-
Instead of storing session IDs with their corresponding storage backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB) is being used. HMAC-MD5 had to be chosen to avoid breaking changes for limited field size in database fields (32 characters currently). This change also allows a fallback to non-hashed-session values, meaning that * set() and update() will create new session records with the hashed identifier * get() contains a fallback to the non-hashed-version when no session with a hashed identifier is found Resolves: #91854 Releases: master, 10.4, 9.5 Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd Security-Bulletin: TYPO3-CORE-SA-2020-011 Security-References: CVE-2020-26228 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66664 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
13964141
