[SECURITY] Prevent persistent username in filesystem 81/49081/2
authorWouter Wolters <typo3@wouterwolters.nl>
Tue, 19 Jul 2016 10:17:58 +0000 (12:17 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:18:02 +0000 (12:18 +0200)
The language label for the refresh login popup already contains the
username and is persisted to the filesystem. Use
TYPO3.configuration.username and substitute it with JavaScript
instead, to prevent the information disclosure.

Resolves: #75933
Releases: master, 7.6, 6.2
Security-Commit: 0e7b21b3f455fef6703656889c43993976a4a6bc
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I14964781014b95d9753ad8d6ed79df5f25c1fa5c
Reviewed-on: https://review.typo3.org/49081
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Controller/BackendController.php
typo3/sysext/backend/Resources/Public/JavaScript/LoginRefresh.js

index 30cb953..10549fd 100644 (file)
@@ -479,7 +479,7 @@ class BackendController
             'waitTitle' => $lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.refresh_login_logging_in'),
             'refresh_login_failed' => $lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.refresh_login_failed'),
             'refresh_login_failed_message' => $lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.refresh_login_failed_message'),
-            'refresh_login_title' => sprintf($lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.refresh_login_title'), htmlspecialchars($this->getBackendUser()->user['username'])),
+            'refresh_login_title' => $lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.refresh_login_title'),
             'login_expired' => $lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.login_expired'),
             'refresh_login_username' => $lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.refresh_login_username'),
             'refresh_login_password' => $lang->sL('LLL:EXT:lang/locallang_core.xlf:mess.refresh_login_password'),
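Review bot: The new `refresh_login_title` line deliberately leaves the `%s` placeholder unexpanded, but nothing near it records why, so a later cleanup could reintroduce the `sprintf` with the username and re-create the disclosure. A short comment would pin the intent: `// keep the %s placeholder: the username is substituted client-side (LoginRefresh.js) so it is not written to the persisted language file`. Dropping the `htmlspecialchars` here is fine only as long as the JavaScript side inserts the username via `.text()` rather than as HTML, which is worth naming in that comment as well. The enclosing method starts and ends outside the hunk.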
index c298de1..dae798c 100644 (file)
@@ -204,7 +204,8 @@ define(['jquery', 'TYPO3/CMS/Backend/Notification', 'bootstrap'], function($, Ty
 
                LoginRefresh.$loginForm = LoginRefresh.generateModal(LoginRefresh.identifier.loginFormModal);
                LoginRefresh.$loginForm.addClass('t3-modal-notice');
-               LoginRefresh.$loginForm.find('.modal-header h4').text(TYPO3.LLL.core.refresh_login_title);
+               var refresh_login_title = String(TYPO3.LLL.core.refresh_login_title).replace('%s', TYPO3.configuration.username);
+               LoginRefresh.$loginForm.find('.modal-header h4').text(refresh_login_title);
                LoginRefresh.$loginForm.find('.modal-body').append(
                        $('<p />').text(TYPO3.LLL.core.login_expired),
                        $('<form />', {id: 'beLoginRefresh', method: 'POST', action: TYPO3.settings.ajaxUrls['login']}).append(
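Review bot: `String.prototype.replace` with a string pattern, as used on the new `var refresh_login_title` line, interprets `$&`, `$'` and similar `$`-sequences in the replacement string as special patterns, so a username containing them is rendered incorrectly; passing a function instead inserts the value literally: `var refresh_login_title = String(TYPO3.LLL.core.refresh_login_title).replace('%s', function() { return TYPO3.configuration.username; });`. It also replaces only the first `%s`, which is consistent with the single `sprintf` argument removed on the PHP side. The HTML escaping that the removed server-side `htmlspecialchars` provided now rests entirely on the `.text()` call on the following line; a comment there, `// keep .text(): the username is untrusted and no longer escaped server-side`, guards against a future switch to `.html()`. The enclosing function starts and ends outside the hunk.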