[TYPO3-mvc] !!! Introduced request hash

Robert Lemke robert at typo3.org
Wed Oct 14 10:41:57 CEST 2009


Hi Oliver,

On 13.10.2009 at 11:10, Oliver Klee wrote:
> Sebastian Kurfürst wrote:
>> 2) Introduction of a request hash check when objects are modified:
>> http://forge.typo3.org/issues/show/4960
>
> If I edit a record, will the hash then also be valid for other edits of
> the same record type? If so, this hash will not (yet) protect against
> XSRF because an attacker might use the form and then use the hash for
> attacks.
>
> For an XSRF protection, the hash needs to be unique to that instance of
> the form (and even that is not 100% safe).

We plan to implement such a safeguard for FLOW3:

http://forge.typo3.org/issues/show/2817

Cheers,
robert
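
The distinction Oliver draws above, as an added PHP example that is not part of the original thread and not TYPO3, Extbase or FLOW3 code: a hash that depends only on the form's field names (an assumed construction, since the thread does not say how the request hash is computed) is the same for every rendering of that form, while a token stored in the session per rendered form instance is not. The key, field names, form id and function names are constructed for illustration.

```php
<?php
// Added illustration only. Key, field names and ids below are constructed.
const SERVER_KEY = 'constructed-demo-key';

// Variant A (assumed construction): HMAC over the form's field names.
// It authenticates which properties may be modified, not who submits them.
function fieldListHash(array $fieldNames): string
{
    sort($fieldNames);
    return hash_hmac('sha256', implode(',', $fieldNames), SERVER_KEY);
}

// Variant B: random token bound to one session and one rendered form instance.
function issueFormToken(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(16));
    $session['formTokens'][$formId] = $token;
    return $token;
}

function checkFormToken(array &$session, string $formId, string $token): bool
{
    $expected = $session['formTokens'][$formId] ?? null;
    unset($session['formTokens'][$formId]); // single use: a replay finds nothing
    return $expected !== null && hash_equals($expected, $token);
}

$fields = ['blog[title]', 'blog[description]'];

// A: two users render the same edit form; compare the hashes they receive.
$hashForAlice = fieldListHash($fields);
$hashForBob   = fieldListHash($fields);
echo 'A: hash shared across users: ';
var_dump(hash_equals($hashForAlice, $hashForBob));

// B: each session gets its own token for the same form.
$alice = ['formTokens' => []];
$bob   = ['formTokens' => []];
$aliceToken = issueFormToken($alice, 'edit-blog-42');
issueFormToken($bob, 'edit-blog-42');

echo "B: Alice's token accepted in Bob's session: ";
var_dump(checkFormToken($bob, 'edit-blog-42', $aliceToken));
echo "B: Alice's token accepted in her own session: ";
var_dump(checkFormToken($alice, 'edit-blog-42', $aliceToken));
echo 'B: same token accepted a second time: ';
var_dump(checkFormToken($alice, 'edit-blog-42', $aliceToken));
```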


