Story #56052

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Implement CSRF Protection for ajax.php

Added by Helmut Hummel over 1 year ago. Updated over 1 year ago.

Status: Resolved
Start date: 2014-02-26
Priority: Should have
Due date:
Assigned To: -
% Done: 100%
Category: -
Spent time: 11.00 hours
Target version: 6.2.0
TYPO3 Version: 6.2
Sprint Focus:
PHP Version:

Description

There is currently no API to get an Ajax URL. The following solutions should be evaluated:
  1. Re-use the ExtDirect token, or a similar token in the top window, for all ajax.php calls
  2. Register the token check (on/off) together with the Ajax ID registration, and add an API to generate the URI for a single Ajax ID with a valid token

Backwards compatibility also needs to be taken into account here, at least for third-party extensions with their own Ajax scripts.
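As an added illustration of the second option (a token bound to one Ajax ID, registered with an on/off check flag and embedded in the generated URL), the following standalone PHP sketch is example code, not TYPO3's own API. The function names, the ajaxID/ajaxToken query parameters and the demo secret are assumptions.

```php
<?php
// Added example (not TYPO3's own API): a per-Ajax-ID CSRF token for ajax.php.
// Assumed: a per-session secret (a constant here for the demo) and that ajax.php
// reads ajaxID and ajaxToken from the query string. Names are hypothetical.
const AJAX_ENDPOINT = 'ajax.php';
const TOKEN_SECRET = 'constructed-demo-secret'; // real code: random, stored in the session

/** Bind the token to one Ajax ID so a token for one call cannot authorize another. */
function generateAjaxToken(string $ajaxId, string $secret): string
{
    return hash_hmac('sha256', 'ajax:' . $ajaxId, $secret);
}

/** Build the URL: ajaxID first, then its token, then any further parameters. */
function buildAjaxUrl(string $ajaxId, string $secret, array $params = []): string
{
    $query = ['ajaxID' => $ajaxId, 'ajaxToken' => generateAjaxToken($ajaxId, $secret)] + $params;
    return AJAX_ENDPOINT . '?' . http_build_query($query);
}

/** Registration with the on/off token check flag proposed in the ticket. */
function registerAjaxHandler(array &$registry, string $ajaxId, callable $handler, bool $csrfProtected = true): void
{
    $registry[$ajaxId] = ['handler' => $handler, 'csrfProtected' => $csrfProtected];
}

/** Server side: refuse a protected call whose token is missing or does not match. */
function dispatchAjax(array $registry, array $get, string $secret): array
{
    $ajaxId = $get['ajaxID'] ?? '';
    if (!isset($registry[$ajaxId])) {
        return ['status' => 404, 'error' => 'unknown ajaxID'];
    }
    if ($registry[$ajaxId]['csrfProtected']) {
        $expected = generateAjaxToken($ajaxId, $secret);
        // hash_equals() is constant-time; an absent token compares as '' and is rejected
        if (!hash_equals($expected, (string)($get['ajaxToken'] ?? ''))) {
            return ['status' => 403, 'error' => 'invalid or missing CSRF token'];
        }
    }
    return ['status' => 200, 'result' => $registry[$ajaxId]['handler']($get)];
}

// Demo: a legitimate call carries the token; the same request without it is refused.
$registry = [];
registerAjaxHandler($registry, 'Demo::doSomething', fn(array $p) => 'item ' . ($p['item'] ?? '?'));
parse_str(parse_url(buildAjaxUrl('Demo::doSomething', TOKEN_SECRET, ['item' => '42']), PHP_URL_QUERY), $get);
echo dispatchAjax($registry, $get, TOKEN_SECRET)['status'], "\n";
unset($get['ajaxToken']);
echo dispatchAjax($registry, $get, TOKEN_SECRET)['status'], "\n";
```

Handlers registered with the flag set to false keep working unchanged, which is the compatibility path for third-party Ajax scripts that cannot yet emit a token.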


Subtasks

Task #56345: Add API to CSRF protect Ajax calls in Backend (Resolved)

Task #56356: Protect core Ajax calls against CSRF (Resolved)

Task #56404: Make sure M parameter is first in URL (Resolved)

Task #57096: Cleanup Ajax URL JS settings (Resolved)

Task #57196: Protect Ajax calls of core extensions (Resolved)

History

#1 Updated by Helmut Hummel over 1 year ago

  • Tracker changed from Story to Task
  • Remaining (hours) set to 16.0

#2 Updated by Helmut Hummel over 1 year ago

  • Tracker changed from Task to Story

#3 Updated by Ingo Schmitt over 1 year ago

  • Status changed from New to Resolved
