Commit a2074903 authored by Helmut Hummel, committed by Wouter Wolters

[SECURITY] Disallow unauthorized module access

Changing the module dispatcher URL from mod.php to index.php introduced a potential security leak,
as some modules could be called even with no user authenticated.

Fix and harden the checks in the module dispatcher to avoid that.

Resolves: #68232
Related: #68183
Releases: master
Change-Id: I60e91c654c6844cd60c2699418e7d816b355c928
Reviewed-on: http://review.typo3.org/41477


Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
parent 0e589aa0
......@@ -114,11 +114,12 @@ class Application implements ApplicationInterface {
protected function defineAdditionalEntryPointRelatedConstants() {
$currentScript = GeneralUtility::getIndpEnv('SCRIPT_NAME');
// activate "AJAX" handler when called with the GET variable ajaxID
if (GeneralUtility::_GET('ajaxID') !== NULL) {
// Activate "AJAX" handler when called with the GET variable ajaxID
if (!empty(GeneralUtility::_GET('ajaxID'))) {
$GLOBALS['TYPO3_AJAX'] = TRUE;
} elseif (GeneralUtility::_GET('ajaxID') === NULL && substr($currentScript, -16) === '/typo3/index.php') {
// allow backend login to work
// The following check is security relevant! DO NOT REMOVE!
} elseif (empty(GeneralUtility::_GET('M')) && substr($currentScript, -16) === '/typo3/index.php') {
// Allow backend login to work, disallow module access without authenticated backend user
define('TYPO3_PROCEED_IF_NO_USER', 1);
}
}
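Review bot: The new `} elseif (empty(GeneralUtility::_GET('M')) && substr($currentScript, -16) === '/typo3/index.php') {` relies on `empty()`, which also treats the string `'0'` as "no module", so a request carrying `M=0` still gets `TYPO3_PROCEED_IF_NO_USER` defined; whether such a request can then reach a module depends on the request handler's own check, which is outside this hunk. Because this constant is what lets a request continue without an authenticated backend user, the absent-or-blank test should be exact: read `$moduleName = GeneralUtility::_GET('M');` next to `$currentScript` and use `} elseif (($moduleName === NULL || $moduleName === '') && substr($currentScript, -16) === '/typo3/index.php') {`. The same truthiness caveat applies to `!empty(GeneralUtility::_GET('ajaxID'))`, where `ajaxID=0` now falls through to the login branch instead of activating the AJAX handler as the old `!== NULL` test did. The "DO NOT REMOVE" comment would serve a future reader better if it said what is being protected, e.g. `// TYPO3_PROCEED_IF_NO_USER lets the request continue without an authenticated backend user; it must only be set for the login form, never when a module (M) or an AJAX call is requested.`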
......@@ -16,6 +16,7 @@ namespace TYPO3\CMS\Backend\Http;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Core\Bootstrap;
use TYPO3\CMS\Core\FormProtection\BackendFormProtection;
use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
use TYPO3\CMS\Core\Exception;
use TYPO3\CMS\Core\Http\RequestHandlerInterface;
......@@ -132,7 +133,9 @@ class BackendModuleRequestHandler implements RequestHandlerInterface {
* @return bool
*/
protected function isValidModuleRequest() {
return $this->getFormProtection()->validateToken((string)$this->request->getQueryParams()['moduleToken'], 'moduleCall', (string)$this->request->getQueryParams()['M']);
return
$this->getFormProtection() instanceof BackendFormProtection
&& $this->getFormProtection()->validateToken((string)$this->request->getQueryParams()['moduleToken'], 'moduleCall', (string)$this->request->getQueryParams()['M']);
}
/**
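Review bot: The added `$this->getFormProtection() instanceof BackendFormProtection` uses the concrete class of the form-protection object as a stand-in for "a backend user is authenticated", which only holds as long as the factory never hands out a `BackendFormProtection` for an unauthenticated request (presumably its behaviour, but not visible in this hunk); the intent would be clearer, and the factory called once, with `$formProtection = $this->getFormProtection();` followed by `return $formProtection instanceof BackendFormProtection && $formProtection->validateToken((string)$this->request->getQueryParams()['moduleToken'], 'moduleCall', (string)$this->request->getQueryParams()['M']);`. The `(string)` casts on `getQueryParams()['moduleToken']` and `['M']` still emit a notice when a key is missing and turn an array parameter into the string `"Array"`; an `isset()` check on both keys that returns `FALSE` before the token comparison keeps the handler quiet and fails closed. The docblock above `isValidModuleRequest()` (it starts before this hunk) could state the contract: `@return bool TRUE only when a BackendFormProtection instance is available and the moduleToken matches the requested module`.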