From 40f1ea7b84f82809c437839c5bfcfea33aad3d75 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Tue, 14 Jun 2022 09:11:49 +0200
Subject: [PATCH] [SECURITY] Synchronize admin tools session with backend user
session
Admin tools sessions are revoked in case the initiatin backend user
does not have admin or system maintainer privileges anymore. Besides
that, revoking backend user interface sessions now also revokes access
to admin tools. Standalone install tool is not affected.
Resolves: #92019
Releases: main, 11.5, 10.4
Change-Id: I367098abd632fa34caa59e4e165f5ab1916894c5
Security-Bulletin: TYPO3-CORE-SA-2022-005
Security-References: CVE-2022-31050
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74896
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
.../Controller/BackendModuleController.php | 2 +-
.../Classes/Middleware/Maintenance.php | 15 ++
.../Classes/Service/SessionService.php | 131 +++++++++++++++++-
.../BackendModuleControllerTest.php | 9 +-
4 files changed, 153 insertions(+), 4 deletions(-)
diff --git a/typo3/sysext/install/Classes/Controller/BackendModuleController.php b/typo3/sysext/install/Classes/Controller/BackendModuleController.php
index 4d76a340c87c..4476817d10ca 100644
--- a/typo3/sysext/install/Classes/Controller/BackendModuleController.php
+++ b/typo3/sysext/install/Classes/Controller/BackendModuleController.php
@@ -204,7 +204,7 @@ class BackendModuleController
*/
protected function setAuthorizedAndRedirect(string $controller): ResponseInterface
{
- $this->getSessionService()->setAuthorizedBackendSession();
+ $this->getSessionService()->setAuthorizedBackendSession($this->getBackendUser());
$redirectLocation = 'install.php?install[controller]=' . $controller . '&install[context]=backend';
return new RedirectResponse($redirectLocation, 303);
}
diff --git a/typo3/sysext/install/Classes/Middleware/Maintenance.php b/typo3/sysext/install/Classes/Middleware/Maintenance.php
index 335543a51598..32ab1714b451 100644
--- a/typo3/sysext/install/Classes/Middleware/Maintenance.php
+++ b/typo3/sysext/install/Classes/Middleware/Maintenance.php
@@ -145,6 +145,21 @@ class Maintenance implements MiddlewareInterface
// session related actions
$session = new SessionService();
+
+ // the backend user has an active session but the admin / maintainer
+ // rights have been revoked or the user was disabled or deleted in the meantime
+ if ($session->isAuthorizedBackendUserSession() && !$session->hasActiveBackendUserRoleAndSession()) {
+ // log out the user and destroy the session
+ $session->resetSession();
+ $session->destroySession();
+ $formProtection = FormProtectionFactory::get(
+ InstallToolFormProtection::class
+ );
+ $formProtection->clean();
+
+ return new HtmlResponse('', 403);
+ }
+
if ($actionName === 'preAccessCheck') {
$response = new JsonResponse([
'installToolLocked' => !$this->checkEnableInstallToolFile(),
diff --git a/typo3/sysext/install/Classes/Service/SessionService.php b/typo3/sysext/install/Classes/Service/SessionService.php
index 2ec76f019021..a85342c02099 100644
--- a/typo3/sysext/install/Classes/Service/SessionService.php
+++ b/typo3/sysext/install/Classes/Service/SessionService.php
@@ -15,11 +15,19 @@
namespace TYPO3\CMS\Install\Service;
+use Doctrine\DBAL\FetchMode;
use Symfony\Component\HttpFoundation\Cookie;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Database\ConnectionPool;
+use TYPO3\CMS\Core\Database\Query\Restriction\DefaultRestrictionContainer;
+use TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;
use TYPO3\CMS\Core\Http\CookieHeaderTrait;
use TYPO3\CMS\Core\Messaging\FlashMessage;
use TYPO3\CMS\Core\Security\BlockSerializationTrait;
+use TYPO3\CMS\Core\Session\Backend\HashableSessionBackendInterface;
+use TYPO3\CMS\Core\Session\Backend\SessionBackendInterface;
+use TYPO3\CMS\Core\Session\SessionManager;
use TYPO3\CMS\Core\SingletonInterface;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Install\Exception;
@@ -202,14 +210,28 @@ class SessionService implements SingletonInterface
/**
* Marks this session as an "authorized by backend user" one.
