[TYPO3-core] RFC: #17173: CSRF Bugfix: In the user settings module, saving form data is not possible if simulate user option is used.
Ernesto Baschny [cron IT]
ernst at cron-it.de
Fri Jan 21 19:13:01 CET 2011
Helmut Hummel schrieb am 20.01.2011 22:50:
> This is a SVN patch request.
>
> Type: Bugfix
> Bugtracker reference: http://bugs.typo3.org/view.php?id=17173
> Branch: trunk
>
> Problem:
> Form validation fails in the user setup module if the "simulate user"
> option is used.
>
> This happens because the form protection framework accesses
> $GLOBALS['BE_USER'] to store the tokens in the user session. However,
> this global var is replaced by the one for the simulated user (ugly, but
> that's how it is right now).
>
> Solution:
> Save the instance of the backend user during creation of the form
> protection, so persisting and validating tokens is always done with the
> real user session.
>
> How to reproduce:
> * go to "User Settings" -> "Admin Functions" -> "simulate backend user",
> select "simple Editor".
> * go to "Personal Data", change "name", click on "Save configuration"
>
> Following message appears and the form is not saved:
> "Validating the security token of this form has failed. Please reload
> the form and submit it again."
>
> Additionally the CSH throws exceptions.
+1 by reading and testing. Additional testing was done by the original
reporter and it works.
Committed to trunk, rev. 10221.
Cheers,
Ernesto
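The mechanism behind the bug, as an added stand-alone model that is not TYPO3's t3lib_formprotection code and not part of this thread: a form protection object that re-reads $GLOBALS['BE_USER'] on every call stores the token in one user's session and then, after the setup module has swapped the global for the simulated user, looks the token up in a different session, so validation fails. Pinning the backend user instance at construction time, as the patch does, keeps generation and validation on the real user's session. The BackendUser class, its in-memory session array, the simulateUser() helper and the token bookkeeping are constructed for illustration and assume PHP 8.1 or later.

```php
<?php
// Constructed model of a session-backed CSRF token store; not TYPO3 code.

final class BackendUser
{
    private array $sessionData = [];

    public function __construct(public readonly string $username) {}

    public function getSessionData(string $key): mixed
    {
        return $this->sessionData[$key] ?? null;
    }

    public function setSessionData(string $key, mixed $value): void
    {
        $this->sessionData[$key] = $value;
    }
}

abstract class AbstractFormProtection
{
    // Which user's session the tokens live in is the whole point of the bug.
    abstract protected function getBackendUser(): BackendUser;

    public function generateToken(string $formName, string $action = ''): string
    {
        $token = bin2hex(random_bytes(16));
        $tokens = $this->getBackendUser()->getSessionData('formTokens') ?? [];
        $tokens[$token] = [$formName, $action];
        $this->getBackendUser()->setSessionData('formTokens', $tokens);
        return $token;
    }

    public function validateToken(string $token, string $formName, string $action = ''): bool
    {
        $tokens = $this->getBackendUser()->getSessionData('formTokens') ?? [];
        if (!isset($tokens[$token])) {
            return false; // unknown token: wrong session or forged request
        }
        $valid = $tokens[$token] === [$formName, $action];
        unset($tokens[$token]); // tokens are single-use
        $this->getBackendUser()->setSessionData('formTokens', $tokens);
        return $valid;
    }
}

// Before the fix: every access follows whatever $GLOBALS['BE_USER'] holds now.
final class GlobalLookupFormProtection extends AbstractFormProtection
{
    protected function getBackendUser(): BackendUser
    {
        return $GLOBALS['BE_USER'];
    }
}

// After the fix: the real user is captured once, when the object is created.
final class PinnedUserFormProtection extends AbstractFormProtection
{
    private BackendUser $backendUser;

    public function __construct()
    {
        $this->backendUser = $GLOBALS['BE_USER'];
    }

    protected function getBackendUser(): BackendUser
    {
        return $this->backendUser;
    }
}

// Constructed stand-in for the setup module's "simulate backend user" switch.
function simulateUser(BackendUser $simulated): void
{
    $GLOBALS['BE_USER'] = $simulated;
}

function run(string $label, string $class): bool
{
    $GLOBALS['BE_USER'] = new BackendUser('admin');
    $fp = new $class();
    $token = $fp->generateToken('setup', 'save'); // form rendered for the real user
    simulateUser(new BackendUser('simple_editor')); // module swaps the global
    $valid = $fp->validateToken($token, 'setup', 'save'); // form submitted
    printf("%s: token valid = %s\n", $label, $valid ? 'yes' : 'no');
    return $valid;
}

run('global lookup (before fix)', GlobalLookupFormProtection::class);
run('pinned user (after fix)', PinnedUserFormProtection::class);
```

With the global lookup the token is written to the admin's session and searched for in the simulated editor's session, which is exactly the "Validating the security token of this form has failed" outcome reported above; the pinned variant validates. The check a practitioner wants from any such store is that the session used to persist a token is the same one consulted to validate it, regardless of what other code does to the global in between.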