[TYPO3-core] RFC: #16439: Use the form protection API to implement a CSRF protection (1)

Ernesto Baschny [cron IT] ernst at cron-it.de
Thu Nov 18 04:06:27 CET 2010


Hi,

the attached patch was committed to trunk, because otherwise the intro package
wouldn't work on the last step: it makes an instance of a be_user to use
$tce to clear the cache, and since there is no BE_SESSION the logoff()
routine drops in. This then throws the exception because of the new form
protection, which does not expect this. So check if there is a BE_SESSION
before killing the form protection.

Cheers,
Ernesto

Helmut Hummel schrieb am 17.11.2010 10:16:
> Hi,
> 
> this is a SVN patch request.
> 
> Type: Security enhancement/ feature
> 
> Branches: trunk (please read [1] for an explanation why trunk only)
> 
> Problem:
> #16437 introduces a new form protection API that is currently not used
> anywhere
> 
> Solution:
> Use the form protection in the install tool and the user setup
> 
> Notes:
> 
> Test this in conjunction with #16437
> 
> Until the next beta releases I want to convert all backend modules to
> use the dispatcher, so that some of the initialisation and token
> persisting can be done in a central place.
> 
> Of course more places need to be handled for a complete CSRF protection.
> This will be done at the latest by the first release candidate.
> 
> 
> Regards Helmut
> 
> 
> [1]http://buzz.typo3.org/teams/security/article/typo3-45-will-be-the-most-secure-typo3-version-ever/
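The failure mode Ernesto describes (a session-backed form protection torn down during logoff() while no backend session exists) and the guard the follow-up adds, as an added PHP sketch that is not TYPO3's code; all class, method and function names here are hypothetical placeholders, not the real form protection API:

```php
<?php
// Hypothetical sketch (not TYPO3 code): a CSRF form protection that keeps its
// tokens in the backend session, and the logoff guard that avoids tearing it
// down when that session never existed.

final class BackendFormProtection
{
    /** @var array<string,string> formName => token */
    private array $tokens = [];

    /** @param array<string,mixed>|null $session reference to the BE session, if any */
    public function __construct(private ?array &$session)
    {
        // Tokens issued earlier in this session are restored from it.
        $this->tokens = $session['formProtection'] ?? [];
    }

    public function generateToken(string $formName): string
    {
        $token = bin2hex(random_bytes(32));
        $this->tokens[$formName] = $token;
        return $token;
    }

    public function validateToken(string $formName, string $submitted): bool
    {
        $expected = $this->tokens[$formName] ?? '';
        // hash_equals(): constant-time comparison of the stored and submitted token.
        return $expected !== '' && hash_equals($expected, $submitted);
    }

    // Writes the tokens back into the session; this is the step that blows up
    // when a script-created be_user without a BE_SESSION is logged off.
    public function persistTokens(): void
    {
        if ($this->session === null) {
            throw new RuntimeException('No backend session to persist form tokens into');
        }
        $this->session['formProtection'] = $this->tokens;
    }
}

// Hypothetical logoff(): only touch the form protection when a session exists,
// which is the check the follow-up patch described above introduces.
function logoff(?array &$beSession, BackendFormProtection $protection): void
{
    if ($beSession !== null) {
        $protection->persistTokens();
    }
    // ... cookie and session cleanup would follow here ...
}
```

Constructed check: with `$beSession = null` (the install tool clearing caches through $tce), `logoff()` now returns normally instead of throwing, while a real backend session still gets its tokens persisted.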

Name: 16439-followup.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20101118/b0dfec07/attachment.txt>