[SECURITY] Avoid creation of backend users without password 21/59521/2
author Benni Mack <benni@typo3.org>
Tue, 22 Jan 2019 08:41:09 +0000 (09:41 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 22 Jan 2019 08:41:12 +0000 (09:41 +0100)
commit e4d0cff40a4f8f597e52c20fff529e206bb62703
tree e8f8d763d2a343423a613535fcc9385beff8a8a5
parent c81cca9e419e7aaed551b9b9a8d012ba7bffb287
[SECURITY] Avoid creation of backend users without password

When using FormEngine it is possible to create a Backend User
without setting a password (or username), which could lead to
issues when using third-party authentication providers.

A hook within DataHandler ensures to set a random username
and/or password if the data is handed into DataHandler without
proper data. Besides that new backend users are disabled per
default and have to be enabled manually.

Resolves: #80269
Releases: master, 9.5, 8.7
Security-Commit: 09b19dc181a565ca4a237f96747c0c808eb1c11b
Security-Bulletin: TYPO3-CORE-SA-2019-002
Change-Id: If4fb1e05c5dd8018077daa0c2a47779b2ca14342
Reviewed-on: https://review.typo3.org/59521
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Hooks/BackendUserPasswordCheck.php [new file with mode: 0644]
typo3/sysext/core/Configuration/TCA/be_users.php
typo3/sysext/core/ext_localconf.php
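
The behaviour the commit message describes, as an added stand-alone sketch; it is not the code from this commit and uses no TYPO3 API. The function name `hardenNewBackendUser`, the `autogenerated-` prefix, the use of `password_hash()` and the field names `username`, `password` and `disable` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not TYPO3 API): fill in what a record for a new
 * backend user is missing before it is written to storage.
 *
 * @param string $status 'new' or 'update', as passed along with the record
 * @param string $table  name of the table the record belongs to
 * @param array  $fields submitted field values
 */
function hardenNewBackendUser(string $status, string $table, array $fields): array
{
    // Only newly created backend users are in scope.
    if ($table !== 'be_users' || $status !== 'new') {
        return $fields;
    }
    // Empty or whitespace-only username: replace it with a random one so the
    // account cannot be addressed by an empty login name.
    if (trim((string)($fields['username'] ?? '')) === '') {
        $fields['username'] = 'autogenerated-' . bin2hex(random_bytes(8));
    }
    // Empty password: store the hash of a random secret that is discarded,
    // so nobody knows a working password until one is set deliberately.
    if ((string)($fields['password'] ?? '') === '') {
        $fields['password'] = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
    }
    // Assumption: new accounts start disabled unless a value was submitted.
    if (!array_key_exists('disable', $fields)) {
        $fields['disable'] = 1;
    }
    return $fields;
}

// Constructed sample input: a new record submitted with both fields empty.
$record = hardenNewBackendUser('new', 'be_users', ['username' => '', 'password' => '']);
printf("username=%s disable=%d\n", $record['username'], $record['disable']);

// A record for another table passes through unchanged.
var_dump(hardenNewBackendUser('new', 'pages', ['title' => '']) === ['title' => '']);
```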