[SECURITY] Prevent editor controlled hmac content 82/26182/2
authorFranz G. Jahn <franzjahn@cron-it.de>
Tue, 10 Dec 2013 09:51:17 +0000 (10:51 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:51:22 +0000 (10:51 +0100)
An HMAC of the editor-controlled auto respond message was used to verify
the correctness of this message on submit. To prevent this, we add an
additional secret.

Fixes: #45043
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
(cherry picked from commit 66013e46f09b38343ac22d9e231328966bff0c6e)
Security-Commit: fa5bdd2ac518555f21ec857dc31d2991a1e937ad
Security-Bulletin: TYPO3-CORE-SA-2013-004

Change-Id: I66b1ddc379577fc3ed67012384a15c38a6b76a03
Reviewed-on: https://review.typo3.org/26182
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_formmail.php
typo3/sysext/cms/tslib/content/class.tslib_content_form.php

index 2a506e2..700158d 100644 (file)
@@ -157,7 +157,7 @@ class t3lib_formmail {
                        if ($this->autoRespondMessage !== '') {
                                        // Check if the value of the auto responder message has been modified with evil intentions
                                $autoRespondChecksum = $valueList['auto_respond_checksum'];
-                               $correctHmacChecksum = t3lib_div::hmac($this->autoRespondMessage);
+                               $correctHmacChecksum = t3lib_div::hmac($this->autoRespondMessage, 'content_form');
                                if ($autoRespondChecksum !== $correctHmacChecksum) {
                                        t3lib_div::sysLog('Possible misuse of t3lib_formmail auto respond method. Subject: ' . $valueList['subject'],
                                                'Core',
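Review bot: The check on the line after the changed one, `if ($autoRespondChecksum !== $correctHmacChecksum)`, is an ordinary string comparison that stops at the first differing byte, so verification time depends on how much of the submitted value matches; a constant-time compare such as `if (!hash_equals($correctHmacChecksum, (string) $autoRespondChecksum))` is the usual mitigation (hash_equals() is PHP 5.6+, so the older branches this commit targets would need a small polyfill). The added `'content_form'` argument only helps if t3lib_div::hmac() actually folds it into the keyed hash alongside the installation key; that cannot be confirmed from this hunk. Separately, `$valueList['auto_respond_checksum']` is read without an `isset()` guard, so a submission that omits the field emits a notice before the comparison fails closed — `$autoRespondChecksum = isset($valueList['auto_respond_checksum']) ? $valueList['auto_respond_checksum'] : '';` would keep the fail-closed behaviour without the notice. The enclosing method starts and ends outside the hunk.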
index 0d0230c..600665f 100644 (file)
@@ -514,7 +514,7 @@ class tslib_content_Form extends tslib_content_Abstract {
                                                        // If this form includes an auto responder message, include a HMAC checksum field
                                                        // in order to verify potential abuse of this feature.
                                                if (strlen($value) && t3lib_div::inList($confData['fieldname'], 'auto_respond_msg')) {
-                                                       $hmacChecksum = t3lib_div::hmac($value);
+                                                       $hmacChecksum = t3lib_div::hmac($value, 'content_form');
                                                        $hiddenfields .= sprintf(
                                                                '<input type="hidden" name="auto_respond_checksum" id="%sauto_respond_checksum" value="%s" />',
                                                                $prefix,
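Review bot: The literal `'content_form'` added here must stay byte-identical to the one passed in t3lib_formmail (the first file of this commit), because the checksum is generated here and verified there, and nothing in the code ties the two sides together; a class constant on the verifying class, used as `t3lib_div::hmac($value, t3lib_formmail::AUTO_RESPOND_HMAC_SECRET)`, would make that coupling explicit. Since the string lives in public source it acts as a domain separator that keeps an HMAC produced by another hmac() caller from being accepted for this field, not as a secret in its own right — presumably the real secret is the installation key t3lib_div::hmac() uses, which this hunk does not show. A one-line comment above the changed line, `// Second argument domain-separates this HMAC from other hmac() users; it is not itself secret`, would stop a future maintainer from changing it on one side only. The enclosing method starts and ends outside the hunk.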
@@ -884,4 +884,4 @@ if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLA
        include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['tslib/content/class.tslib_content_form.php']);
 }
 
-?>
\ No newline at end of file
+?>