[TYPO3-core] RFC: #16439: Use the form protection API to implement a CSRF protection (1)

Ernesto Baschny [cron IT] ernst at cron-it.de
Wed Nov 17 12:37:54 CET 2010


Ernesto Baschny [cron IT] wrote on 17.11.2010 12:28:
> Helmut Hummel wrote on 17.11.2010 10:16:
> 
>> this is a SVN patch request.
>>
>> Type: Security enhancement/ feature
>>
>> Branches: trunk (please read [1] for an explanation why trunk only)
>>
>> Problem:
>> #16437 introduces a new form protection API that is currently not used
>> anywhere
>>
>> Solution:
>> Use the form protection in the install tool and the user setup
>>
>> Notes:
>>
>> Test this in conjunction with #16437
>>
>> Until the next beta releases I want to convert all backend modules to
>> use the dispatcher, so that some of the initialisation and token
>> persisting can be done in a central place.
>>
>> Of course more places need to be handled for a complete CSRF protection.
>> This will be done at the latest by the first release candidate.
> 
> Thanks a lot! +1 by reading and testing.
> 
> Committed to trunk rev. 9441.

Added the missing test case (tests/t3lib/t3lib_beuserauthTest.php) in
rev. 9444.

Cheers,
Ernesto