* This is called by BackendModuleController from backend context.
+ *
+ * @param BackendUserAuthentication $backendUser current backend user
*/
- public function setAuthorizedBackendSession()
+ public function setAuthorizedBackendSession(BackendUserAuthentication $backendUser)
{
+ $nonce = bin2hex(random_bytes(20));
+ $sessionBackend = $this->getBackendUserSessionBackend();
+ // use hash mechanism of session backend, or pass plain value through generic hmac
+ $sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
+ ? $sessionBackend->hash($backendUser->id)
+ : hash_hmac('sha256', $backendUser->id, $nonce);
+
$_SESSION['authorized'] = true;
$_SESSION['lastSessionId'] = time();
$_SESSION['tstamp'] = time();
$_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;
$_SESSION['isBackendSession'] = true;
+ $_SESSION['backendUserSession'] = [
+ 'nonce' => $nonce,
+ 'userId' => (int)$backendUser->user['uid'],
+ 'hmac' => $sessionHmac,
+ ];
// Renew the session id to avoid session fixation
$this->renewSession();
}
@@ -236,7 +258,7 @@ class SessionService implements SingletonInterface
*
* @return bool TRUE if this session has been authorized before and initialized by a backend system maintainer
*/
- public function isAuthorizedBackendUserSession()
+ public function isAuthorizedBackendUserSession(): bool
{
if (!$this->hasSessionCookie()) {
return false;
@@ -248,6 +270,49 @@ class SessionService implements SingletonInterface
return !$this->isExpired();
}
+ /**
+ * Evaluates whether the backend user that initiated this admin tool session,
+ * has an active role (is still admin & system maintainer) and has an active backend user interface session.
+ *
+ * @return bool whether the backend user has an active role and backend user interface session
+ */
+ public function hasActiveBackendUserRoleAndSession(): bool
+ {
+ // @see \TYPO3\CMS\Install\Controller\BackendModuleController::setAuthorizedAndRedirect()
+ $backendUserSession = $this->getBackendUserSession();
+ $backendUserRecord = $this->getBackendUserRecord($backendUserSession['userId']);
+ if ($backendUserRecord === null || empty($backendUserRecord['uid'])) {
+ return false;
+ }
+ $isAdmin = (($backendUserRecord['admin'] ?? 0) & 1) === 1;
+ $systemMaintainers = array_map('intval', $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
+ // stop here, in case the current admin tool session does not belong to a backend user having admin & maintainer privileges
+ if (!$isAdmin || !in_array((int)$backendUserRecord['uid'], $systemMaintainers, true)) {
+ return false;
+ }
+
+ $sessionBackend = $this->getBackendUserSessionBackend();
+ foreach ($sessionBackend->getAll() as $sessionRecord) {
+ $sessionUserId = (int)($sessionRecord['ses_userid'] ?? 0);
+ // skip, in case backend user id does not match
+ if ($backendUserSession['userId'] !== $sessionUserId) {
+ continue;
+ }
+ $sessionId = (string)($sessionRecord['ses_id'] ?? '');
+ // use persisted hashed `ses_id` directly, or pass through hmac for plain values
+ $sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
+ ? $sessionId
+ : hash_hmac('sha256', $sessionId, $backendUserSession['nonce']);
+ // skip, in case backend user session id does not match
+ if ($backendUserSession['hmac'] !== $sessionHmac) {
+ continue;
+ }
+ // backend user id and session id matched correctly
+ return true;
+ }
+ return false;
+ }
+
/**
* Check if our session is expired.
