Fixed bug #12458: Session fixation possibility in new sesion machanism of the install...
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:01:03 +0000 (09:01 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:01:03 +0000 (09:01 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@8365 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/install/mod/class.tx_install_session.php

index 8275878..827feca 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,7 @@
        * Fixed bug #14317: XSS in Extension Manager (thanks to Georg Ringer)
        * Fixed bug #13957: XSS in template analyzer (thanks to Georg Ringer)
        * Fixed bug #14215: XSS in beuser (thanks to Georg Ringer)
+       * Fixed bug #12458: Session fixation possibility in new sesion machanism of the install tool (thanks to Benjamin Mack, Helmut Hummel and Ernesto Baschny)
 
 2010-07-21  Ingo Renner  <ingo@typo3.org>
 
index 1a706e4..20f1bf0 100644 (file)
@@ -136,7 +136,8 @@ class tx_install_session {
         */
        public function startSession() {
                $_SESSION['created'] = time();
-               return session_id();
+                       // Be sure to use our own session id, so create a new one
+               return $this->renewSession();
        }
 
        /**
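Review bot: The value startSession() returns now depends on what renewSession() returns, and renewSession() is not in this hunk; callers previously received the result of session_id(), so renewSession() must return the new id rather than nothing, and the docblock closing just above the signature should say so, e.g. `@return string The newly generated session id`. Note also that `$_SESSION['created']` is written before the id is regenerated, so unless renewSession() discards the old session (session_regenerate_id() keeps the old session data unless it is called with `true`), the attacker-supplied id keeps a copy of that state until garbage collection; that is worth confirming in renewSession(). The docblock that precedes this method begins outside the hunk.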
@@ -202,6 +203,8 @@ class tx_install_session {
                $_SESSION['lastSessionId'] = time();
                $_SESSION['tstamp'] = time();
                $_SESSION['expires'] = (time() + ($this->expireTimeInMinutes*60));
+                       // Renew the session id to avoid session fixation
+               $this->renewSession();
        }
 
        /**
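Review bot: The session id is regenerated only after lastSessionId, tstamp and expires have been written, so if renewSession() regenerates without discarding the old session (session_regenerate_id() retains the old data unless called with `true`), the id the attacker fixed keeps a copy of this freshly refreshed state until garbage collection; renewSession() is not visible in this hunk, so that should be verified there, and moving `$this->renewSession();` ahead of the three assignments would at least keep the fixed id from receiving the new timestamps. A minor readability point: time() is called three times, so `$now = time();` once with `$_SESSION['expires'] = $now + ($this->expireTimeInMinutes * 60);` keeps tstamp and expires consistent across a second boundary. The enclosing method's signature and docblock start outside the hunk.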