[BUGFIX] Use 403 header instead of 401 header 99/57399/3
author: Markus Klein <markus.klein@typo3.org>
Wed, 27 Jun 2018 17:00:12 +0000 (19:00 +0200)
committer: Markus Klein <markus.klein@typo3.org>
Mon, 10 Sep 2018 07:53:20 +0000 (09:53 +0200)
The usage of a 401 header must be accompanied by a valid
www-authenticate header, which does not support form-based logins.

Resolves: #85411
Releases: master, 8.7
Change-Id: I71062c58a7d846214f1fec41e78cce4ae72955f3
Reviewed-on: https://review.typo3.org/57399
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/backend/Configuration/SiteConfiguration/site_errorhandling.php
typo3/sysext/backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf
typo3/sysext/core/Classes/Resource/Hook/FileDumpEIDHookInterface.php
typo3/sysext/core/Documentation/Changelog/9.2/Feature-84581-SiteHandling.rst
typo3/sysext/install/Classes/Http/RequestHandler.php
typo3/sysext/install/Resources/Public/JavaScript/Modules/Router.js

index a86e450..5265fd6 100644 (file)
@@ -32,7 +32,6 @@ return [
                     'items' => [
                         ['LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorCode.404', '404'],
                         ['LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorCode.403', '403'],
-                        ['LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorCode.401', '401'],
                         ['LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorCode.500', '500'],
                         ['LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorCode.503', '503'],
                         ['LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorCode.0', '0'],
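Review bot: Dropping the '401' item from the select list leaves existing site configurations that already store `errorCode: '401'` with a value that no longer exists in `items`; the form will show an invalid selection rather than migrating it. Consider an upgrade wizard or a note in the changelog telling integrators to switch such entries to '403' (which is what this patch does for the documented example).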
index 6c0b47e..309aac2 100644 (file)
@@ -86,9 +86,6 @@
                        <trans-unit id="site_errorhandling.errorCode.403">
                                <source>403 (Forbidden)</source>
                        </trans-unit>
-                       <trans-unit id="site_errorhandling.errorCode.401">
-                               <source>401 (Unauthorized)</source>
-                       </trans-unit>
                        <trans-unit id="site_errorhandling.errorCode.500">
                                <source>500 (Internal Server Error)</source>
                        </trans-unit>
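Review bot: Removing the `site_errorhandling.errorCode.401` trans-unit is consistent with the item removal above, but any remaining reference to that LLL key elsewhere (extensions, other language files) will now render the raw key string; a quick grep for `errorCode.401` across the repository before merge would confirm nothing else depends on it.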
index 7bd301e..268c457 100644 (file)
@@ -23,7 +23,8 @@ interface FileDumpEIDHookInterface
     /**
      * Perform custom security/access when accessing file
      * Method should issue 403 if access is rejected
-     * or 401 if authentication is required
+     * or 401 if authentication is required via an authorized HTTP authorization scheme.
+     * A 401 header must be accompanied by a www-authenticate header!
      *
      * @param \TYPO3\CMS\Core\Resource\ResourceInterface $file
      */
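Review bot: The new wording "via an authorized HTTP authorization scheme" in the docblock is unclear; the point is that 401 is only valid together with a challenge, so something like "or 401 if authentication via an HTTP authentication scheme (RFC 7235) is required; a 401 response MUST carry a `WWW-Authenticate` header" reads better. Also use the canonical header casing `WWW-Authenticate` rather than `www-authenticate` so implementers copy the right name.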
index fd3eea6..bd7995e 100644 (file)
@@ -100,10 +100,10 @@ config.yaml
           # href to the content source to display (accepts both fully qualified URLs as well as TYPO3 internal link syntax
           errorContentSource: 't3://page?uid=8'
         -
-          errorCode: '401'
+          errorCode: '403'
           errorHandler: Fluid
           # Path to the Template File to show
-          errorFluidTemplate: 'EXT:my_extension/Resources/Private/Templates/ErrorPages/401.html'
+          errorFluidTemplate: 'EXT:my_extension/Resources/Private/Templates/ErrorPages/403.html'
           # Optional Templates root path
           errorFluidTemplatesRootPath: 'EXT:my_extension/Resources/Private/Templates/ErrorPages'
           # Optional Layouts root path
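Review bot: This edits the already published 9.2 changelog (`Changelog/9.2/Feature-84581-SiteHandling.rst`) to swap the 401 example for 403, but the removal of the '401' error-code option is itself a behavioural change for sites configured on 9.2 and deserves its own changelog entry (Important or Breaking) in the target version's folder, since nobody re-reads an old feature note to learn that an option disappeared.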
@@ -154,7 +154,7 @@ subset of TCA features is supported.
 In practice the configuration can be extended, but only with very simple fields like the basic config type :php:`input`,
 and even for this one not all features are possible, for example the :php:`eval` options are limited. The code throws
 exceptions or just ignores settings it does not support. While some of the limits may be relaxed a bit over time, many
-will be kept. The goal is to allow developers to extend the site configuration with a couple of simple things like 
+will be kept. The goal is to allow developers to extend the site configuration with a couple of simple things like
 an input field for a Google API key. However it is **not possible to extend with complex TCA** like inline relations,
 database driven select fields, Flex Form handling and similar.
 
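Review bot: This hunk only strips a trailing space after "like" and is unrelated to the 401/403 fix; harmless, but keeping whitespace cleanups out of a bugfix keeps the backport to 8.7 minimal.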
index cab7932..f2a6f3e 100644 (file)
@@ -171,7 +171,7 @@ class RequestHandler implements RequestHandlerInterface
                 || !$this->checkSessionLifetime($session)
                 || !$session->isAuthorized()
             ) {
-                return new HtmlResponse('', 401, ['WWW-Authenticate' => 'FormBased']);
+                return new HtmlResponse('', 403);
             }
             $session->refreshSession();
             if (!array_key_exists($controllerName, $this->controllers)) {
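Review bot: Replacing `401` plus the non-standard `WWW-Authenticate: FormBased` challenge with a plain `403` is the right call, since `FormBased` is not a registered authentication scheme and a 401 without a usable challenge is malformed; note though that the branch covers three distinct conditions (missing session, expired lifetime, not authorized) and the response body is empty, so the client can only distinguish "session problem" by status code. Consider at least a short body or a dedicated header so the JavaScript side does not have to treat every 403 as an expired session.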
index d4720f9..df271be 100644 (file)
@@ -211,7 +211,7 @@ define([
 
     handleAjaxError: function(xhr) {
       var message = '';
-      if (xhr.status === 401) {
+      if (xhr.status === 403) {
         // Install tool session expired - depending on context render error message or login
         var context = $(this.selectorBody).data('context');
         if (context === 'backend') {
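Review bot: `handleAjaxError` now keys solely on `xhr.status === 403`, so any 403 produced outside the install tool (a reverse proxy or web-server access rule in front of it) will be rendered as "Install tool session expired" and, depending on context, redirect to the login, which hides the real cause from the administrator. Since the server side in this patch returns an empty body, there is nothing else to check yet; pairing the 403 with a recognisable marker on the server and testing for it here would make the expired-session handling specific rather than catching every forbidden response.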