[SECURITY] Prevent persistent username in filesystem 81/49081/2
author Wouter Wolters <typo3@wouterwolters.nl>
Tue, 19 Jul 2016 10:17:58 +0000 (12:17 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:18:02 +0000 (12:18 +0200)
commit 93ce286759a7afe01dee53b69165ba8f0a674cf7
tree 1b76462ac345696de5bdcdf4ae6c240a88fd8a59
parent 9ba09a9f270bdb568f0ed57d1912820bd869f5a6
[SECURITY] Prevent persistent username in filesystem

The language label for the refresh login popup contains the
username already and is persisted to the filesystem. Use
TYPO3.configuration.username and replace it with JavaScript
instead to prevent the information disclosure.

Resolves: #75933
Releases: master, 7.6, 6.2
Security-Commit: 0e7b21b3f455fef6703656889c43993976a4a6bc
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I14964781014b95d9753ad8d6ed79df5f25c1fa5c
Reviewed-on: https://review.typo3.org/49081
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Controller/BackendController.php
typo3/sysext/backend/Resources/Public/JavaScript/LoginRefresh.js
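
The pattern the commit message describes, as an added JavaScript sketch that is not TYPO3's code: the persisted label keeps a placeholder and the username is filled in at display time, with a check that flags persisted entries containing a known username. The cache `Map`, the label key, the `%s` placeholder and the label text are assumptions made for illustration; only `TYPO3.configuration.username` comes from the page.

```javascript
// Added illustration. Everything except the idea of reading the username from
// TYPO3.configuration.username is hypothetical (key, placeholder, label text).
const LABEL_KEY = 'login.refreshTitle';                          // constructed key
const TEMPLATE = 'Login expired for %s. Enter your password.';   // constructed text

// Before: the username is resolved on the server and the finished string is
// what gets persisted, so the stored artefact discloses who logged in.
function buildCacheBefore(username) {
  return new Map([[LABEL_KEY, TEMPLATE.replace('%s', () => username)]]);
}

// After: only the generic template is persisted; it is identical for all users.
function buildCacheAfter() {
  return new Map([[LABEL_KEY, TEMPLATE]]);
}

// Client side: substitute at display time from per-session configuration.
// A replacer function is used so sequences such as "$&" inside a username are
// inserted literally instead of being treated as replacement patterns.
function renderLoginRefreshTitle(cache, configuration) {
  return cache.get(LABEL_KEY).replace('%s', () => configuration.username);
}

// Defender's check: list persisted entries that contain any known username.
function findPersistedUsernames(cache, usernames) {
  const hits = [];
  for (const [key, value] of cache) {
    for (const name of usernames) {
      if (value.includes(name)) hits.push({ key, username: name });
    }
  }
  return hits;
}

// Stand-in for the object the page calls TYPO3.configuration.
const configuration = { username: 'alice' }; // constructed sample user
console.log(findPersistedUsernames(buildCacheBefore('alice'), ['alice'])); // one hit
console.log(findPersistedUsernames(buildCacheAfter(), ['alice']));         // no hits
console.log(renderLoginRefreshTitle(buildCacheAfter(), configuration));
```

When the rendered string is placed in the page, use a text API such as `textContent` so the username is never parsed as markup.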