[TYPO3-core] RFC: #17173: CSRF Bugfix: In the user settings module, saving form data is not possible if simulate user option is used.

Helmut Hummel helmut.hummel at typo3.org
Thu Jan 20 22:50:54 CET 2011


Hi,

This is a SVN patch request.

Type: Bugfix
Bugtracker reference: http://bugs.typo3.org/view.php?id=17173
Branch: trunk

Problem:
Form validation fails in the user setup module if the "simulate user"
option is used.

This happens because the form protection framework accesses
$GLOBALS['BE_USER'] to store the tokens in the user session. However,
this global var is replaced by the one for the simulated user (ugly, but
that's how it is right now).

Solution:
Save the instance of the backend user during creation of the form
protection, so persisting and validating tokens is always done with the
real user session.
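The mechanism described above, as an added illustration that is not the attached 17173.diff and not TYPO3 code: a minimal form-protection class in the spirit of the backend form protection framework, with two variants. One resolves $GLOBALS['BE_USER'] on every call (the behaviour that breaks under "simulate user"); the other captures the backend user instance when the protection object is created, so tokens are persisted and validated against the real user's session. All class, method and property names (BackendUserSession, GlobalLookupFormProtection, CapturedUserFormProtection, runScenario) are hypothetical.

```php
<?php
// Added example, not TYPO3's own code. Hypothetical stand-in for the backend
// user object: its token storage plays the role of the per-user session data.
final class BackendUserSession
{
    private array $tokens = [];
    public string $username;

    public function __construct(string $username) { $this->username = $username; }
    public function getTokens(): array { return $this->tokens; }
    public function setTokens(array $tokens): void { $this->tokens = $tokens; }
}

abstract class AbstractFormProtection
{
    // Which user session the tokens are stored in is the whole point of the bug.
    abstract protected function session(): BackendUserSession;

    public function generateToken(string $formName): string
    {
        $token = bin2hex(random_bytes(32));          // unpredictable per-form token
        $tokens = $this->session()->getTokens();
        $tokens[$token] = ['formName' => $formName];
        $this->session()->setTokens($tokens);
        return $token;
    }

    public function validateToken(string $token, string $formName): bool
    {
        $tokens = $this->session()->getTokens();
        if (!isset($tokens[$token]) || !hash_equals($tokens[$token]['formName'], $formName)) {
            return false;
        }
        unset($tokens[$token]);                      // tokens are single-use
        $this->session()->setTokens($tokens);
        return true;
    }
}

// Pre-fix behaviour: the global is looked up on every call, so whatever object
// happens to be in $GLOBALS['BE_USER'] at that moment receives the token.
final class GlobalLookupFormProtection extends AbstractFormProtection
{
    protected function session(): BackendUserSession { return $GLOBALS['BE_USER']; }
}

// Post-fix behaviour: remember the backend user present at construction time
// (before the module swaps in the simulated user) and always use that session.
final class CapturedUserFormProtection extends AbstractFormProtection
{
    private BackendUserSession $user;
    public function __construct() { $this->user = $GLOBALS['BE_USER']; }
    protected function session(): BackendUserSession { return $this->user; }
}

// Two constructed requests: render the form, then submit it. The real user's
// session object survives between requests; the simulated user is rebuilt each
// time, so anything stored in it is lost, which models why tokens vanish.
function runScenario(string $protectionClass): bool
{
    $realUser = new BackendUserSession('admin');

    // Request 1: bootstrap creates the form protection, then the user setup
    // module replaces the global with the simulated user and renders the form.
    $GLOBALS['BE_USER'] = $realUser;
    $protection = new $protectionClass();
    $GLOBALS['BE_USER'] = new BackendUserSession('simple_editor');
    $token = $protection->generateToken('user_setup');

    // Request 2: same sequence, now validating the submitted token.
    $GLOBALS['BE_USER'] = $realUser;
    $protection = new $protectionClass();
    $GLOBALS['BE_USER'] = new BackendUserSession('simple_editor');
    return $protection->validateToken($token, 'user_setup');
}

var_dump(runScenario(GlobalLookupFormProtection::class));
var_dump(runScenario(CapturedUserFormProtection::class));
```

With GlobalLookupFormProtection the token is written into the first request's throwaway simulated-user object and looked up in a fresh one on the second request, so validation fails exactly as the "Validating the security token of this form has failed" message describes. With CapturedUserFormProtection both calls go through the real user's session and validation succeeds.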

How to reproduce:
* go to "User Settings" -> "Admin Functions" -> "simulate backend user",
select "simple Editor".
* go to "Personal Data", change "name", click on "Save configuration"

The following message appears and the form is not saved:
"Validating the security token of this form has failed. Please reload
the form and submit it again."

Additionally the CSH throws exceptions.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 17173.diff
Type: text/x-patch
Size: 3568 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110120/35cc5cf0/attachment-0001.bin>