Added feature #16439: Use the form protection API to implement the CSRF protection...
authorErnesto Baschny <ernst@cron-it.de>
Wed, 17 Nov 2010 11:26:18 +0000 (11:26 +0000)
committerErnesto Baschny <ernst@cron-it.de>
Wed, 17 Nov 2010 11:26:18 +0000 (11:26 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@9441 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_beuserauth.php
typo3/sysext/install/Resources/Private/Templates/AlterPasswordForm.html
typo3/sysext/install/mod/class.tx_install.php
typo3/sysext/setup/mod/index.php

index 601f5bd..53442a6 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,7 @@
 
        * Added feature #16027: Let typolink honour secure filelink configuration
        * Added feature #16437: Introduce a form protection API (Thanks to the Security Team: Oliver Klee, Helmut Hummel)
+       * Added feature #16439: Use the form protection API to implement the CSRF protection in user setup and install tool (Thanks to the Security Team: Oliver Klee, Helmut Hummel)
 
 2010-11-17  Benjamin Mack  <benni@typo3.org>
 
index 38d1ef1..847b433 100644 (file)
@@ -391,6 +391,16 @@ class t3lib_beUserAuth extends t3lib_userAuthGroup {
 
                return $isUserAllowedToLogin;
        }
+
+       /**
+        * Logs out the current user and clears the form protection tokens.
+        */
+       public function logoff() {
+               t3lib_formProtection_Factory::get(
+                       't3lib_formprotection_BackendFormProtection'
+               )->clean();
+               parent::logoff();
+       }
 }
 
 
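Review bot: The override calls clean() before parent::logoff() without saying why the order matters; if the backend tokens are held in the user session that parent::logoff() discards, swapping the two lines would silently leave the tokens in place, so the ordering deserves a comment above the Factory call such as `// Clear the form tokens while the session is still available; parent::logoff() discards it.` The Factory call is also unconditional, so logoff() on a request with no authenticated user now depends on BackendFormProtection tolerating that state — presumably it does, but it is worth confirming.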
index c8fda8c..274130b 100644 (file)
@@ -23,6 +23,7 @@
                                        </li>
                                        <li class="t3-install-hidden">
                                                <input type="hidden" name="installToolPassword_md5" value="1" />
+                                               <input type="hidden" name="formToken" value="###FORMTOKEN###" />
                                        </li>
                                </ol>
                        </fieldset>
index 5b1a75f..45866d7 100755 (executable)
@@ -161,6 +161,8 @@ require_once(t3lib_extMgm::extPath('install') . 'updates/class.tx_coreupdates_fl
 /**
  * Install Tool module
  *
+ * $Id$
+ *
  * @author     Kasper Skårhøj <kasperYYYY@typo3.com>
  * @author     Ingmar Schlecht <ingmar@typo3.org>
  * @package TYPO3
@@ -220,6 +222,13 @@ class tx_install extends t3lib_install {
         */
        protected $session = NULL;
 
+       /**
+        * the form protection instance used for creating and verifying form tokens
+        *
+        * @var t3lib_formprotection_InstallToolFormProtection
+        */
+       protected $formProtection = NULL;
+
        var $menuitems = array(
                'config' => 'Basic Configuration',
                'database' => 'Database Analyser',
@@ -373,6 +382,11 @@ class tx_install extends t3lib_install {
                        if($this->redirect_url) {
                                t3lib_utility_Http::redirect($this->redirect_url);
                        }
+
+                       $this->formProtection = t3lib_formProtection_Factory::get(
+                               't3lib_formprotection_InstallToolFormProtection'
+                       );
+                       $this->formProtection->injectInstallTool($this);
                } else {
                        $this->loginForm();
                }
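Review bot: $this->formProtection is assigned only in the logged-in branch, yet the later hunks call it unconditionally — clean() in the logout case, persistTokens() at the end of the method that follows, and generateToken() when the password form is built — so any of those reached while the property is still NULL (for example if loginForm() returns instead of exiting) is a fatal method call on a non-object. Either obtain the instance before the if/else, or guard the later calls with `if ($this->formProtection !== NULL)`. The enclosing method starts and ends outside this hunk, so whether loginForm() exits cannot be checked here.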
@@ -527,6 +541,7 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                        TRUE,
                        TRUE
                );
+
                        // Send content to the page wrapper function
                $this->output($this->outputWrapper($content));
        }
@@ -753,6 +768,7 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                        if (is_file($enableInstallToolFile) && trim(file_get_contents($enableInstallToolFile)) !== 'KEEP_FILE') {
                                                unlink(PATH_typo3conf . 'ENABLE_INSTALL_TOOL');
                                        }
+                                       $this->formProtection->clean();
                                        $this->session->destroySession();
                                        t3lib_utility_Http::redirect($this->scriptSelf);
                                break;
@@ -906,6 +922,8 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                break;
                        }
                }
+
+               $this->formProtection->persistTokens();
        }
 
        /**
@@ -2104,13 +2122,24 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                                        $doit=1;
                                                                        if ($k=='BE' && $vk=='installToolPassword') {
                                                                                if ($value) {
-                                                                                       if (isset($_POST['installToolPassword_check']) && (!t3lib_div::_GP('installToolPassword_check') || strcmp(t3lib_div::_GP('installToolPassword_check'),$value))) {
-                                                                                               $doit=0;
-                                                                                               $this->errorMessages[] = '
-                                                                                                       The two passwords did not
-                                                                                                       match! The password was not
-                                                                                                       changed.
-                                                                                               ';
+                                                                                       if (isset($_POST['installToolPassword_check'])) {
+                                                                                               if (!$this->formProtection->validateToken(
+                                                                                                       (string) $_POST['formToken'],
+                                                                                                       'installToolPassword',
+                                                                                                       'change'
+                                                                                               )) {
+                                                                                                       $doit = FALSE;
+                                                                                                       break;
+                                                                                               }
+
+                                                                                               if (!t3lib_div::_GP('installToolPassword_check')
+                                                                                                       || strcmp(t3lib_div::_GP('installToolPassword_check'), $value)
+                                                                                               ) {
+                                                                                                       $doit = FALSE;
+                                                                                                       $this->errorMessages[]
+                                                                                                               = 'The two passwords did not ' .
+                                                                                                                       'match! The password was not changed.';
+                                                                                               }
                                                                                        }
                                                                                        if (t3lib_div::_GP('installToolPassword_md5'))  $value =md5($value);
                                                                                } else $doit=0;
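Review bot: `(string) $_POST['formToken']` reads the superglobal directly, which raises an undefined-index notice when the field is absent from the request, and it differs from the setup module in this same commit, which goes through `t3lib_div::_POST('formToken')`; use `(string) t3lib_div::_POST('formToken'),` here as well. On a token failure the new branch sets $doit to FALSE and breaks out of the loop without appending to $this->errorMessages, unlike the password-mismatch branch directly below it — unless validateToken() reports the failure through the injected install tool, the user gets no explanation of why the password was not changed. The enclosing loop and method start and end outside this hunk.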
@@ -7964,7 +7993,10 @@ $out="
                        'action' => $this->scriptSelf.'?TYPO3_INSTALL[type]=extConfig',
                        'enterPassword' => 'Enter new password:',
                        'enterAgain' => 'Enter again:',
-                       'submit' => 'Set new password'
+                       'submit' => 'Set new password',
+                       'formToken' => $this->formProtection->generateToken(
+                               'installToolPassword', 'change'
+                       ),
                );
                        // Fill the markers
                $content = t3lib_parsehtml::substituteMarkerArray(
@@ -8319,6 +8351,20 @@ $out="
                $bytes = t3lib_div::generateRandomBytes($keyLength);
                return substr(bin2hex($bytes), -96);
        }
+
+       /**
+        * Adds an error message that should be displayed.
+        *
+        * @param string $messageText
+        *        the text of the message to display, must not be empty
+        */
+       public function addErrorMessage($messageText) {
+               if ($messageText == '') {
+                       throw new InvalidArgumentException('$messageText must not be empty.');
+               }
+
+               $this->errorMessages[] = $messageText;
+       }
 }
 
 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/install/mod/class.tx_install.php']) {
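Review bot: addErrorMessage() tests `$messageText == ''` with a loose comparison, so a non-string argument is judged by PHP's loose rules (0 and NULL count as empty on this PHP version, '0' does not); since the parameter is documented as a string, compare strictly with `if ((string) $messageText === '') {`. The docblock should also record the failure mode with `@throws InvalidArgumentException if $messageText is empty`, so callers in the form protection class know the call can throw.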
index 98ebbee..cf8bc92 100755 (executable)
@@ -129,11 +129,10 @@ class SC_mod_user_setup_index {
 
        /**
         * If settings are submitted to _POST[DATA], store them
-        * NOTICE: This method is called before the template.php is included. See buttom of document
-        *
-        * @return      void
+        * NOTICE: This method is called before the template.php is included. See
+        * bottom of document.
         */
-       function storeIncomingData()    {
+       public function storeIncomingData() {
                /* @var $BE_USER t3lib_beUserAuth */
                global $BE_USER;
 
@@ -144,8 +143,14 @@ class SC_mod_user_setup_index {
                $storeRec = array();
                $fieldList = $this->getFieldsFromShowItem();
 
-               if (is_array($d))       {
-
+               $formProtection = t3lib_formProtection_Factory::get(
+                       't3lib_formprotection_BackendFormProtection'
+               );
+               if (is_array($d) && $formProtection->validateToken(
+                               (string) t3lib_div::_POST('formToken'),
+                               'BE user setup', 'edit'
+                       )
+               ) {
                                // UC hashed before applying changes
                        $save_before = md5(serialize($BE_USER->uc));
 
@@ -428,19 +433,22 @@ class SC_mod_user_setup_index {
 
                $this->content .= $this->doc->spacer(20) . $this->doc->getDynTabMenu($menuItems, 'user-setup', FALSE, FALSE, 0, 1, FALSE, 1, $this->dividers2tabs);
 
+               $formProtection = t3lib_formProtection_Factory::get(
+                       't3lib_formprotection_BackendFormProtection'
+               );
+               $formToken = $formProtection->generateToken('BE user setup', 'edit');
 
                        // Submit and reset buttons
                $this->content .= $this->doc->spacer(20);
                $this->content .= $this->doc->section('',
                        t3lib_BEfunc::cshItem('_MOD_user_setup', 'reset', $BACK_PATH) . '
                        <input type="hidden" name="simUser" value="'.$this->simUser.'" />
+                       <input type="hidden" name="formToken" value="' . $formToken . '" />
                        <input type="submit" name="data[save]" value="'.$LANG->getLL('save').'" />
                        <input type="submit" name="data[setValuesToDefault]" value="'.$LANG->getLL('resetConfiguration').'" onclick="return confirm(\''.$LANG->getLL('setToStandardQuestion').'\');" />
                        <input type="submit" name="data[clearSessionVars]" value="' . $LANG->getLL('clearSessionVars') . '"  onclick="return confirm(\'' . $LANG->getLL('clearSessionVarsQuestion') . '\');" />'
                );
 
-
-
                        // Notice
                $this->content .= $this->doc->spacer(30);
                $flashMessage = t3lib_div::makeInstance(
@@ -977,4 +985,6 @@ $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
 
+t3lib_formProtection_Factory::get('t3lib_formprotection_BackendFormProtection')
+       ->persistTokens();
 ?>
\ No newline at end of file