[SECURITY] Validate complete referring request
Instead of only checking for valid request arguments by using an HMAC, we now check the complete request including action, controller and vendor to avoid spoofing these arguments and bypassing other security checks during forwarding to the referring action.

Additionally, ReferringRequest is now separate from regular Request. The meaning of properties starting with "@" is only valid for processing a referring request. To avoid mixed concerns in using the same Request implementation for regular requests and referring requests, they are separated now.

Resolves: #76231
Resolves: #76256
Releases: master, 7.6, 6.2
Security-Commit: 3562e177f1720e62cab84232dcc67c580a3cc3db
Security-Bulletin: TYPO3-CORE-SA-2016-013
Change-Id: Ic94e11341df98c1326dc73c92a5c9e061a64cc9e
Reviewed-on: https://review.typo3.org/48258
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
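The weakness the commit describes, as an added illustration that is not TYPO3's own code: an HMAC that covers only the referrer arguments still verifies after the "@controller" / "@action" fields are swapped, while an HMAC over the complete referring request does not. The function names, the field set and the secret key are assumptions made for this example.

```php
<?php
// Illustrative example (not TYPO3 core code). Shows why signing only the
// arguments of a referring request is insufficient and how covering the
// complete request (vendor, extension, controller, action, arguments) fixes it.
// ENCRYPTION_KEY, the function names and the field list are assumptions.

const ENCRYPTION_KEY = 'constructed-secret-for-demo-only';

// Canonical, key-sorted encoding so that key order cannot alter the signature.
function canonicalize(array $data): string
{
    ksort($data);
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = json_decode(canonicalize($value), true);
        }
    }
    return json_encode($data);
}

// Weak pattern: the HMAC binds only the arguments, not where they are sent.
function signArgumentsOnly(array $arguments): string
{
    return hash_hmac('sha256', canonicalize($arguments), ENCRYPTION_KEY);
}

// Hardened pattern: routing fields are part of the signed payload, so changing
// the target controller/action invalidates the HMAC.
function signReferringRequest(array $referrer): string
{
    $payload = [];
    foreach (['@vendor', '@extension', '@controller', '@action', 'arguments'] as $field) {
        $payload[$field] = $referrer[$field] ?? null;
    }
    return hash_hmac('sha256', canonicalize($payload), ENCRYPTION_KEY);
}

// Constant-time comparison of the submitted HMAC against the recomputed one.
function verifyHmac(string $submitted, string $recomputed): bool
{
    return hash_equals($recomputed, $submitted);
}

// Constructed referring request as a rendered form would submit it.
$referrer = ['@vendor' => 'Acme', '@extension' => 'Shop', '@controller' => 'Cart',
             '@action' => 'show', 'arguments' => ['cartId' => 7]];
$argsOnlyHmac = signArgumentsOnly($referrer['arguments']);
$fullHmac     = signReferringRequest($referrer);

// Tampered copy: same arguments (so the arguments-only HMAC is unchanged),
// but the routing fields now point at a different controller and action.
$tampered = $referrer;
$tampered['@controller'] = 'Admin';
$tampered['@action']     = 'delete';

var_dump(verifyHmac($argsOnlyHmac, signArgumentsOnly($tampered['arguments'])));
var_dump(verifyHmac($fullHmac, signReferringRequest($tampered)));
```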
Showing 5 changed files:
- typo3/sysext/extbase/Classes/Mvc/Request.php (2 additions, 21 deletions)
- typo3/sysext/extbase/Classes/Mvc/Web/ReferringRequest.php (56 additions, 0 deletions)
- typo3/sysext/extbase/Classes/Mvc/Web/Request.php (7 additions, 9 deletions)
- typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php (37 additions, 0 deletions)
- typo3/sysext/fluid/Tests/Unit/ViewHelpers/FormViewHelperTest.php (9 additions, 5 deletions)