Commit 85d3e70d authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader

[SECURITY] Avoid ambiguous HMAC results

Cryptographic hashes calculated from and for query
parameters must be bound to one specific use case or
scope, so that the resulting hashes cannot be ambiguous.

Resolves: #91689
Releases: master, 10.4, 9.5
Change-Id: I59ca16fe71e27195b98a822607aab564425d248d
Security-Bulletin: TYPO3-CORE-SA-2020-008
Security-References: CVE-2020-15098
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65125

Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 6069aa2e
......@@ -119,7 +119,7 @@ class LinkBrowserController extends AbstractLinkBrowserController
}
unset($value);
}
$result = hash_equals(GeneralUtility::hmac(serialize($fieldChangeFunctions)), $this->parameters['fieldChangeFuncHash']);
$result = hash_equals(GeneralUtility::hmac(serialize($fieldChangeFunctions), 'backend-link-browser'), $this->parameters['fieldChangeFuncHash']);
}
return $result;
}
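Review bot: The scope string `'backend-link-browser'` added to the hash_equals() line is repeated verbatim as a bare literal in the getBodyTagAttributes hunk and again in the EditPopup and LinkPopup hunks; the verifier and its three producers only agree while all four literals stay byte-identical, and a later edit to any one of them would make every link-browser fieldChangeFunc hash fail verification with nothing pointing at the cause. Hoisting the literal into one shared constant (for example a public constant on LinkBrowserController that the two node classes reference) keeps producers and verifier from drifting apart, and a comment at the comparison such as `// scope must match the producers in getBodyTagAttributes, EditPopup and LinkPopup` would help the next reader until then. The enclosing method begins before this hunk, so it is not visible here whether `$this->parameters['fieldChangeFuncHash']` is guaranteed to be set before hash_equals() runs; depending on the PHP version a missing key yields a warning or a TypeError rather than a clean `false`, so an `isset()` guard ahead of the comparison is worth confirming.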
......@@ -135,7 +135,7 @@ class LinkBrowserController extends AbstractLinkBrowserController
$parameters = parent::getBodyTagAttributes();
$formEngineParameters['fieldChangeFunc'] = $this->parameters['fieldChangeFunc'];
$formEngineParameters['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($this->parameters['fieldChangeFunc']));
$formEngineParameters['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($this->parameters['fieldChangeFunc']), 'backend-link-browser');
$parameters['data-add-on-params'] .= HttpUtility::buildQueryString(['P' => $formEngineParameters], '&');
......@@ -78,7 +78,7 @@ class EditPopup extends AbstractNode
'flexFormDataStructurePath' => $flexFormDataStructurePath,
'hmac' => GeneralUtility::hmac('editform' . $itemName, 'wizard_js'),
'fieldChangeFunc' => $parameterArray['fieldChangeFunc'],
'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc'])),
'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc']), 'backend-link-browser'),
],
];
$uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
......@@ -63,7 +63,7 @@ class LinkPopup extends AbstractNode
'itemName' => $itemName,
'hmac' => GeneralUtility::hmac('editform' . $itemName, 'wizard_js'),
'fieldChangeFunc' => $parameterArray['fieldChangeFunc'],
'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc'])),
'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc']), 'backend-link-browser'),
],
];
/** @var \TYPO3\CMS\Backend\Routing\UriBuilder $uriBuilder */