From 91015da289111b86b8dbcb2553d5a722b944231e Mon Sep 17 00:00:00 2001
From: Marcus Schwemer
Date: Wed, 11 Sep 2024 12:00:42 +0200
Subject: [PATCH] [SECURITY] Fix IDOR vulnaribility in createAction

Please see TYPO3 Security Announcement for details.
---
 Classes/Controller/FormController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Classes/Controller/FormController.php b/Classes/Controller/FormController.php
index cbb9d6894..e0308b6de 100644
--- a/Classes/Controller/FormController.php
+++ b/Classes/Controller/FormController.php
@@ -197,6 +197,9 @@ public function initializeCreateAction(): void
 */
 public function createAction(Mail $mail, string $hash = ''): ResponseInterface
 {
+ if ($mail->getUid() !== null && !HashUtility::isHashValid($hash, $mail)) {
+ return (new ForwardResponse('form'))->withoutArguments();
+ }
 $isSavingOfMailAllowed = false;
 $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $hash, $this]);
 /** @noinspection PhpUnhandledExceptionInspection */
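Review bot: The new guard at the top of createAction runs only after Extbase property mapping has already resolved the attacker-supplied uid into a persisted Mail object (the mapping is set up in initializeCreateAction, whose body lies outside this hunk), so the entity may already sit dirty in the persistence session when the ForwardResponse is returned; if the framework's end-of-request persistAll() flushes dirty objects, the early return alone would not stop the unauthorized update — worth confirming, and if so the hash should be checked against the raw request argument in initializeCreateAction before the Mail is mapped, or the mapped object explicitly reset. The rejected case is silent: the user is forwarded to `form` with no log entry, so consider `$this->logger->warning('Rejected createAction for mail uid {uid}: invalid hash', ['uid' => $mail->getUid()]);` (or whatever logger the controller has) so tampering attempts are visible in SecOps tooling. Whether `HashUtility::isHashValid()` compares with `hash_equals()` and rejects an empty `$hash` cannot be seen here; both should be verified since `$hash` defaults to `''`. A one-line why-comment above the check, `// Reject attempts to overwrite an existing mail (IDOR): an existing uid must be accompanied by a valid hash`, would make the intent clear to the next maintainer.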