• ohader's avatar
    [SECURITY] Protect persisted session IDs from being used directly · 13964141
    ohader authored and ohader's avatar ohader committed
    Instead of storing session IDs with their corresponding storage
    backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB)
    is being used. HMAC-MD5 had to be chosen to avoid breaking changes
    for limited field size in database fields (32 characters currently).
    This change also allows a fallback to non-hashed-session values,
    meaning that
    * set() and update() will create new session records with the hashed
    * get() contains a fallback to the non-hashed-version when no session
      with a hashed identifier is found
    Resolves: #91854
    Releases: master, 10.4, 9.5
    Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd
    Security-Bulletin: TYPO3-CORE-SA-2020-011
    Security-References: CVE-2020-26228
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66664
    Tested-by: default avatarOliver Hader <oliver.hader@typo3.org>
    Reviewed-by: default avatarOliver Hader <oliver.hader@typo3.org>