diff --git a/typo3/sysext/felogin/Classes/Controller/AbstractLoginFormController.php b/typo3/sysext/felogin/Classes/Controller/AbstractLoginFormController.php
index 1448016ac1b70d90103c8a702b66880a0f835cb2..5b1c6be9b7d4d802924338cb143e10f180a965b7 100644
--- a/typo3/sysext/felogin/Classes/Controller/AbstractLoginFormController.php
+++ b/typo3/sysext/felogin/Classes/Controller/AbstractLoginFormController.php
@@ -19,6 +19,7 @@ namespace TYPO3\CMS\FrontendLogin\Controller;
 
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
+use TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;
 
 abstract class AbstractLoginFormController extends ActionController
 {
@@ -47,4 +48,14 @@ abstract class AbstractLoginFormController extends ActionController
 
         return array_unique($storagePids);
     }
+
+    protected function getSignedStorageFolders(): string
+    {
+        $pidList = implode(',', $this->getStorageFolders());
+        return sprintf(
+            '%s@%s',
+            $pidList,
+            GeneralUtility::hmac($pidList, FrontendUserAuthentication::class)
+        );
+    }
 }
diff --git a/typo3/sysext/felogin/Classes/Controller/LoginController.php b/typo3/sysext/felogin/Classes/Controller/LoginController.php
index f81fa3d99bf9d81a69c2b2e8a855ccd027bd2913..a1df224906f513b532047802787bf2e27cc8c656 100644
--- a/typo3/sysext/felogin/Classes/Controller/LoginController.php
+++ b/typo3/sysext/felogin/Classes/Controller/LoginController.php
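Review bot: getSignedStorageFolders() carries no docblock, so nothing on the felogin side says that the value it builds is a `<pidList>@<hmac>` token whose signature is checked by the FrontendUserAuthenticator middleware before the list is applied to checkPid_value, or that the HMAC is keyed on `FrontendUserAuthentication::class` and must stay identical on both sides. A short docblock would make that contract visible to whoever next touches either file, e.g. `/** Storage folder PID list as "<pidList>@<hmac>"; the HMAC (keyed on FrontendUserAuthentication::class) is verified by FrontendUserAuthenticator so a client cannot replace the list with arbitrary page IDs. */`. The `'@'` separator and the additional secret are literals repeated in both files; a shared constant (for example on FrontendUserAuthentication) would keep producer and verifier from drifting apart. An empty storage folder list yields `@<hmac>`, which the middleware then rejects because trimExplode drops the empty first part — consistent with the old `if ($pid)` behaviour, but worth one sentence in the docblock as well.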
@@ -156,7 +156,7 @@ class LoginController extends AbstractLoginFormController
             [
                 'cookieWarning' => $this->showCookieWarning,
                 'messageKey' => $this->getStatusMessageKey(),
-                'storagePid' => implode(',', $this->getStorageFolders()),
+                'storagePid' => $this->getSignedStorageFolders(),
                 'permaloginStatus' => $this->getPermaloginStatus(),
                 'redirectURL' => $this->redirectHandler->getLoginFormRedirectUrl($this->configuration, $this->isRedirectDisabled()),
                 'redirectReferrer' => $this->request->hasArgument('redirectReferrer') ? (string)$this->request->getArgument('redirectReferrer') : '',
@@ -202,7 +202,7 @@ class LoginController extends AbstractLoginFormController
             [
                 'cookieWarning' => $this->showCookieWarning,
                 'user' => $this->userService->getFeUserData(),
-                'storagePid' => implode(',', $this->getStorageFolders()),
+                'storagePid' => $this->getSignedStorageFolders(),
                 'noRedirect' => $this->isRedirectDisabled(),
                 'actionUri' => $this->redirectHandler->getLogoutFormRedirectUrl($this->configuration, $redirectPageLogout, $this->isRedirectDisabled()),
             ]
diff --git a/typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php b/typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php
index 1dad4f4e33f1c9884fc06d4f43964aeb6ab48864..bee3126ee4abcab594c0971a3f1a21ae8091be44 100644
--- a/typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php
+++ b/typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php
@@ -63,10 +63,15 @@ class FrontendUserAuthenticator implements MiddlewareInterface, LoggerAwareInter
     {
         $frontendUser = GeneralUtility::makeInstance(FrontendUserAuthentication::class);
 
+        $pidValue = (string)($request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? '');
+        $pidParts = GeneralUtility::trimExplode('@', $pidValue, true, 2);
+        $pid = $pidParts[0] ?? '';
+        $givenHash = $pidParts[1] ?? '';
+        $expectedHash = GeneralUtility::hmac($pid, FrontendUserAuthentication::class);
+
         // List of page IDs where to look for frontend user records
-        $pid = $request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? 0;
-        if ($pid) {
-            $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', (string)$pid));
+        if ($pid && hash_equals($expectedHash, $givenHash)) {
+            $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
         }
 
         // Rate Limiting
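Review bot: A `pid` whose signature does not verify is dropped silently at the new `if ($pid && hash_equals($expectedHash, $givenHash))`, so a tampered or forged value leaves no trace even though the class implements LoggerAwareInterface (visible in the hunk header) and a mismatch here is exactly the event an operator would want to see. Consider appending `} elseif ($pid !== '') { $this->logger->warning('Ignoring request parameter "pid" with missing or invalid signature'); }` to the block, assuming the logger is injected through the usual LoggerAwareTrait. Separately, `(string)($request->getParsedBody()['pid'] ?? ...)` still casts whatever the client sent, so `pid[]=1` reaches the cast as an array and raises an "Array to string conversion" warning before the HMAC check rejects it; an `is_scalar()` guard ahead of the cast would fail closed without the warning. The enclosing method's signature is above the hunk and its body continues below it.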