[SECURITY] Enforce HTTP method assertions for backend modules

ohader · ohader · commit 1bb317cb2bc0 · 2025-01-14T10:47:47.000+01:00
Resolves: #104456 Releases: main, 13.4, 12.4 Change-Id: Ic679584a343b6d35e81325a03148b0cff81f1d27 Security-Bulletin: TYPO3-CORE-SA-2025-003 Security-Bulletin: TYPO3-CORE-SA-2025-004 Security-Bulletin: TYPO3-CORE-SA-2025-005 Security-Bulletin: TYPO3-CORE-SA-2025-006 Security-Bulletin: TYPO3-CORE-SA-2025-007 Security-Bulletin: TYPO3-CORE-SA-2025-008 Security-References: CVE-2024-55893 Security-References: CVE-2024-55894 Security-References: CVE-2024-55920 Security-References: CVE-2024-55921 Security-References: CVE-2024-55922 Security-References: CVE-2024-55923 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/87744 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/Classes/Controller/BackendUserController.php b/Classes/Controller/BackendUserController.php
@@ -34,6 +34,7 @@
 use TYPO3\CMS\Beuser\Service\UserInformationService;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Context\Context;
+use TYPO3\CMS\Core\Http\AllowedMethodsTrait;
 use TYPO3\CMS\Core\Imaging\IconFactory;
 use TYPO3\CMS\Core\Imaging\IconSize;
 use TYPO3\CMS\Core\Page\PageRenderer;
@@ -55,6 +56,8 @@
  */
 class BackendUserController extends ActionController
 {
+    use AllowedMethodsTrait;
+
     protected ?ModuleData $moduleData = null;
     protected ModuleTemplate $moduleTemplate;
 
@@ -309,6 +312,11 @@ public function compareAction(): ResponseInterface
         return $this->moduleTemplate->renderResponse('BackendUser/Compare');
     }
 
+    protected function initializeInitiatePasswordResetAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Starts the password reset process for a selected user.
      */
@@ -335,7 +343,12 @@ public function initiatePasswordResetAction(int $user): ResponseInterface
                 LocalizationUtility::translate('LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:flashMessage.resetPassword.success.title', 'beuser') ?? ''
             );
         }
-        return new ForwardResponse('list');
+        return $this->redirect('list');
+    }
+
+    protected function initializeAddToCompareListAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
     }
 
     /**
@@ -344,7 +357,12 @@ public function initiatePasswordResetAction(int $user): ResponseInterface
     public function addToCompareListAction(int $uid): ResponseInterface
     {
         $this->addToCompareList('compareUserList', $uid);
-        return new ForwardResponse('list');
+        return $this->redirect('list');
+    }
+
+    protected function initializeRemoveFromCompareListAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
     }
 
     /**
@@ -359,6 +377,11 @@ public function removeFromCompareListAction(int $uid, int $redirectToCompare = 0
         return $this->redirect('list');
     }
 
+    protected function initializeRemoveAllFromCompareListAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Removes all backend users from the compare list
      */
@@ -368,6 +391,11 @@ public function removeAllFromCompareListAction(): ResponseInterface
         return $this->redirect('list');
     }
 
+    protected function initializeTerminateBackendUserSessionAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Terminate BackendUser session and logout corresponding client
      * Redirects to onlineAction with message
@@ -379,7 +407,7 @@ protected function terminateBackendUserSessionAction(string $sessionId): Respons
         if ($success) {
             $this->addFlashMessage(LocalizationUtility::translate('LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:backendUser.online.flashMessage.terminateSessionSuccess', 'beuser') ?? '');
         }
-        return new ForwardResponse('online');
+        return $this->redirect('online');
     }
 
     /**
@@ -475,6 +503,11 @@ public function compareGroupsAction(): ResponseInterface
         return $this->moduleTemplate->renderResponse('BackendUserGroup/Compare');
     }
 
+    protected function initializeAddGroupToCompareListAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Attaches one backend user group to the compare list
      */
@@ -484,6 +517,11 @@ public function addGroupToCompareListAction(int $uid): ResponseInterface
         return $this->redirect('groups');
     }
 
+    protected function initializeRemoveGroupFromCompareListAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Removes given backend user group to the compare list
      */
@@ -496,6 +534,11 @@ public function removeGroupFromCompareListAction(int $uid, int $redirectToCompar
         return $this->redirect('groups');
     }
 
+    protected function initializeRemoveAllGroupsFromCompareListAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Removes all backend user groups from the compare list
      */
diff --git a/Resources/Private/Partials/BackendUser/PaginatedList.html b/Resources/Private/Partials/BackendUser/PaginatedList.html
@@ -135,16 +135,19 @@
                         <div class="btn-group" role="group">
                             <f:if condition="{backendUser.passwordResetEnabled}">
                                 <f:then>
-                                    <f:link.action
-                                        class="btn btn-default t3js-modal-trigger"
-                                        action="initiatePasswordReset"
-                                        arguments="{user: backendUser.uid}"
-                                        title="{f:translate(key: 'resetPassword.label')}"
-                                        role="button"
-                                        data="{severity: 'warning', title: '{f:translate(key: \'resetPassword.confirmation.header\')}', bs-content: '{f:translate(key: \'resetPassword.confirmation.text\', arguments: {0: \'{backendUser.email}\'})}', button-close-text: '{f:translate(key: \'LLL:EXT:core/Resources/Private/Language/locallang_common.xlf:cancel\')}'}"
-                                    >
+                                    <f:form.button
+                                            name="user"
+                                            value="{backendUser.uid}"
+                                            form="form-initiate-password-reset"
+                                            class="btn btn-default t3js-modal-trigger"
+                                            title="{f:translate(key: 'resetPassword.label')}"
+                                            type="submit"
+                                            data-severity="warning"
+                                            data-title="{f:translate(key: 'resetPassword.confirmation.header')}"
+                                            data-bs-content="{f:translate(key: 'resetPassword.confirmation.text', arguments: {0: '{backendUser.email}'})}"
+                                            data-button-close-text="{f:translate(key: 'LLL:EXT:core/Resources/Private/Language/locallang_common.xlf:cancel')}">
                                         <core:icon identifier="actions-key" />
-                                    </f:link.action>
+                                    </f:form.button>
                                 </f:then>
                                 <f:else>
                                     <span class="btn btn-default disabled"><core:icon identifier="empty-empty" /></span>
@@ -173,28 +176,30 @@
                         <div class="btn-group" role="group">
                             <f:if condition="{compareUserUidList.{backendUser.uid}}">
                                 <f:then>
-                                    <f:link.action
-                                        action="removeFromCompareList"
-                                        arguments="{uid: backendUser.uid}"
+                                    <f:form.button
+                                        form="form-remove-from-compare-list"
+                                        name="uid"
+                                        value="{backendUser.uid}"
+                                        type="submit"
                                         class="btn btn-default"
                                         title="{f:translate(key: 'btn.removeFromCompareList')}"
-                                        role="button"
                                     >
                                         <core:icon identifier="actions-minus" size="small"/>
                                         <f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:btn.compare" />
-                                    </f:link.action>
+                                    </f:form.button>
                                 </f:then>
                                 <f:else>
-                                    <f:link.action
-                                        action="addToCompareList"
-                                        arguments="{uid: backendUser.uid}"
+                                    <f:form.button
+                                        form="form-add-to-compare-list"
+                                        name="uid"
+                                        value="{backendUser.uid}"
+                                        type="submit"
                                         class="btn btn-default"
                                         title="{f:translate(key: 'btn.addToCompareList')}"
-                                        role="button"
                                     >
                                         <core:icon identifier="actions-plus" size="small"/>
                                         <f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:btn.compare" />
-                                    </f:link.action>
+                                    </f:form.button>
                                 </f:else>
                             </f:if>
                             <beuser:SwitchUser class="btn btn-default" backendUser="{backendUser}" />
diff --git a/Resources/Private/Partials/BackendUserGroup/PaginatedList.html b/Resources/Private/Partials/BackendUserGroup/PaginatedList.html
@@ -105,27 +105,29 @@
                         <div class="btn-group" role="group">
                             <f:if condition="{compareGroupUidList.{backendUserGroup.uid}}">
                                 <f:then>
-                                    <f:link.action
-                                        action="removeGroupFromCompareList"
-                                        arguments="{uid: backendUserGroup.uid}"
+                                    <f:form.button
+                                        form="form-remove-group-from-compare-list"
+                                        name="uid"
+                                        value="{backendUserGroup.uid}"
+                                        type="submit"
                                         class="btn btn-default"
                                         title="{f:translate(key: 'btn.removeFromCompareList')}"
-                                        role="button"
                                     >
                                         <core:icon identifier="actions-minus" size="small"/>
                                         <f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:btn.compare" />
-                                    </f:link.action>
+                                    </f:form.button>
                                 </f:then>
                                 <f:else>
-                                    <f:link.action
-                                        action="addGroupToCompareList"
-                                        arguments="{uid: backendUserGroup.uid}"
+                                    <f:form.button
+                                        form="form-add-group-to-compare-list"
+                                        name="uid"
+                                        value="{backendUserGroup.uid}"
+                                        type="submit"
                                         class="btn btn-default"
                                         title="{f:translate(key: 'btn.addToCompareList')}"
-                                        role="button"
                                     >
                                         <core:icon identifier="actions-plus" size="small"/> <f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:btn.compare" />
-                                    </f:link.action>
+                                    </f:form.button>
                                 </f:else>
                             </f:if>
                         </div>
diff --git a/Resources/Private/Templates/BackendUser/Compare.html b/Resources/Private/Templates/BackendUser/Compare.html
@@ -55,14 +55,17 @@ <h1><f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:ba
                                     >
                                         <core:icon identifier="actions-open" />
                                     </backend:link.editRecord>
-                                    <f:link.action
-                                        action="removeFromCompareList"
-                                        arguments="{uid: compareData.user.uid, redirectToCompare: 1}"
+
+                                    <f:form.button
+                                        form="form-remove-from-compare-list"
+                                        name="uid"
+                                        value="{compareData.user.uid}"
+                                        type="submit"
                                         class="btn btn-default btn-sm"
                                         title="{f:translate(key:'LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:btn.removeFromCompareList')}"
                                     >
                                         <core:icon identifier="actions-minus" size="small" />
-                                    </f:link.action>
+                                    </f:form.button>
                                 </div>
                             </div>
                         </th>
@@ -287,6 +290,9 @@ <h1><f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:ba
         </table>
     </div>
 
