Bug #55703

CSRF Protection with X-Flow-CsrfToken Header doesn't work

Added by Stefan Aebischer over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Should have
Assigned To: -
Category: -
Target version: TYPO3 Flow Base Distribution - 2.0.1
Start date: 2014-02-05
Due date:
% Done: 100%
PHP Version: 5.4
Complexity: no-brainer
Has patch: No
Affected Flow version: Flow 2.0.0

Description

If the CSRF Token is submitted as X-Flow-CsrfToken Request Header, the token validation fails, even if the correct token is submitted.
The CsrfProtection RequestPattern tries to get the X-Flow-CsrfToken Header in order to validate the request (around line 108 in TYPO3\Flow\Security\RequestPattern\CsrfProtection).

The header is transformed from X-Flow-CsrfToken to HTTP-X-FLOW-CSRFTOKEN through PHP and afterwards in TYPO3\Flow\Http around line 72 to X-Flow-Csrftoken (lower t in Token).

A solution could be to name the header X-Flow-Csrf-Token.

Affected Version is 2.1.0 (not available to choose)

csrfToken.diff (861 Bytes) Stefan Aebischer, 2014-02-05 17:44
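The transformation described in the report is generic CGI behaviour, not something specific to Flow: the web server exposes a request header as an environment key (HTTP_ prefix, uppercase, dashes to underscores), and a framework that rebuilds the header name from that key can only guess at the original casing, so "X-Flow-CsrfToken" comes back as "X-Flow-Csrftoken" and an exact string comparison fails. The Python below is an added illustration, not code from the ticket, the attached diff or TYPO3 Flow; the helper names (header_to_cgi_key, cgi_key_to_header, Headers, csrf_token_valid) and the constructed sample token are assumptions made for the example. It reproduces the mismatch and then shows the defensive reading: HTTP header names are case-insensitive, so a server-side lookup should ignore case instead of relying on the exact spelling a client or the SAPI happens to produce.

```python
"""Added example (not TYPO3 Flow code): why an exact-name lookup of the
X-Flow-CsrfToken header fails after CGI-style normalisation, and how a
case-insensitive header map avoids the problem."""
import hmac


def header_to_cgi_key(name: str) -> str:
    """How PHP (and CGI/WSGI servers generally) expose a request header in the
    environment: 'HTTP_' prefix, upper-case, '-' replaced by '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_key_to_header(key: str) -> str:
    """Rebuild a header name from its CGI key the way a naive framework does:
    strip 'HTTP_', lower-case, capitalise each dash-separated word.  Casing
    inside a word (the 'T' of 'CsrfToken') cannot be recovered."""
    if not key.startswith("HTTP_"):
        raise ValueError("not a request-header key: %r" % key)
    return "-".join(part.capitalize() for part in key[len("HTTP_"):].lower().split("_"))


class Headers:
    """Minimal header map with case-insensitive lookup (RFC 7230: header field
    names are case-insensitive).  Constructed for this example."""

    def __init__(self, pairs):
        self._values = {name.lower(): value for name, value in pairs}

    def get(self, name, default=None):
        return self._values.get(name.lower(), default)


def simulate(request_headers: dict, expected_name: str = "X-Flow-CsrfToken") -> dict:
    """Send headers through the CGI round-trip and compare an exact-name lookup
    with a case-insensitive one."""
    environ = {header_to_cgi_key(n): v for n, v in request_headers.items()}
    rebuilt = {cgi_key_to_header(k): v for k, v in environ.items()}
    return {
        "rebuilt_name": next(iter(rebuilt), None),
        "exact_match": expected_name in rebuilt,               # fails: 'Csrftoken' != 'CsrfToken'
        "case_insensitive_match": Headers(rebuilt.items()).get(expected_name) is not None,
    }


def csrf_token_valid(request_headers: dict, session_token: str,
                     header_name: str = "X-Flow-CsrfToken") -> bool:
    """Defensive check: locate the token header case-insensitively after the
    CGI round-trip and compare it in constant time against the session token."""
    environ = {header_to_cgi_key(n): v for n, v in request_headers.items()}
    rebuilt = Headers((cgi_key_to_header(k), v) for k, v in environ.items())
    presented = rebuilt.get(header_name)
    if presented is None:
        return False
    return hmac.compare_digest(presented, session_token)


if __name__ == "__main__":
    # Constructed sample: a client sends the header with the documented spelling.
    print(simulate({"X-Flow-CsrfToken": "constructed-sample-token"}))
    print(csrf_token_valid({"X-Flow-CsrfToken": "constructed-sample-token"},
                           "constructed-sample-token"))
```

Running simulate() shows rebuilt_name == "X-Flow-Csrftoken", exact_match False and case_insensitive_match True, which is exactly the failure the report describes. Renaming the expected header, as the fix commits below do, also removes the mismatch; the case-insensitive lookup is the more general guard, since it does not depend on which spelling the SAPI or a proxy forwards.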

Associated revisions

Revision e8b17253
Added by Martin Helmich about 1 year ago

[BUGFIX] Fix header handling for CSRF tokens

This commit fixes a typo in the expected CSRF token header name.

Change-Id: I04a2b69084dafd07077384cb1cb6701cec197565
Fixes: #55703
Releases: master, 2.2, 2.1

Revision 23b05053
Added by Martin Helmich about 1 year ago

[BUGFIX] Fix header handling for CSRF tokens

This commit fixes a typo in the expected CSRF token header name.

Change-Id: I04a2b69084dafd07077384cb1cb6701cec197565
Fixes: #55703
Releases: master, 2.2, 2.1

Revision d7f56e9f
Added by Martin Helmich about 1 year ago

[BUGFIX] Fix header handling for CSRF tokens

This commit fixes a typo in the expected CSRF token header name.

Change-Id: I04a2b69084dafd07077384cb1cb6701cec197565
Fixes: #55703
Releases: master, 2.2, 2.1

History

#1 Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30234

#2 Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30234

#3 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 2.2 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30262

#4 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 2.1 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30263

#5 Updated by Gerrit Code Review about 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30234

#6 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 2.2 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30264

#7 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 2.1 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30265

#8 Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch 2.1 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/30265

#9 Updated by Martin Helmich about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
