[SECURITY] Inherit access to module-related AJAX routes from modules

eliashaeussler · ohader · commit 4e867b7a30bb · 2025-09-09T10:03:27.000+02:00
Several AJAX routes are bound to specific backend modules. While backend modules have proper authorization checks in place, AJAX routes are open to any authenticated backend user. This patch introduces a new config option `inheritAccessFromModule` for AJAX routes which aims to close this gap. It allows to limit access to a specific AJAX route by inheriting access permissions from the given backend module. This is done for all AJAX routes which are used exclusively in specific backend modules. For example, the AJAX route for ext:recycler is now bound to the ext:recycler backend module, inheriting access permissions for this specific route from the given backend module permissions defined in the appropriate be_users / be_groups records. Resolves: #106983 Releases: main, 13.4, 12.4 Change-Id: I8ccaa28468945bc8c7e4fb7e7806ae208e4a46ab Security-Bulletin: TYPO3-CORE-SA-2025-021 Security-References: CVE-2025-59017 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/90631 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/backend/Classes/Middleware/BackendModuleValidator.php b/typo3/sysext/backend/Classes/Middleware/BackendModuleValidator.php
@@ -31,6 +31,7 @@
 use TYPO3\CMS\Backend\Routing\UriBuilder;
 use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Http\RedirectResponse;
+use TYPO3\CMS\Core\Http\Response;
 use TYPO3\CMS\Core\Localization\LanguageService;
 use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\Messaging\FlashMessageQueue;
@@ -68,10 +69,19 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
         $inaccessibleSubModule = null;
         $ensureToPersistUserSettings = false;
         $backendUser = $GLOBALS['BE_USER'] ?? null;
-        if (!$backendUser
-            || !$route->hasOption('module')
-            || !(($module = $route->getOption('module')) instanceof ModuleInterface)
-        ) {
+
+        if (!$backendUser) {
+            return $handler->handle($request);
+        }
+
+        // Exit if access to module was denied using module access inheritance check
+        $inheritAccessFromModule = $route->getOption('inheritAccessFromModule');
+        if ($inheritAccessFromModule !== null && !$this->moduleProvider->accessGranted($inheritAccessFromModule, $backendUser)) {
+            return new Response(null, 403);
+        }
+
+        $module = $route->getOption('module');
+        if (!$module instanceof ModuleInterface) {
             return $handler->handle($request);
         }
 
diff --git a/typo3/sysext/backend/Configuration/Backend/AjaxRoutes.php b/typo3/sysext/backend/Configuration/Backend/AjaxRoutes.php
@@ -17,6 +17,7 @@
         'path' => '/resource/rename',
         'methods' => ['POST'],
         'target' => Controller\Resource\ResourceController::class . '::renameResourceAction',
+        'inheritAccessFromModule' => 'media_management',
     ],
 
     // Link resource
@@ -30,12 +31,14 @@
     'file_process' => [
         'path' => '/file/process',
         'target' => Controller\File\FileController::class . '::processAjaxRequest',
+        'inheritAccessFromModule' => 'media_management',
     ],
 
     // Check if file exists
     'file_exists' => [
         'path' => '/file/exists',
         'target' => Controller\File\FileController::class . '::fileExistsInFolderAction',
+        'inheritAccessFromModule' => 'media_management',
     ],
 
     // Get details of a file reference in FormEngine
@@ -93,6 +96,7 @@
     'site_configuration_inline_create' => [
         'path' => '/siteconfiguration/inline/create',
         'target' => Controller\SiteInlineAjaxController::class . '::newInlineChildAction',
+        'inheritAccessFromModule' => 'site_configuration',
     ],
 
     // Validate slug input
@@ -105,6 +109,7 @@
     'site_configuration_inline_details' => [
         'path' => '/siteconfiguration/inline/details',
         'target' => Controller\SiteInlineAjaxController::class . '::openInlineChildAction',
+        'inheritAccessFromModule' => 'site_configuration',
     ],
 
