Commit 59238797 authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader
Browse files

[SECURITY] Synchronize admin tools session with backend user session

Admin tools sessions are revoked in case the initiatin backend user
does not have admin or system maintainer privileges anymore. Besides
that, revoking backend user interface sessions now also revokes access
to admin tools. Standalone install tool is not affected.

Resolves: #92019
Releases: main, 11.5, 10.4
Change-Id: I367098abd632fa34caa59e4e165f5ab1916894c5
Security-Bulletin: TYPO3-CORE-SA-2022-005
Security-References: CVE-2022-31050
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74905

Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent da611775
...@@ -175,7 +175,8 @@ class BackendModuleController ...@@ -175,7 +175,8 @@ class BackendModuleController
*/ */
protected function setAuthorizedAndRedirect(string $controller): ResponseInterface protected function setAuthorizedAndRedirect(string $controller): ResponseInterface
{ {
$this->getSessionService()->setAuthorizedBackendSession(); $userSession = $this->getBackendUser()->getSession();
$this->getSessionService()->setAuthorizedBackendSession($userSession);
$redirectLocation = PathUtility::getAbsoluteWebPath('install.php?install[controller]=' . $controller . '&install[context]=backend'); $redirectLocation = PathUtility::getAbsoluteWebPath('install.php?install[controller]=' . $controller . '&install[context]=backend');
return new RedirectResponse($redirectLocation, 303); return new RedirectResponse($redirectLocation, 303);
} }
......
...@@ -143,6 +143,21 @@ class Maintenance implements MiddlewareInterface ...@@ -143,6 +143,21 @@ class Maintenance implements MiddlewareInterface
// session related actions // session related actions
$session = new SessionService(); $session = new SessionService();
// the backend user has an active session but the admin / maintainer
// rights have been revoked or the user was disabled or deleted in the meantime
if ($session->isAuthorizedBackendUserSession() && !$session->hasActiveBackendUserRoleAndSession()) {
// log out the user and destroy the session
$session->resetSession();
$session->destroySession();
$formProtection = FormProtectionFactory::get(
InstallToolFormProtection::class
);
$formProtection->clean();
return new HtmlResponse('', 403);
}
if ($actionName === 'preAccessCheck') { if ($actionName === 'preAccessCheck') {
$response = new JsonResponse([ $response = new JsonResponse([
'installToolLocked' => !$this->checkEnableInstallToolFile(), 'installToolLocked' => !$this->checkEnableInstallToolFile(),
......
...@@ -17,8 +17,15 @@ namespace TYPO3\CMS\Install\Service; ...@@ -17,8 +17,15 @@ namespace TYPO3\CMS\Install\Service;
use Symfony\Component\HttpFoundation\Cookie; use Symfony\Component\HttpFoundation\Cookie;
use TYPO3\CMS\Core\Core\Environment; use TYPO3\CMS\Core\Core\Environment;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\Restriction\DefaultRestrictionContainer;
use TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;
use TYPO3\CMS\Core\Messaging\FlashMessage; use TYPO3\CMS\Core\Messaging\FlashMessage;
use TYPO3\CMS\Core\Security\BlockSerializationTrait; use TYPO3\CMS\Core\Security\BlockSerializationTrait;
use TYPO3\CMS\Core\Session\Backend\HashableSessionBackendInterface;
use TYPO3\CMS\Core\Session\Backend\SessionBackendInterface;
use TYPO3\CMS\Core\Session\SessionManager;
use TYPO3\CMS\Core\Session\UserSession;
use TYPO3\CMS\Core\SingletonInterface; use TYPO3\CMS\Core\SingletonInterface;
use TYPO3\CMS\Core\Utility\GeneralUtility; use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Install\Exception; use TYPO3\CMS\Install\Exception;
...@@ -188,14 +195,28 @@ class SessionService implements SingletonInterface ...@@ -188,14 +195,28 @@ class SessionService implements SingletonInterface
/** /**
* Marks this session as an "authorized by backend user" one. * Marks this session as an "authorized by backend user" one.
* This is called by BackendModuleController from backend context. * This is called by BackendModuleController from backend context.
