diff --git a/typo3/sysext/install/Classes/Controller/BackendModuleController.php b/typo3/sysext/install/Classes/Controller/BackendModuleController.php
index aadb37cda37861698689f3b45a3906f1a5414595..d9b8504f4fe2b86f3feb9f33e4be287e236fa236 100644
--- a/typo3/sysext/install/Classes/Controller/BackendModuleController.php
+++ b/typo3/sysext/install/Classes/Controller/BackendModuleController.php
@@ -210,7 +210,8 @@ class BackendModuleController
*/
protected function setAuthorizedAndRedirect(string $controller): ResponseInterface
{
- $this->getSessionService()->setAuthorizedBackendSession();
+ $userSession = $this->getBackendUser()->getSession();
+ $this->getSessionService()->setAuthorizedBackendSession($userSession);
$redirectLocation = PathUtility::getAbsoluteWebPath('install.php?install[controller]=' . $controller . '&install[context]=backend');
return new RedirectResponse($redirectLocation, 303);
}
diff --git a/typo3/sysext/install/Classes/Middleware/Maintenance.php b/typo3/sysext/install/Classes/Middleware/Maintenance.php
index 09ead1cc6c618fa8bef1008954f1e17d5618a7db..e77cd9f411253896e053cb9bc8d803fb8db1d049 100644
--- a/typo3/sysext/install/Classes/Middleware/Maintenance.php
+++ b/typo3/sysext/install/Classes/Middleware/Maintenance.php
@@ -143,6 +143,21 @@ class Maintenance implements MiddlewareInterface
// session related actions
$session = new SessionService();
+
+ // the backend user has an active session but the admin / maintainer
+ // rights have been revoked or the user was disabled or deleted in the meantime
+ if ($session->isAuthorizedBackendUserSession() && !$session->hasActiveBackendUserRoleAndSession()) {
+ // log out the user and destroy the session
+ $session->resetSession();
+ $session->destroySession();
+ $formProtection = FormProtectionFactory::get(
+ InstallToolFormProtection::class
+ );
+ $formProtection->clean();
+
+ return new HtmlResponse('', 403);
+ }
+
if ($actionName === 'preAccessCheck') {
$response = new JsonResponse([
'installToolLocked' => !$this->checkEnableInstallToolFile(),
diff --git a/typo3/sysext/install/Classes/Service/SessionService.php b/typo3/sysext/install/Classes/Service/SessionService.php
index 1d12c094aef03e21ea26a29f12ed30d1faf95cca..6fc93c3564f07cf36eaa58c0ae65885febb247a1 100644
--- a/typo3/sysext/install/Classes/Service/SessionService.php
+++ b/typo3/sysext/install/Classes/Service/SessionService.php
@@ -17,8 +17,15 @@ namespace TYPO3\CMS\Install\Service;
use Symfony\Component\HttpFoundation\Cookie;
use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Database\ConnectionPool;
+use TYPO3\CMS\Core\Database\Query\Restriction\DefaultRestrictionContainer;
+use TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;
use TYPO3\CMS\Core\Messaging\FlashMessage;
use TYPO3\CMS\Core\Security\BlockSerializationTrait;
+use TYPO3\CMS\Core\Session\Backend\HashableSessionBackendInterface;
+use TYPO3\CMS\Core\Session\Backend\SessionBackendInterface;
+use TYPO3\CMS\Core\Session\SessionManager;
+use TYPO3\CMS\Core\Session\UserSession;
use TYPO3\CMS\Core\SingletonInterface;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Install\Exception;
@@ -188,14 +195,28 @@ class SessionService implements SingletonInterface
/**
* Marks this session as an "authorized by backend user" one.
* This is called by BackendModuleController from backend context.
+ *
+ * @param UserSession $userSession session of the current backend user
*/
- public function setAuthorizedBackendSession()
+ public function setAuthorizedBackendSession(UserSession $userSession)
{
+ $nonce = bin2hex(random_bytes(20));
+ $sessionBackend = $this->getBackendUserSessionBackend();
+ // use hash mechanism of session backend, or pass plain value through generic hmac
+ $sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
+ ? $sessionBackend->hash($userSession->getIdentifier())
+ : hash_hmac('sha256', $userSession->getIdentifier(), $nonce);
+
$_SESSION['authorized'] = true;
$_SESSION['lastSessionId'] = time();
$_SESSION['tstamp'] = time();
$_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;
$_SESSION['isBackendSession'] = true;
+ $_SESSION['backendUserSession'] = [
+ 'nonce' => $nonce,
+ 'userId' => $userSession->getUserId(),
+ 'hmac' => $sessionHmac,
+ ];
// Renew the session id to avoid session fixation
$this->renewSession();
}
@@ -222,7 +243,7 @@ class SessionService implements SingletonInterface
*
* @return bool TRUE if this session has been authorized before and initialized by a backend system maintainer
*/
- public function isAuthorizedBackendUserSession()
+ public function isAuthorizedBackendUserSession(): bool
{
if (!$this->hasSessionCookie()) {
return false;
@@ -234,6 +255,49 @@ class SessionService implements SingletonInterface
return !$this->isExpired();
}
+ /**
+ * Evaluates whether the backend user that initiated this admin tool session,
+ * has an active role (is still admin & system maintainer) and has an active backend user interface session.