     // Add a flex form section container
@@ -353,18 +358,21 @@
     'page_languages' => [
         'path' => '/records/localize/get-languages',
         'target' => Controller\Page\LocalizationController::class . '::getUsedLanguagesInPage',
+        'inheritAccessFromModule' => 'web_layout',
     ],
 
     // Get summary of records to localize
     'records_localize_summary' => [
         'path' => '/records/localize/summary',
         'target' => Controller\Page\LocalizationController::class . '::getRecordLocalizeSummary',
+        'inheritAccessFromModule' => 'web_layout',
     ],
 
     // Localize the records
     'records_localize' => [
         'path' => '/records/localize',
         'target' => Controller\Page\LocalizationController::class . '::localizeRecords',
+        'inheritAccessFromModule' => 'web_layout',
     ],
 
     // column selector
@@ -407,6 +415,7 @@
         'access' => 'systemMaintainer',
         'path' => '/security/csp/control',
         'target' => \TYPO3\CMS\Backend\Security\ContentSecurityPolicy\CspAjaxController::class . '::handleRequest',
+        'inheritAccessFromModule' => 'tools_csp',
     ],
 
     'sudo_mode_control' => [
diff --git a/typo3/sysext/backend/Tests/Functional/Fixtures/be_users_core.csv b/typo3/sysext/backend/Tests/Functional/Fixtures/be_users_core.csv
@@ -1,9 +1,9 @@
 be_users
-,uid,pid,tstamp,username,password,admin,disable,starttime,endtime,options,crdate,workspace_perms,deleted,TSconfig,lastlogin,workspace_id,usergroup,mfa
-,1,0,1366642540,admin,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,1,0,0,0,0,1366642540,1,0,,1371033743,0,,
-,2,0,1366642540,editor,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,0,0,0,0,3,1366642540,1,0,,1371033743,0,1,
-,3,0,1366642540,editor_with_groups,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,0,0,0,0,3,1366642540,1,0,"test.default.userValue = from_user_3",1371033743,0,"1,2,4,6",
-,4,0,1366642540,mfa_user,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,0,0,0,0,3,1366642540,1,0,,1371033743,0,,"{""totp"":{""secret"":""KRMVATZTJFZUC53FONXW2ZJB"",""active"":true,""attempts"":2}}"
-,5,0,1366642540,mfa_admin_locked,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,1,0,0,0,3,1366642540,1,0,,1371033743,0,,"{""totp"":{""secret"":""KRMVATZTJFZUC53FONXW2ZJB"",""active"":true,""attempts"":2},""recovery-codes"":{""active"":true,""attempts"":3,""codes"":[]}}"
+,uid,pid,tstamp,username,password,admin,disable,starttime,endtime,options,crdate,workspace_perms,deleted,TSconfig,lastlogin,workspace_id,usergroup,mfa,userMods
+,1,0,1366642540,admin,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,1,0,0,0,0,1366642540,1,0,,1371033743,0,,,
+,2,0,1366642540,editor,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,0,0,0,0,3,1366642540,1,0,,1371033743,0,1,,
+,3,0,1366642540,editor_with_groups,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,0,0,0,0,3,1366642540,1,0,"test.default.userValue = from_user_3",1371033743,0,"1,2,4,6",,"web_layout"
+,4,0,1366642540,mfa_user,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,0,0,0,0,3,1366642540,1,0,,1371033743,0,,"{""totp"":{""secret"":""KRMVATZTJFZUC53FONXW2ZJB"",""active"":true,""attempts"":2}}",
+,5,0,1366642540,mfa_admin_locked,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,1,0,0,0,3,1366642540,1,0,,1371033743,0,,"{""totp"":{""secret"":""KRMVATZTJFZUC53FONXW2ZJB"",""active"":true,""attempts"":2},""recovery-codes"":{""active"":true,""attempts"":3,""codes"":[]}}",
 ,6,0,1366642540,editor with typoscript,$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1,0,0,0,0,3,1366642540,1,0,"options.impexp.enableImportForNonAdminUser = 1
-options.impexp.enableExportForNonAdminUser = 1",1371033743,0,1,
+options.impexp.enableExportForNonAdminUser = 1",1371033743,0,1,,
diff --git a/typo3/sysext/backend/Tests/Functional/Middleware/BackendModuleValidatorTest.php b/typo3/sysext/backend/Tests/Functional/Middleware/BackendModuleValidatorTest.php
@@ -47,7 +47,7 @@ protected function setUp(): void
     {
         parent::setUp();
 
