[TYPO3-v4] C(R)UD actions are now protected against CSRF (RFC #17153)

Ernesto Baschny [cron IT] ernst at cron-it.de
Thu Jan 20 16:26:15 CET 2011


Hi folks,

Helmut came up with a solution to provide a CSRF protection for almost
all important C(R)UD (create update delete) operations that are done
through backend forms, Ajax/ExtDirect calls and URLs. This means that
all these operations are now protected from being triggered by a
malicious link.

The patch was committed to trunk now in RFC #17153 (rev. 10161). I
announce this here, because we need much more testing and reviewing of
that particular feature, because it has of course the potential to
"break" stuff which was working before. Helmut did an awfully great job
and was very careful, as was I in my reviews.

So please consider "looking out" for any situation when something
"should have been saved" but "wasn't" and try to check out if it is
related to "security tokens". As soon as you try to commit some change
without the correct token, you should see this Exception:

"Invalid Security Token" (ExtDirect)

 or

"Validating the security token of this form has failed. Please reload
the form and submit it again."  (this is already translated in some
languages, e.g. German)

If you are able to reproduce that situation, please report it as a reply to
the RFC #17153 in the core list.

Thanks!

Cheers,
Ernesto
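The token mechanism the mail describes (a per-session secret bound to the specific form or call, rejected with the messages quoted above when it is missing or forged) as an added illustration in Python; this is not TYPO3's own code, and the function names, the "channel" distinction and the sample form name "tt_content_edit" are assumptions chosen for the example.

```python
import hmac
import hashlib
import secrets

# Assumed names for this illustration, not TYPO3 identifiers.
FORM_ERROR = ("Validating the security token of this form has failed. "
              "Please reload the form and submit it again.")
EXTDIRECT_ERROR = "Invalid Security Token"


class SecurityTokenError(Exception):
    """Raised when a C(R)UD request carries no valid token."""


def new_session_secret() -> str:
    """Per-login secret kept server-side; never sent to another origin."""
    return secrets.token_hex(32)


def form_token(session_secret: str, form_name: str, instance: str = "") -> str:
    """Derive a token bound to the session AND to one form/record.

    Binding to (form_name, instance) means a token captured for one record
    cannot be replayed to delete a different one.
    """
    msg = f"{form_name}:{instance}".encode()
    return hmac.new(session_secret.encode(), msg, hashlib.sha256).hexdigest()


def validate_token(session_secret: str, form_name: str, instance: str,
                   token: str, channel: str = "form") -> bool:
    """Check a submitted token; raise with the channel's message on failure.

    A forged cross-site request has no way to read the session secret,
    so it cannot compute the expected value and is rejected here.
    """
    expected = form_token(session_secret, form_name, instance)
    if token and hmac.compare_digest(expected, token):
        return True
    raise SecurityTokenError(
        EXTDIRECT_ERROR if channel == "extdirect" else FORM_ERROR)


if __name__ == "__main__":
    secret = new_session_secret()
    tok = form_token(secret, "tt_content_edit", "uid=42")   # constructed sample
    print(validate_token(secret, "tt_content_edit", "uid=42", tok))
    try:
        validate_token(secret, "tt_content_edit", "uid=43", tok)
    except SecurityTokenError as err:
        print("rejected:", err)
```

Because the token is keyed on the session secret, a link planted on another site can at best submit a token minted for a different session or record, which fails the comparison and surfaces exactly the exception a tester should look for.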

