[SECURITY] Enforce HTTP method assertions for backend modules

Resolves: #104456
Releases: main, 13.4, 12.4
Change-Id: Ic679584a343b6d35e81325a03148b0cff81f1d27
Security-Bulletin: TYPO3-CORE-SA-2025-003
Security-Bulletin: TYPO3-CORE-SA-2025-004
Security-Bulletin: TYPO3-CORE-SA-2025-005
Security-Bulletin: TYPO3-CORE-SA-2025-006
Security-Bulletin: TYPO3-CORE-SA-2025-007
Security-Bulletin: TYPO3-CORE-SA-2025-008
Security-References: CVE-2024-55893
Security-References: CVE-2024-55894
Security-References: CVE-2024-55920
Security-References: CVE-2024-55921
Security-References: CVE-2024-55922
Security-References: CVE-2024-55923
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/87744
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

Classes/Controller/DashboardController.php

@@ -20,9 +20,12 @@
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use TYPO3\CMS\Backend\Attribute\AsController;
+use TYPO3\CMS\Backend\Domain\Model\Element\ImmediateActionElement;
 use TYPO3\CMS\Backend\Routing\UriBuilder;
 use TYPO3\CMS\Backend\Template\ModuleTemplateFactory;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+use TYPO3\CMS\Core\Http\AllowedMethodsTrait;
+use TYPO3\CMS\Core\Http\HtmlResponse;
 use TYPO3\CMS\Core\Http\RedirectResponse;
 use TYPO3\CMS\Core\Localization\LanguageService;
 use TYPO3\CMS\Core\Page\PageRenderer;
@@ -40,6 +43,8 @@
 #[AsController]
 class DashboardController
 {
+    use AllowedMethodsTrait;
+
     protected Dashboard $currentDashboard;
 
     public function __construct(
@@ -90,6 +95,7 @@ protected function mainAction(ServerRequestInterface $request): ResponseInterfac
 
     protected function configureDashboardAction(ServerRequestInterface $request): ResponseInterface
     {
+        $this->assertAllowedHttpMethod($request, 'POST');
         $parameters = $request->getParsedBody();
         $currentDashboard = $parameters['currentDashboard'] ?? '';
         $route = $this->uriBuilder->buildUriFromRoute('dashboard', ['action' => 'main'], UriBuilder::ABSOLUTE_URL);
@@ -101,13 +107,15 @@ protected function configureDashboardAction(ServerRequestInterface $request): Re
 
     protected function setActiveDashboardAction(ServerRequestInterface $request): ResponseInterface
     {
-        $this->saveCurrentDashboard((string)($request->getQueryParams()['currentDashboard'] ?? ''));
+        $this->assertAllowedHttpMethod($request, 'POST');
+        $this->saveCurrentDashboard((string)($request->getParsedBody()['currentDashboard'] ?? ''));
         $route = $this->uriBuilder->buildUriFromRoute('dashboard', ['action' => 'main']);
         return new RedirectResponse($route);
     }
 
     protected function addDashboardAction(ServerRequestInterface $request): ResponseInterface
     {
+        $this->assertAllowedHttpMethod($request, 'POST');
         $parameters = $request->getParsedBody();
         $dashboardIdentifier = (string)($parameters['dashboard'] ?? '');
         $dashboardPreset = $this->dashboardPresetRepository->getDashboardPresets()[$dashboardIdentifier] ?? null;
@@ -124,14 +132,16 @@ protected function addDashboardAction(ServerRequestInterface $request): Response
         return new RedirectResponse($this->uriBuilder->buildUriFromRoute('dashboard', ['action' => 'main']));
     }
 
