[BUGFIX] Allow referrer refresh in install tool

With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling
has been introduced to avoid the install tool being called from other
non same-origin locations. In case a HTTP referrer header was empty
the system tried to refresh the view - otherwise the request was
denied completely.

Changes of issue #91396 using refresh-always are applied as well.

Resolves: #91433
Related: #91396
Releases: master, 9.5
Change-Id: I2a570da4f2a933e709d653b54f1d53d5055ef3f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64519


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

typo3/sysext/install/Classes/Middleware/Maintenance.php

@@ -382,7 +382,7 @@ class Maintenance implements MiddlewareInterface
             return null;
         }
         return (new ReferrerEnforcer($request))->handle([
-            'flags' => ['refresh-empty'],
+            'flags' => ['refresh-always'],
             'subject' => 'Install Tool',
         ]);
     }