Follow-up to #17153: Protect C(R)UD actions against CSRF - Add token to ExtDirect...
authorSteffen Kamper <info@sk-typo3.de>
Thu, 20 Jan 2011 23:14:55 +0000 (23:14 +0000)
committerSteffen Kamper <info@sk-typo3.de>
Thu, 20 Jan 2011 23:14:55 +0000 (23:14 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@10178 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_pagerenderer.php
t3lib/extjs/class.t3lib_extjs_extdirectrouter.php

index d8cf036..e9125f5 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,7 @@
 
 2011-01-20  Steffen Kamper  <steffen@typo3.org>
 
+       * Follow-up to #17153: Protect C(R)UD actions against CSRF - Add token to ExtDirect calls (Thanks to Stefan Galinski)
        * Fixed bug #17178: Rename extension "list" to "recordlist"
        * Fixed bug #17162: Missing localization in t3lib_tsstyleconfig
 
index 8c1ca71..f49ef4e 100644 (file)
@@ -963,6 +963,12 @@ class t3lib_PageRenderer implements t3lib_Singleton {
                                                        transaction.data = [token];
                                                }
                                        });
+
+                                       provider.on("call", function(provider, transaction, meta) {
+                                               if (transaction.isForm) {
+                                                       transaction.params.securityToken = token;
+                                               }
+                                       });
                                }
                        })();
 
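Review bot: The key name `securityToken` written into `transaction.params` on the new line is a contract shared with t3lib_extjs_ExtDirectRouter, which in the same commit strips that exact key from `$_POST` and re-appends it to the call data, but nothing in the listener records that coupling. A short comment above the new `provider.on("call", ...)` block would help the next maintainer, e.g. `// form transactions send POST fields, not transaction.data; the router moves this field back into the data array`. The `token` variable appears to be the same one the listener just above uses for `transaction.data`, but the enclosing IIFE and the PHP method emitting this JavaScript both start and end outside the hunk, so that is inferred rather than confirmed.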
@@ -1885,4 +1891,4 @@ class t3lib_PageRenderer implements t3lib_Singleton {
 if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_pagerenderer.php'])) {
        include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_pagerenderer.php']);
 }
-?>
\ No newline at end of file
+?>
index 2a66702..d9bbadf 100644 (file)
@@ -60,7 +60,10 @@ class t3lib_extjs_ExtDirectRouter {
                        $request->action = $postParameters['extAction'];
                        $request->method = $postParameters['extMethod'];
                        $request->tid = $postParameters['extTID'];
+
+                       unset($_POST['securityToken']);
                        $request->data = array($_POST + $_FILES);
+                       $request->data[] = $postParameters['securityToken'];
                } elseif (!empty($rawPostData)) {
                        $request = json_decode($rawPostData);
                } else {
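Review bot: The new `$request->data[] = $postParameters['securityToken'];` line reads the key unconditionally, so a form submission without that field (an older client or a hand-built request) raises an undefined-index notice and appends `null` to the call data instead of a definite empty token. Guard the read, `$request->data[] = isset($postParameters['securityToken']) ? $postParameters['securityToken'] : '';`, so the downstream token check always receives a string and can reject it cleanly. The `unset($_POST['securityToken'])` must also stay ahead of the `$_POST + $_FILES` line so the token is not forwarded as method input; the order is right here but the dependency is implicit and deserves a one-line comment. The enclosing method and the code that actually validates the token are outside the hunk, so I am assuming an empty token is rejected there.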
@@ -159,4 +162,4 @@ if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLA
        include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/extjs/class.t3lib_extjs_extdirectrouter.php']);
 }
 
-?>
\ No newline at end of file
+?>