-    protected function deleteDashboardAction(): ResponseInterface
+    protected function deleteDashboardAction(ServerRequestInterface $request): ResponseInterface
     {
+        $this->assertAllowedHttpMethod($request, 'POST');
         $this->dashboardRepository->delete($this->currentDashboard);
         return new RedirectResponse($this->uriBuilder->buildUriFromRoute('dashboard', ['action' => 'main']));
     }
 
     protected function addWidgetAction(ServerRequestInterface $request): ResponseInterface
     {
+        $this->assertAllowedHttpMethod($request, 'POST');
         $widgetKey = (string)($request->getQueryParams()['widget'] ?? '');
         if ($widgetKey === '') {
             throw new RequiredArgumentMissingException('Argument "widget" not set.', 1624436360);
@@ -140,13 +150,13 @@ protected function addWidgetAction(ServerRequestInterface $request): ResponseInt
         $hash = sha1($widgetKey . '-' . time());
         $widgets[$hash] = ['identifier' => $widgetKey];
         $this->dashboardRepository->updateWidgetConfig($this->currentDashboard, $widgets);
-        $route = $this->uriBuilder->buildUriFromRoute('dashboard', ['action' => 'main']);
-        return new RedirectResponse($route);
+        return new HtmlResponse((string)ImmediateActionElement::dispatchCustomEvent('typo3.dashboard.addWidgetDone'));
     }
 
     protected function removeWidgetAction(ServerRequestInterface $request): ResponseInterface
     {
-        $parameters = $request->getQueryParams();
+        $this->assertAllowedHttpMethod($request, 'POST');
+        $parameters = $request->getParsedBody();
         $widgetHash = $parameters['widgetHash'] ?? '';
         $widgets = $this->currentDashboard->getWidgetConfig();
         if ($widgetHash !== '' && array_key_exists($widgetHash, $widgets)) {

Classes/WidgetGroupInitializationService.php

@@ -51,7 +51,9 @@ public function buildWidgetGroupsConfiguration(): array
                     'label' => $this->getLanguageService()->sL($widgetConfiguration->getTitle()),
                     'description' => $this->getLanguageService()->sL($widgetConfiguration->getDescription()),
                     'url' => (string)$this->uriBuilder->buildUriFromRoute('dashboard', ['action' => 'addWidget', 'widget' => $widgetIdentifier]),
-                    'requestType' => 'location',
+                    'requestType' => 'ajax',
+                    'defaultValues' => [],
+                    'saveAndClose' => true,
                 ];
             }
 

Resources/Private/Layouts/Module.html

@@ -20,13 +20,13 @@ <h1 class="visually-hidden">
                     <ul class="dashboard-tabs-menu" role="menubar">
                         <f:for each="{availableDashboards}" as="dashboard" key="dashboardKey">
                             <li class="dashboard-tabs-menuitem" role="menuitem">
-                                <f:be.link
-                                    route="dashboard"
-                                    parameters="{action: 'setActiveDashboard', currentDashboard: dashboardKey}"
-                                    class="dashboard-tab {f:if(condition: '{dashboardKey} == {currentDashboard.identifier}', then: 'dashboard-tab--active')}"
-                                >
+                                <button
+                                    name="currentDashboard"
+                                    value="{dashboardKey}"
+                                    form="form-set-active-dashboard"
+                                    class="dashboard-tab {f:if(condition: '{dashboardKey} == {currentDashboard.identifier}', then: 'dashboard-tab--active')}">
                                     {dashboard.title}
-                                </f:be.link>
+                                </button>
                             </li>
                         </f:for>
                     </ul>
@@ -42,6 +42,7 @@ <h1 class="visually-hidden">
                     >
                         <core:icon identifier="actions-plus" alternativeMarkupIdentifier="inline" /><span class="visually-hidden"><f:translate key="dashboard.add" extensionName="dashboard"/></span>
                     </a>
+                    <form id="form-set-active-dashboard" class="hidden" action="{f:be.uri(route: 'dashboard', parameters: '{action: \'setActiveDashboard\'}')}" method="post"></form>
                 </div>
 
