[SECURITY] Avoid ambiguous HMAC results

Cryptographic hashes being calculated from and for query parameters must only be used for a specific use-case or scope in order to avoid resulting hashes being ambiguous. Resolves: #91689 Releases: master, 10.4, 9.5 Change-Id: I59ca16fe71e27195b98a822607aab564425d248d Security-Bulletin: TYPO3-CORE-SA-2020-008 Security-References: CVE-2020-15098 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65123 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jul 28, 2020 · d2842eb · d2842eb
1 parent 6cd384b
commit d2842eb
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/typo3/sysext/backend/Classes/Controller/LinkBrowserController.php b/typo3/sysext/backend/Classes/Controller/LinkBrowserController.php
@@ -120,7 +120,7 @@ protected function areFieldChangeFunctionsValid($handleFlexformSections = false)
                 }
                 unset($value);
             }
-            $result = hash_equals(GeneralUtility::hmac(serialize($fieldChangeFunctions)), $this->parameters['fieldChangeFuncHash']);
+            $result = hash_equals(GeneralUtility::hmac(serialize($fieldChangeFunctions), 'backend-link-browser'), $this->parameters['fieldChangeFuncHash']);
         }
         return $result;
     }
@@ -135,7 +135,7 @@ protected function getBodyTagAttributes()
         $parameters = parent::getBodyTagAttributes();
 
         $formEngineParameters['fieldChangeFunc'] = $this->parameters['fieldChangeFunc'];
-        $formEngineParameters['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($this->parameters['fieldChangeFunc']));
+        $formEngineParameters['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($this->parameters['fieldChangeFunc']), 'backend-link-browser');
 
         $parameters['data-add-on-params'] .= HttpUtility::buildQueryString(['P' => $formEngineParameters], '&');
 

diff --git a/typo3/sysext/backend/Classes/Form/FieldControl/EditPopup.php b/typo3/sysext/backend/Classes/Form/FieldControl/EditPopup.php
@@ -74,7 +74,7 @@ public function render()
                 'flexFormDataStructurePath' => $flexFormDataStructurePath,
                 'hmac' => GeneralUtility::hmac('editform' . $itemName, 'wizard_js'),
                 'fieldChangeFunc' => $parameterArray['fieldChangeFunc'],
-                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc'])),
+                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc']), 'backend-link-browser'),
             ],
         ];
         $uriBuilder = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Routing\UriBuilder::class);

diff --git a/typo3/sysext/backend/Classes/Form/FieldControl/LinkPopup.php b/typo3/sysext/backend/Classes/Form/FieldControl/LinkPopup.php
@@ -60,7 +60,7 @@ public function render(): array
                 'itemName' => $itemName,
                 'hmac' => GeneralUtility::hmac('editform' . $itemName, 'wizard_js'),
                 'fieldChangeFunc' => $parameterArray['fieldChangeFunc'],
-                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc'])),
+                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc']), 'backend-link-browser'),
             ],
         ];
         /** @var \TYPO3\CMS\Backend\Routing\UriBuilder $uriBuilder */