* Useful only right after a FALSE "isAuthorized" to see if this is the
@@ -313,6 +378,20 @@ class SessionService implements SingletonInterface
return $messages;
}
+ /**
+ * @return array{userId: int, nonce: string, hmac: string} backend user session references
+ */
+ public function getBackendUserSession(): array
+ {
+ if (empty($_SESSION['backendUserSession'])) {
+ throw new Exception(
+ 'The backend user session is only available if invoked via the backend user interface.',
+ 1624879295
+ );
+ }
+ return $_SESSION['backendUserSession'];
+ }
+
/**
* Check if php session.auto_start is enabled
*
@@ -337,4 +416,52 @@ class SessionService implements SingletonInterface
[FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE]
);
}
+
+ /**
+ * Fetching a user record with uid=$uid.
+ * Functionally similar to TYPO3\CMS\Core\Authentication\BackendUserAuthentication::setBeUserByUid().
+ *
+ * @param int $uid The UID of the backend user
+ * @return array<string, int>|null The backend user record or NULL
+ */
+ protected function getBackendUserRecord(int $uid): ?array
+ {
+ $restrictionContainer = GeneralUtility::makeInstance(DefaultRestrictionContainer::class);
+ $restrictionContainer->add(GeneralUtility::makeInstance(RootLevelRestriction::class, ['be_users']));
+
+ $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('be_users');
+ $queryBuilder->setRestrictions($restrictionContainer);
+ $queryBuilder->select('uid', 'admin')
+ ->from('be_users')
+ ->where($queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT)));
+
+ $resetBeUsersTca = false;
+ if (!isset($GLOBALS['TCA']['be_users'])) {
+ // The admin tool intentionally does not load any TCA information at this time.
+ // The database restictions, needs the enablecolumns TCA information
+ // for 'be_users' to load the user correctly.
+ // That is why this part of the TCA ($GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'])
+ // is simulated.
+ // The simulation state will be removed later to avoid unexpected side effects.
+ $GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'] = [
+ 'rootLevel' => 1,
+ 'deleted' => 'deleted',
+ 'disabled' => 'disable',
+ 'starttime' => 'starttime',
+ 'endtime' => 'endtime',
+ ];
+ $resetBeUsersTca = true;
+ }
+ $result = $queryBuilder->execute()->fetch(FetchMode::ASSOCIATIVE);
+ if ($resetBeUsersTca) {
+ unset($GLOBALS['TCA']['be_users']);
+ }
+
+ return is_array($result) ? $result : null;
+ }
+
+ protected function getBackendUserSessionBackend(): SessionBackendInterface
+ {
+ return GeneralUtility::makeInstance(SessionManager::class)->getSessionBackend('BE');
+ }
}
diff --git a/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php b/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php
index c2cbe2a667d3..fbe9fd063b50 100644
--- a/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php
+++ b/typo3/sysext/install/Tests/Functional/Controller/BackendModuleControllerTest.php
@@ -17,6 +17,7 @@ declare(strict_types=1);
namespace TYPO3\CMS\Install\Tests\Functional\Controller;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Core\ApplicationContext;
use TYPO3\CMS\Core\Core\Environment;
use TYPO3\CMS\Install\Controller\BackendModuleController;
@@ -56,7 +57,13 @@ class BackendModuleControllerTest extends FunctionalTestCase
Environment::isWindows() ? 'WINDOWS' : 'UNIX'
);
- // Authorized redirect to the install tool is performed, sudo mode is not required
+ // Authorized redirect to the admin tool is performed
+ // sudo mode is not required (due to development context)
+ $GLOBALS['BE_USER'] = new BackendUserAuthentication();
+ // using anonymous user session, which is fine for this test case
+ $GLOBALS['BE_USER']->id = $GLOBALS['BE_USER']->createSessionId();
+ $GLOBALS['BE_USER']->user = ['uid' => 1];
+
$response = $subject->{$action}();
self::assertEquals(303, $response->getStatusCode());
self::assertNotEmpty($response->getHeader('location'));
--
GitLab