[SECURITY] Enforce HTTP method assertions for backend modules

Resolves: #104456 Releases: main, 13.4, 12.4 Change-Id: Ic679584a343b6d35e81325a03148b0cff81f1d27 Security-Bulletin: TYPO3-CORE-SA-2025-003 Security-Bulletin: TYPO3-CORE-SA-2025-004 Security-Bulletin: TYPO3-CORE-SA-2025-005 Security-Bulletin: TYPO3-CORE-SA-2025-006 Security-Bulletin: TYPO3-CORE-SA-2025-007 Security-Bulletin: TYPO3-CORE-SA-2025-008 Security-References: CVE-2024-55893 Security-References: CVE-2024-55894 Security-References: CVE-2024-55920 Security-References: CVE-2024-55921 Security-References: CVE-2024-55922 Security-References: CVE-2024-55923 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/87744 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3-CMS · Jan 14, 2025 · cfda3f1 · cfda3f1
1 parent 01604cd
commit cfda3f1
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 13 deletions.
diff --git a/Classes/Controller/AdministrationController.php b/Classes/Controller/AdministrationController.php
@@ -26,6 +26,7 @@
 use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
 use TYPO3\CMS\Core\Database\Connection;
 use TYPO3\CMS\Core\Database\ConnectionPool;
+use TYPO3\CMS\Core\Http\AllowedMethodsTrait;
 use TYPO3\CMS\Core\Imaging\IconFactory;
 use TYPO3\CMS\Core\Imaging\IconSize;
 use TYPO3\CMS\Core\Localization\LanguageService;
@@ -44,6 +45,8 @@
  */
 class AdministrationController extends ActionController
 {
+    use AllowedMethodsTrait;
+
     protected int $pageUid = 0;
     protected array $indexerConfig = [];
 
@@ -300,6 +303,11 @@ protected function statisticDetailsAction(string $pageHash): ResponseInterface
         return $view->renderResponse('Administration/StatisticDetails');
     }
 
+    protected function initializeSaveStopwordsAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Save stop words
      */
@@ -391,6 +399,11 @@ protected function statisticAction(int $depth = 1, string $mode = 'overview'): R
         return $view->renderResponse('Administration/Statistic');
     }
 
+    protected function initializeDeleteIndexedItemAction(): void
+    {
+        $this->assertAllowedHttpMethod($this->request, 'POST');
+    }
+
     /**
      * Remove item from index
      */

diff --git a/Resources/Private/Templates/Administration/Statistic.html b/Resources/Private/Templates/Administration/Statistic.html
@@ -128,7 +128,7 @@ <h1><f:translate key="administration.statistic.headline" /></h1>
                                                 </f:defaultCase>
                                             </f:switch>
                                             <td class="col-control">
-                                                <div class="btn-group btn-group-sm">
+                                                <f:form action="deleteIndexedItem" class="btn-group btn-group-sm">
                                                     <f:link.action
                                                         action="statisticDetails"
                                                         arguments="{pageHash:l.phash}"
@@ -137,14 +137,19 @@ <h1><f:translate key="administration.statistic.headline" /></h1>
                                                     >
                                                         <core:icon identifier="actions-options" />
                                                     </f:link.action>
-                                                    <a
-                                                        href="{f:uri.action(action:'deleteIndexedItem',arguments:'{itemId:l.phash,depth:depth,mode:mode}')}"
+
+                                                    <f:form.hidden name="itemId" value="{l.phash}" />
+                                                    <f:form.hidden name="depth" value="{depth}" />
+                                                    <f:form.hidden name="mode" value="{mode}" />
+
+                                                    <button
+                                                        type="submit"
                                                         title="{f:translate(key:'administration.removeEntry')}"
                                                         class="btn btn-default"
                                                     >
                                                         <core:icon identifier="actions-edit-delete" />
-                                                    </a>
-                                                </div>
+                                                    </button>
+                                                </f:form>
                                             </td>
                                         </tr>
                                     </f:for>
@@ -181,14 +186,20 @@ <h1><f:translate key="administration.statistic.headline" /></h1>
                     </tbody>
                 </table>
             </div>
-            <a
-                href="{f:uri.action(action:'deleteIndexedItem', arguments:'{itemId:\'ALL\', depth:depth, mode:mode}')}"
-                title="{f:translate(key:'administration.removeAllEntries')}"
-                class="btn btn-default"
-            >
-                <core:icon identifier="actions-edit-delete" />
-                <f:translate key="LLL:EXT:indexed_search/Resources/Private/Language/locallang.xlf:administration.removeAllEntries" />
-            </a>
+            <f:form action="deleteIndexedItem">
+                <f:form.hidden name="itemId" value="ALL" />
+                <f:form.hidden name="depth" value="{depth}" />
+                <f:form.hidden name="mode" value="{mode}" />
+
+                <button
+                    type="submit"
+                    title="{f:translate(key:'administration.removeAllEntries')}"
+                    class="btn btn-default"
+                >
+                    <core:icon identifier="actions-edit-delete" />
+                    <f:translate key="LLL:EXT:indexed_search/Resources/Private/Language/locallang.xlf:administration.removeAllEntries" />
+                </button>
+            </f:form>
         </f:then>
         <f:else>
             <f:be.infobox