Instead of only checking for valid request arguments by using a hmac, we now check the complete request including action, controller and vendor to avoid spoofing these arguments and bypassing other security checks during forwarding to the referring action.

Additionally, ReferringRequest is now separate from regular Request. The meaning of properties starting with "@" is only valid for processing a referring request. To avoid mixed concerns in using the same Request implementation for regular requests and referring requests, they are separated now.

Resolves: #76231
Resolves: #76256
Releases: master, 7.6, 6.2
Security-Commit: 3562e177f1720e62cab84232dcc67c580a3cc3db
Security-Bulletin: TYPO3-CORE-SA-2016-013
Change-Id: Idaed1d782168b20c3654304562d3a04047c8f234
Reviewed-on: https://review.typo3.org/48257
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
404f09d4
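
The difference between authenticating only the arguments and authenticating the complete referring request, as an added PHP example. It is not TYPO3's code and not part of this commit. The key, the field names and the function names are hypothetical, and the referrer data is constructed.

```php
<?php
declare(strict_types=1);

// Constructed demo key (assumption); a real application loads its secret from configuration.
const DEMO_KEY = 'constructed-demo-key-not-a-real-secret';

/** Sort keys at every level so equal data always serializes to the same string. */
function sortRecursive(array $data): array
{
    ksort($data);
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = sortRecursive($value);
        }
    }
    return $data;
}

/** Weak variant for contrast: the MAC covers the arguments and nothing else. */
function signArgumentsOnly(array $referrer): string
{
    $payload = json_encode(sortRecursive($referrer['arguments'] ?? []), JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, DEMO_KEY);
}

/** Hardened variant: vendor, controller, action and arguments are signed as one unit. */
function signReferrer(array $referrer): string
{
    $payload = json_encode(sortRecursive($referrer), JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, DEMO_KEY);
}

/** Constant-time comparison of the recomputed MAC with the one the client sent back. */
function verifyReferrer(array $referrer, string $mac): bool
{
    return hash_equals(signReferrer($referrer), $mac);
}

// Constructed referrer as it would be embedded in a rendered form (hypothetical field names).
$referrer = [
    'vendor' => 'Acme',
    'controller' => 'Profile',
    'action' => 'edit',
    'arguments' => ['user' => ['name' => 'alice']],
];
$weakMac = signArgumentsOnly($referrer);
$fullMac = signReferrer($referrer);

// The same referrer comes back from the client with a different action.
$returned = array_replace($referrer, ['action' => 'delete']);

var_dump(hash_equals(signArgumentsOnly($returned), $weakMac)); // arguments-only check
var_dump(verifyReferrer($returned, $fullMac));                 // complete-request check
var_dump(verifyReferrer($referrer, $fullMac));                 // unmodified referrer
```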