[SECURITY] Validate complete referring request 57/48257/2
author Helmut Hummel <info@helhum.io>
Tue, 24 May 2016 07:44:16 +0000 (09:44 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 24 May 2016 07:44:18 +0000 (09:44 +0200)
commit 404f09d491c96b294ded5e2741277dfbeba92807
tree 1b00ba14de65f30732c54b5938a4e2ac7e489d7a
parent a8092e52750e3ba88f17357a2b2813ca3e4d9ee6
[SECURITY] Validate complete referring request

Instead of only checking for valid request arguments by using an HMAC,
we now check the complete request including action, controller and vendor
to avoid spoofing these arguments and bypassing other security checks
during forwarding to the referring action.

Additionally, ReferringRequest is now separate from regular Request.
The meaning of properties starting with "@" is only valid for
processing a referring request. To avoid mixed concerns in using
the same Request implementation for regular requests and referring
requests, they are separated now.

Resolves: #76231
Resolves: #76256
Releases: master, 7.6, 6.2
Security-Commit: 3562e177f1720e62cab84232dcc67c580a3cc3db
Security-Bulletin: TYPO3-CORE-SA-2016-013
Change-Id: Idaed1d782168b20c3654304562d3a04047c8f234
Reviewed-on: https://review.typo3.org/48257
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/extbase/Classes/Mvc/Request.php
typo3/sysext/extbase/Classes/Mvc/Web/ReferringRequest.php [new file with mode: 0644]
typo3/sysext/extbase/Classes/Mvc/Web/Request.php
typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
typo3/sysext/fluid/Tests/Unit/ViewHelpers/FormViewHelperTest.php
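The weakness the commit message describes, as an added stand-alone illustration rather than extbase's own code: when the referrer HMAC covers only the argument names, an attacker can keep the arguments (and therefore the valid MAC) while rewriting the "@controller"/"@action" routing fields, so an error-forward lands in an action the form never pointed at. Binding vendor, extension, controller and action into the MAC input closes that. The key, field names and the "Comment"/"Administration" controllers are constructed for this example; nothing here calls TYPO3 APIs.

```python
"""Added example: argument-only HMAC versus HMAC over the complete referring request.

All names and values are constructed for illustration; this is not extbase code.
"""
import hashlib
import hmac
import json

# Constructed secret standing in for a site-wide encryption key (assumption).
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# Routing fields of a referring request that must not be spoofable.
ROUTING_KEYS = ("@vendor", "@extension", "@controller", "@action")


def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over a canonical byte string, hex encoded."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def _canonical(obj) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- weak scheme: only the referrer's arguments are authenticated ------------
def sign_arguments_only(referrer: dict) -> str:
    return _mac(_canonical(referrer["arguments"]))


def verify_arguments_only(referrer: dict, mac: str) -> bool:
    return hmac.compare_digest(sign_arguments_only(referrer), mac)


# --- fixed scheme: the whole referring request is authenticated --------------
def sign_referring_request(referrer: dict) -> str:
    covered = {key: referrer[key] for key in ROUTING_KEYS}
    covered["arguments"] = referrer["arguments"]
    return _mac(_canonical(covered))


def verify_referring_request(referrer: dict, mac: str) -> bool:
    return hmac.compare_digest(sign_referring_request(referrer), mac)


def demo() -> dict:
    """Sign a legitimate referrer, then try to redirect it at another action."""
    # Referrer a form view would legitimately embed (constructed sample).
    legit = {
        "@vendor": "Acme",
        "@extension": "Blog",
        "@controller": "Comment",
        "@action": "new",
        "arguments": {"post": "42"},
    }
    mac_weak = sign_arguments_only(legit)
    mac_full = sign_referring_request(legit)

    # Attacker keeps the arguments untouched (so an argument-only MAC still
    # verifies) but rewrites the routing fields the error-forward will use.
    spoofed = dict(legit, **{"@controller": "Administration", "@action": "delete"})

    # Tampering with the arguments must still be caught by the fixed scheme.
    tampered_args = dict(legit, arguments={"post": "43"})

    return {
        "weak_accepts_spoofed": verify_arguments_only(spoofed, mac_weak),
        "full_accepts_spoofed": verify_referring_request(spoofed, mac_full),
        "full_accepts_legit": verify_referring_request(legit, mac_full),
        "full_accepts_tampered_args": verify_referring_request(tampered_args, mac_full),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The verifier on the receiving side should always compare with a constant-time function (hmac.compare_digest above) and should serialise the covered fields the same way the signer did; any field left out of the MAC input, as the routing fields were before this fix, is a field the client controls.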