Task #55515: Add CSRF Protection for tce_file.php - Core - TYPO3 Forge

Core Indexed Search Linkvalidator Release Cycles Team Resources Workspaces & Versioning TYPO3 CMS Usability Team Community Extensions Distributions Feature-Requests TYPO3 6.2 Projects (+)(Archived Projects)

Task #55515

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Add CSRF Protection for tce_file.php

Added by Helmut Hummel over 1 year ago. Updated over 1 year ago.

Status:

Resolved

Start date:

2014-01-31

Priority:

Must have

Due date:

Assigned To:

Alexander Schnitzler

% Done:

100%

Category:

Spent time:

2.75 hours

Target version:

6.2.0

Estimated time:

32.00 hours

TYPO3 Version:

6.2

Complexity:

PHP Version:

Sprint Focus:

Description

tce_file.php works as API/ entry point for file operations and must be CSRF protected (like tce_db.php)

Add token check in tce_file.php
Search all places where tce_file.php is used and add the token
- Especially all JS (d&d fileupload) needs to get the token (d&d upload is handled by ajax.php and needs special handling. This will be targeted in another change)

Related issues

Associated revisions

Revision 75281c9c
Added by Alexander Schnitzler over 1 year ago

[!!!][SECURITY] Add CSRF Protection for tce_file.php

Add a token check in tce_file.php and token generation
everywhere forms for or links to tce_file.php are created.

Additionaly make sure, an instance of ExtendedFileUtility
is created in FileController on initialization to prevent
a fatal "Call to a member function on a non-object" error
in FileController::finish.

Releases: 6.2
Resolves: #55515
Change-Id: Ifd585661ac2cac6c88eaca5ad63b447d27e35395
Reviewed-on: https://review.typo3.org/27691
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

History

#1 Updated by Alexander Schnitzler over 1 year ago

Assigned To set to Alexander Schnitzler

#2 Updated by Gerrit Code Review over 1 year ago

Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27691

#3 Updated by Alexander Schnitzler over 1 year ago

% Done changed from 0 to 30

#4 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27691

#5 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27691

#6 Updated by Anonymous over 1 year ago

Status changed from Under Review to Resolved
% Done changed from 30 to 100

Applied in changeset 75281c9c7193fb28464a409836d4c8f7a79af9b9.

Also available in: Atom PDF

Core

Issues

Custom queries