[SECURITY] Add feature toggle to disable record registration 90/59090/2
author Benni Mack <benni@typo3.org>
Tue, 11 Dec 2018 09:55:42 +0000 (10:55 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 11 Dec 2018 09:55:44 +0000 (10:55 +0100)
commit fc2b4b9fb978088267f83e73cd401d4371dd40e3
tree 48d99d405eeaf9b536a8314f84d021e4690ca7d3
parent 7a5155e0137d01db7e5723849f0493ad5b0c98ac
[SECURITY] Add feature toggle to disable record registration

The "recs" query parameter allows writing
arbitrary entries into a session, leading
to a possibility to create a reasonable amount
of frontend user sessions.

In order to prevent this situation, a new configuration
option $TYPO3_CONF_VARS[FE][enableRecordRegistration]
is added to disable the functionality completely.

The feature is disabled by default in order to apply
strong security defaults. Installations that rely on this
functionality have to manually enable the feature and
its vulnerability by changing the according TYPO3_CONF_VARS
setting in the install tool.

A security report is added to display a warning
in the TYPO3 Backend.

Resolves: #80979
Releases: 8.7, 7.6
Security-Commit: e94871da34275de6b47e10f44a1fb16219598aa9
Security-Bulletin: TYPO3-CORE-SA-2018-012
Change-Id: I1c79525cde0f8a268b2e8747db55735e10668e75
Reviewed-on: https://review.typo3.org/59090
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Configuration/FactoryConfiguration.php
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
typo3/sysext/lang/locallang_core.xlf
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/reports/Resources/Private/Language/locallang_reports.xlf