[SECURITY] Use signed storage PID during frontend authentication
This change ensures that individual storage page ids are valid by signing corresponding values with an HMAC.

Resolves: #98010
Releases: main, 11.5, 10.4
Change-Id: I34d474ab23adca6bbcf20c108bb60acf6998bc6f
Security-Bulletin: TYPO3-CORE-SA-2022-013
Security-References: CVE-2022-23501
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77090
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Showing
- typo3/sysext/felogin/Classes/Controller/AbstractLoginFormController.php (11 additions, 0 deletions)
- typo3/sysext/felogin/Classes/Controller/LoginController.php (2 additions, 2 deletions)
- typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php (8 additions, 3 deletions)
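The commit message above describes signing the storage page ids with an HMAC so that a value submitted with the login form can be checked before it is used. The following sketch is an added example, not code from this commit or from TYPO3: the function names, the `@` separator, the comma-separated pid list and the demo key are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Names, the "@" separator and the key are assumptions,
// not TYPO3's implementation.
const PID_SEPARATOR = '@';

// Server side, when rendering the form: bind the pid list to a keyed MAC.
function signStoragePids(string $pidList, string $secret): string
{
    return $pidList . PID_SEPARATOR . hash_hmac('sha256', $pidList, $secret);
}

/** @return int[] validated page ids; throws if the value is unsigned or altered */
function verifyStoragePids(string $submitted, string $secret): array
{
    $pos = strrpos($submitted, PID_SEPARATOR);
    if ($pos === false) {
        throw new InvalidArgumentException('unsigned storage PID rejected');
    }
    $pidList = substr($submitted, 0, $pos);
    $mac = substr($submitted, $pos + 1);

    // Recompute the MAC and compare in constant time.
    $expected = hash_hmac('sha256', $pidList, $secret);
    if (!hash_equals($expected, $mac)) {
        throw new InvalidArgumentException('storage PID signature mismatch');
    }
    // Parse the value only after the signature has been verified.
    if (preg_match('/\A\d+(,\d+)*\z/', $pidList) !== 1) {
        throw new InvalidArgumentException('malformed storage PID list');
    }
    return array_map('intval', explode(',', $pidList));
}

// Constructed demo input; a real deployment uses a per-installation secret.
$secret = 'constructed-demo-key';
$field = signStoragePids('12,34', $secret);
var_dump(verifyStoragePids($field, $secret));

// A client that swaps in another pid but reuses the old MAC is rejected.
$tampered = '99' . substr($field, (int)strrpos($field, PID_SEPARATOR));
try {
    verifyStoragePids($tampered, $secret);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```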