[TYPO3-core] RFC: #17189: CSRF protection in Template module

Helmut Hummel helmut.hummel at typo3.org
Sat Jan 22 16:38:58 CET 2011


Hi,

On 21.01.11 22:55, Helmut Hummel wrote:

> It's incomplete. It does not break something, but needs to be improved.
> 
> I try to come up with a better solution.

Here we go. Since this is a major rework, I would say this needs the two
votes to get in.

Additional notes:

With this patch, the ajax save request (for t3editor) is also protected.

This patch includes a change in typo3/file_edit.php to make the t3editor
also work with files. It does not affect the file saving in case the
editor is not activated, because the tokens are not yet checked in
tce_file.php.

I hardcoded the error message shown if the token validation fails in the
t3editor ajax request, because I did not know how to use the JS language
stuff. I think this is minor, since the error message should not appear
anyway ;)

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
Attachment: 17189-csrf-template_v2.diff (text/x-patch, 9639 bytes)
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110122/87dd6dfa/attachment.bin>
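As an added illustration of the scheme the message describes (this is not code from the patch or from TYPO3 itself): a single session-bound token, scoped to the action it protects, is embedded in the edit form and carried along in the t3editor AJAX save request, and the save handler refuses the request before touching any file when the token does not match. Function names, the `'tce_file.php|edit'` scope string and the request array layout are assumptions for the demo.

```php
<?php
// Added illustration, not the patch's code: CSRF token scoped to one action,
// checked on both the regular form submit and the AJAX save.

function csrf_token(string $sessionSecret, string $formName): string {
    // HMAC over the form/action name, keyed with a per-session secret, so a
    // token issued for one action cannot be replayed against another one.
    return hash_hmac('sha256', $formName, $sessionSecret);
}

function csrf_validate(string $sessionSecret, string $formName, string $given): bool {
    $expected = csrf_token($sessionSecret, $formName);
    // Constant-time comparison; avoids leaking the expected value byte by byte.
    return hash_equals($expected, $given);
}

// The AJAX save handler (hypothetical name): validates before any file write.
function ajax_save(string $sessionSecret, array $request): array {
    $given = $request['formToken'] ?? '';
    if (!csrf_validate($sessionSecret, 'tce_file.php|edit', $given)) {
        // Hardcoded message, as in the RFC: only ever seen on a forged or stale request.
        return ['result' => false, 'error' => 'Invalid token: file was not saved'];
    }
    // ... the actual file write would happen here ...
    return ['result' => true];
}

// Demo: secret generated once per backend session (constructed here).
$sessionSecret = bin2hex(random_bytes(32));

// Form rendering: the token goes into a hidden field of the edit form ...
$formToken = csrf_token($sessionSecret, 'tce_file.php|edit');
echo '<input type="hidden" name="formToken" value="' . htmlspecialchars($formToken) . '">' . PHP_EOL;

// ... and t3editor sends the same value with its AJAX save request.
var_dump(ajax_save($sessionSecret, ['formToken' => $formToken])['result']);
// A forged request without the session secret cannot produce a valid token.
var_dump(ajax_save($sessionSecret, ['formToken' => 'forged'])['result']);
// A token valid for a different action is rejected as well.
var_dump(ajax_save($sessionSecret, ['formToken' => csrf_token($sessionSecret, 'other')])['result']);
```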