[SECURITY] Add feature toggle to disable record registration 98/59098/2
author Benni Mack <benni@typo3.org>
Tue, 11 Dec 2018 09:56:43 +0000 (10:56 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 11 Dec 2018 09:56:45 +0000 (10:56 +0100)
commit 05011d1248c54d00960e344fd920a6246da92415
tree 9acad5cc47b46558076bf21aec6a87ff0efc6539
parent 054799caf53b28ff92e00aff957fab88c45a7509
[SECURITY] Add feature toggle to disable record registration

The "recs" query parameter allows writing
arbitrary entries into a session, leading
to a possibility to create a reasonable amount
of frontend user sessions.

In order to prevent this situation, a new configuration
option $TYPO3_CONF_VARS[FE][enableRecordRegistration]
is added to disable the functionality completely.

The feature is disabled by default in order to apply
strong security defaults. Installations that rely on this
functionality have to manually enable the feature and
its vulnerability by changing the corresponding TYPO3_CONF_VARS
setting in the install tool.

A security report is added to display a warning
in the TYPO3 Backend.

Resolves: #80979
Releases: 8.7, 7.6
Security-Commit: 32762f9654fba3e8ddcf1f67d1c0fbf4967b5149
Security-Bulletin: TYPO3-CORE-SA-2018-012
Change-Id: I488bdf412361a0c56290deb842b16a3958501430
Reviewed-on: https://review.typo3.org/59098
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Configuration/DefaultConfigurationDescription.php
typo3/sysext/core/Configuration/FactoryConfiguration.php
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
typo3/sysext/lang/Resources/Private/Language/locallang_core.xlf
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/reports/Resources/Private/Language/locallang_reports.xlf
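As an added illustration (not code from this commit or from the TYPO3 project), the fail-closed toggle pattern the commit message describes, written as standalone PHP: the session write that the "recs" parameter triggers is gated behind the configuration key, and an absent key is treated as disabled, matching the secure default the message states. The function names, the shape of the configuration and request arrays, and the sample values are assumptions made for this example; only the key `$TYPO3_CONF_VARS[FE][enableRecordRegistration]` and the "recs" parameter come from the commit message.

```php
<?php
// Added illustration, not TYPO3 code. Function names, array shapes and the
// sample data are hypothetical; only the configuration key and the "recs"
// parameter are taken from the commit message above.
declare(strict_types=1);

/**
 * Effective state of the toggle. A missing key counts as disabled, which is
 * the secure default the commit message describes.
 */
function isRecordRegistrationEnabled(array $conf): bool
{
    return (bool)($conf['FE']['enableRecordRegistration'] ?? false);
}

/**
 * Guarded session write. Only when the toggle is on are "recs" entries from
 * the request copied into the session array. Returns the number of entries
 * written; 0 means the request was ignored (feature off or parameter absent).
 */
function registerRecords(array $conf, array $request, array &$session): int
{
    if (!isRecordRegistrationEnabled($conf)) {
        return 0; // fail closed: nothing from the request reaches the session
    }
    $recs = $request['recs'] ?? null;
    if (!is_array($recs) || $recs === []) {
        return 0;
    }
    $written = 0;
    foreach ($recs as $key => $value) {
        $session['recs'][(string)$key] = $value;
        $written++;
    }
    return $written;
}

// Constructed sample data: the hardened default (key absent) beside an
// installation that has explicitly opted back in and so re-exposes the issue.
$hardened = ['FE' => []];
$legacy   = ['FE' => ['enableRecordRegistration' => true]];
$request  = ['recs' => ['tt_content_1' => 3, 'tt_content_2' => 1]];

$sessionHardened = [];
$sessionLegacy   = [];
printf("hardened: %d entries written\n", registerRecords($hardened, $request, $sessionHardened));
printf("legacy:   %d entries written\n", registerRecords($legacy, $request, $sessionLegacy));
```

Run it with `php example.php`; the hardened configuration writes nothing to the session, while the opted-in one copies every supplied entry. The check in `isRecordRegistrationEnabled()` is the point: because the toggle defaults to off and an unset key is read as off, an installation only regains the behaviour by setting the key to true on purpose, which is also what the backend security report added by this commit is meant to surface.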