-        $this->importCSVDataSet(__DIR__ . '/../Fixtures/be_users.csv');
+        $this->importCSVDataSet(__DIR__ . '/../Fixtures/be_users_core.csv');
         $backendUser = $this->setUpBackendUser(1);
         $GLOBALS['LANG'] = $this->get(LanguageServiceFactory::class)->createFromUserPreferences($backendUser);
 
@@ -72,6 +72,36 @@ public function handle(ServerRequestInterface $request): ResponseInterface
         };
     }
 
+    #[Test]
+    public function processReturnsForbiddenResponseIfModuleInheritanceAccessCheckFails(): void
+    {
+        $this->setUpBackendUser(2);
+
+        $GLOBALS['TYPO3_REQUEST'] = $request = $this->request->withAttribute(
+            'route',
+            new Route('/some/route', ['inheritAccessFromModule' => 'web_layout']),
+        );
+
+        $response = $this->subject->process($request, $this->requestHandler);
+
+        self::assertSame(403, $response->getStatusCode());
+    }
+
+    #[Test]
+    public function processReturnsOkResponseIfModuleInheritanceAccessCheckIsSuccessful(): void
+    {
+        $this->setUpBackendUser(3);
+
+        $GLOBALS['TYPO3_REQUEST'] = $request = $this->request->withAttribute(
+            'route',
+            new Route('/some/route', ['inheritAccessFromModule' => 'web_layout']),
+        );
+
+        $response = $this->subject->process($request, $this->requestHandler);
+
+        self::assertSame(200, $response->getStatusCode());
+    }
+
     #[Test]
     public function moduleIsAddedToRequest(): void
     {
diff --git a/typo3/sysext/beuser/Configuration/Backend/AjaxRoutes.php b/typo3/sysext/beuser/Configuration/Backend/AjaxRoutes.php
@@ -8,5 +8,6 @@
     'user_access_permissions' => [
         'path' => '/users/access/permissions',
         'target' => \TYPO3\CMS\Beuser\Controller\PermissionController::class . '::handleAjaxRequest',
+        'inheritAccessFromModule' => 'permissions_pages',
     ],
 ];
diff --git a/typo3/sysext/core/Documentation/Changelog/12.4.x/Important-106983-HardenedAccessToModule-relatedAJAXRoutes.rst b/typo3/sysext/core/Documentation/Changelog/12.4.x/Important-106983-HardenedAccessToModule-relatedAJAXRoutes.rst
@@ -0,0 +1,39 @@
+..  include:: /Includes.rst.txt
+
+..  _important-106983-1750962567:
+
+==================================================================
+Important: #106983 - Hardened access to module-related AJAX routes
+==================================================================
+
+See :issue:`106983`
+
+Description
+===========
+
+AJAX routes which are exclusively used in a specific backend module can now be
+configured to inherit access from the respective module. A new configuration
+option :php:`inheritAccessFromModule` is introduced to control this behavior.
+It is already added to several existing AJAX routes shipped by TYPO3 core.
+
+Requests to routes with an appropriate access check in place will result in a
+403 response if the current backend user lacks required permissions.
+
+Example configuration
+=====================
+
+In the following example, the `mymodule_myroute` AJAX route inherits access
+checks from the `mymodule` backend module:
+
+..  code-block:: php
+    :caption: EXT:my_extension/Configuration/Backend/AjaxRoutes.php
+
+    return [
+        'mymodule_myroute' => [
+            'path' => '/mymodule/myroute',
+            'target' => \MyVendor\MyExtension\Controller\MySpecialController::class . '::mySpecialAction',
+            'inheritAccessFromModule' => 'mymodule',
+        ],
+    ];
+
+..  index:: Backend
diff --git a/typo3/sysext/dashboard/Configuration/Backend/AjaxRoutes.php b/typo3/sysext/dashboard/Configuration/Backend/AjaxRoutes.php
@@ -8,66 +8,78 @@
         'path' => '/dashboard/dashboards/get',
         'target' => DashboardAjaxController::class . '::getDashboards',
         'methods' => ['GET'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_dashboard_add' => [
         'path' => '/dashboard/dashboard/add',
         'target' => DashboardAjaxController::class . '::addDashboard',
         'methods' => ['POST'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_dashboard_edit' => [
         'path' => '/dashboard/dashboard/edit',
         'target' => DashboardAjaxController::class . '::editDashboard',
         'methods' => ['POST'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_dashboard_update' => [
         'path' => '/dashboard/dashboard/update',
         'target' => DashboardAjaxController::class . '::updateDashboard',
         'methods' => ['POST'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_dashboard_delete' => [
         'path' => '/dashboard/dashboard/delete',
         'target' => DashboardAjaxController::class . '::deleteDashboard',
         'methods' => ['POST'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
 
