[SECURITY] Enforce HTTP method assertions for backend modules

Resolves: #104456
Releases: main, 13.4, 12.4
Change-Id: Ic679584a343b6d35e81325a03148b0cff81f1d27
Security-Bulletin: TYPO3-CORE-SA-2025-003
Security-Bulletin: TYPO3-CORE-SA-2025-004
Security-Bulletin: TYPO3-CORE-SA-2025-005
Security-Bulletin: TYPO3-CORE-SA-2025-006
Security-Bulletin: TYPO3-CORE-SA-2025-007
Security-Bulletin: TYPO3-CORE-SA-2025-008
Security-References: CVE-2024-55893
Security-References: CVE-2024-55894
Security-References: CVE-2024-55920
Security-References: CVE-2024-55921
Security-References: CVE-2024-55922
Security-References: CVE-2024-55923
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/87744
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

Build/Sources/Sass/dashboard/_widget.scss

@@ -91,6 +91,9 @@
     opacity: .5;
     border-radius: 4px;
     transition: opacity .2s ease-in-out;
+    background: none;
+    border: none;
+    appearance: none;
 
     &:hover,
     &:focus {

Build/Sources/TypeScript/dashboard/dashboard-delete.ts

@@ -24,8 +24,9 @@ class DashboardDelete {
   }
 
   public initialize(): void {
-    new RegularEvent('click', function (this: HTMLElement, e: Event): void {
+    new RegularEvent('click', function (this: HTMLButtonElement, e: Event): void {
       e.preventDefault();
+      const form = this.form;
       const modal = Modal.confirm(
         this.dataset.modalTitle,
         this.dataset.modalQuestion,
@@ -47,7 +48,7 @@ class DashboardDelete {
       modal.addEventListener('button.clicked', (e: Event): void => {
         const target = e.target as HTMLButtonElement;
         if (target.getAttribute('name') === 'delete') {
-          window.location.href = this.getAttribute('href');
+          form.requestSubmit();
         }
         Modal.dismiss();
       });

Build/Sources/TypeScript/dashboard/widget-remover.ts

@@ -24,8 +24,9 @@ class WidgetRemover {
   }
 
   public initialize(): void {
-    new RegularEvent('click', function (this: HTMLElement, e: Event): void {
+    new RegularEvent('click', function (this: HTMLButtonElement, e: Event): void {
       e.preventDefault();
+      const form = this.form;
       const modal = Modal.confirm(
         this.dataset.modalTitle,
         this.dataset.modalQuestion,
@@ -47,7 +48,7 @@ class WidgetRemover {
       modal.addEventListener('button.clicked', (e: Event): void => {
         const target = e.target as HTMLButtonElement;
         if (target.getAttribute('name') === 'delete') {
-          window.location.href = this.getAttribute('href');
+          form.requestSubmit();
         }
         modal.hideModal();
       });

Build/Sources/TypeScript/dashboard/widget-selector.ts

@@ -19,20 +19,22 @@ class WidgetSelector {
 
   private readonly selector: string = '.js-dashboard-addWidget';
 
+  private modal: ModalElement|null = null;
+
   constructor() {
     this.initialize();
   }
 
   public initialize(): void {
-    new RegularEvent('click', function (this: HTMLElement, e: Event): void {
+    new RegularEvent('click', (e: Event, trigger: HTMLElement): void => {
       e.preventDefault();
 
       const modalContent = new DocumentFragment();
       modalContent.append((document.getElementById('widgetSelector') as HTMLTemplateElement).content.cloneNode(true));
 
       const configuration = {
         type: Modal.types.default,
-        title: this.dataset.modalTitle,
+        title: trigger.dataset.modalTitle,
         size: Modal.sizes.medium,
         severity: SeverityEnum.notice,
         content: modalContent,
@@ -55,8 +57,15 @@ class WidgetSelector {
           modal.hideModal();
         }
       });
+      this.modal = modal;
     }).delegateTo(document, this.selector);
 
+    new RegularEvent('typo3.dashboard.addWidgetDone', (): void => {
+      this.modal?.hideModal();
+      this.modal = null;
+      location.reload();
+    }).bindTo(top.document);
+
     // Display button only if all initialized
     document.querySelectorAll(this.selector).forEach((item) => {
       item.classList.remove('hide');