*
* @param UserSession $userSession session of the current backend user
*/ */
public function setAuthorizedBackendSession() public function setAuthorizedBackendSession(UserSession $userSession)
{ {
$nonce = bin2hex(random_bytes(20));
$sessionBackend = $this->getBackendUserSessionBackend();
// use hash mechanism of session backend, or pass plain value through generic hmac
$sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
? $sessionBackend->hash($userSession->getIdentifier())
: hash_hmac('sha256', $userSession->getIdentifier(), $nonce);
$_SESSION['authorized'] = true; $_SESSION['authorized'] = true;
$_SESSION['lastSessionId'] = time(); $_SESSION['lastSessionId'] = time();
$_SESSION['tstamp'] = time(); $_SESSION['tstamp'] = time();
$_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60; $_SESSION['expires'] = time() + $this->expireTimeInMinutes * 60;
$_SESSION['isBackendSession'] = true; $_SESSION['isBackendSession'] = true;
$_SESSION['backendUserSession'] = [
'nonce' => $nonce,
'userId' => $userSession->getUserId(),
'hmac' => $sessionHmac,
];
// Renew the session id to avoid session fixation // Renew the session id to avoid session fixation
$this->renewSession(); $this->renewSession();
} }
...@@ -222,7 +243,7 @@ class SessionService implements SingletonInterface ...@@ -222,7 +243,7 @@ class SessionService implements SingletonInterface
* *
* @return bool TRUE if this session has been authorized before and initialized by a backend system maintainer * @return bool TRUE if this session has been authorized before and initialized by a backend system maintainer
*/ */
public function isAuthorizedBackendUserSession() public function isAuthorizedBackendUserSession(): bool
{ {
if (!$this->hasSessionCookie()) { if (!$this->hasSessionCookie()) {
return false; return false;
...@@ -234,6 +255,49 @@ class SessionService implements SingletonInterface ...@@ -234,6 +255,49 @@ class SessionService implements SingletonInterface
return !$this->isExpired(); return !$this->isExpired();
} }
/**
* Evaluates whether the backend user that initiated this admin tool session,
* has an active role (is still admin & system maintainer) and has an active backend user interface session.
*
* @return bool whether the backend user has an active role and backend user interface session
*/
public function hasActiveBackendUserRoleAndSession(): bool
{
// @see \TYPO3\CMS\Install\Controller\BackendModuleController::setAuthorizedAndRedirect()
$backendUserSession = $this->getBackendUserSession();
$backendUserRecord = $this->getBackendUserRecord($backendUserSession['userId']);
if ($backendUserRecord === null || empty($backendUserRecord['uid'])) {
return false;
}
$isAdmin = (($backendUserRecord['admin'] ?? 0) & 1) === 1;
$systemMaintainers = array_map('intval', $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
// stop here, in case the current admin tool session does not belong to a backend user having admin & maintainer privileges
if (!$isAdmin || !in_array((int)$backendUserRecord['uid'], $systemMaintainers, true)) {
return false;
}
$sessionBackend = $this->getBackendUserSessionBackend();
foreach ($sessionBackend->getAll() as $sessionRecord) {
$sessionUserId = (int)($sessionRecord['ses_userid'] ?? 0);
// skip, in case backend user id does not match
if ($backendUserSession['userId'] !== $sessionUserId) {
continue;
}
$sessionId = (string)($sessionRecord['ses_id'] ?? '');
// use persisted hashed `ses_id` directly, or pass through hmac for plain values
$sessionHmac = $sessionBackend instanceof HashableSessionBackendInterface
? $sessionId
: hash_hmac('sha256', $sessionId, $backendUserSession['nonce']);
// skip, in case backend user session id does not match
if ($backendUserSession['hmac'] !== $sessionHmac) {
continue;
}
// backend user id and session id matched correctly
return true;
}
return false;
}
/** /**
* Check if our session is expired. * Check if our session is expired.
