[SECURITY] Ensure validity of parameters submitted to ThumbnailController 43/57943/7
author Oliver Hader <oliver@typo3.org>
Fri, 17 Aug 2018 06:49:14 +0000 (08:49 +0200)
committer Frank Naegler <frank.naegler@typo3.org>
Fri, 17 Aug 2018 17:05:04 +0000 (19:05 +0200)
commit 5dbcb5da27bc43bb2a19c770e4d226f47c7bcf0c
tree ba7a2de51b7293268156d1c0672397f841eefb07
parent 92616fb8d081e9ff08801ba8e2da6bdf494a027d
[SECURITY] Ensure validity of parameters submitted to ThumbnailController

Parameters submitted to ThumbnailController via HTTP GET query parameters
can contain arbitrary information. Thus, it has to be verified that those
parameters are valid by signing them with an HMAC.

Prior to that, the source code was vulnerable to information disclosure as
well as denial of service attacks due to unsanitized user input. A valid
backend user account was required in order to make use of these flaws.

Since the change which introduced this behavior was not released yet, the
security fixes are handled in public without additional announcements.

Resolves: #85875
Releases: master, 8.7
Change-Id: Ia53ba3756f140b0728b8fd1fb7e0527836639a6b
Reviewed-on: https://review.typo3.org/57943
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
typo3/sysext/backend/Classes/Controller/File/ThumbnailController.php
typo3/sysext/backend/Classes/Utility/BackendUtility.php
typo3/sysext/backend/Tests/Unit/Controller/File/ThumbnailControllerTest.php [new file with mode: 0644]
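The pattern the commit message describes, signing the GET parameters with an HMAC so the controller only processes parameter sets the server itself issued, as an added example in plain PHP; this is not TYPO3's code, and the parameter names, the `hmac` field and the secret are constructed for illustration.

```php
<?php
// Added example (not TYPO3's own code): sign request parameters with an HMAC
// so the server can reject any parameter set it did not itself issue.
declare(strict_types=1);

const SIGNATURE_KEY = 'hmac'; // constructed name of the signature parameter

// Canonicalise the parameters: drop the signature itself and sort by key so
// that parameter order cannot change the signed string.
function canonicalize(array $params): string
{
    unset($params[SIGNATURE_KEY]);
    ksort($params);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Issue a parameter set that the server will later accept.
function signParameters(array $params, string $secret): array
{
    $params[SIGNATURE_KEY] = hash_hmac('sha256', canonicalize($params), $secret);
    return $params;
}

// Verify in constant time; a missing, malformed or altered parameter fails.
function verifyParameters(array $params, string $secret): bool
{
    $given = $params[SIGNATURE_KEY] ?? null;
    if (!is_string($given)) {
        return false;
    }
    $expected = hash_hmac('sha256', canonicalize($params), $secret);
    return hash_equals($expected, $given);
}

// Constructed demonstration values; a real secret comes from server configuration.
$secret = 'constructed-example-secret-not-for-production';
$issued = signParameters(['fileId' => 42, 'width' => 64, 'height' => 64], $secret);

// Simulate the request as it arrives: serialise to a query string and parse it back.
parse_str(http_build_query($issued), $incoming);
echo verifyParameters($incoming, $secret) ? "issued request: valid\n" : "issued request: rejected\n";

// A request whose file id or dimensions were changed after issuance no longer
// matches the signature and is refused before any file is read or resized.
$tampered = $incoming;
$tampered['fileId'] = '43';
echo verifyParameters($tampered, $secret) ? "tampered id: valid\n" : "tampered id: rejected\n";
$tampered = $incoming;
$tampered['width'] = '100000';
echo verifyParameters($tampered, $secret) ? "tampered size: valid\n" : "tampered size: rejected\n";
```

Because verification happens before the controller touches the file system or the image processor, the two problems the commit message names (reading files the caller should not see, and forcing expensive processing through oversized dimensions) are both stopped at the parameter check.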