[SECURITY] Validate complete referring request 56/48256/2
author Helmut Hummel <info@helhum.io>
Tue, 24 May 2016 07:44:08 +0000 (09:44 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 24 May 2016 07:44:10 +0000 (09:44 +0200)
commit 21ed4054212babb7ec75d80a24f95c6ba25bd2fb
tree 1f3efc4dbdbeaba888647868bd87f2380ccc3db4
parent f790645247241c34f691077b35d3d928b4467164
[SECURITY] Validate complete referring request

Instead of only checking for valid request arguments by using an HMAC,
we now check the complete request including action, controller and vendor
to avoid spoofing these arguments and bypassing other security checks
during forwarding to the referring action.

Additionally, ReferringRequest is now separate from regular Request.
The meaning of properties starting with "@" is only valid for
processing a referring request. To avoid mixed concerns in using
the same Request implementation for regular requests and referring
requests, they are separated now.

Resolves: #76231
Resolves: #76256
Releases: master, 7.6, 6.2
Security-Commit: e4eb0e63ace525a68f172aa9be1af23d69ea2ab2
Security-Bulletin: TYPO3-CORE-SA-2016-013
Change-Id: I334b2aa9ea3de0778adb38f007b1bd5e5a6a1be5
Reviewed-on: https://review.typo3.org/48256
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/extbase/Classes/Mvc/Request.php
typo3/sysext/extbase/Classes/Mvc/Web/ReferringRequest.php [new file with mode: 0644]
typo3/sysext/extbase/Classes/Mvc/Web/Request.php
typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
typo3/sysext/fluid/Tests/Unit/ViewHelpers/FormViewHelperTest.php
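The weakness the commit message describes, shown as an added illustration that is not TYPO3's own code: an HMAC that covers only the request arguments leaves vendor, controller and action unbound, so a referring request can be re-pointed at a different action while the signature still verifies; binding the complete request closes that gap. The secret and the request fields are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed secret for this example; a real application uses its own key material.
SECRET = b"example-key-not-for-production"


def _mac(payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so signer and verifier
    # serialise the same structure identically.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def sign_arguments_only(request: dict) -> str:
    """Old scheme: the HMAC covers only the referring request's arguments."""
    return _mac({"arguments": request["arguments"]})


def sign_full_request(request: dict) -> str:
    """Fixed scheme: the HMAC also binds vendor, controller and action."""
    return _mac({k: request[k] for k in ("vendor", "controller", "action", "arguments")})


def verify(request: dict, mac: str, signer) -> bool:
    # Constant-time comparison so the check itself does not leak the MAC.
    return hmac.compare_digest(signer(request), mac)


def referrer_spoofed(signer) -> bool:
    """True if re-pointing a signed referring request at another controller/action
    still verifies under the given signing scheme (i.e. the scheme is bypassable)."""
    original = {
        "vendor": "Acme",
        "controller": "Comment",
        "action": "new",
        "arguments": {"post": "42"},
    }
    mac = signer(original)
    # Same arguments, different target: only the routing fields change.
    spoofed = dict(original, controller="Admin", action="delete")
    return verify(spoofed, mac, signer)
```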