[SECURITY] Protect arguments of form __referrer with HMAC
author Felix Oertel <f@oer.tel>
Wed, 28 Mar 2012 10:02:57 +0000 (12:02 +0200)
committer Felix Oertel <f@oer.tel>
Wed, 28 Mar 2012 11:40:46 +0000 (13:40 +0200)
commit c34bf90785d2e0905afeca298f676216e076f66f
tree 752fb0b3571530b4a65fe0fce769c2dd9a23c615
parent 0632b7e1c86ce2d0534361bad7bf71c0fadb0d93
[SECURITY] Protect arguments of form __referrer with HMAC

The request arguments of the referring request are
a serialized string written to one of the hidden
fields in a Fluid form. This string has to be protected
by a HMAC to protect Extbase from possible unserialize
attacks.

Note: For now there is no object known within Extbase
that could be used for an unserialize exploit!

Change-Id: Ic59b34bd9b58e43158ebe05116c8f577334a729e
Security-Bulletin: TYPO3-CORE-SA-2012-001
Related: #35310
Releases: 1.4, 4.7, 6.0
typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
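
Added example, not part of this commit or of TYPO3's code: a plain-PHP sketch of the pattern the commit message describes, where a serialized hidden-field value carries an HMAC that is checked before `unserialize()` is called. The function names, the SHA-256 choice, the key handling and the sample arguments are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for this example; not the Extbase/Fluid API.
const TAG_LENGTH = 64; // hex length of an HMAC-SHA256 tag

// Append an HMAC tag to the value that will be written into the hidden field.
function signFieldValue(string $payload, string $key): string
{
    return $payload . hash_hmac('sha256', $payload, $key);
}

// Return the payload only if its tag verifies; otherwise throw.
function verifyFieldValue(string $signed, string $key): string
{
    if (strlen($signed) <= TAG_LENGTH) {
        throw new InvalidArgumentException('Value too short to carry an HMAC');
    }
    $payload = substr($signed, 0, -TAG_LENGTH);
    $tag = substr($signed, -TAG_LENGTH);
    // hash_equals() compares in constant time, so the tag cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        throw new RuntimeException('HMAC mismatch: hidden field was modified');
    }
    return $payload;
}

// Constructed sample data. A real application uses a persistent server-side secret.
$key = random_bytes(32);
$referrerArguments = ['action' => 'edit', 'controller' => 'Post', 'uid' => 42];

// Rendering the form: serialize, then sign.
$hiddenField = signFieldValue(serialize($referrerArguments), $key);

// Handling the submission: verify first, unserialize only what verified.
// allowed_classes => false is an extra guard that refuses to instantiate objects.
$restored = unserialize(verifyFieldValue($hiddenField, $key), ['allowed_classes' => false]);
echo 'round trip intact: ', var_export($restored === $referrerArguments, true), PHP_EOL;

// A client that swaps the payload but keeps the old tag is rejected
// before unserialize() ever sees the data.
$tampered = 'O:8:"stdClass":0:{}' . substr($hiddenField, -TAG_LENGTH);
try {
    verifyFieldValue($tampered, $key);
    echo 'tampered value accepted', PHP_EOL;
} catch (RuntimeException $e) {
    echo 'tampered value rejected: ', $e->getMessage(), PHP_EOL;
}
```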