                 <div class="dashboard-configuration btn-toolbar" role="toolbar">
@@ -57,18 +58,19 @@ <h1 class="visually-hidden">
                     >
                         <core:icon identifier="actions-cog" alternativeMarkupIdentifier="inline" /><span class="visually-hidden"><f:translate key="dashboard.configure" extensionName="dashboard"/></span>
                     </a>
-                    <a
-                        href="{deleteDashboardUri}"
-                        class="js-dashboard-delete btn btn-default btn-sm"
-                        title="{f:translate(key: 'dashboard.delete', extensionName: 'dashboard')}"
-                        data-modal-title="{f:translate(key: 'dashboard.delete', extensionName: 'dashboard')}"
-                        data-modal-question="{f:translate(key: 'dashboard.delete.sure', extensionName: 'dashboard')}"
-                        data-modal-ok="{f:translate(key: 'dashboard.delete.ok', extensionName: 'dashboard')}"
-                        data-modal-cancel="{f:translate(key: 'dashboard.delete.cancel', extensionName: 'dashboard')}"
-                        role="button"
-                    >
-                        <core:icon identifier="actions-delete" alternativeMarkupIdentifier="inline" /><span class="visually-hidden"><f:translate key="dashboard.delete" extensionName="dashboard"/></span>
-                    </a>
+                    <form action="{deleteDashboardUri}" method="post" class="form-inline">
+                        <button
+                            class="js-dashboard-delete btn btn-default btn-sm"
+                            title="{f:translate(key: 'dashboard.delete', extensionName: 'dashboard')}"
+                            data-modal-title="{f:translate(key: 'dashboard.delete', extensionName: 'dashboard')}"
+                            data-modal-question="{f:translate(key: 'dashboard.delete.sure', extensionName: 'dashboard')}"
+                            data-modal-ok="{f:translate(key: 'dashboard.delete.ok', extensionName: 'dashboard')}"
+                            data-modal-cancel="{f:translate(key: 'dashboard.delete.cancel', extensionName: 'dashboard')}"
+                            role="button"
+                        >
+                            <core:icon identifier="actions-delete" alternativeMarkupIdentifier="inline" /><span class="visually-hidden"><f:translate key="dashboard.delete" extensionName="dashboard"/></span>
+                        </button>
+                    </form>
                 </div>
             </div>
         </div>

Resources/Private/Templates/Dashboard/Main.html

@@ -41,18 +41,18 @@
                                             <core:icon identifier="actions-refresh" alternativeMarkupIdentifier="inline"/>
                                         </typo3-dashboard-widget-refresh>
                                     </f:if>
-                                    <f:be.link
-                                        class="widget-action widget-action-remove js-dashboard-remove-widget"
-                                        route="dashboard" parameters="{action: 'removeWidget', widgetHash: widgetHash}"
-                                        data="{
-                                            modal-title: '{f:translate(key: \'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.confirm.title\')}',
-                                            modal-question: '{f:translate(key: \'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.confirm.message\')}',
-                                            modal-ok: '{f:translate(key: \'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.button.ok\')}',
-                                            modal-cancel: '{f:translate(key: \'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.button.close\')}'
-                                        }"
-                                    >
-                                        <core:icon identifier="actions-delete" alternativeMarkupIdentifier="inline"/>
-                                    </f:be.link>
+                                    <form action="{f:be.uri(route: 'dashboard', parameters: '{action: \'removeWidget\'}')}" method="post" class="form-inline">
+                                        <input type="hidden" name="widgetHash" value="{widgetHash}">
+                                        <button
+                                            class="widget-action widget-action-remove js-dashboard-remove-widget"
+                                            data-modal-title="{f:translate(key: 'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.confirm.title')}"
+                                            data-modal-question="{f:translate(key: 'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.confirm.message')}"
+                                            data-modal-ok="{f:translate(key: 'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.button.ok')}"
+                                            data-modal-cancel="{f:translate(key: 'LLL:EXT:dashboard/Resources/Private/Language/locallang.xlf:widget.remove.button.close')}"
+                                        >
+                                            <core:icon identifier="actions-delete" alternativeMarkupIdentifier="inline"/>
+                                        </button>
+                                    </form>
                                 </div>
                             </div>
                         </div>

