[TYPO3-mvc] !!! Introduced request hash

Sebastian Kurfürst sebastian at typo3.org
Tue Oct 13 12:05:07 CEST 2009


Hi Oliver,


> If I edit a record, will the hash then also be valid for other edits of
> the same record type? If so, this hash will not (yet) protect against
> XSRF because an attacker might use the form and then use the hash for
> attacks.
Yep, this is correct for now. We (for now) wanted to close a big
security hole inside Extbase, but this is not yet a CSRF protection.

Adding that is easy, but we have to think through all the consequences,
especially for v4 and caching, that's why we did not add it yet.

Greets,
Sebastian
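The distinction Sebastian draws above, between a hash that only fixes which fields a form may submit and one that would actually stop CSRF, worked through in Python as an added example. This is not Extbase's code: the payload layout, the HMAC construction, the secret and the `session_id`/`record_id` inputs are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample secret; in a real deployment this lives in server-side
# configuration and is never sent to the client.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def _canonical(payload):
    """Deterministic, unambiguous serialisation so that two different
    payloads can never produce the same byte string."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def field_hash(field_names, secret=SERVER_SECRET):
    """HMAC over the set of field names a form renders.

    This is the weaker property discussed in the thread: the server only
    maps properties whose names are covered by the hash, which blocks an
    extra field (e.g. 'owner') smuggled into the POST body.  It says
    nothing about who submits the form or which record is being edited,
    so one valid hash works for every edit of that form type."""
    payload = {"fields": sorted(set(field_names))}
    return hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()


def verify_field_hash(submitted_fields, submitted_hash, secret=SERVER_SECRET):
    expected = field_hash(submitted_fields, secret)
    return hmac.compare_digest(expected, submitted_hash)


def bound_token(field_names, session_id, record_id, secret=SERVER_SECRET):
    """Same hash, additionally bound to the user's session and the record.

    A token minted for one session/record pair fails verification for any
    other pair, which is the property a CSRF token needs.  `session_id`
    and `record_id` are hypothetical inputs the framework would supply."""
    payload = {
        "fields": sorted(set(field_names)),
        "session": session_id,
        "record": record_id,
    }
    return hmac.new(secret, _canonical(payload), hashlib.sha256).hexdigest()


def verify_bound_token(submitted_fields, session_id, record_id, token,
                       secret=SERVER_SECRET):
    expected = bound_token(submitted_fields, session_id, record_id, secret)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    fields = ["title", "body"]
    h = field_hash(fields)
    # Field-only hash: an injected extra property is rejected ...
    print("extra field rejected:", not verify_field_hash(fields + ["owner"], h))
    # ... but the same hash has no notion of record or user at all.
    print("same hash for any record:", verify_field_hash(fields, h))

    t = bound_token(fields, session_id="sess-A", record_id=1)
    print("other record rejected:", not verify_bound_token(fields, "sess-A", 2, t))
    print("other session rejected:", not verify_bound_token(fields, "sess-B", 1, t))
```

The field-name hash and the bound token share the canonical encoding and the HMAC so the only difference is what gets bound; the session and record identifiers are what turn a mass-assignment guard into a per-user, per-record token. Constant-time comparison (`hmac.compare_digest`) is used in both verifiers.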