+    <f:form action="removeFromCompareList" method="post" id="form-remove-from-compare-list" class="hidden">
+        <f:form.hidden name="redirectToCompare" value="1"/>
+    </f:form>
 </f:section>
 
 </html>
diff --git a/Resources/Private/Templates/BackendUser/List.html b/Resources/Private/Templates/BackendUser/List.html
@@ -65,15 +65,16 @@ <h2><f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:ba
                                 >
                                     <core:icon identifier="actions-open" />
                                 </backend:link.editRecord>
-                                <f:link.action
-                                    action="removeFromCompareList"
-                                    arguments="{uid: compareUser.uid}"
+                                <f:form.button
+                                    form="form-remove-from-compare-list"
+                                    name="uid"
+                                    value="{compareUser.uid}"
+                                    type="submit"
                                     class="btn btn-default"
                                     title="{f:translate(key: 'btn.removeFromCompareList')}"
-                                    role="button"
                                 >
                                     <core:icon identifier="actions-minus" />
-                                </f:link.action>
+                                </f:form.button>
                             </td>
                         </tr>
                     </f:for>
@@ -94,16 +95,20 @@ <h2><f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:ba
             <core:icon identifier="actions-code-compare" />
             <f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:backendUser.list.btn.compareList" />
         </f:link.action>
-        <f:link.action action="removeAllFromCompareList" class="btn btn-default">
+        <f:form.button type="submit" class="btn btn-default" form="form-remove-all-from-compare-list">
             <core:icon identifier="actions-selection-delete" />
             <f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:btn.clearCompareList" />
-        </f:link.action>
+        </f:form.button>
 
