Skip to content
Snippets Groups Projects
Select Git revision
  • 12.4
  • main default
  • 11.5
  • 13.3
  • l10n_main
  • 13.1
  • 13.0
  • l10n_12.4
  • 10.4
  • 12.1
  • 9.5
  • 11.3
  • master
  • 11.1
  • TYPO3_8-7
  • 10.2
  • 9.3
  • 9.2
  • TYPO3_7-6
  • TYPO3_7-0
  • v13.3.1
  • v12.4.21
  • v11.5.40
  • v13.3.0
  • v12.4.20
  • v12.4.19
  • v12.4.18
  • v11.5.39
  • v12.4.17
  • v13.2.1
  • v13.2.0
  • v12.4.16
  • v11.5.38
  • v13.1.1
  • v12.4.15
  • v11.5.37
  • v13.1.0
  • v12.4.14
  • v12.4.13
  • v12.4.12
40 results
Compare History
user avatar
[SECURITY] Add feature toggle to disable record registration
Benni Mack authored 
The "recs" query parameter allows to write
arbitrary entries into a session, leading
to a possibility to create a reasonable amount
of frontend user sessions.

In order to prevent this situation, a new configuration
option $TYPO3_CONF_VARS[FE][enableRecordRegistration]
is added to disable the functionality completely.

The feature is disabled per default in order to apply
strong security defaults. Installations that rely on this
functionality have to manually enable the feauture and
its vulnerability by changing the according TYPO3_CONF_VARS
setting in the install tool.

A security report is added to display a warning
in the TYPO3 Backend.

Resolves: #80979
Releases: 8.7, 7.6
Security-Commit: e94871da34275de6b47e10f44a1fb16219598aa9
Security-Bulletin: TYPO3-CORE-SA-2018-012
Change-Id: I1c79525cde0f8a268b2e8747db55735e10668e75
Reviewed-on: https://review.typo3.org/59090


Reviewed-by: default avatarOliver Hader <oliver.hader@typo3.org>
Tested-by: default avatarOliver Hader <oliver.hader@typo3.org>
fc2b4b9f
Name Last commit Last update