouter Wolters over 1 year ago

[BUGFIX] Cleanup EXT:cshmanual

Removed require_once which is deprecated.
Introduced a use-statement for GeneralUtility
Removed TYPO3_MOD_PATH
Links generated by make_seeAlso() were double htmlspecialchars
encoded after security patch https://review.typo3.org/27636

Resolves: #56826
Related: #55509
Releases: 6.2
Change-Id: I8effc7c6bf9828dde4f1c69754b207864b3122ba
Reviewed-on: https://review.typo3.org/28303
Reviewed-by: Stefan Neufeind
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

History

#1 Updated by Ingo Schmitt over 1 year ago

Assigned To set to Helmut Hummel

#2 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#3 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#4 Updated by Helmut Hummel over 1 year ago

% Done changed from 0 to 30

#5 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#6 Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#7 Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#8 Updated by Helmut Hummel over 1 year ago

% Done changed from 30 to 90

#9 Updated by Gerrit Code Review over 1 year ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#10 Updated by Gerrit Code Review over 1 year ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#11 Updated by Helmut Hummel over 1 year ago

Status changed from Accepted to Resolved
% Done changed from 90 to 100

Applied in changeset 6e9e5455ba0c656e50ce94bc08d988bba9ec642e.

#12 Updated by Falk Aaron over 1 year ago

How to use \TYPO3\CMS\Extbase\Utility\ExtensionUtility::registerModule with navFrameScript parameter?

It does not work, as the modules are loaded before the BE_USER, so BackendUtility::getModuleUrl does only retrieve a "dummyToken".

May you help me out?

Also available in: Atom PDF

related to Vidi (List Component) - Bug #56392: vidi ModuleMenuView breaks typo3 git master	Resolved	2014-02-27
related to Vidi (List Component) - Bug #56871: File picker popup: Invalid form/module token detected. Ac...	Resolved	2014-03-13
related to Vidi (List Component) - Bug #56872: User Tools > FE Group: Validating the security token failed	Resolved	2014-03-13
related to Core - Bug #58138: CSRF with registerModule and navFrameScript	Resolved	2014-04-23
related to Core - Bug #62569: Function menu broken for old modules	Resolved	2014-10-30

Core

Issues

Custom queries