Story #55509

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Add CSRF Protection to mod.php

Added by Helmut Hummel over 1 year ago. Updated over 1 year ago.

Status: Resolved
Start date: 2014-02-26
Priority: Should have
Due date:
Assigned To: Helmut Hummel
% Done: 100%
Category: -
Spent time: 35.25 hours
Target version: 6.2.0
TYPO3 Version: 6.2
Sprint Focus:
PHP Version:

Description

The mod.php dispatcher should check for a correct CSRF token.

  • It should be possible to disable CSRF protection in conf.php or via the Extbase addModule API so that third-party modules do not break (needs to be checked whether this is needed); take #55516 into account (especially backwards compatibility for wizards)
  • BackendUtility::getModuleUrl() must add a token (based on module name)
  • Module menu must use BackendUtility::getModuleUrl()
  • All occurrences of hardcoded mod.php URLs must be changed to use BackendUtility::getModuleUrl() (at least one place in JS)
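As an added illustration of the scheme the description asks for (not TYPO3's own code), the sketch below binds a token to the module name with an HMAC over a per-session secret, emits it from a getModuleUrl()-style helper, and verifies it on the dispatcher side; the parameter names M and moduleToken, the session secret and the module names are constructed assumptions. It also reproduces the failure comment #12 describes: a URL built before the session secret exists carries only a dummy token, which the check rejects.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed stand-in for the backend user's session secret. A real deployment
# would use a per-session random value, never a constant.
SESSION_SECRET = b"constructed-per-session-secret"
DUMMY_TOKEN = "dummyToken"  # what a URL built before the session exists carries


def module_token(secret, module_name):
    """Token bound to the module name, so a token issued for one module cannot
    be reused to call another one within the same session."""
    msg = ("moduleCall|" + module_name).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def get_module_url(secret, module_name, params=None):
    """Build a mod.php link carrying the module token (the role of
    BackendUtility::getModuleUrl() in the description). Without a session
    secret only a dummy token is available, which dispatch() rejects."""
    token = module_token(secret, module_name) if secret else DUMMY_TOKEN
    query = [("M", module_name), ("moduleToken", token)]
    query += list((params or {}).items())
    return "mod.php?" + urlencode(query)


def dispatch(secret, url):
    """Dispatcher-side check. Returns the module name to run, or None when the
    token is missing, is the dummy, or was issued for a different module
    or session."""
    query = parse_qs(url.split("?", 1)[1]) if "?" in url else {}
    module = query.get("M", [None])[0]
    token = query.get("moduleToken", [None])[0]
    if not module or not token:
        return None
    expected = module_token(secret, module)
    # constant-time comparison so the check does not leak token bytes via timing
    if not hmac.compare_digest(expected, token):
        return None
    return module
```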

Subtasks

Task #56359: Fix module access regressions Resolved

Task #56453: Improve usability with multiple tabs open Resolved

Related issues

related to Vidi (List Component) - Bug #56392: vidi ModuleMenuView breaks typo3 git master Resolved 2014-02-27
related to Vidi (List Component) - Bug #56871: File picker popup: Invalid form/module token detected. Ac... Resolved 2014-03-13
related to Vidi (List Component) - Bug #56872: User Tools > FE Group: Validating the security token failed Resolved 2014-03-13
related to Core - Bug #58138: CSRF with registerModule and navFrameScript Resolved 2014-04-23
related to Core - Bug #62569: Function menu broken for old modules Resolved 2014-10-30

Associated revisions

Revision 6e9e5455
Added by Helmut Hummel over 1 year ago

[!!!][SECURITY] Add CSRF protection to mod.php

Add a token check in mod.php and token generation
to BackendUtility::getModuleUrl()

Adapt code to use BackendUtility::getModuleUrl()
in every place where links are hardcoded.

Releases: 6.2
Resolves: #55509
Change-Id: I952c40fc1004a0a8d77c929927d37e1d93dcfef4
Reviewed-on: https://review.typo3.org/27636
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Revision 5bb52af5
Added by Wouter Wolters over 1 year ago

[BUGFIX] Cleanup EXT:cshmanual

  • Removed require_once which is deprecated.
  • Introduced a use-statement for GeneralUtility
  • Removed TYPO3_MOD_PATH
  • Links generated by make_seeAlso() were double htmlspecialchars
    encoded after security patch https://review.typo3.org/27636

Resolves: #56826
Related: #55509
Releases: 6.2
Change-Id: I8effc7c6bf9828dde4f1c69754b207864b3122ba
Reviewed-on: https://review.typo3.org/28303
Reviewed-by: Stefan Neufeind
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

History

#1 Updated by Ingo Schmitt over 1 year ago

  • Assigned To set to Helmut Hummel

#2 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#3 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#4 Updated by Helmut Hummel over 1 year ago

  • % Done changed from 0 to 30

#5 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#6 Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#7 Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#8 Updated by Helmut Hummel over 1 year ago

  • % Done changed from 30 to 90

#9 Updated by Gerrit Code Review over 1 year ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#10 Updated by Gerrit Code Review over 1 year ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27636

#11 Updated by Helmut Hummel over 1 year ago

  • Status changed from Accepted to Resolved
  • % Done changed from 90 to 100

#12 Updated by Falk Aaron over 1 year ago

How to use \TYPO3\CMS\Extbase\Utility\ExtensionUtility::registerModule with navFrameScript parameter?

It does not work, as the modules are loaded before the BE_USER, so BackendUtility::getModuleUrl does only retrieve a "dummyToken".

Could you help me out?
