[TYPO3-core] RFC: #17153: Protect C(R)UD actions against CSRF

Ernesto Baschny [cron IT] ernst at cron-it.de
Thu Jan 20 11:27:07 CET 2011


Hi Helmut,

wow, amazing work!! Thanks.

I just went over all the code and tested all mentioned situations.

The "echo .." and using the response for the clearcache.js works, but it
is something that could probably be made more "API-like". Then again:
it works and it is not a show-stopper.

+1 by reading and testing, just some "minor cosmetics" in attached v2.

I would be glad if we had more reviews by "testing". To speed up the
process a bit, I will commit this patch in a couple of hours - if
nothing big speaks against it until then. This way we get *more* people
testing it. If it proves at the end to have still glitches or to break
fundamentally, I will then revert it again. If there are just minor
issues, we can also provide smaller follow-ups.

The parts from the "version" extension have to be committed to the
workspaces team repository. Helmut, could you already file the issue
there with the patch for this particular sysext changes only, so that it
doesn't get lost later on?

Cheers,
Ernesto

Helmut Hummel schrieb am 20.01.2011 01:50:
> Hi,
> 
> this is a SVN patch request.
> 
> Type: Security enhancement
> 
> Branches: trunk
> 
> Problem:
> We have a form protection framework (introduced in #16439), but
> currently it is only used to protect the user setup.
> 
> Solution:
> Implement it for all actions where data is created, updated or deleted.
> 
> Notes:
> The protection (check) has been implemented in the following places:
> * alt_doc.php (which is the main editing frame if you open a record)
> * tce_db.php (script that renders nothing, but accepts parameters and
> hands them over to TCEmain)
> * extDirect router (This affects all Ext modules doing CRUD actions)
> 
> Please test as much as you can, including the following:
> 
> * clipboard
> * clear cache menu
> * page module (save/ delete/ move records)
> * move wizard
> * all context menus (not new pagetree)
> * alt_doc.php (save/ delete/ move records)
> * taskcenter search (sql query)
> * lowlevel search
> * new pagetree
> * recycler
> * workspace module
> 
> Please report if something does not work any more after applying this
> patch especially if you get a flash message stating "Validating the
> security token of this form has failed. Please reload the form and
> submit it again."
> 
> Some things are not optimal (like updating the token for the clear cache
> menu, or the ExtDirect only using one single token until the page is
> reloaded), but still it is better (more secure) than before.
> 
> Also things are missing:
> * IRRE needs to be checked and secured
> * file operations need to be secured
> 
> I will work on the missing things tomorrow and submit another RFC.
> 
> Kind regards,
> Helmut
> 

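The token scheme the RFC describes, as an added standalone illustration (constructed for this thread, not the TYPO3 t3lib_formprotection code): a token is an HMAC over form name, action and record identity, keyed with a per-session secret, so a token issued for one form or record is rejected for another, and the failing case produces the flash message quoted above. The class and parameter names are assumptions.

```php
<?php
// Illustrative form-protection class (constructed, not TYPO3's own API).
final class FormProtection
{
    private string $sessionSecret;

    public function __construct(string $sessionSecret)
    {
        $this->sessionSecret = $sessionSecret;
    }

    // Generate a random per-session secret once (e.g. at backend login) and
    // keep it in the user's session; the 32-byte length is an assumption.
    public static function createSessionSecret(): string
    {
        return bin2hex(random_bytes(32));
    }

    // The token binds form name, action and form instance (e.g. the record)
    // to this session, so it cannot be replayed against another form.
    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        return hash_hmac('sha256', $formName . '|' . $action . '|' . $formInstanceName, $this->sessionSecret);
    }

    // Constant-time comparison so the check does not leak how many leading
    // characters of a guessed token were correct.
    public function validateToken(string $token, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        return hash_equals($this->generateToken($formName, $action, $formInstanceName), $token);
    }
}

// Usage sketch for a tce_db.php-style handler (constructed values).
$fp = new FormProtection(FormProtection::createSessionSecret());

// The editing form embeds the token as a hidden field ...
$token = $fp->generateToken('tce_db', 'delete', 'tt_content:42');

// ... and the handler refuses to act unless the posted token matches.
$posted = ['formToken' => $token, 'action' => 'delete', 'record' => 'tt_content:42'];
if (!$fp->validateToken($posted['formToken'], 'tce_db', $posted['action'], $posted['record'])) {
    echo "Validating the security token of this form has failed. Please reload the form and submit it again.\n";
    exit(1);
}

// A token issued for another record (or another action) is rejected.
var_dump($fp->validateToken($token, 'tce_db', 'delete', 'tt_content:43')); // bool(false)
```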
Attachment: 17153_v2.diff
<http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110120/00b97df0/attachment.txt>