         <h2><f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:backendUser.list.section.allUsers" /></h2>
     </f:if>
     <f:render partial="BackendUser/Filter" arguments="{demand: demand, backendUserGroups: backendUserGroups}" />
     <f:render partial="BackendUser/PaginatedList" arguments="{_all}" />
 
+    <f:form action="initiatePasswordReset" method="post" id="form-initiate-password-reset" class="hidden"/>
+    <f:form action="removeFromCompareList" method="post" id="form-remove-from-compare-list" class="hidden"/>
+    <f:form action="addToCompareList" method="post" id="form-add-to-compare-list" class="hidden"/>
+    <f:form action="removeAllFromCompareList" method="post" id="form-remove-all-from-compare-list" class="hidden"/>
 </f:section>
 
 </html>
diff --git a/Resources/Private/Templates/BackendUser/Online.html b/Resources/Private/Templates/BackendUser/Online.html
@@ -67,17 +67,21 @@ <h1><f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:ba
                             <td class="col-control">
                                 <f:if condition="{currentSessionId} == {session.id}">
                                     <f:else>
-                                        <f:link.action
+                                        <f:form.button
+                                            name="sessionId"
+                                            value="{session.id}"
+                                            form="form-terminate-backend-user-session"
                                             class="btn btn-default t3js-modal-trigger"
-                                            action="terminateBackendUserSession"
-                                            controller="BackendUser"
-                                            arguments="{sessionId: session.id}"
-                                            data="{severity: 'warning', title: '{f:translate(key: \'backendUser.online.endSession\')}', bs-content: '{f:translate(key: \'backendUser.online.reallyLogout\')} {onlineUser.backendUser.userName}?', button-close-text: '{f:translate(key: \'LLL:EXT:core/Resources/Private/Language/locallang_common.xlf:cancel\')}'}"
-                                            role="button"
+                                            title="{f:translate(key: 'resetPassword.label')}"
+                                            type="submit"
+                                            data-severity="warning"
+                                            data-title="{f:translate(key: 'backendUser.online.endSession')}"
+                                            data-bs-content="{f:translate(key: 'backendUser.online.reallyLogout')} {onlineUser.backendUser.userName}?"
+                                            data-button-close-text="{f:translate(key: 'LLL:EXT:core/Resources/Private/Language/locallang_common.xlf:cancel')}"
                                         >
                                             <core:icon identifier="actions-close" />
                                             <f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:backendUser.online.endSession" />
-                                        </f:link.action>
+                                        </f:form.button>
                                     </f:else>
                                 </f:if>
                                 <a
@@ -108,6 +112,8 @@ <h1><f:translate key="LLL:EXT:beuser/Resources/Private/Language/locallang.xlf:ba
         </table>
     </div>
 
+    <f:form id="form-terminate-backend-user-session" action="terminateBackendUserSession" controller="BackendUser" method="post"class="hidden" />
+
 </f:section>
 
 </html>
diff --git a/Resources/Private/Templates/BackendUserGroup/Compare.html b/Resources/Private/Templates/BackendUserGroup/Compare.html
diff --git a/Resources/Private/Templates/BackendUserGroup/List.html b/Resources/Private/Templates/BackendUserGroup/List.html
