[BUGFIX] Redirect BE user to login on invalid module/route token

Resolves: #69763
Releases: master, 7.6
Change-Id: I2d9e80b7c669c55067690aedf5a7c91256d7c28b
Reviewed-on: https://review.typo3.org/50660

Reviewed-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

typo3/sysext/backend/Classes/Http/RequestHandler.php

@@ -16,6 +16,7 @@ namespace TYPO3\CMS\Backend\Http;
 
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException;
 use TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException;
 use TYPO3\CMS\Core\Core\Bootstrap;
 use TYPO3\CMS\Core\Http\RequestHandlerInterface;
@@ -68,7 +69,14 @@ class RequestHandler implements RequestHandlerInterface
         $this->boot($pathToRoute === '/login');
 
         // Check if the router has the available route and dispatch.
-        return $this->dispatch($request);
+        try {
+            return $this->dispatch($request);
+
+        // When token was invalid redirect to login
+        } catch (InvalidRequestTokenException $e) {
+            $url = GeneralUtility::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir;
+            \TYPO3\CMS\Core\Utility\HttpUtility::redirect($url);
+        }
     }
 
     /**

typo3/sysext/backend/Classes/Http/RouteDispatcher.php

@@ -16,7 +16,7 @@ namespace TYPO3\CMS\Backend\Http;
 
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
-use TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException;
+use TYPO3\CMS\Backend\Routing\Exception\InvalidRequestTokenException;
 use TYPO3\CMS\Backend\Routing\Route;
 use TYPO3\CMS\Backend\Routing\Router;
 use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
@@ -46,7 +46,7 @@ class RouteDispatcher extends Dispatcher implements DispatcherInterface
         $route = $router->matchRequest($request);
         $request = $request->withAttribute('route', $route);
         if (!$this->isValidRequest($request)) {
-            throw new RouteNotFoundException('Invalid request for route "' . $route->getPath() . '"', 1425389455);
+            throw new InvalidRequestTokenException('Invalid request for route "' . $route->getPath() . '"', 1425389455);
         }
 
         $targetIdentifier = $route->getOption('target');

typo3/sysext/backend/Classes/Routing/Exception/InvalidRequestTokenException.php

+<?php
+namespace TYPO3\CMS\Backend\Routing\Exception;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+/**
+ * Exception thrown when request token was invalid
+ */
+class InvalidRequestTokenException extends \TYPO3\CMS\Core\Exception
+{
+}