[BUGFIX] Information disclosure during backend login
authorHelmut Hummel <helmut.hummel@typo3.org>
Wed, 27 Jul 2011 10:27:10 +0000 (12:27 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:28:28 +0000 (12:28 +0200)
Change-Id: I02e956d3cb41657f68475a3de861ed13fa8b0eb3
Resolves: #24456
Reviewed-on: http://review.typo3.org/3740
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_userauth.php
typo3/sysext/dbal
typo3/sysext/extbase
typo3/sysext/version
typo3/sysext/workspaces

index 81eb2d2..15a9e37 100644 (file)
@@ -199,6 +199,9 @@ abstract class t3lib_userAuth {
                        // Make certain that NO user is set initially
                $this->user = '';
 
+                       // We need a PHP session session for most login levels
+               session_start();
+
                        // Check to see if anyone has submitted login-information and if so register the user with the session. $this->user[uid] may be used to write log...
                $this->checkAuthentication();
 
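Review bot: The added `session_start();` in the first hunk runs on every call and its return value is ignored, although the comment above it says a session is needed only for "most login levels", and the one consumer visible here, the `$_SESSION['login_challenge']` comparison in the second hunk, is reached only when `$this->challengeStoredInCookie` is set. If the session cannot be started (for example because output has already been sent), the challenge check would compare against an unset value, and any warning PHP emits could expose server paths when error display is enabled. Consider guarding the call with `if (session_id() === '') { session_start(); }` and failing the login explicitly when no session is available. The new comment also repeats a word; suggest `// We need a PHP session for most login levels`. The enclosing method begins and ends outside the hunk, so whether a session may already be active at this point cannot be confirmed from here.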
@@ -1240,7 +1243,6 @@ abstract class t3lib_userAuth {
 
                                        // Check challenge stored in cookie:
                                if ($this->challengeStoredInCookie) {
-                                       session_start();
                                        if ($_SESSION['login_challenge'] !== $loginData['chalvalue']) {
                                                if ($this->writeDevLog) {
                                                        t3lib_div::devLog('PHP Session stored challenge "' . $_SESSION['login_challenge'] . '" and submitted challenge "' . $loginData['chalvalue'] . '" did not match, so authentication failed!', 't3lib_userAuth', 2);
index de88553..688b884 160000 (submodule)
@@ -1 +1 @@
-Subproject commit de8855392d499d4dfae432f655e5768607876376
+Subproject commit 688b884937bf1235211e8f44b4d9a59ef919b887
index 1f91233..cb40907 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 1f912339b0cf090619aa0d07cb185207040eb978
+Subproject commit cb40907bb6bcf902a41a2d8a583183c4c49f1791
index a0c4b87..9331443 160000 (submodule)
@@ -1 +1 @@
-Subproject commit a0c4b87a39a89af62866d0baaf8622ed5af59a13
+Subproject commit 9331443ce092313992b05fd4c3182861ed835d32
index 24c4ca6..b91dd03 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 24c4ca68663be14e1b1dd0b446a38cdad098f1ac
+Subproject commit b91dd03e87c2b3b82e5c595b83e1aaf8428c5632