Fixed bug #17184: Disable the CSRF protection in ExtDirect calls coming from the frontend
authorErnesto Baschny <ernst@cron-it.de>
Fri, 21 Jan 2011 22:19:36 +0000 (22:19 +0000)
committerErnesto Baschny <ernst@cron-it.de>
Fri, 21 Jan 2011 22:19:36 +0000 (22:19 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@10231 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_pagerenderer.php
t3lib/extjs/class.t3lib_extjs_extdirectrouter.php

index 53ff11d..85d9d8b 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,7 @@
 
 2011-01-21  Ernesto Baschny  <ernst@cron-it.de>
 
+       * Fixed bug #17184: Disable the CSRF protection in ExtDirect calls coming from the frontend (Thanks to Stefan Galinski)
        * Fixed bug #17201: The unit test for t3lib_formprotection_BackendFormProtection is broken (Thanks to Helmut Hummel)
        * Follow-up to issue #15589: Move debug functions to own utility class, missing t3lib_div commit from original patch, and declared all relevant methods "static" (Thanks to Stefan Galinski)
        * Fixed issue #17065: Use Swift Mailer in core (t3lib_mail_*) and deprecate t3lib_htmlmail and related settings (Thanks to Jigal van Hemert)
index f49ef4e..ff6cd16 100644 (file)
@@ -945,9 +945,12 @@ class t3lib_PageRenderer implements t3lib_Singleton {
         * @return void
         */
        public function addExtDirectCode() {
-               $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
-               $token = $formprotection->generateToken('extDirect');
-               $formprotection->persistTokens();
+               $token = '';
+               if (TYPO3_MODE === 'BE') {
+                       $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
+                       $token = $formprotection->generateToken('extDirect');
+                       $formprotection->persistTokens();
+               }
 
                        // Note: we need to iterate thru the object, because the addProvider method
                        // does this only with multiple arguments
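Review bot: The predicate used here to decide whether a token is emitted, `TYPO3_MODE === 'BE'`, is not the predicate the router uses to decide whether one is demanded, `is_object($GLOBALS['BE_USER'])`; if the two can disagree (a frontend request that nonetheless has a backend user object initialised, for instance — not visible from here), this page emits an empty `$token` while the router validates and rejects the call. Derive both from one condition, or at least document the coupling on the new `if`: `// Must mirror the BE_USER check in t3lib_extjs_ExtDirectRouter: a token is only generated here when one will be validated there.` Note that `addExtDirectCode()` continues past the hunk, so where the empty `$token` ends up on the client side cannot be checked from this view.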
index d9bbadf..5c6c90b 100644 (file)
@@ -77,7 +77,8 @@ class t3lib_extjs_ExtDirectRouter {
                        $request = array($request);
                }
 
-               $validToken = FALSE;
+               $backendUserExists = is_object($GLOBALS['BE_USER']);
+               $validToken = !$backendUserExists;
                $firstCall = TRUE;
                foreach ($request as $index => $singleRequest) {
                        $response[$index] = array(
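Review bot: `$validToken = !$backendUserExists;` makes every request without a backend user object pass the CSRF check unconditionally, so any ExtDirect provider reachable from the frontend is now left with no CSRF protection at all rather than a frontend-appropriate token, and the bypass keys on the absence of a backend user rather than on the request actually being a frontend one. That trade-off should be stated at the assignment: `// No backend user => frontend context: these calls are not CSRF-protected (bug #17184); frontend providers must not perform state changes on the strength of the session alone.` Separately, `is_object($GLOBALS['BE_USER'])` raises an undefined-index notice when the key is absent entirely, so unless `BE_USER` is guaranteed to be set in every context that routes here (not visible from this hunk), prefer `$backendUserExists = isset($GLOBALS['BE_USER']) && is_object($GLOBALS['BE_USER']);`. The enclosing method starts before the hunk.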
@@ -87,7 +88,7 @@ class t3lib_extjs_ExtDirectRouter {
                        );
 
                        $token = array_pop($singleRequest->data);
-                       if ($firstCall) {
+                       if ($firstCall && $backendUserExists) {
                                $firstCall = FALSE;
                                $formprotection = t3lib_formprotection_Factory::get('t3lib_formprotection_BackendFormProtection');
                                $validToken = $formprotection->validateToken($token, 'extDirect');
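Review bot: `$token = array_pop($singleRequest->data);` still runs for every request, including the new no-backend-user path where nothing validates it, so the last element of each call's data is discarded unconditionally; whether the frontend client appends a placeholder token that makes this harmless is not visible here. If it does not, a real argument is silently dropped and the pop should be gated the same way, `$token = $backendUserExists ? array_pop($singleRequest->data) : NULL;`; if it does, a one-line comment saying the client always appends a (possibly empty) token would stop the next reader from asking the same question. The enclosing method starts before the hunk.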