Task #55515

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Add CSRF Protection for tce_file.php

Added by Helmut Hummel over 1 year ago. Updated over 1 year ago.

Status: Resolved
Start date: 2014-01-31
Priority: Must have
Due date:
Assigned To: Alexander Schnitzler
% Done: 100%
Category: -
Spent time: 2.75 hours
Target version: 6.2.0
Estimated time: 32.00 hours
TYPO3 Version: 6.2
Complexity:
PHP Version:
Sprint Focus:

Description

tce_file.php works as API/entry point for file operations and must be CSRF protected (like tce_db.php).

  • Add token check in tce_file.php
  • Search all places where tce_file.php is used and add the token
    • Especially all JS (d&d fileupload) needs to get the token (d&d upload is handled by ajax.php and needs special handling. This will be targeted in another change)

Related issues

blocked by Core - Bug #56084: t3editor is not usable any more Resolved 2014-02-18

Associated revisions

Revision 75281c9c
Added by Alexander Schnitzler over 1 year ago

[!!!][SECURITY] Add CSRF Protection for tce_file.php

Add a token check in tce_file.php and token generation
everywhere forms for or links to tce_file.php are created.

Additionally, make sure an instance of ExtendedFileUtility
is created in FileController on initialization to prevent
a fatal "Call to a member function on a non-object" error
in FileController::finish.

Releases: 6.2
Resolves: #55515
Change-Id: Ifd585661ac2cac6c88eaca5ad63b447d27e35395
Reviewed-on: https://review.typo3.org/27691
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
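
The pattern the description and the commit message above outline (a token check at the entry point, plus token generation wherever a form or link targets it), as an added example that is not TYPO3's code. The entry point name `file_entry.php`, the `file` and `formToken` parameters, the `fileAction` form name and all function names are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not TYPO3 code; every name below is hypothetical.
// Token = HMAC over form name and action, keyed with a per-session secret,
// so a token issued for another session or another form does not validate.
function generateFormToken(string $sessionSecret, string $formName, string $action = ''): string
{
    return hash_hmac('sha256', $formName . "\0" . $action, $sessionSecret);
}

function validateFormToken(string $sessionSecret, $token, string $formName, string $action = ''): bool
{
    // Reject missing or non-string input (e.g. formToken[]=x) before comparing.
    if (!is_string($token) || $token === '') {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals(generateFormToken($sessionSecret, $formName, $action), $token);
}

// Every place that builds a link or form for the entry point adds the token.
function buildFileActionUrl(string $sessionSecret, array $fileCommands): string
{
    return 'file_entry.php?' . http_build_query([
        'file' => $fileCommands,
        'formToken' => generateFormToken($sessionSecret, 'fileAction'),
    ]);
}

// Entry point: the token check runs before any file command is dispatched.
function handleFileRequest(string $sessionSecret, array $request): string
{
    if (!validateFormToken($sessionSecret, $request['formToken'] ?? null, 'fileAction')) {
        return 'rejected: invalid form token';
    }
    return 'accepted: dispatching file commands';
}

// Constructed demo data: a session secret and one delete command.
$secret = bin2hex(random_bytes(32));
$commands = ['delete' => [['data' => '1:/example.txt']]];

parse_str(parse_url(buildFileActionUrl($secret, $commands), PHP_URL_QUERY), $legit);
$forged = ['file' => $commands];                       // cross-site request: no token
$otherSession = ['file' => $commands,
    'formToken' => generateFormToken(bin2hex(random_bytes(32)), 'fileAction')];

echo handleFileRequest($secret, $legit), PHP_EOL;
echo handleFileRequest($secret, $forged), PHP_EOL;
echo handleFileRequest($secret, $otherSession), PHP_EOL;
```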

History

#1 Updated by Alexander Schnitzler over 1 year ago

  • Assigned To set to Alexander Schnitzler

#2 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27691

#3 Updated by Alexander Schnitzler over 1 year ago

  • % Done changed from 0 to 30

#4 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27691

#5 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27691

#6 Updated by Anonymous over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 30 to 100
