[SECURITY] Protect persisted session IDs from being used directly
Instead of storing session IDs with their corresponding storage backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB) is being used. HMAC-MD5 had to be chosen to avoid breaking changes for limited field size in database fields (32 characters currently). This change also allows a fallback to non-hashed-session values, meaning that * set() and update() will create new session records with the hashed identifier * get() contains a fallback to the non-hashed-version when no session with a hashed identifier is found Resolves: #91854 Releases: master, 10.4, 9.5 Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd Security-Bulletin: TYPO3-CORE-SA-2020-011 Security-References: CVE-2020-26228 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66664 Tested-by:Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Showing
- typo3/sysext/beuser/Classes/Controller/BackendUserController.php 2 additions, 2 deletions...ysext/beuser/Classes/Controller/BackendUserController.php
- typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php 12 additions, 0 deletions...ore/Classes/Authentication/AbstractUserAuthentication.php
- typo3/sysext/core/Classes/Session/Backend/DatabaseSessionBackend.php 40 additions, 8 deletions...t/core/Classes/Session/Backend/DatabaseSessionBackend.php
- typo3/sysext/core/Classes/Session/Backend/HashableSessionBackendInterface.php 23 additions, 0 deletions...asses/Session/Backend/HashableSessionBackendInterface.php
- typo3/sysext/core/Classes/Session/Backend/RedisSessionBackend.php 30 additions, 12 deletions...sext/core/Classes/Session/Backend/RedisSessionBackend.php
- typo3/sysext/core/Classes/Session/SessionManager.php 10 additions, 3 deletionstypo3/sysext/core/Classes/Session/SessionManager.php
- typo3/sysext/core/Tests/Acceptance/Fixtures/be_sessions.xml 21 additions, 0 deletionstypo3/sysext/core/Tests/Acceptance/Fixtures/be_sessions.xml
- typo3/sysext/core/Tests/Acceptance/Support/Extension/BackendCoreEnvironment.php 1 addition, 1 deletion...s/Acceptance/Support/Extension/BackendCoreEnvironment.php
- typo3/sysext/core/Tests/Acceptance/Support/Extension/PageTreeCoreEnvironment.php 1 addition, 1 deletion.../Acceptance/Support/Extension/PageTreeCoreEnvironment.php
- typo3/sysext/core/Tests/Functional/Session/Backend/DatabaseSessionBackendTest.php 3 additions, 1 deletion...Functional/Session/Backend/DatabaseSessionBackendTest.php
- typo3/sysext/core/Tests/Functional/Session/Backend/RedisSessionBackendTest.php 3 additions, 1 deletion...ts/Functional/Session/Backend/RedisSessionBackendTest.php
- typo3/sysext/core/Tests/Functional/Session/SessionManagerTest.php 17 additions, 12 deletions...sext/core/Tests/Functional/Session/SessionManagerTest.php
- typo3/sysext/frontend/Tests/Unit/Authentication/FrontendUserAuthenticationTest.php 6 additions, 3 deletions...ts/Unit/Authentication/FrontendUserAuthenticationTest.php
Please register or sign in to comment