[SECURITY] Prevent persistent username in filesystem 69/49069/2
author Wouter Wolters <typo3@wouterwolters.nl>
Tue, 19 Jul 2016 10:16:35 +0000 (12:16 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:16:39 +0000 (12:16 +0200)
commit 7471988ae4739c48961b3d334727c192b6b59f59
tree c4187a573fa32ab40e385fa8c04ac4cfc27bdd36
parent 6e35feed9c10070bc9c459f2c51bcb41b1d39d70
[SECURITY] Prevent persistent username in filesystem

The language label for the refresh login popup contains the
username already and is persisted to the filesystem. Use
TYPO3.configuration.username and replace it with JavaScript
instead to prevent the information disclosure.

Resolves: #75933
Releases: master, 7.6, 6.2
Security-Commit: a0f0e8ef937ced52bd6d2ca8a8b00e82e3ba689d
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I5e65e746bccbc29ed4fc0355a118c8657648b0f8
Reviewed-on: https://review.typo3.org/49069
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Controller/BackendController.php
typo3/sysext/backend/Resources/Public/JavaScript/LoginRefresh.js
typo3/sysext/workspaces/Classes/Controller/PreviewController.php