From cfda3f1edeea3c50034bce5c25393e297408c2b4 Mon Sep 17 00:00:00 2001
From: Oliver Hader
Date: Tue, 14 Jan 2025 10:47:38 +0100
Subject: [PATCH] [SECURITY] Enforce HTTP method assertions for backend modules

Resolves: #104456
Releases: main, 13.4, 12.4
Change-Id: Ic679584a343b6d35e81325a03148b0cff81f1d27
Security-Bulletin: TYPO3-CORE-SA-2025-003
Security-Bulletin: TYPO3-CORE-SA-2025-004
Security-Bulletin: TYPO3-CORE-SA-2025-005
Security-Bulletin: TYPO3-CORE-SA-2025-006
Security-Bulletin: TYPO3-CORE-SA-2025-007
Security-Bulletin: TYPO3-CORE-SA-2025-008
Security-References: CVE-2024-55893
Security-References: CVE-2024-55894
Security-References: CVE-2024-55920
Security-References: CVE-2024-55921
Security-References: CVE-2024-55922
Security-References: CVE-2024-55923
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/87744
Tested-by: Oliver Hader
Reviewed-by: Oliver Hader
---
 .../Controller/AdministrationController.php | 13 +++++++
 .../Templates/Administration/Statistic.html | 37 ++++++++++++-------
 2 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/Classes/Controller/AdministrationController.php b/Classes/Controller/AdministrationController.php
index 373ce714..55f0f1f3 100644
--- a/Classes/Controller/AdministrationController.php
+++ b/Classes/Controller/AdministrationController.php
@@ -26,6 +26,7 @@
 use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
 use TYPO3\CMS\Core\Database\Connection;
 use TYPO3\CMS\Core\Database\ConnectionPool;
+use TYPO3\CMS\Core\Http\AllowedMethodsTrait;
 use TYPO3\CMS\Core\Imaging\IconFactory;
 use TYPO3\CMS\Core\Imaging\IconSize;
 use TYPO3\CMS\Core\Localization\LanguageService;
@@ -44,6 +45,8 @@
 */
 class AdministrationController extends ActionController
 {
+ use AllowedMethodsTrait;
+
 protected int $pageUid = 0;
 protected array $indexerConfig = [];
 
@@ -300,6 +303,11 @@ protected function statisticDetailsAction(string $pageHash): ResponseInterface
 return $view->renderResponse('Administration/StatisticDetails');
 }
+ protected function initializeSaveStopwordsAction(): void
+ {
+ $this->assertAllowedHttpMethod($this->request, 'POST');
+ }
+
 /**
 * Save stop words
 */
@@ -391,6 +399,11 @@ protected function statisticAction(int $depth = 1, string $mode = 'overview'): R
 return $view->renderResponse('Administration/Statistic');
 }
+ protected function initializeDeleteIndexedItemAction(): void
+ {
+ $this->assertAllowedHttpMethod($this->request, 'POST');
+ }
+
 /**
 * Remove item from index
 */
diff --git a/Resources/Private/Templates/Administration/Statistic.html b/Resources/Private/Templates/Administration/Statistic.html
index e7fca4b6..31900213 100644
--- a/Resources/Private/Templates/Administration/Statistic.html
+++ b/Resources/Private/Templates/Administration/Statistic.html
@@ -128,7 +128,7 @@
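Review bot: Both new initializers (this hunk and the one at `@@ -391,6 +399,11 @@`) depend on Extbase calling `initialize<Action>Action` purely by naming convention, so a later rename of `saveStopwordsAction` or `deleteIndexedItemAction` would silently drop the POST assertion with no static signal; a docblock on each should make that coupling explicit, e.g. `/** Rejects non-POST requests before saveStopwordsAction runs; the initialize<Action>Action name must stay in sync or Extbase will not invoke it. */`. The guard covers only these two actions, so any other state-changing action in this controller that the diff does not show would need the same treatment. Restricting the method is also only effective once every caller submits a form instead of following a GET link; the Statistic.html hunk presumably does that, but its content is not legible here. The guarded action methods themselves start after this hunk, outside the visible lines.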

- + + @@ -181,14 +186,20 @@

- - - - + + + + + + +