[SECURITY] Avoid creation of backend users without password 35/59535/2
author Benni Mack <benni@typo3.org>
Tue, 22 Jan 2019 08:42:53 +0000 (09:42 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 22 Jan 2019 08:42:56 +0000 (09:42 +0100)
commit f6e0f545401a1b039a54605dba2d7afa5a6477e2
tree 227890a2d5a6b76501079c7bef045f6a09034825
parent da6d0adf500cc933e01f4beda8db26669beaefb6
[SECURITY] Avoid creation of backend users without password

When using FormEngine it is possible to create a Backend User
without setting a password (or username), which could lead to
issues when using third-party authentication providers.

A hook within DataHandler ensures to set a random username
and/or password if the data is handed into DataHandler without
proper data. Besides that new backend users are disabled per
default and have to be enabled manually.

Resolves: #80269
Releases: master, 9.5, 8.7
Security-Commit: f8a9edfed26ad48d13564ea99f27e0846671841c
Security-Bulletin: TYPO3-CORE-SA-2019-002
Change-Id: Ic1d84010717e3ac056f447fd373b31bbce8f65c6
Reviewed-on: https://review.typo3.org/59535
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Hooks/BackendUserPasswordCheck.php [new file with mode: 0644]
typo3/sysext/core/Configuration/TCA/be_users.php
typo3/sysext/core/ext_localconf.php
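
The safeguard the commit message describes, sketched as an added stand-alone example (this is not the code of BackendUserPasswordCheck.php and uses no TYPO3 API). The function name `hardenNewBackendUser`, the prefix `autogenerated-` and the sample record are assumptions made for illustration; the `disable` column name is assumed from the be_users table.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not TYPO3 API): normalise the field array of a record
 * that is about to be created, so that no backend user is stored with an
 * empty username or an empty password.
 */
function hardenNewBackendUser(string $status, string $table, array $fields): array
{
    // Only brand-new backend user records are touched.
    if ($table !== 'be_users' || $status !== 'new') {
        return $fields;
    }

    // Missing or blank username: substitute an unguessable placeholder name.
    if (trim((string)($fields['username'] ?? '')) === '') {
        $fields['username'] = 'autogenerated-' . bin2hex(random_bytes(10));
    }

    // Missing or empty password: store the hash of a random secret that is
    // discarded immediately, so an empty password can never match.
    // (Hashing of a password the caller did supply is out of scope here.)
    if ((string)($fields['password'] ?? '') === '') {
        $fields['password'] = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
    }

    // New accounts start disabled unless the caller set the flag explicitly.
    $fields['disable'] = (int)($fields['disable'] ?? 1);

    return $fields;
}

// Constructed sample input: a record submitted without any credentials.
$record = hardenNewBackendUser('new', 'be_users', ['realName' => 'Jane Doe']);

printf("username: %s\n", $record['username']);
printf("disabled: %d\n", $record['disable']);
// An empty password must not verify against the stored hash.
var_dump(password_verify('', $record['password']));

// Other tables and updates of existing users pass through unchanged.
var_dump(hardenNewBackendUser('update', 'be_users', ['username' => '']) === ['username' => '']);
```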