[BUGFIX] Enforce RSA encryption for re-login modal 78/49478/4
authorHelmut Hummel <info@helhum.io>
Sun, 14 Aug 2016 13:06:24 +0000 (15:06 +0200)
committerAndreas Fernandez <typo3@scripting-base.de>
Mon, 29 Aug 2016 12:54:38 +0000 (14:54 +0200)
The RsaEncryption and the LoginRefresh module are loaded
independently by requireJS, which means they are loaded
asynchronously. This means that either of those modules
may be initialized first.

However the RsaEncryption module scans the DOM for form elements
and the LoginRefresh inserts a form. This means if the RsaEncryption
is initialized first, then the form created by LoginRefresh
will not be intercepted, leading to the (heisen-)bug described.

This change enforces the loading order by adding the RsaEncryption
as dependency to LoginRefresh and registering the form manually,
to make sure it will be intercepted and passwords
will be transmitted encrypted.

Resolves: #75911
Releases: 7.6, master
Change-Id: Ib4aba70b3545f163a16a4eee62bed9e5a48b2fe7
Reviewed-on: https://review.typo3.org/49478
Tested-by: Bamboo TYPO3com <info@typo3.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
typo3/sysext/backend/Resources/Public/JavaScript/LoginRefresh.js
typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryptionModule.js

index dae798c..2bcd2cd 100644 (file)
@@ -16,7 +16,7 @@
  * Task that periodically checks if a blocking event in the backend occurred and
  * displays a proper dialog to the user.
  */
-define(['jquery', 'TYPO3/CMS/Backend/Notification', 'bootstrap'], function($, Typo3Notification) {
+define(['jquery', 'TYPO3/CMS/Backend/Notification', 'TYPO3/CMS/Rsaauth/RsaEncryptionModule', 'bootstrap'], function($, Typo3Notification, RsaEncryption) {
        /**
         *
         * @type {{identifier: {loginrefresh: string, lockedModal: string, loginFormModal: string}, options: {modalConfig: {backdrop: string}}, webNotification: null, intervalId: null, backendIsLocked: boolean, isTimingOut: boolean, $timeoutModal: string, $backendLockedModal: string, $loginForm: string, loginFramesetUrl: string, logoutUrl: string}}
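Review bot: Listing `TYPO3/CMS/Rsaauth/RsaEncryptionModule` in the `define` array makes it a hard dependency, so the `undefined !== RsaEncryption` guard added in the second hunk probably never sees `undefined`. If the module path cannot be resolved (for example when the rsaauth extension is not active, which is an assumption because the page does not show how the path is configured), requireJS would normally fail the whole `define` and LoginRefresh would not initialize at all. Either document the requirement with a comment above the `define`, such as `// RsaEncryptionModule must be loaded first so the re-login form can be registered for password encryption`, or load the module optionally through a nested `require([...], callback, errback)` so that the guard has a real meaning. The module body continues outside the hunk.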
@@ -224,8 +224,11 @@ define(['jquery', 'TYPO3/CMS/Backend/Notification', 'bootstrap'], function($, Ty
                                        LoginRefresh.$loginForm.find('form').submit();
                                })
                );
-
-               LoginRefresh.registerDefaultModalEvents(LoginRefresh.$loginForm).on('submit', LoginRefresh.submitForm);
+               var $LoginRefreshForm = LoginRefresh.$loginForm.find('#beLoginRefresh');
+               if (undefined !== RsaEncryption) {
+                       RsaEncryption.registerForm($LoginRefreshForm.get(0));
+               }
+               LoginRefresh.registerDefaultModalEvents($LoginRefreshForm).on('submit', LoginRefresh.submitForm);
 
                $('body').append(LoginRefresh.$loginForm);
        };
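Review bot: `registerDefaultModalEvents` is now called with the inner `#beLoginRefresh` form instead of the modal `LoginRefresh.$loginForm`; its body is not visible here, but if it binds Bootstrap modal events, those are triggered on the modal element and would no longer reach handlers bound on the child form. Keeping `LoginRefresh.registerDefaultModalEvents(LoginRefresh.$loginForm).on('submit', LoginRefresh.submitForm);` and passing only the form to `RsaEncryption.registerForm` would preserve the old binding. In addition, `$LoginRefreshForm.get(0)` is `undefined` when the selector matches nothing, and `registerForm` then dereferences `$._data(form, 'events').submit`; a guard such as `if (RsaEncryption && $LoginRefreshForm.length) {` avoids that. When the form is left unregistered the password is submitted without RSA encryption, so that branch deserves at least a console warning rather than a silent fall-through. The enclosing function begins outside the hunk.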
index 7d4d309..a6c5646 100644 (file)
@@ -19,8 +19,7 @@ define(['jquery', './RsaLibrary'], function($) {
        'use strict';
 
        /**
-        *
-        * @type {{$currentForm: null, fetchedRsaKey: boolean, initialize: Function, handleFormSubmitRequest: Function, handlePublicKeyResponse: Function}}
+        * @type {{$currentForm: null, fetchedRsaKey: boolean, initialize: Function, registerForm: Function, handleFormSubmitRequest: Function, handlePublicKeyResponse: Function}}
         * @exports TYPO3/CMS/Rsaauth/RsaEncryptionModule
         */
        var RsaEncryption = {
@@ -36,24 +35,23 @@ define(['jquery', './RsaLibrary'], function($) {
                fetchedRsaKey: false,
 
                /**
-                * Replace event handler of submit button
+                * Replace event handler of submit button for given form
+                *
+                * @param {Form} form Form DOM object
                 */
-               initialize: function() {
-                       $(':input[data-rsa-encryption]').closest('form').each(function() {
-                               var $this = $(this);
+               registerForm: function(form) {
+                       var $form = $(form);
 
-                               // Store the original submit handler that is executed later
-                               $this.data('original-onsubmit', $this.attr('onsubmit'));
+                       // Store the original submit handler that is executed later
+                       $form.data('original-onsubmit', $form.attr('onsubmit'));
 
-                               // Remove the original submit handler and register RsaEncryption.handleFormSubmitRequest instead
-                               $this.removeAttr('onsubmit').on('submit', RsaEncryption.handleFormSubmitRequest);
+                       // Remove the original submit handler and register RsaEncryption.handleFormSubmitRequest instead
+                       $form.removeAttr('onsubmit').on('submit', RsaEncryption.handleFormSubmitRequest);
 
-                               // Bind submit event first (this is a dirty hack with jquery internals, but there is no way around that)
-                               var handlers = $._data(this, 'events').submit;
-                               var handler = handlers.pop();
-                               handlers.unshift(handler);
-                       });
-                       rng_seed_time();
+                       // Bind submit event first (this is a dirty hack with jquery internals, but there is no way around that)
+                       var handlers = $._data(form, 'events').submit;
+                       var handler = handlers.pop();
+                       handlers.unshift(handler);
                },
 
                /**
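Review bot: `registerForm` is not idempotent, and after this commit a form can reach it twice: once from the manual call in LoginRefresh.js and once from the DOM scan in `initialize` (last hunk) if the form contains a `data-rsa-encryption` input. A second call overwrites `original-onsubmit` with `undefined`, because the attribute was already removed, and binds `handleFormSubmitRequest` again; what a double run of that handler does to the password field is not visible here. An early return such as `if ($form.data('rsa-registered')) { return; }` followed by `$form.data('rsa-registered', true);` would make repeated registration harmless (the data key is a constructed example). The JSDoc type would also be more precise as `{HTMLFormElement}` than `{Form}`.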
@@ -133,6 +131,16 @@ define(['jquery', './RsaLibrary'], function($) {
                }
        };
 
+       /**
+        * Search for forms and add event handler
+        */
+       RsaEncryption.initialize = function() {
+               $(':input[data-rsa-encryption]').closest('form').each(function() {
+                       RsaEncryption.registerForm(this);
+               });
+               rng_seed_time();
+       };
+
        $(RsaEncryption.initialize);
 
        return RsaEncryption;