Commit
[SECURITY] Protect persisted session IDs from being used directly
Instead of storing session IDs with their corresponding storage backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB) is being used. HMAC-MD5 had to be chosen to avoid breaking changes for limited field size in database fields (32 characters currently).

This change also allows a fallback to non-hashed session values, meaning that

* set() and update() will create new session records with the hashed identifier
* get() contains a fallback to the non-hashed version when no session with a hashed identifier is found

Resolves: #91854
Releases: master, 10.4, 9.5
Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd
Security-Bulletin: TYPO3-CORE-SA-2020-011
Security-References: CVE-2020-26228
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66660
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
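As an added example (not TYPO3's own code), the scheme the commit message describes, written in Python: the HMAC key derivation and the MD5/SHA-256 choice follow the be_sessions.xml fixture comments in this commit, and the sample ids are the ones from those comments; the in-memory store, the migration of a legacy plain-text row on update(), and the demo() helper are assumptions made for the illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Key derivation as shown in the be_sessions.xml fixture comment of this commit:
# sha1(encryptionKey . 'core-session-backend'); 'iAmInvalid' is the test key used there.
ENCRYPTION_KEY = "iAmInvalid"

def hash_session_id(session_id: str, algo: str = "md5", encryption_key: str = ENCRYPTION_KEY) -> str:
    """Keyed hash of a raw session id: 'md5' fits the 32-char DB column, 'sha256' is for Redis."""
    key = hashlib.sha1((encryption_key + "core-session-backend").encode()).hexdigest().encode()
    return hmac.new(key, session_id.encode(), algo).hexdigest()

class SessionStore:
    """In-memory stand-in (assumption) for the be_sessions table, keyed by ses_id."""

    def __init__(self, rows: Optional[Dict[str, dict]] = None) -> None:
        self.rows: Dict[str, dict] = dict(rows or {})

    def set(self, session_id: str, data: dict) -> None:
        # New records are written under the HMAC only; the raw id never reaches storage.
        hashed = hash_session_id(session_id)
        self.rows[hashed] = dict(data, ses_id=hashed)

    def update(self, session_id: str, data: dict) -> None:
        # Rewrites under the hashed id and drops a legacy plain-text row if one existed.
        merged = dict(self.get(session_id) or {}, **data)
        self.rows.pop(session_id, None)
        self.set(session_id, merged)

    def get(self, session_id: str) -> Optional[dict]:
        record = self.rows.get(hash_session_id(session_id))
        if record is None:
            # Migration fallback for rows persisted before hashing; drop it once pre-upgrade sessions expired.
            record = self.rows.get(session_id)
        return record

def demo() -> dict:
    """One legacy plain-text row plus one freshly created session (ids taken from the fixture comments)."""
    legacy_id = "ff83dfd81e20b34c27d3e97771a4525a"
    store = SessionStore({legacy_id: {"ses_id": legacy_id, "ses_userid": 2}})
    new_id = "886526ce72b86870739cc41991144ec1"
    store.set(new_id, {"ses_userid": 1})
    store.update(legacy_id, {"ses_tstamp": 1777777777})  # legacy row migrates to its HMAC
    return {
        "new_found": store.get(new_id) is not None,
        "legacy_found": store.get(legacy_id) is not None,
        "raw_ids_persisted": [i for i in (new_id, legacy_id) if i in store.rows],
        "stored_keys": sorted(store.rows),
    }
```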
Showing 13 changed files with 169 additions and 44 deletions.
typo3/sysext/core/Classes/Session/Backend/HashableSessionBackendInterface.php (23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
/* | ||
* This file is part of the TYPO3 CMS project. | ||
* | ||
* It is free software; you can redistribute it and/or modify it under | ||
* the terms of the GNU General Public License, either version 2 | ||
* of the License, or any later version. | ||
* | ||
* For the full copyright and license information, please read the | ||
* LICENSE.txt file that was distributed with this source code. | ||
* | ||
* The TYPO3 project - inspiring people to share! | ||
*/ | ||
|
||
namespace TYPO3\CMS\Core\Session\Backend; | ||
|
||
interface HashableSessionBackendInterface | ||
{ | ||
public function hash(string $sessionId): string; | ||
} |
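Review bot: the new interface method carries no docblock stating its contract. hash() is the only member of HashableSessionBackendInterface, and nothing in the hunk says that the result must be keyed with secret material rather than being a plain digest, must be stable per installation so that existing records keep resolving, and must fit the backend's identifier width (the commit message gives the 32-character database column as the reason for HMAC-MD5). Suggest a short docblock above `public function hash(string $sessionId): string;` spelling out those requirements so that further backends implementing the interface do not satisfy it with an unkeyed hash.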
typo3/sysext/core/Tests/Acceptance/Fixtures/be_sessions.xml (21 additions & 0 deletions)
@@ -0,0 +1,21 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<dataset> | ||
<be_sessions> | ||
<!-- hash_hmac('md5', '886526ce72b86870739cc41991144ec1', sha1('iAmInvalid' . 'core-session-backend')) --> | ||
<ses_id>a7475832dbc0aa7ed07bb1f800520d16</ses_id> | ||
<ses_iplock>[DISABLED]</ses_iplock> | ||
<ses_userid>1</ses_userid> | ||
<ses_tstamp>1777777777</ses_tstamp> | ||
<ses_data></ses_data> | ||
<ses_backuserid>0</ses_backuserid> | ||
</be_sessions> | ||
<be_sessions> | ||
<!-- hash_hmac('md5', 'ff83dfd81e20b34c27d3e97771a4525a', sha1('iAmInvalid' . 'core-session-backend')) --> | ||
<ses_id>b99a7e54850ef064b7181d0de7d67900</ses_id> | ||
<ses_iplock>[DISABLED]</ses_iplock> | ||
<ses_userid>2</ses_userid> | ||
<ses_tstamp>1777777777</ses_tstamp> | ||
<ses_data></ses_data> | ||
<ses_backuserid>0</ses_backuserid> | ||
</be_sessions> | ||
</dataset> |
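Review bot: both rows are coupled to the encryptionKey 'iAmInvalid' and to the derivation `sha1('iAmInvalid' . 'core-session-backend')` only through the inline comments; if the acceptance environment's encryptionKey is ever changed, `<ses_id>a7475832dbc0aa7ed07bb1f800520d16</ses_id>` and `<ses_id>b99a7e54850ef064b7181d0de7d67900</ses_id>` stop matching and the fixture logins fail with no hint as to why. Suggest a leading comment in the dataset naming the setting the fixture depends on and stating that the raw ids in the comments are the values the tests present, so the coupling is explicit when someone regenerates the hashes; likewise note why `<ses_tstamp>1777777777</ses_tstamp>` is set to a fixed future value (presumably to keep both sessions from expiring during the run).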