[FEATURE] Restrict Backend Routes to specified HTTP methods
Because TYPO3 Backend is based on the symfony/routing components, it is now possible to also limit a route to only e.g. a POST request by defining allowed methods in the route registration.

This allows for more secure route behaviour, e.g. routes that update the system should semantically use POST requests.

Similarly this way, future non-HTML-routes in the TYPO3 Backend could be set up (e.g. for REST APIs), utilizing the BE routing directly.

For the time being, the password-forgot form is now only allowed for POST methods, effectively hardening this feature.

Resolves: #93455
Releases: master
Change-Id: I1c89f592ce17dfcd8a7e7674945c97c7c39969ba
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67655
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
parent
8cbd504f
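
The method restriction the commit message describes comes from symfony/routing itself. The following is an added example, not code from this commit or from TYPO3: it shows how a route limited to POST is matched, and how a defender can turn the resulting exception into a 405 response. The route names, paths and the `dispatch()` helper are hypothetical, and it assumes symfony/routing is installed via Composer.

```php
<?php
declare(strict_types=1);

// Assumption: run in a project where `composer require symfony/routing` was done.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Routing\Exception\MethodNotAllowedException;
use Symfony\Component\Routing\Exception\ResourceNotFoundException;
use Symfony\Component\Routing\Matcher\UrlMatcher;
use Symfony\Component\Routing\RequestContext;
use Symfony\Component\Routing\Route;
use Symfony\Component\Routing\RouteCollection;

$routes = new RouteCollection();
// Hypothetical state-changing route: only POST may reach its handler.
$routes->add(
    'password_reset_request',
    (new Route('/password/reset-request'))->setMethods(['POST'])
);
// Hypothetical read-only route with no method restriction (any method matches).
$routes->add('dashboard', new Route('/dashboard'));

/**
 * Hypothetical helper: match method + path and map the outcome to a status line.
 * A path that exists but is called with a disallowed method yields 405, not 404,
 * so the rejection is visible in logs as a distinct event.
 */
function dispatch(RouteCollection $routes, string $method, string $path): string
{
    $context = new RequestContext('', $method);
    try {
        $params = (new UrlMatcher($routes, $context))->match($path);
        return '200 route=' . $params['_route'];
    } catch (MethodNotAllowedException $e) {
        return '405 Allow: ' . implode(', ', $e->getAllowedMethods());
    } catch (ResourceNotFoundException $e) {
        return '404';
    }
}

// Constructed sample requests.
foreach ([
    ['POST', '/password/reset-request'],
    ['GET', '/password/reset-request'],
    ['GET', '/dashboard'],
    ['GET', '/does-not-exist'],
] as [$method, $path]) {
    echo $method . ' ' . $path . ' => ' . dispatch($routes, $method, $path) . PHP_EOL;
}
```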