[SECURITY] Validate complete referring request 58/48258/2
authorHelmut Hummel <info@helhum.io>
Tue, 24 May 2016 07:44:23 +0000 (09:44 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 24 May 2016 07:44:25 +0000 (09:44 +0200)
commitf615301fd5ec86f5c2070c76d128bb266c8d72de
tree41905c0584539c106d71cbde403df1bcef762b79
parent26a7a3044838fd62f11d74d19caa0279038c2634
[SECURITY] Validate complete referring request

Instead of only checking for valid request arguments by using a hmac,
we now check the complete request including action, controller and vendor
to avoid spoofing these arguments and bypassing other security checks
during forwarding to the referring action.

Additionally, ReferringRequest is now separate from regular Request.
The meaning of properties starting with "@" is only valid for
processing a referring request. To avoid mixed concerns in using
the same Request implementation for regular requests and referring
requests, they are separated now.

Resolves: #76231
Resolves: #76256
Releases: master, 7.6, 6.2
Security-Commit: 3562e177f1720e62cab84232dcc67c580a3cc3db
Security-Bulletin: TYPO3-CORE-SA-2016-013
Change-Id: Ic94e11341df98c1326dc73c92a5c9e061a64cc9e
Reviewed-on: https://review.typo3.org/48258
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/extbase/Classes/Mvc/Request.php
typo3/sysext/extbase/Classes/Mvc/Web/ReferringRequest.php [new file with mode: 0644]
typo3/sysext/extbase/Classes/Mvc/Web/Request.php
typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
typo3/sysext/fluid/Tests/Unit/ViewHelpers/FormViewHelperTest.php