+ *
+ * @return bool whether the backend user has an active role and backend user interface session
+ */
+ public function hasActiveBackendUserRoleAndSession(): bool
+ {
+ // @see \TYPO3\CMS\Install\Controller\BackendModuleController::setAuthorizedAndRedirect()
+ $backendUserSession = $this->getBackendUserSession();
+ $backendUserRecord = $this->getBackendUserRecord($backendUserSession['userId']);
+ if ($backendUserRecord === null || empty($backendUserRecord['uid'])) {
+ return false;
+ }
+ $isAdmin = (($backendUserRecord['admin'] ?? 0) & 1) === 1;
+ $systemMaintainers = array_map('intval', $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
+ // stop here, in case the current admin tool session does not belong to a backend user having admin & maintainer privileges
+ if (!$isAdmin || !in_array((int)$backendUserRecord['uid'], $systemMaintainers, true)) {
+ return false;
+ }
+
+ $sessionBackend = $this->getBackendUserSessionBackend();
+ foreach ($sessionBackend->getAll() as $sessionRecord) {
+ $sessionUserId = (int)($sessionRecord['ses_userid'] ?? 0);
+ // skip, in case backend user id does not match
+ if ($backendUserSession['userId'] !== $sessionUserId) {
+ continue;
+ }
+ $sessionId = (string)($sessionRecord['ses_id'] ?? '');
+ // use persisted hashed `ses_id` directly, or pass through hmac for plain values
+ $sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
+ ? $sessionId
+ : hash_hmac('sha256', $sessionId, $backendUserSession['nonce']);
+ // skip, in case backend user session id does not match
+ if ($backendUserSession['hmac'] !== $sessionHmac) {
+ continue;
+ }
+ // backend user id and session id matched correctly
+ return true;
+ }
+ return false;
+ }
+
/**
* Check if our session is expired.
* Useful only right after a FALSE "isAuthorized" to see if this is the
@@ -299,6 +363,20 @@ class SessionService implements SingletonInterface
return $messages;
}
+ /**
+ * @return array{userId: int, nonce: string, hmac: string} backend user session references
+ */
+ public function getBackendUserSession(): array
+ {
+ if (empty($_SESSION['backendUserSession'])) {
+ throw new Exception(
+ 'The backend user session is only available if invoked via the backend user interface.',
+ 1624879295
+ );
+ }
+ return $_SESSION['backendUserSession'];
+ }
+
/**
* Check if php session.auto_start is enabled
*
@@ -323,4 +401,52 @@ class SessionService implements SingletonInterface
[FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE]
);
}
+
+ /**
+ * Fetching a user record with uid=$uid.
+ * Functionally similar to TYPO3\CMS\Core\Authentication\BackendUserAuthentication::setBeUserByUid().
+ *
+ * @param int $uid The UID of the backend user
+ * @return array<string, int>|null The backend user record or NULL
+ */
+ protected function getBackendUserRecord(int $uid): ?array
+ {
+ $restrictionContainer = GeneralUtility::makeInstance(DefaultRestrictionContainer::class);
+ $restrictionContainer->add(GeneralUtility::makeInstance(RootLevelRestriction::class, ['be_users']));
+
+ $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('be_users');
+ $queryBuilder->setRestrictions($restrictionContainer);
+ $queryBuilder->select('uid', 'admin')
+ ->from('be_users')
+ ->where($queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT)));
+
+ $resetBeUsersTca = false;
+ if (!isset($GLOBALS['TCA']['be_users'])) {
+ // The admin tool intentionally does not load any TCA information at this time.
+ // The database restictions, needs the enablecolumns TCA information
+ // for 'be_users' to load the user correctly.
+ // That is why this part of the TCA ($GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'])
+ // is simulated.
+ // The simulation state will be removed later to avoid unexpected side effects.
+ $GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'] = [
+ 'rootLevel' => 1,
+ 'deleted' => 'deleted',
+ 'disabled' => 'disable',
+ 'starttime' => 'starttime',
+ 'endtime' => 'endtime',
+ ];
+ $resetBeUsersTca = true;
+ }
+ $result = $queryBuilder->executeQuery()->fetchAssociative();
+ if ($resetBeUsersTca) {
+ unset($GLOBALS['TCA']['be_users']);
+ }
+
+ return is_array($result) ? $result : null;
+ }
+
+ protected function getBackendUserSessionBackend(): SessionBackendInterface
+ {
+ return GeneralUtility::makeInstance(SessionManager::class)->getSessionBackend('BE');
+ }
}
diff --git a/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php b/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php
index 19456fbc925c548edb0ecd55878c3a0b9c1584c5..9464e87f4d64a5a7b778c376dfd7a95e7398ee0c 100644
--- a/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php
+++ b/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php
@@ -19,6 +19,7 @@ namespace TYPO3\CMS\Install\Tests\Functional\Controller;
use TYPO3\CMS\Backend\Routing\UriBuilder;
use TYPO3\CMS\Backend\Template\ModuleTemplateFactory;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Core\ApplicationContext;
use TYPO3\CMS\Core\Core\Environment;
use TYPO3\CMS\Install\Controller\BackendModuleController;
@@ -87,7 +88,13 @@ class BackendModuleControllerTest extends FunctionalTestCase
Environment::isWindows() ? 'WINDOWS' : 'UNIX'
);
- // Authorized redirect to the install tool is performed, sudo mode is not required
+ // Authorized redirect to the admin tool is performed
+ // sudo mode is not required (due to development context)
+ $GLOBALS['BE_USER'] = new BackendUserAuthentication();
+ // using anonymous user session, which is fine for this test case
+ $GLOBALS['BE_USER']->initializeUserSessionManager();
+ $GLOBALS['BE_USER']->user = ['uid' => 1];
+
$response = $subject->{$action}();
self::assertEquals(303, $response->getStatusCode());
self::assertNotEmpty($response->getHeader('location'));