Build/Sources/TypeScript/extensionmanager/main.ts

@@ -112,8 +112,13 @@ class ExtensionManager {
                 text: TYPO3.lang['button.reimport'],
                 btnClass: 'btn-warning',
                 trigger: (): void => {
-                  window.location.href = target.href;
-                  Modal.dismiss();
+                  NProgress.start();
+                  new AjaxRequest(target.href).post({}).then((): void => {
+                    location.reload();
+                  }).finally((): void => {
+                    NProgress.done();
+                    Modal.dismiss();
+                  });
                 },
               },
             ],
@@ -198,7 +203,7 @@ class ExtensionManager {
 
   private removeExtensionFromDisk(trigger: HTMLAnchorElement): void {
     NProgress.start();
-    new AjaxRequest(trigger.href).get().then((): void => {
+    new AjaxRequest(trigger.href).post({}).then((): void => {
       location.reload();
     }).finally((): void => {
       NProgress.done();
@@ -264,9 +269,9 @@ class ExtensionManager {
           btnClass: 'btn-warning',
           trigger: (e: Event, modal: ModalElement): void => {
             NProgress.start();
-            new AjaxRequest(data.url).withQueryArguments({
+            new AjaxRequest(data.url).post({
               version: (modal.querySelector('input[name="version"]:checked') as HTMLInputElement)?.value,
-            }).get().finally((): void => {
+            }).finally((): void => {
               location.reload();
             });
             modal.hideModal();

Build/Sources/TypeScript/extensionmanager/repository.ts

@@ -99,7 +99,7 @@ class Repository {
 
   private getResolveDependenciesAndInstallResult(url: string): void {
     NProgress.start();
-    new AjaxRequest(url).get().then(async (response: AjaxResponse): Promise<void> => {
+    new AjaxRequest(url).post({}).then(async (response: AjaxResponse): Promise<void> => {
       try {
         // FIXME: As of now, the endpoint doesn't set proper headers, thus we have to parse the response text
         // https://review.typo3.org/c/Packages/TYPO3.CMS/+/63438
@@ -165,6 +165,11 @@ class Repository {
           TYPO3.lang['extensionList.dependenciesResolveInstallError.message'] || 'Your installation failed while resolving dependencies.'
         );
       }
+    }, (): void => {
+      Notification.error(
+        TYPO3.lang['extensionList.dependenciesResolveInstallError.title'] || 'Install error',
+        TYPO3.lang['extensionList.dependenciesResolveInstallError.message'] || 'Your installation failed while resolving dependencies.'
+      );
     }).finally((): void => {
       NProgress.done();
     });

Build/Sources/TypeScript/extensionmanager/update.ts

@@ -64,7 +64,7 @@ class ExtensionManagerUpdate {
     let reload = false;
 
     NProgress.start();
-    new AjaxRequest(url).get().then(async (response: AjaxResponse): Promise<void> => {
+    new AjaxRequest(url).post({}).then(async (response: AjaxResponse): Promise<void> => {
       const data = await response.resolve();
       // Something went wrong, show message
       if (data.errorMessage.length) {

Build/Sources/TypeScript/form/backend/form-manager/view-model.ts

@@ -473,8 +473,16 @@ function removeFormSetup(formManagerApp: FormManager): void {
       btnClass: 'btn-danger',
       name: 'createform',
       trigger: function(e: Event, modal: ModalElement) {
-        document.location = formManagerApp.getAjaxEndpoint('delete') + '&formPersistenceIdentifier=' + that.data('formPersistenceIdentifier');
-        modal.hideModal();
+        $.post(formManagerApp.getAjaxEndpoint('delete'), {
+          formPersistenceIdentifier: that.data('formPersistenceIdentifier'),
+        }, function(data) {
+          if (data.status === 'success') {
+            document.location = data.url;
+          } else {
+            Notification.error(data.title, data.message);
+          }
+          modal.hideModal();
+        });
       }
     });
 

typo3/sysext/backend/Classes/Http/RouteDispatcher.php

@@ -31,6 +31,7 @@
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
 use TYPO3\CMS\Core\Http\Dispatcher;
+use TYPO3\CMS\Core\Http\Error\MethodNotAllowedException;
 use TYPO3\CMS\Core\Http\Security\ReferrerEnforcer;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
@@ -74,7 +75,11 @@ public function dispatch(ServerRequestInterface $request): ResponseInterface
         $targetIdentifier = $route->getOption('target');
         $target = $this->getCallableFromTarget($targetIdentifier);
         $arguments = [$request];
-        return $target(...$arguments);
+        try {
+            return $target(...$arguments);
+        } catch (MethodNotAllowedException $exception) {
+            return $exception->createResponse();
+        }
     }
 
     /**

typo3/sysext/belog/Classes/Controller/BackendLogController.php

@@ -25,6 +25,7 @@
 use TYPO3\CMS\Belog\Domain\Repository\LogEntryRepository;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Database\ConnectionPool;
+use TYPO3\CMS\Core\Http\AllowedMethodsTrait;
 use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Type\ContextualFeedbackSeverity;
 use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
@@ -39,6 +40,8 @@
  */
 class BackendLogController extends ActionController
 {
+    use AllowedMethodsTrait;
+
     public function __construct(
         protected readonly ModuleTemplateFactory $moduleTemplateFactory,
         protected readonly LogEntryRepository $logEntryRepository,
@@ -124,6 +127,11 @@ public function listAction(?Constraint $constraint = null, string $operation = '
             ->renderResponse('BackendLog/List');
     }
 
+    public function initializeDeleteMessageAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Delete all log entries that share the same message with the log entry given
      * in $errorUid