     // Presets
     'dashboard_presets_get' => [
         'path' => '/dashboard/presets/get',
         'target' => DashboardAjaxController::class . '::getPresets',
         'methods' => ['GET'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
 
     // Categories
     'dashboard_categories_get' => [
         'path' => '/dashboard/categories/get',
         'target' => DashboardAjaxController::class . '::getCategories',
         'methods' => ['GET'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
 
     // Widgets
     'dashboard_widget_get' => [
         'path' => '/dashboard/widget/get',
         'target' => DashboardAjaxController::class . '::getWidget',
         'methods' => ['GET'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_widget_add' => [
         'path' => '/dashboard/widget/add',
         'target' => DashboardAjaxController::class . '::addWidget',
         'methods' => ['POST'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_widget_remove' => [
         'path' => '/dashboard/widget/remove',
         'target' => DashboardAjaxController::class . '::removeWidget',
         'methods' => ['POST'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_widget_settings_get' => [
         'path' => '/dashboard/widget/settings/get',
         'target' => DashboardAjaxController::class . '::getWidgetSettings',
         'methods' => ['GET'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
     'dashboard_widget_settings_update' => [
         'path' => '/dashboard/widget/settings/update',
         'target' => DashboardAjaxController::class . '::updateWidgetSettings',
         'methods' => ['POST'],
+        'inheritAccessFromModule' => 'dashboard',
     ],
 ];
diff --git a/typo3/sysext/recycler/Configuration/Backend/AjaxRoutes.php b/typo3/sysext/recycler/Configuration/Backend/AjaxRoutes.php
@@ -8,5 +8,6 @@
     'recycler' => [
         'path' => '/recycler',
         'target' => \TYPO3\CMS\Recycler\Controller\RecyclerAjaxController::class . '::dispatch',
+        'inheritAccessFromModule' => 'recycler',
     ],
 ];
diff --git a/typo3/sysext/workspaces/Configuration/Backend/AjaxRoutes.php b/typo3/sysext/workspaces/Configuration/Backend/AjaxRoutes.php
@@ -12,5 +12,6 @@
     'workspace_dispatch' => [
         'path' => '/workspace/dispatch',
         'target' => \TYPO3\CMS\Workspaces\Controller\WorkspacesAjaxController::class . '::dispatch',
+        'inheritAccessFromModule' => 'workspaces_admin',
     ],
 ];
