TYPO3 10.4.36 Frontend Login doesn't find any user
Question
After updating TYPO3 from 10.4.32 to 10.4.36, frontend login is not working anymore. We use a setup where the frontend users are stored on a separate storage folder. The pid of this folder is set as a hidden value in the login form.
When using TYPO3 logging of the authentication class, it writes an AuthenticationService: Login-attempt from username '*' not found!
Debugging the SQL query shows that it now ignores the pid value from the form and instead uses a pid IN (0), which explains the user not found message.
Searching through the source code shows a single place where the checkPid_value is set. In version 10.4.32 it was a simple assignment.
# FrontendUserAuthenticator::process (v10.4.32)
$pid = $request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? 0;
if ($pid) {
    $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
}
In version 10.4.36 a lot more is happening, and the checkPid_value is not set in my case.
# FrontendUserAuthenticator::process (v10.4.36)
$pidValue = (string)($request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? '');
$pidParts = GeneralUtility::trimExplode('@', $pidValue, true, 2);
$pid = $pidParts[0] ?? '';
$givenHash = $pidParts[1] ?? '';
$expectedHash = GeneralUtility::hmac($pid, FrontendUserAuthentication::class);
// List of page IDs where to look for frontend user records
if ($pid && (!$this->shallEnforceLoginSigning() || hash_equals($expectedHash, $givenHash))) {
    $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
}
The source code suggests that the pid form value should now be somehow signed. I didn't find a description of how to sign the pid value.
Answer 1
Score: 2
This change has been added with 10.4.33 to fix a security issue. This is described at typo3.org.
If you set the pidlist manually, there are IMO 2 options:
- Disable the security feature:
Disable the check by disabling the feature security.frontend.enforceLoginSigning in the Install Tool. This should be avoided because then you are again affected by the security issue.
- Sign the pidlist:
Check out the code of TYPO3:
protected function getSignedStorageFolders(): string
{
    $pidList = $this->getStorageFolders();
    return sprintf(
        '%s@%s',
        $pidList,
        GeneralUtility::hmac($pidList, FrontendUserAuthentication::class)
    );
}
This could be used in your own setup as well.
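As an added example (not code from the question, the answer, or TYPO3 core), the script below shows both halves of the signing scheme the answer points to: building the "pidlist@hmac" value that a custom login form has to put into its hidden pid field, and the verification that FrontendUserAuthenticator::process runs on it, including the cases where an unsigned or altered pid list is rejected and checkPid_value stays unset. The typo3Hmac() helper reimplements what GeneralUtility::hmac() does in TYPO3 10 (HMAC-SHA1 keyed with the installation's encryptionKey followed by the additional secret, here the FrontendUserAuthentication class name) so the script runs without a TYPO3 installation; the encryption key, the page ids 42 and 43 and the function names signStorageFolders/resolveStorageFolders are constructed for the example. Inside a TYPO3 extension you would call GeneralUtility::hmac() and FrontendUserAuthentication::class directly instead of the helper and the constant.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. Mirrors the signed-pid scheme used by
// FrontendUserAuthenticator::process in TYPO3 10.4.33+ so it can run stand-alone.

// Fully qualified class name that TYPO3 passes as the HMAC "additional secret".
const FE_USER_AUTH_CLASS = 'TYPO3\\CMS\\Frontend\\Authentication\\FrontendUserAuthentication';

// Constructed placeholder; in TYPO3 this is
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].
$encryptionKey = 'replace-with-your-installation-encryption-key';

// Stand-in for GeneralUtility::hmac(): HMAC-SHA1 keyed with encryptionKey . additionalSecret.
function typo3Hmac(string $input, string $additionalSecret, string $encryptionKey): string
{
    return hash_hmac('sha1', $input, $encryptionKey . $additionalSecret);
}

// Builds the value for the hidden "pid" form field: "<pid list>@<hmac>".
// This is what the core's getSignedStorageFolders() produces.
function signStorageFolders(string $pidList, string $encryptionKey): string
{
    return sprintf('%s@%s', $pidList, typo3Hmac($pidList, FE_USER_AUTH_CLASS, $encryptionKey));
}

// Mirror of the check in FrontendUserAuthenticator::process (10.4.36).
// Returns the comma-separated pid list to search for fe_users, or '' when the
// signature is missing or wrong, which is exactly the case where checkPid_value
// is never set and the query falls back to pid IN (0).
function resolveStorageFolders(string $pidValue, string $encryptionKey, bool $enforceSigning = true): string
{
    $parts = explode('@', $pidValue, 2);            // trimExplode('@', ..., true, 2)
    $pid = trim($parts[0] ?? '');
    $givenHash = trim($parts[1] ?? '');
    if ($pid === '') {
        return '';
    }
    $expectedHash = typo3Hmac($pid, FE_USER_AUTH_CLASS, $encryptionKey);
    // $enforceSigning corresponds to the security.frontend.enforceLoginSigning feature.
    if (!$enforceSigning || hash_equals($expectedHash, $givenHash)) {
        // intExplode equivalent: only integer page ids reach the SQL query.
        return implode(',', array_map('intval', explode(',', $pid)));
    }
    return '';
}

// Constructed sample: fe_users records live in storage folders 42 and 43.
$signed = signStorageFolders('42,43', $encryptionKey);
echo "hidden pid field value: $signed\n";

// Correctly signed value: the storage folders are used.
var_dump(resolveStorageFolders($signed, $encryptionKey) === '42,43');
// Plain "42,43" as the old form sent it: rejected while signing is enforced ...
var_dump(resolveStorageFolders('42,43', $encryptionKey) === '');
// ... and only accepted when security.frontend.enforceLoginSigning is switched off.
var_dump(resolveStorageFolders('42,43', $encryptionKey, false) === '42,43');
// Pid list changed after signing: the HMAC no longer matches, so it is rejected.
$hash = explode('@', $signed, 2)[1];
var_dump(resolveStorageFolders('1@' . $hash, $encryptionKey) === '');
```

The last two checks are the point of the change: with signing enforced, the server only accepts a storage-folder list that it produced itself, so the client cannot choose which pages are searched for user records. Generate the signed value server-side (in the controller or a ViewHelper that renders the login form) and emit it into the hidden pid field; do not compute it in the template by hand, because the encryption key must not leave the server.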