[TYPO3-core] RFC: #17153: Protect C(R)UD actions against CSRF
Helmut Hummel
helmut.hummel at typo3.org
Thu Jan 20 13:22:13 CET 2011
Hi Ernesto,
On 20.01.2011 11:27, Ernesto Baschny [cron IT] wrote:
> wow, amazing work!!
Thanks. I got a few more grey hairs while doing it ;)
> The "echo .." and using the response for the clearcache.js works, but it
> something that could be probably made more "API-like", but then again:
> It works and it is not a show-stopper.
Yes. I wondered why the Cache menu does not use the Ajax API for that,
but directly calls tce_db.php.
I can adjust this as a follow-up, but I wanted to stay focused on the main
part first.
> +1 by reading and testing, just some "minor cosmetics" in attached v2.
Thanks.
> I would be glad if we had more reviews by "testing". To speed up the
> process a bit, I will commit this patch in a couple of hours - if
> nothing big speaks against it until then. This way we get *more* people
> testing it.
That sounds good.
> If it proves at the end to have still glitches or to break
> fundamentally, I will then revert it again. If there are just minor
> issues, we can also provide smaller follow-ups.
I considered a lot of things while working on this until I found a good
way to do it. All major things (alt_doc.php, list module) work properly
and if it happens that I forgot one place, it can easily be fixed.
It will only not work if
a) a token is not created for a request, or
b) the token is created but not persisted.
Both would be just one-liners (I did not find more places that do Ajax
requests to the protected scripts).
> The parts from the "version" extension have to be committed to the
> workspaces team repository. Helmut, could you already file the issue
> there with the patch for this particular sysext changes only, so that it
> doesn't get lost later on?
Done. http://forge.typo3.org/issues/12397
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader
TYPO3 .... inspiring people to share!
Get involved: typo3.org
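The two failure modes Helmut lists (a token not created for a request, or created but not persisted) can be modelled with a small token registry. This is an added illustration, not TYPO3 code or its API; the class and function names are constructed for the example.

```python
import secrets


class CsrfTokenRegistry:
    """Constructed model of per-action CSRF tokens: issue, persist, verify."""

    def __init__(self):
        # Server-side store of issued tokens, keyed by the action they protect.
        self._issued = {}

    def create(self, action, persist=True):
        """Issue a token bound to `action`; persist=False models failure mode b)."""
        token = secrets.token_hex(16)
        if persist:
            self._issued.setdefault(action, set()).add(token)
        return token

    def verify(self, action, token):
        """Accept only a persisted token issued for this exact action; one use."""
        if not token:
            return False
        issued = self._issued.get(action, set())
        if token not in issued:
            return False
        issued.discard(token)  # one-time use: a replayed token is rejected
        return True


def handle_protected_request(registry, action, token):
    """Model of a protected C(R)UD endpoint (e.g. a tce_db-style script)."""
    if not registry.verify(action, token):
        return "rejected"
    return "executed"


def demonstrate():
    reg = CsrfTokenRegistry()
    good = reg.create("tce_db")                      # created and persisted
    ok = handle_protected_request(reg, "tce_db", good)
    replay = handle_protected_request(reg, "tce_db", good)   # reuse is rejected
    # a) no token was created for the request
    missing = handle_protected_request(reg, "tce_db", None)
    # b) token created but never persisted server-side
    lost = reg.create("tce_db", persist=False)
    unpersisted = handle_protected_request(reg, "tce_db", lost)
    # a token for one action does not authorise a different action
    other = reg.create("tce_file")
    wrong_action = handle_protected_request(reg, "tce_db", other)
    return ok, replay, missing, unpersisted, wrong_action
```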