* Useful only right after a FALSE "isAuthorized" to see if this is the * Useful only right after a FALSE "isAuthorized" to see if this is the
...@@ -299,6 +363,20 @@ class SessionService implements SingletonInterface ...@@ -299,6 +363,20 @@ class SessionService implements SingletonInterface
return $messages; return $messages;
} }
/**
* @return array{userId: int, nonce: string, hmac: string} backend user session references
*/
public function getBackendUserSession(): array
{
if (empty($_SESSION['backendUserSession'])) {
throw new Exception(
'The backend user session is only available if invoked via the backend user interface.',
1624879295
);
}
return $_SESSION['backendUserSession'];
}
/** /**
* Check if php session.auto_start is enabled * Check if php session.auto_start is enabled
* *
...@@ -323,4 +401,52 @@ class SessionService implements SingletonInterface ...@@ -323,4 +401,52 @@ class SessionService implements SingletonInterface
[FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE] [FILTER_REQUIRE_SCALAR, FILTER_NULL_ON_FAILURE]
); );
} }
/**
* Fetching a user record with uid=$uid.
* Functionally similar to TYPO3\CMS\Core\Authentication\BackendUserAuthentication::setBeUserByUid().
*
* @param int $uid The UID of the backend user
* @return array<string, int>|null The backend user record or NULL
*/
protected function getBackendUserRecord(int $uid): ?array
{
$restrictionContainer = GeneralUtility::makeInstance(DefaultRestrictionContainer::class);
$restrictionContainer->add(GeneralUtility::makeInstance(RootLevelRestriction::class, ['be_users']));
$queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('be_users');
$queryBuilder->setRestrictions($restrictionContainer);
$queryBuilder->select('uid', 'admin')
->from('be_users')
->where($queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT)));
$resetBeUsersTca = false;
if (!isset($GLOBALS['TCA']['be_users'])) {
// The admin tool intentionally does not load any TCA information at this time.
// The database restictions, needs the enablecolumns TCA information
// for 'be_users' to load the user correctly.
// That is why this part of the TCA ($GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'])
// is simulated.
// The simulation state will be removed later to avoid unexpected side effects.
$GLOBALS['TCA']['be_users']['ctrl']['enablecolumns'] = [
'rootLevel' => 1,
'deleted' => 'deleted',
'disabled' => 'disable',
'starttime' => 'starttime',
'endtime' => 'endtime',
];
$resetBeUsersTca = true;
}
$result = $queryBuilder->executeQuery()->fetchAssociative();
if ($resetBeUsersTca) {
unset($GLOBALS['TCA']['be_users']);
}
return is_array($result) ? $result : null;
}
protected function getBackendUserSessionBackend(): SessionBackendInterface
{
return GeneralUtility::makeInstance(SessionManager::class)->getSessionBackend('BE');
}
} }
...@@ -19,6 +19,7 @@ namespace TYPO3\CMS\Install\Tests\Functional\Controller; ...@@ -19,6 +19,7 @@ namespace TYPO3\CMS\Install\Tests\Functional\Controller;
use TYPO3\CMS\Backend\Routing\UriBuilder; use TYPO3\CMS\Backend\Routing\UriBuilder;
use TYPO3\CMS\Backend\Template\ModuleTemplateFactory; use TYPO3\CMS\Backend\Template\ModuleTemplateFactory;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Core\ApplicationContext; use TYPO3\CMS\Core\Core\ApplicationContext;
use TYPO3\CMS\Core\Core\Environment; use TYPO3\CMS\Core\Core\Environment;
use TYPO3\CMS\Install\Controller\BackendModuleController; use TYPO3\CMS\Install\Controller\BackendModuleController;
...@@ -84,7 +85,13 @@ class BackendModuleControllerTest extends FunctionalTestCase ...@@ -84,7 +85,13 @@ class BackendModuleControllerTest extends FunctionalTestCase
Environment::isWindows() ? 'WINDOWS' : 'UNIX' Environment::isWindows() ? 'WINDOWS' : 'UNIX'
); );
// Authorized redirect to the install tool is performed, sudo mode is not required // Authorized redirect to the admin tool is performed
// sudo mode is not required (due to development context)
$GLOBALS['BE_USER'] = new BackendUserAuthentication();
// using anonymous user session, which is fine for this test case
$GLOBALS['BE_USER']->initializeUserSessionManager();
$GLOBALS['BE_USER']->user = ['uid' => 1];
$response = $subject->{$action}(); $response = $subject->{$action}();
self::assertEquals(303, $response->getStatusCode()); self::assertEquals(303, $response->getStatusCode());
self::assertNotEmpty($response->getHeader('location')); self::assertNotEmpty($response->getHeader('location'));
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment