[SECURITY] Mitigate timing discrepancies during user authentication
Observing response time during user authentication can be used to distinguish between existing and non-existing user accounts. This change introduces `MimicServiceInterface::mimicAuthUser` - to be implemented by 3rd party authentication services - which simulates corresponding times regular processing would usually take.

Resolves: #98217
Releases: main, 11.5, 10.4
Change-Id: I143ae0d3877dffe6f2decbb3f0cf8c9d9cb6ca0b
Security-Bulletin: TYPO3-CORE-SA-2022-007
Security-References: CVE-2022-36105
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75710
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Showing 3 changed files:
- typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php (9 additions, 0 deletions)
- typo3/sysext/core/Classes/Authentication/AuthenticationService.php (17 additions, 1 deletion)
- typo3/sysext/core/Classes/Authentication/MimicServiceInterface.php (35 additions, 0 deletions)
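The mitigation the commit describes, as an added PHP example that is not TYPO3's own code: a leaky check that short-circuits for unknown accounts next to a variant that runs a dummy hash verification so both paths take comparable time, plus a small timing harness to confirm the gap closes. The function names, the sample user, the dummy hash and the cost factor are constructed assumptions and do not reflect the real `MimicServiceInterface` API.

```php
<?php
declare(strict_types=1);
// Added example, not TYPO3's own code: why an authentication service should do
// comparable work for unknown accounts. Names here are hypothetical, not the
// TYPO3 MimicServiceInterface API. Sample user and hashes are constructed inline.
const COST = 10;
/** Constructed sample store: username => bcrypt hash. */
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => COST])];
/** Hash of a random dummy password, used only to spend time for unknown users. */
$mimicHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => COST]);

/** Leaky variant: an unknown user short-circuits before any hashing work. */
function authenticateLeaky(array $users, string $user, string $pw): bool
{
    if (!isset($users[$user])) {
        return false;                                // returns in microseconds
    }
    return password_verify($pw, $users[$user]);      // tens of milliseconds at cost 10
}

/** Mitigated variant: an unknown user still pays for one bcrypt verification. */
function authenticateMimic(array $users, string $mimicHash, string $user, string $pw): bool
{
    if (!isset($users[$user])) {
        password_verify($pw, $mimicHash);            // mimic regular processing, discard result
        return false;
    }
    return password_verify($pw, $users[$user]);
}

/** Median wall-clock time in milliseconds over $rounds calls of $fn. */
function medianMs(callable $fn, int $rounds = 15): float
{
    $samples = [];
    for ($i = 0; $i < $rounds; $i++) {
        $start = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($rounds, 2)];
}

printf("leaky  known=%.1fms unknown=%.1fms\n",
    medianMs(fn() => authenticateLeaky($users, 'alice', 'wrong')),
    medianMs(fn() => authenticateLeaky($users, 'mallory', 'wrong')));
printf("mimic  known=%.1fms unknown=%.1fms\n",
    medianMs(fn() => authenticateMimic($users, $mimicHash, 'alice', 'wrong')),
    medianMs(fn() => authenticateMimic($users, $mimicHash, 'mallory', 'wrong')));
```

With the leaky variant the unknown-user path is orders of magnitude faster than the known-user path; with the mimic variant both medians land in the same range, which is the property the commit's `mimicAuthUser` hook is meant to restore for third-party services.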