[TASK] Add backward compatibility handling for frontend login signing
The security fix for TYPO3-CORE-SA-2022-013 enforced the `pid` HTTP parameter to be signed via HMAC during the frontend user authentication process. To provide better backward compatibility for those individual scenarios, the new `security.frontend.enforceLoginSigning` feature flag has been introduced, which is enabled per default, but can be disabled individually.

Resolves: #99366
Releases: 11.5, 10.4
Change-Id: Ib633d7d3166a2f58caebc0a258699549b5cf2fa4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77155
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Helmut Hummel <typo3@helhum.io>

Showing
- typo3/sysext/core/Configuration/DefaultConfiguration.php (1 addition, 0 deletions)
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (3 additions, 0 deletions)
- typo3/sysext/core/Documentation/Changelog/10.4.x/Important-99366-AddBackwardCompatibilityHandlingForFrontendLoginSigning.rst (26 additions, 0 deletions)
- typo3/sysext/felogin/Classes/Controller/AbstractLoginFormController.php (7 additions, 0 deletions)
- typo3/sysext/felogin/Classes/Controller/LoginController.php (2 additions, 2 deletions)
- typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php (8 additions, 1 deletion)