Resources/Public/Css/dashboard.css

@@ -10,4 +10,4 @@
  *
  * The TYPO3 project - inspiring people to share!
  */
-import Modal from"@typo3/backend/modal.js";import{SeverityEnum}from"@typo3/backend/enum/severity.js";import RegularEvent from"@typo3/core/event/regular-event.js";class DashboardDelete{constructor(){this.selector=".js-dashboard-delete",this.initialize()}initialize(){new RegularEvent("click",(function(e){e.preventDefault();Modal.confirm(this.dataset.modalTitle,this.dataset.modalQuestion,SeverityEnum.warning,[{text:this.dataset.modalCancel,active:!0,btnClass:"btn-default",name:"cancel"},{text:this.dataset.modalOk,btnClass:"btn-warning",name:"delete"}]).addEventListener("button.clicked",(e=>{"delete"===e.target.getAttribute("name")&&(window.location.href=this.getAttribute("href")),Modal.dismiss()}))})).delegateTo(document,this.selector)}}export default new DashboardDelete;
+import Modal from"@typo3/backend/modal.js";import{SeverityEnum}from"@typo3/backend/enum/severity.js";import RegularEvent from"@typo3/core/event/regular-event.js";class DashboardDelete{constructor(){this.selector=".js-dashboard-delete",this.initialize()}initialize(){new RegularEvent("click",(function(e){e.preventDefault();const t=this.form;Modal.confirm(this.dataset.modalTitle,this.dataset.modalQuestion,SeverityEnum.warning,[{text:this.dataset.modalCancel,active:!0,btnClass:"btn-default",name:"cancel"},{text:this.dataset.modalOk,btnClass:"btn-warning",name:"delete"}]).addEventListener("button.clicked",(e=>{"delete"===e.target.getAttribute("name")&&t.requestSubmit(),Modal.dismiss()}))})).delegateTo(document,this.selector)}}export default new DashboardDelete;

Resources/Public/JavaScript/dashboard-delete.js

@@ -10,4 +10,4 @@
  *
  * The TYPO3 project - inspiring people to share!
  */
-import Modal from"@typo3/backend/modal.js";import{SeverityEnum}from"@typo3/backend/enum/severity.js";import RegularEvent from"@typo3/core/event/regular-event.js";class WidgetRemover{constructor(){this.selector=".js-dashboard-remove-widget",this.initialize()}initialize(){new RegularEvent("click",(function(e){e.preventDefault();const t=Modal.confirm(this.dataset.modalTitle,this.dataset.modalQuestion,SeverityEnum.warning,[{text:this.dataset.modalCancel,active:!0,btnClass:"btn-default",name:"cancel"},{text:this.dataset.modalOk,btnClass:"btn-warning",name:"delete"}]);t.addEventListener("button.clicked",(e=>{"delete"===e.target.getAttribute("name")&&(window.location.href=this.getAttribute("href")),t.hideModal()}))})).delegateTo(document,this.selector)}}export default new WidgetRemover;
+import Modal from"@typo3/backend/modal.js";import{SeverityEnum}from"@typo3/backend/enum/severity.js";import RegularEvent from"@typo3/core/event/regular-event.js";class WidgetRemover{constructor(){this.selector=".js-dashboard-remove-widget",this.initialize()}initialize(){new RegularEvent("click",(function(e){e.preventDefault();const t=this.form,a=Modal.confirm(this.dataset.modalTitle,this.dataset.modalQuestion,SeverityEnum.warning,[{text:this.dataset.modalCancel,active:!0,btnClass:"btn-default",name:"cancel"},{text:this.dataset.modalOk,btnClass:"btn-warning",name:"delete"}]);a.addEventListener("button.clicked",(e=>{"delete"===e.target.getAttribute("name")&&t.requestSubmit(),a.hideModal()}))})).delegateTo(document,this.selector)}}export default new WidgetRemover;