[SECURITY] Ensure validity of parameters submitted to ThumbnailController 53/57953/2
Author: Oliver Hader <oliver@typo3.org>
Fri, 17 Aug 2018 06:49:14 +0000 (08:49 +0200)
Committer: Frank Naegler <frank.naegler@typo3.org>
Fri, 17 Aug 2018 17:51:25 +0000 (19:51 +0200)
Commit: 0200fec9a88287fa88acb4cef034ed5bc0adbdf1
Tree: 6b0d968f836f75468460dd78fae1703c4d221812
Parent: 040147faca1a02224146dc1e6065684b177432c5
[SECURITY] Ensure validity of parameters submitted to ThumbnailController

Parameters submitted to ThumbnailController via HTTP GET query parameters
can contain arbitrary information. Thus, it has to be verified that those
parameters are valid by signing them with an HMAC.

Prior to that, the source code was vulnerable to information disclosure as
well as denial of service attacks due to unsanitized user input. A valid
backend user account was required in order to make use of these flaws.

Since the change which introduced this behavior was not released yet, the
security fixes are handled in public without additional announcements.

Resolves: #85875
Releases: master, 8.7
Change-Id: Ia53ba3756f140b0728b8fd1fb7e0527836639a6b
Reviewed-on: https://review.typo3.org/57953
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
typo3/sysext/backend/Classes/Controller/File/ThumbnailController.php
typo3/sysext/backend/Classes/Utility/BackendUtility.php
typo3/sysext/backend/Tests/Unit/Controller/File/ThumbnailControllerTest.php [new file with mode: 0644]
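The mitigation the commit message describes, signing the thumbnail request parameters with an HMAC and rejecting anything that does not verify, shown as an added example that is not TYPO3's own code: the key, the parameter names (`fileId`, `width`, `height`, `hmac`) and the sample values are assumptions for illustration.

```php
<?php
// Added example, not the TYPO3 implementation: sign the query parameters a
// thumbnail endpoint accepts with an HMAC so that tampered or attacker-chosen
// values are rejected before any file is touched. Key and parameter names
// are assumptions for illustration.
declare(strict_types=1);

// Assumption: in practice this comes from protected configuration, not source.
const SIGNING_KEY = 'replace-with-a-secret-from-configuration';

/** Canonicalise the parameters so signer and verifier hash identical bytes. */
function canonicalize(array $params): string
{
    ksort($params);
    return http_build_query($params);
}

/** Server side: attach an HMAC to parameters the server itself chose. */
function signThumbnailParams(array $params, string $key): array
{
    $params['hmac'] = hash_hmac('sha256', canonicalize($params), $key);
    return $params;
}

/** Request side: return the parameters only if their HMAC verifies, else null. */
function verifyThumbnailParams(array $query, string $key): ?array
{
    if (!isset($query['hmac']) || !is_string($query['hmac'])) {
        return null; // unsigned request: never fall back to trusting raw input
    }
    $given = $query['hmac'];
    unset($query['hmac']);
    $expected = hash_hmac('sha256', canonicalize($query), $key);
    // Constant-time comparison so the check does not leak the expected value.
    return hash_equals($expected, $given) ? $query : null;
}

// Constructed sample: the server generates a signed link ...
$signed = signThumbnailParams(['fileId' => 42, 'width' => 64, 'height' => 64], SIGNING_KEY);
echo verifyThumbnailParams($signed, SIGNING_KEY) !== null ? "valid\n" : "rejected\n";

// ... and a copy with an altered size (the DoS vector) no longer verifies.
$tampered = $signed;
$tampered['width'] = 100000;
echo verifyThumbnailParams($tampered, SIGNING_KEY) !== null ? "valid\n" : "rejected\n";
```

Because only the server ever computes the HMAC, a client can neither change a signed value nor construct a request for a file it was not handed a link for.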