[SECURITY] Protect core Ajax calls against CSRF 77/27877/5
author Helmut Hummel <helmut.hummel@typo3.org>
Wed, 26 Feb 2014 19:04:10 +0000 (20:04 +0100)
committer Markus Klein <klein.t3@mfc-linz.at>
Fri, 28 Feb 2014 01:14:03 +0000 (02:14 +0100)
commit 715e61b279846e9eb69e0deafaeef9f9869fb24a
tree f10fc6d7ca9d05d4516ade77932f74b6a0306671
parent d9a4854f9934a41b108528379b5f9c6c962dff65
[SECURITY] Protect core Ajax calls against CSRF

The backend ajax handlers that are directly registered
in DefaultConfiguration.php are now CSRF protected
if necessary.

Resolves: #56356
Releases: 6.2
Change-Id: Ia592f7f2b51c20326600b97d2ce10a5e5fdbfde7
Reviewed-on: https://review.typo3.org/27877
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein
17 files changed:
typo3/js/tree.js
typo3/sysext/backend/Classes/Controller/BackendController.php
typo3/sysext/backend/Classes/Form/Element/InlineElement.php
typo3/sysext/backend/Classes/Form/FormEngine.php
typo3/sysext/backend/Classes/Template/DocumentTemplate.php
typo3/sysext/backend/Classes/Toolbar/ShortcutToolbarItem.php
typo3/sysext/backend/Resources/Public/JavaScript/DragUploader.js
typo3/sysext/backend/Resources/Public/JavaScript/jsfunc.inline.js
typo3/sysext/backend/Resources/Public/JavaScript/jsfunc.tceforms_suggest.js
typo3/sysext/backend/Resources/Public/JavaScript/modulemenu.js
typo3/sysext/backend/Resources/Public/JavaScript/shortcutmenu.js
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/filelist/Classes/Controller/FileListController.php
typo3/sysext/frontend/Classes/Controller/ExtDirectEidController.php
typo3/sysext/recordlist/Classes/Browser/ElementBrowser.php
typo3/sysext/rtehtmlarea/Classes/BrowseLinks.php
typo3/sysext/rtehtmlarea/Classes/SelectImage.php