[TYPO3-core] RFC: 11089 Fixing the built-in shopping basket
Helmut Hummel
typo3 at jhpc.de
Sat May 16 10:42:12 CEST 2009
Hi,
On 15.05.2009 23:56, Oliver Hader wrote:
>
>>
>> Notes:
>> We are not sure if this implies any other security issues by removing
>> the check.
>> Security team: Please advise.
>
> We have been able to reproduce this issue and your patch solves it.
> However, concerning security, I'm not sure if it is a solution. Maybe
> it's also enough to move "$this->cookieId = $id;" in line 236 below the
> session fixation stuff...
>
> However, +1 on testing
I confirm that the proposed patch works and is a straightforward
solution. The intention of the check in record_registration, in my
understanding, was to check whether the session ID fetched from the cookie
(or from a special GET variable) is "valid", in the sense that it is the same
as the session ID currently in use.
I don't see why this check is needed, since there is no way to prevent
a client that uses a proper ID from being a bot, a script or the like. The
ID is provided by TYPO3 and can easily be used by _any_ client.
The comment above should also be removed when making this change.
So if this is fixed during the commit, I'll give my +1 by reading
and testing.
Kind regards
Helmut
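The two points raised in the thread, as an added illustration that is not code from TYPO3 or from either author: a hypothetical BasketSession class (its name, its in-memory session store and both register methods are assumptions made for this example) takes the session ID from a cookie or a GET variable, runs a minimal "session fixation" step that only accepts IDs the server itself issued, and shows how the position of `$this->cookieId = $id;` relative to that step changes what ends up in the cookie. The last call shows why an "is the presented ID the current one" check cannot tell a browser from a script: any client that replays the issued ID passes it.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Hypothetical class modelling the steps
// discussed in the thread: (1) take a session ID from the cookie or a GET
// variable, (2) replace any ID the server never issued ("session fixation
// stuff"), (3) record the ID in cookieId. Only the order of (2) and (3)
// differs between the two register methods.
final class BasketSession
{
    /** @var array<string, array<string, mixed>> constructed in-memory store: id => data */
    private array $sessions;

    public string $cookieId = '';   // what would be written back to the client cookie
    public string $activeId = '';   // the session the basket actually works on

    public function __construct(array $sessions = [])
    {
        $this->sessions = $sessions;
    }

    private function issueId(): string
    {
        $id = bin2hex(random_bytes(16));   // server-generated, unguessable
        $this->sessions[$id] = [];
        return $id;
    }

    private function clientId(?string $cookieSid, ?string $getSid): ?string
    {
        // cookie first, then the special GET variable, as described in the thread
        return $cookieSid ?? $getSid;
    }

    // Fixation handling (assumed for this example): only an ID the server
    // itself issued is accepted; anything else is replaced by a fresh one.
    private function fixationSafeId(?string $id): string
    {
        if ($id !== null && isset($this->sessions[$id])) {
            return $id;
        }
        return $this->issueId();
    }

    // Ordering suggested in the thread: record the ID after fixation handling.
    public function registerAfterFixation(?string $cookieSid, ?string $getSid): string
    {
        $id = $this->clientId($cookieSid, $getSid);
        $id = $this->fixationSafeId($id);
        $this->cookieId = $id;          // assignment sits below the fixation step
        $this->activeId = $id;
        return $id;
    }

    // The other ordering: the ID is recorded first, so a client-supplied
    // value survives in cookieId although the basket works on a fresh session.
    public function registerBeforeFixation(?string $cookieSid, ?string $getSid): string
    {
        $id = $this->clientId($cookieSid, $getSid);
        $this->cookieId = (string) $id; // recorded before fixation handling
        $id = $this->fixationSafeId($id);
        $this->activeId = $id;
        return $id;
    }

    // The removed check reduced to its essence: is the presented ID the one
    // in use? It says nothing about whether the client is a browser or a bot.
    public function presentedIdIsCurrent(?string $cookieSid, ?string $getSid): bool
    {
        return $this->clientId($cookieSid, $getSid) === $this->activeId;
    }
}

// Usage on constructed input: a first visit carrying a GET id the server never issued.
$unknownSid = 'client-chosen-sid';

$s = new BasketSession();
$s->registerBeforeFixation(null, $unknownSid);
printf("before-fixation ordering: cookieId=%s activeId=%s mismatch=%s\n",
    $s->cookieId, $s->activeId, var_export($s->cookieId !== $s->activeId, true));

$s = new BasketSession();
$s->registerAfterFixation(null, $unknownSid);
printf("after-fixation ordering:  cookieId=%s activeId=%s mismatch=%s\n",
    $s->cookieId, $s->activeId, var_export($s->cookieId !== $s->activeId, true));

// A scripted client that simply replays the issued ID passes the check.
$issued = $s->activeId;
printf("client replaying the issued id passes the check: %s\n",
    var_export($s->presentedIdIsCurrent($issued, null), true));
```

With the before-fixation ordering the cookie and the active session disagree after the first request; with the after-fixation ordering they agree, and the replay call passes regardless of what kind of client sends it, which is the point Helmut makes about the check.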