[BUGFIX] Prevent backend cookie set in frontend 39/41939/5
authorNicole Cordes <typo3@cordes.co>
Fri, 24 Jul 2015 20:14:20 +0000 (22:14 +0200)
committerHelmut Hummel <helmut.hummel@typo3.org>
Mon, 27 Jul 2015 08:17:10 +0000 (10:17 +0200)
If you have an enabled rsaauth, the frontend login gets hashed before
sending the data. Due to a request to an ajax handler in rsaauth,
a backend user cookie is set in frontend mode as well.
This patch re-adds an eID script for frontend calls to prevent
unnecessary cookies.

Resolves: #68525
Releases: master
Change-Id: I67a12e617aaa766e839f3a9b6b535a5618236ecb
Reviewed-on: http://review.typo3.org/41939
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/core/Documentation/Changelog/master/Deprecation-67932-DeprecatedOldRsaauthApi.rst
typo3/sysext/rsaauth/Classes/Controller/RsaPublicKeyGenerationController.php [new file with mode: 0644]
typo3/sysext/rsaauth/Classes/RsaEncryptionEncoder.php
typo3/sysext/rsaauth/Resources/PHP/FrontendLoginRsaPublicKey.php [deleted file]
typo3/sysext/rsaauth/ext_localconf.php

index 1c1e903..c1085d7 100644 (file)
@@ -5,8 +5,8 @@ Deprecation: #67932 - Deprecated old rsaauth encryption API
 Description
 ===========
 
-The rsaauth API was rebuilt to be more generic. Therefore the Ajax Handler ``BackendLogin::getRsaPublicKey`` and
-the eID script ``FrontendLoginRsaPublicKey`` were marked as deprecated.
+The rsaauth API was rebuilt to be more generic. Therefore the Ajax Handler ``BackendLogin::getRsaPublicKey`` was marked as
+deprecated and the eID script ``FrontendLoginRsaPublicKey`` was removed.
 
 
 Affected Installations
@@ -18,4 +18,6 @@ Any installation using one of the entry points above in a third-party extension.
 Migration
 =========
 
-There is no reason to use the entry points on your own anymore. Please update your scripts to use the new rsaauth API.
+There is no reason to use the entry points on your own anymore. Please update your scripts to use the new rsaauth API. For backend
+request you should use the provided ajax handler ``RsaEncryption::getRsaPublicKey``. For frontend request you should use the
+provided eID script ``RsaPublicKeyGenerationController``.
diff --git a/typo3/sysext/rsaauth/Classes/Controller/RsaPublicKeyGenerationController.php b/typo3/sysext/rsaauth/Classes/Controller/RsaPublicKeyGenerationController.php
new file mode 100644 (file)
index 0000000..9818af1
--- /dev/null
@@ -0,0 +1,53 @@
+<?php
+namespace TYPO3\CMS\Rsaauth\Controller;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Core\Http\ControllerInterface;
+use TYPO3\CMS\Core\Http\Response;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Rsaauth\Backend\BackendFactory;
+use TYPO3\CMS\Rsaauth\Storage\StorageFactory;
+
+/**
+ * eID script "RsaPublicKeyGenerationController" to generate an rsa key
+ */
+class RsaPublicKeyGenerationController implements ControllerInterface {
+
+       /**
+        * @param ServerRequestInterface $request
+        * @return Response
+        */
+       public function processRequest(ServerRequestInterface $request) {
+               /** @var Response $response */
+               $response = GeneralUtility::makeInstance(Response::class);
+               /** @var \TYPO3\CMS\Rsaauth\Backend\AbstractBackend $backend */
+               $backend = BackendFactory::getBackend();
+               if ($backend === NULL) {
+                       // add a HTTP 500 error code, if an error occurred
+                       return $response->withStatus(500);
+               }
+
+               $keyPair = $backend->createNewKeyPair();
+               $storage = StorageFactory::getStorage();
+               $storage->put($keyPair->getPrivateKey());
+               session_commit();
+               $content = $keyPair->getPublicKeyModulus() . ':' . sprintf('%x', $keyPair->getExponent()) . ':';
+               $response->getBody()->write($content);
+
+               return $response;
+       }
+
+}
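Review bot: The body written by `$response->getBody()->write($content)` is a bare `modulus:exponent:` string, but processRequest() never sets a Content-Type and its docblock does not state that wire format or the side effect of persisting the private key and committing the session. Return `$response->withHeader('Content-Type', 'text/plain; charset=utf-8')` instead of the bare `$response`, and extend the docblock with a sentence saying the body is `<modulus>:<hex exponent>:` and that the matching private key is stored via StorageFactory before `session_commit()`. Because the key pair is bound to the caller's session, the response must not be served from a shared cache either; unless the eID dispatcher already emits it, add `Cache-Control: no-store` the same way.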
index 69332cf..35997d4 100644 (file)
@@ -52,7 +52,7 @@ class RsaEncryptionEncoder implements SingletonInterface {
                        $pageRenderer->loadRequireJsModule('TYPO3/CMS/Rsaauth/RsaEncryptionModule');
                } else {
                        // Register ajax handler url
-                       $code = 'var TYPO3RsaEncryptionPublicKeyUrl = ' . GeneralUtility::quoteJSvalue(BackendUtility::getAjaxUrl('RsaEncryption::getRsaPublicKey')) . ';';
+                       $code = 'var TYPO3RsaEncryptionPublicKeyUrl = ' . GeneralUtility::quoteJSvalue(GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . 'index.php?eID=RsaPublicKeyGenerationController') . ';';
                        $pageRenderer->addJsInlineCode('TYPO3RsaEncryptionPublicKeyUrl', $code);
                        $javascriptPath = ExtensionManagementUtility::siteRelPath('rsaauth') . 'Resources/Public/JavaScript/';
                        if (!$GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['debug']) {
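Review bot: The eID name `RsaPublicKeyGenerationController` is now a string literal in this URL and again as the `eID_include` key in ext_localconf.php, so renaming either side silently breaks the frontend login with no error at registration time. A class constant on the controller (e.g. `RsaPublicKeyGenerationController::EID`, name constructed) referenced from both places would keep them in step. If `BackendUtility::getAjaxUrl` was this file's only use of `BackendUtility`, its `use` import is now dead and can be dropped. The enclosing method begins and ends outside the hunk.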
diff --git a/typo3/sysext/rsaauth/Resources/PHP/FrontendLoginRsaPublicKey.php b/typo3/sysext/rsaauth/Resources/PHP/FrontendLoginRsaPublicKey.php
deleted file mode 100644 (file)
index 73288b3..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-<?php
-defined('TYPO3_MODE') or die();
-
-/*
- * This file is part of the TYPO3 CMS project.
- *
- * It is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License, either version 2
- * of the License, or any later version.
- *
- * For the full copyright and license information, please read the
- * LICENSE.txt file that was distributed with this source code.
- *
- * The TYPO3 project - inspiring people to share!
- */
-
-\TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog(
-       'The generation of the RSA public key was moved to the ajax handler \'RsaEncryptionEncoder::getRsaPublicKey\'. Please use the rsaauth api to encrypt your form fields. This script will be removed in TYPO3 CMS 8.'
-);
-
-/** @var \TYPO3\CMS\Rsaauth\Backend\AbstractBackend $backend */
-$backend = \TYPO3\CMS\Rsaauth\Backend\BackendFactory::getBackend();
-if ($backend !== NULL) {
-       $keyPair = $backend->createNewKeyPair();
-       $storage = \TYPO3\CMS\Rsaauth\Storage\StorageFactory::getStorage();
-       $storage->put($keyPair->getPrivateKey());
-       session_commit();
-
-       echo $keyPair->getPublicKeyModulus() . ':' . sprintf('%x', $keyPair->getExponent()) . ':';
-}
index ea37b58..e1f09ae 100644 (file)
@@ -38,7 +38,7 @@ $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_befunc.php']['displ
 );
 
 // eID for FrontendLoginRsaPublicKey
-$GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']['FrontendLoginRsaPublicKey'] = 'EXT:rsaauth/Resources/PHP/FrontendLoginRsaPublicKey.php';
+$GLOBALS['TYPO3_CONF_VARS']['FE']['eID_include']['RsaPublicKeyGenerationController'] = \TYPO3\CMS\Rsaauth\Controller\RsaPublicKeyGenerationController::class;
 
 \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class)->connect(
        \TYPO3\CMS\Backend\LoginProvider\UsernamePasswordLoginProvider::class,
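Review bot: The comment `// eID for FrontendLoginRsaPublicKey` directly above the changed line still names the eID this commit deletes, while the key registered below it is now `RsaPublicKeyGenerationController`. Update it to `// eID for RsaPublicKeyGenerationController (frontend RSA public key generation, replaces FrontendLoginRsaPublicKey)` so the registration and its comment agree.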