[TYPO3-core] RFC: #17153: Protect C(R)UD actions against CSRF

Ernesto Baschny [cron IT] ernst at cron-it.de
Thu Jan 20 15:56:31 CET 2011


Hi,

thanks again for waiting. As announced, I have committed the patch v2 to
trunk (rev. 10161).

It will still need to go through some more reviews but in the meanwhile
it can already be tested in trunk. I will announce this in the v4 list,
so that people pay attention if some action is not working anymore (like
saving a record and it's not being saved) etc.

Cheers,
Ernesto

Ernesto Baschny [cron IT] wrote on 20.01.2011 11:27:
> Hi Helmut,
> 
> wow, amazing work!! Thanks.
> 
> I just went over all the code and tested all mentioned situations.
> 
> The "echo .." and using the response for the clearcache.js works, but it
> is something that could probably be made more "API-like", but then again:
> It works and it is not a show-stopper.
> 
> +1 by reading and testing, just some "minor cosmetics" in attached v2.
> 
> I would be glad if we had more reviews by "testing". To speed up the
> process a bit, I will commit this patch in a couple of hours - if
> nothing big speaks against it until then. This way we get *more* people
> testing it. If it proves at the end to have still glitches or to break
> fundamentally, I will then revert it again. If there are just minor
> issues, we can also provide smaller follow-ups.
> 
> The parts from the "version" extension have to be committed to the
> workspaces team repository. Helmut, could you already file the issue
> there with the patch for this particular sysext changes only, so that it
> doesn't get lost later on?
> 
> Cheers,
> Ernesto
> 
> Helmut Hummel wrote on 20.01.2011 01:50:
>> Hi,
>>
>> this is a SVN patch request.
>>
>> Type: Security enhancement
>>
>> Branches: trunk
>>
>> Problem:
>> We have a form protection framework (introduced in #16439), but
>> currently it is only used to protect the user setup.
>>
>> Solution:
>> Implement it for all actions where data is created, updated or deleted.
>>
>> Notes:
>> The protection (check) has been implemented in the following places:
>> * alt_doc.php (which is the main editing frame if you open a record)
>> tce_db.php (script that renders nothing, but accepts parameters and
>> hands them over to TCEmain)
>> * extDirect router (This affects all Ext modules doing CRUD actions)
>>
>> Please test as much as you can, including the following:
>>
>> clipboard
>> clear cache menu
>> page module (save/ delete/ move records)
>> move wizard
>> all context menus (not new pagetree)
>> alt_doc.php (save/ delete/ move records)
>> taskcenter search (sql query)
>> lowlevel search
>> new pagetree
>> recycler
>> workspace module
>>
>> Please report if something does not work any more after applying this
>> patch especially if you get a flash message stating "Validating the
>> security token of this form has failed. Please reload the form and
>> submit it again."
>>
>> Some things are not optimal (like updating the token for the clear cache
>> menu, or the ExtDirect only using one single token until the page is
>> reloaded), but still it is better (more secure) than before.
>>
>> Also things are missing:
>> * IRRE needs to be checked and secured
>> * file operations need to be secured
>>
>> I will work on the missing things tomorrow and submit another RFC.
>> Kind regards,
>> Helmut
>>
> 
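The RFC above describes checking a per-session form token before tce_db.php hands a command to TCEmain, and showing the "Validating the security token of this form has failed" flash message when the check fails. The following is an added, stand-alone illustration of that pattern and is not TYPO3 code: the `FormProtection` class, the `tceAction` form name, the `formToken`/`cmd`/`uid` parameter names and the `handle_tce_db_request` gatekeeper are all assumptions made for this example. It binds each token to the session secret, the form name, the action and the record, so a token issued for editing record 42 cannot be replayed to delete it, and a request that carries no token or a token minted under another session is rejected before any data is touched.

```python
import hashlib
import hmac
import secrets

# Flash message text taken from the RFC above.
FLASH_MESSAGE = ("Validating the security token of this form has failed. "
                 "Please reload the form and submit it again.")


class FormProtection:
    """Hypothetical per-session form protection (not TYPO3's own class).

    Tokens are an HMAC over (form name, action, form instance) keyed with a
    random secret that lives in the backend user's session, so nothing has
    to be stored per token and a token from one session is useless in another.
    """

    def __init__(self, session_secret=None):
        # Assumption: one 32-byte random secret is generated per session.
        self.session_secret = session_secret or secrets.token_bytes(32)

    def generate_token(self, form_name, action="", form_instance=""):
        message = "|".join([form_name, action, form_instance]).encode()
        return hmac.new(self.session_secret, message, hashlib.sha256).hexdigest()

    def validate_token(self, token, form_name, action="", form_instance=""):
        expected = self.generate_token(form_name, action, form_instance)
        # Constant-time comparison; an empty or malformed token simply fails.
        return hmac.compare_digest(expected, token)


def handle_tce_db_request(protection, params):
    """Gatekeeper in front of a tce_db.php-style endpoint (hypothetical).

    Returns the action that would be handed to TCEmain on success, or the
    flash message text when the token check fails. Nothing is executed
    before the token has been validated.
    """
    token = params.get("formToken", "")
    action = params.get("cmd", "")
    record = params.get("uid", "")
    if not protection.validate_token(token, "tceAction", action, record):
        return FLASH_MESSAGE
    return f"{action} record {record}"


def demo():
    """Constructed requests showing which ones pass the check."""
    editor_session = FormProtection()   # the logged-in backend user
    other_session = FormProtection()    # any other session: different secret

    # Token the editor's form legitimately received for deleting record 42.
    delete_token = editor_session.generate_token("tceAction", "delete", "42")

    return {
        # Genuine submission from the editor's own form.
        "legit": handle_tce_db_request(
            editor_session, {"formToken": delete_token, "cmd": "delete", "uid": "42"}),
        # Cross-site request riding on the editor's cookies but with no token.
        "no_token": handle_tce_db_request(
            editor_session, {"cmd": "delete", "uid": "42"}),
        # Token minted under a different session secret.
        "other_session": handle_tce_db_request(
            editor_session, {"formToken": other_session.generate_token("tceAction", "delete", "42"),
                             "cmd": "delete", "uid": "42"}),
        # Delete token replayed for a different action on the same record.
        "wrong_action": handle_tce_db_request(
            editor_session, {"formToken": delete_token, "cmd": "edit", "uid": "42"}),
        # Delete token replayed against a different record.
        "wrong_record": handle_tce_db_request(
            editor_session, {"formToken": delete_token, "cmd": "delete", "uid": "7"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Binding the token to the action and record is what keeps one token from covering every command a script accepts; the RFC's note that ExtDirect reuses a single token until the page is reloaded is exactly the weaker variant of this scheme, where the binding is only to the session.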