[TYPO3-core] RFC: #17153: Protect C(R)UD actions against CSRF

Helmut Hummel helmut.hummel at typo3.org
Thu Jan 20 01:50:20 CET 2011


Hi,

this is an SVN patch request.

Type: Security enhancement

Branches: trunk

Problem:
We have a form protection framework (introduced in #16439), but
currently it is only used to protect the user setup.

Solution:
Implement it for all actions where data is created, updated or deleted.

Notes:
The protection (check) has been implemented in the following places:
* alt_doc.php (which is the main editing frame if you open a record)
* tce_db.php (script that renders nothing, but accepts parameters and
hands them over to TCEmain)
* extDirect router (This affects all Ext modules doing CRUD actions)

Please test as much as you can, including the following:

clipboard
clear cache menu
page module (save/delete/move records)
move wizard
all context menus (not new pagetree)
alt_doc.php (save/delete/move records)
taskcenter search (sql query)
lowlevel search
new pagetree
recycler
workspace module

Please report if something does not work any more after applying this
patch, especially if you get a flash message stating "Validating the
security token of this form has failed. Please reload the form and
submit it again."

Some things are not optimal (like updating the token for the clear cache
menu, or the ExtDirect only using one single token until the page is
reloaded), but still it is better (more secure) than before.

Also, some things are missing:
* IRRE needs to be checked and secured
* file operations need to be secured

I will work on the missing things tomorrow and submit another RFC.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 17153.diff
Type: text/x-patch
Size: 37811 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110120/77b6cc62/attachment-0001.bin>
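The mail above describes adding a form-protection (CSRF token) check in front of every create, update and delete entry point, with a failure rendering the "Validating the security token of this form has failed" message. The following is an added example illustrating that pattern; it is not code from the attached patch or from TYPO3's own form-protection classes. It assumes a per-login-session random secret (`newSessionSecret`), a token bound to the form name, action and record it protects via HMAC, and a `handleDeleteRequest` handler standing in for a tce_db.php-style script that accepts parameters and renders nothing; all of those names are hypothetical.

```php
<?php
// Added example, not TYPO3 code: the CSRF-token check that the RFC puts in
// front of CRUD entry points, written stand-alone for illustration.

final class FormProtection
{
    private string $sessionSecret; // assumption: one random secret per login session

    public function __construct(string $sessionSecret)
    {
        $this->sessionSecret = $sessionSecret;
    }

    // Called once at login; the secret never leaves the server-side session.
    public static function newSessionSecret(): string
    {
        return bin2hex(random_bytes(32));
    }

    // The token is an HMAC over the form, the action and the record instance,
    // keyed with the session secret. A token issued for "delete record 42"
    // therefore does not validate for "delete record 43" or for another user.
    public function generateToken(string $formName, string $action, string $instance = ''): string
    {
        $message = $formName . "\0" . $action . "\0" . $instance;
        return hash_hmac('sha256', $message, $this->sessionSecret);
    }

    // Recompute and compare in constant time so the check leaks no timing
    // information about how many leading characters of a guess were right.
    public function validateToken(string $token, string $formName, string $action, string $instance = ''): bool
    {
        $expected = $this->generateToken($formName, $action, $instance);
        return hash_equals($expected, $token);
    }
}

// Hypothetical handler in the style of tce_db.php: parameters come in,
// nothing is rendered, and the request is refused before the data handler
// sees it unless the token matches this exact action and record.
function handleDeleteRequest(FormProtection $fp, array $request): string
{
    $uid = (string)($request['uid'] ?? '');
    $token = (string)($request['formToken'] ?? '');

    if ($uid === '' || $token === '' || !$fp->validateToken($token, 'tce_db', 'delete', $uid)) {
        // Same wording the RFC asks testers to watch for.
        return 'Validating the security token of this form has failed. '
            . 'Please reload the form and submit it again.';
    }
    return 'deleted record ' . (int)$uid;
}

// Constructed demonstration run.
$fp = new FormProtection(FormProtection::newSessionSecret());

// The server embeds this token in the edit form for record 42 when rendering it.
$token = $fp->generateToken('tce_db', 'delete', '42');

// Legitimate submission: form, action and record all match the token.
echo handleDeleteRequest($fp, ['uid' => '42', 'formToken' => $token]), PHP_EOL;

// Token reused against a different record: the HMAC covers the uid, so it fails.
echo handleDeleteRequest($fp, ['uid' => '43', 'formToken' => $token]), PHP_EOL;

// Cross-site request: a third-party page cannot read the session secret or the
// rendered form, so it has no token to send, and the request is refused.
echo handleDeleteRequest($fp, ['uid' => '42']), PHP_EOL;
```

Binding the token to the action and record is what makes one session-wide token per page load (the ExtDirect limitation the mail mentions) weaker than a per-form token: a single reusable value protects against a forged request only as long as it has not leaked, whereas a token scoped to "tce_db / delete / 42" is useless for any other operation even if it does.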

