TYPO3 10.4.36 Frontend Login doesn't find any user

Question

After updating TYPO3 from 10.4.32 to 10.4.36, frontend login is not working anymore. We use a setup where the frontend users are stored on a separate storage folder. The pid of this folder is set as a hidden value in the login form.

When using TYPO3 logging of the authentication class, it writes: AuthenticationService: Login-attempt from username '*' not found!

Debugging the SQL query shows that it now ignores the pid value from the form and instead uses pid IN (0), which explains the user not found message.

Searching through the source code shows a single place where the checkPid_value is set. In version 10.4.32 it was a simple assignment.

# FrontendUserAuthenticator::process (v10.4.32)
        $pid = $request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? 0;
        if ($pid) {
            $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
        }

In version 10.4.36 a lot more is happening, and the checkPid_value is not set in my case.

# FrontendUserAuthenticator::process (v10.4.36)
        $pidValue = (string)($request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? '');
        $pidParts = GeneralUtility::trimExplode('@', $pidValue, true, 2);
        $pid = $pidParts[0] ?? '';
        $givenHash = $pidParts[1] ?? '';
        $expectedHash = GeneralUtility::hmac($pid, FrontendUserAuthentication::class);

        // List of page IDs where to look for frontend user records
        if ($pid && (!$this->shallEnforceLoginSigning() || hash_equals($expectedHash, $givenHash))) {
            $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
        }

The source code suggests that the pid form value should now be somehow signed. I didn't find a description of how to sign the pid value.

Answer 1

Score: 2

This change was added with 10.4.33 to fix a security issue. This is described at typo3.org.

If you set the pidlist manually, there are IMO 2 options:

  1. Disable the security feature:

Disable the check by disabling the feature security.frontend.enforceLoginSigning in the Install Tool. This should be avoided because then you are again affected by the security issue.

  2. Sign the pidlist:

Check out the code of TYPO3:

protected function getSignedStorageFolders(): string
{
    $pidList = $this->getStorageFolders();
    return sprintf(
        '%s@%s',
        $pidList,
        GeneralUtility::hmac($pidList, FrontendUserAuthentication::class)
    );
}

This could be used in your own setup as well.
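
The signing round trip discussed in the question and answer, as an added standalone PHP example (not TYPO3's code and not part of the original posts). `demoHmac()`, the demo key and `resolveCheckPid()` are hypothetical stand-ins for `GeneralUtility::hmac()`, the instance's encryption key and the v10.4.36 check quoted in the question; HMAC-SHA1 is assumed for the stand-in. It shows why an unsigned or altered pid leaves `checkPid_value` unset.

```php
<?php
declare(strict_types=1);

// Constructed demo key (assumption); a real instance uses its own encryption key.
const DEMO_ENCRYPTION_KEY = 'constructed-demo-key-not-a-real-secret';
// Value of FrontendUserAuthentication::class, used as the additional secret.
const ADDITIONAL_SECRET = 'TYPO3\\CMS\\Frontend\\Authentication\\FrontendUserAuthentication';

// Hypothetical stand-in for GeneralUtility::hmac(): keyed hash over the input.
function demoHmac(string $input, string $additionalSecret): string
{
    return hash_hmac('sha1', $input, DEMO_ENCRYPTION_KEY . $additionalSecret);
}

// What the login form has to submit in its hidden field: "<pidList>@<hmac>".
function signPidList(string $pidList): string
{
    return sprintf('%s@%s', $pidList, demoHmac($pidList, ADDITIONAL_SECRET));
}

// Mirrors the v10.4.36 check; returns the value that would be assigned to
// checkPid_value, or null when the assignment is skipped.
function resolveCheckPid(string $pidValue, bool $enforceSigning = true): ?string
{
    $parts = array_map('trim', explode('@', $pidValue, 2));
    $parts = array_values(array_filter($parts, fn(string $s): bool => $s !== ''));
    $pid = $parts[0] ?? '';
    $givenHash = $parts[1] ?? '';
    $expectedHash = demoHmac($pid, ADDITIONAL_SECRET);
    if ($pid && (!$enforceSigning || hash_equals($expectedHash, $givenHash))) {
        return implode(',', array_map('intval', explode(',', $pid)));
    }
    return null;
}

$signed = signPidList('12,34');            // constructed storage folder pids
$cases = [
    'signed value from template'     => $signed,
    'plain pid (unsigned form)'      => '12,34',
    'pid list changed after signing' => '99@' . explode('@', $signed)[1],
];
foreach ($cases as $label => $value) {
    printf("%-32s => %s\n", $label, var_export(resolveCheckPid($value), true));
}
// With the feature toggle off, the unsigned value is accepted again.
printf("%-32s => %s\n", 'plain pid, signing not enforced',
    var_export(resolveCheckPid('12,34', false), true));
```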

Posted by huangapple on March 15, 2023, 19:02:03