[!!!][FEATURE] Introduce CSRF-like request-token handling (9cb30fb9) · Commits · TYPO3 / TYPO3.CMS

Commit 9cb30fb9 authored 2 years ago by

Oliver Hader Committed by Oliver Hader 2 years ago

[!!!][FEATURE] Introduce CSRF-like request-token handling

A CSRF-like request-token handling has been introduced, to
mitigate potential cross-site requests on actions with side-effects.
This approach does not require an existing server-side user session,
but uses a nonce (number used once) as a "pre-session". The main scope
is to ensure a user actually has visited a page, before submitting
data to the web server.

Introduces package https://packagist.org/packages/firebase/php-jwt
> composer req firebase/php-jwt

Besides that, AbstractUserAuthentication has been changed to require
this introduced request-token, to mitigate Login CSRF attacks.

The security enhancement potentially break custom login templates
and application handlers - this is why it is introduced and enforced
for TYPO3 v12.0.

Resolves: #97305
Releases: main
Change-Id: I74d9e1890017aae4a00999f549ea04716d68f721
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74183


Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

parent 3bd7ba7d

Branches