[TYPO3-core] RFC: #16439: Use the form protection API to implement a CSRF protection (1)

Helmut Hummel helmut at typo3.org
Wed Nov 17 10:16:55 CET 2010


Hi,

this is a SVN patch request.

Type: Security enhancement/feature

Branches: trunk (please read [1] for an explanation why trunk only)

Problem:
#16437 introduces a new form protection API that is currently not used
anywhere

Solution:
Use the form protection in the install tool and the user setup

Notes:

Test this in conjunction with #16437

Until the next beta releases I want to convert all backend modules to
use the dispatcher, so that some of the initialisation and token
persisting can be done in a central place.

Of course more places need to be handled for a complete CSRF protection.
This will be done at the latest by the first release candidate.


Regards Helmut


[1] http://buzz.typo3.org/teams/security/article/typo3-45-will-be-the-most-secure-typo3-version-ever/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 16439.diff
Type: text/x-patch
Size: 9922 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20101117/204cf482/attachment-0001.bin>

