[SECURITY] Mitigate CSRF in backend deeplinking

This change adds a "redirect" section to disable
backend deeplinking for non-module routes by default,
and only allows for included / defined GET paramaters
for such routes.

Resolves: #94496
Releases: master
Change-Id: Iab3bcbfe42d44cd12c5748e3b0cddb4478dbe975
Security-Bulletin: TYPO3-CORE-SA-2021-014
Security-References: CVE-2021-41113
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71437
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

typo3/sysext/backend/Classes/Routing/RouteRedirect.php

@@ -21,6 +21,7 @@
 use TYPO3\CMS\Backend\Routing\Exception\MethodNotAllowedException;
 use TYPO3\CMS\Backend\Routing\Exception\RouteNotFoundException;
 use TYPO3\CMS\Backend\Routing\Exception\RouteTypeNotAllowedException;
+use TYPO3\CMS\Core\Utility\ArrayUtility;
 
 /**
  * A value object representing redirects within Backend routing.
@@ -133,5 +134,18 @@ public function resolve(Router $router): void
                 1627407452
             );
         }
+        $settings = $route->getOption('redirect');
+        if (($settings['enable'] ?? false) !== true) {
+            throw new RouteNotFoundException(
+                sprintf('Route "%s" cannot be redirected', $this->name),
+                1627407511
+            );
+        }
+        // Only use allowed arguments, if set, otherwise no parameters are allowed
+        if (!empty($settings['parameters'])) {
+            $this->parameters = ArrayUtility::intersectRecursive($this->parameters, (array)$settings['parameters']);
+        } else {
+            $this->parameters = [];
+        }
     }
 }

typo3/sysext/backend/Configuration/Backend/Routes.php

@@ -133,11 +133,23 @@
     'db_new' => [
         'path' => '/record/new',
         'target' => Controller\NewRecordController::class . '::mainAction',
+        'redirect' => [
+            'enable' => true,
+            'parameters' => [
+                'id' => true,
+            ],
+        ],
     ],
 
     'db_new_pages' => [
         'path' => '/record/new-page',
         'target' => Controller\NewRecordController::class . '::newPageAction',
+        'redirect' => [
+            'enable' => true,
+            'parameters' => [
+                'id' => true,
+            ],
+        ],
     ],
 
     // Register sort pages
@@ -150,6 +162,12 @@
     'pages_new' => [
         'path' => '/pages/new',
         'target' => Controller\Page\NewMultiplePagesController::class . '::mainAction',
+        'redirect' => [
+            'enable' => true,
+            'parameters' => [
+                'id' => true,
+            ],
+        ],
     ],
 
     // Register new content element module (used in a modal)
@@ -208,6 +226,12 @@
     'record_edit' => [
         'path' => '/record/edit',
         'target' => Controller\EditDocumentController::class . '::mainAction',
+        'redirect' => [
+            'enable' => true,
+            'parameters' => [
+                'edit' => true,
+            ],
+        ],
     ],
 
     // Thumbnails

typo3/sysext/core/Documentation/Changelog/11.2/Feature-93988-BackendModuleURLsReflectIntoBrowserAddressbar.rst

@@ -25,4 +25,16 @@ Impact
 
 Editors can share links to certain records or include these in bug reports.
 
+This feature is enabled for all modules. For non-module routes this feature
+will only work if configured via `Routes.php` by adding a `redirect` section:
+
+:php:
+    'redirect' => [
+        'enable' => true,
+        // Transferred parameters when redirecting
+        'parameters' => [
+            'my-parameter-name' => true
+        ]
+    ],
+
 .. index:: Backend, JavaScript, ext:backend