[SECURITY] Prevent editor controlled hmac content 23/26223/2
authorFranz G. Jahn <franzjahn@cron-it.de>
Tue, 10 Dec 2013 09:55:04 +0000 (10:55 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:55:08 +0000 (10:55 +0100)
An HMAC of the editor-controlled auto-responder message was used to verify
that this message had not been modified on submit. Because that HMAC was
computed without an additional secret, it is not bound to this specific
purpose; to prevent this, we add an additional secret to the HMAC.

Change-Id: I1551feebd4dd84abeb3fb098175384f425f605a9
Fixes: #45043
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 344975268f4b9eb4ce7c664958647b9268ea03a8
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26223
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/frontend/Classes/ContentObject/FormContentObject.php
typo3/sysext/frontend/Classes/Controller/DataSubmissionController.php

index a1dc133..45ddaf6 100644 (file)
@@ -385,7 +385,7 @@ class FormContentObject extends \TYPO3\CMS\Frontend\ContentObject\AbstractConten
                                                // If this form includes an auto responder message, include a HMAC checksum field
                                                // in order to verify potential abuse of this feature.
                                                if (strlen($value) && GeneralUtility::inList($confData['fieldname'], 'auto_respond_msg')) {
-                                                       $hmacChecksum = GeneralUtility::hmac($value);
+                                                       $hmacChecksum = GeneralUtility::hmac($value, 'content_form');
                                                        $hiddenfields .= sprintf('<input type="hidden" name="auto_respond_checksum" id="%sauto_respond_checksum" value="%s" />', $prefix, $hmacChecksum);
                                                }
                                                if (strlen($value) && GeneralUtility::inList('recipient_copy,recipient', $confData['fieldname']) && $GLOBALS['TYPO3_CONF_VARS']['FE']['secureFormmail']) {
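Review bot: The additional secret `'content_form'` is now a bare string literal that must stay byte-identical between this generator and the verifier in DataSubmissionController; any later drift would make every auto-responder submission silently fail the checksum (the mismatch path only logs and returns). A single shared constant would make that coupling explicit, e.g. `const AUTO_RESPOND_HMAC_SECRET = 'content_form';` on FormContentObject and `$hmacChecksum = GeneralUtility::hmac($value, self::AUTO_RESPOND_HMAC_SECRET);` here, with the controller referencing the same constant. A short comment above the call, such as `// The additional secret binds this HMAC to the auto-responder field so a checksum obtained elsewhere cannot be replayed here`, would also record why the second argument exists. The enclosing method starts and ends outside this hunk.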
index b28b3d2..e009928 100644 (file)
@@ -135,7 +135,7 @@ class DataSubmissionController {
                        if ($this->autoRespondMessage !== '') {
                                // Check if the value of the auto responder message has been modified with evil intentions
                                $autoRespondChecksum = $valueList['auto_respond_checksum'];
-                               $correctHmacChecksum = Utility\GeneralUtility::hmac($this->autoRespondMessage);
+                               $correctHmacChecksum = Utility\GeneralUtility::hmac($this->autoRespondMessage, 'content_form');
                                if ($autoRespondChecksum !== $correctHmacChecksum) {
                                        Utility\GeneralUtility::sysLog('Possible misuse of DataSubmissionController auto respond method. Subject: ' . $valueList['subject'], 'Core', Utility\GeneralUtility::SYSLOG_SEVERITY_ERROR);
                                        return;
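Review bot: The checksum comparison on the line following the changed one still uses `!==`, which is not constant-time, and `$valueList['auto_respond_checksum']` is read without an existence check, so a submission that omits the hidden field raises a notice before being rejected. On PHP 5.6 or newer the comparison can be `if (!hash_equals($correctHmacChecksum, (string)$autoRespondChecksum)) {` with `$autoRespondChecksum = isset($valueList['auto_respond_checksum']) ? (string)$valueList['auto_respond_checksum'] : '';` above it; since the listed releases include 4.5, the minimum PHP version may not provide hash_equals, in which case a polyfill or the existing strict comparison plus the isset guard is the fallback. The enclosing method starts and continues outside this hunk.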