[TYPO3-core] RFC: #16439: Use the form protection API to implement a CSRF protection (1)
Ernesto Baschny [cron IT]
ernst at cron-it.de
Thu Nov 18 04:06:27 CET 2010
Hi,

The attached patch was committed to trunk, because otherwise the intro package
wouldn't work on the last step: it makes an instance of a be_user to use
$tce to clear the cache, and since there is no BE_SESSION the logoff()
routine drops in. This then throws the exception because of the new form
protection that does not expect this. So check if there is a BE_SESSION
before killing the form protection.

Cheers,
Ernesto
Helmut Hummel wrote on 17.11.2010 10:16:
> Hi,
>
> this is a SVN patch request.
>
> Type: Security enhancement / feature
>
> Branches: trunk (please read [1] for an explanation why trunk only)
>
> Problem:
> #16437 introduces a new form protection API that is currently not used
> anywhere
>
> Solution:
> Use the form protection in the install tool and the user setup
>
> Notes:
>
> Test this in conjunction with #16437
>
> Until the next beta releases I want to convert all backend modules to
> use the dispatcher, so that some of the initialisation and token
> persisting can be done in a central place.
>
> Of course more places need to be handled for a complete CSRF protection.
> This will be done at the latest by the first release candidate.
>
>
> Regards, Helmut
>
>
> [1] http://buzz.typo3.org/teams/security/article/typo3-45-will-be-the-most-secure-typo3-version-ever/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 16439-followup.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20101118/b0dfec07/attachment.txt>
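The check Ernesto describes, as an added sketch that is not TYPO3's code: a session-bound CSRF token helper plus a logoff() that only tears the form protection down when a backend session exists. All class and function names, the ArrayObject standing in for the session, and the 'formSecret' key are assumptions.

```php
<?php
// Added illustration, not TYPO3 code: every class and function name is assumed.
class NoSessionException extends RuntimeException {}

// Per-form tokens are an HMAC over the form name keyed with a secret stored in
// the backend session (an ArrayObject stands in for it); validation is a
// constant-time compare; persistTokens() is the teardown that logoff() runs.
final class FormProtection
{
    public function __construct(private ?ArrayObject $session) {}
    public function generateToken(string $form): string
    {
        return hash_hmac('sha256', $form, $this->secret());
    }
    public function validateToken(string $form, string $token): bool
    {
        return hash_equals($this->generateToken($form), $token);
    }
    public function persistTokens(): void
    {
        $secret = $this->secret();   // throws NoSessionException without a session
        $this->session['formSecret'] = $secret;
    }
    private function secret(): string
    {
        if ($this->session === null) {
            throw new NoSessionException('form protection needs a backend session');
        }
        $this->session['formSecret'] ??= bin2hex(random_bytes(32));
        return $this->session['formSecret'];
    }
}

// logoff() as in a backend user object: without the guard, an instance created
// with no session (e.g. only to run cache clearing) would throw here.
function logoff(?ArrayObject $session): void
{
    if ($session !== null) {
        (new FormProtection($session))->persistTokens();
    }
}

$session = new ArrayObject();
$fp      = new FormProtection($session);
$token   = $fp->generateToken('user_setup');
assert($fp->validateToken('user_setup', $token));
assert(!$fp->validateToken('user_setup', str_repeat('0', 64)));
logoff($session);   // session present: state persisted
logoff(null);       // no session: teardown skipped, no exception
```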