[SECURITY] Avoid ambiguous HMAC results

Cryptographic hashes being calculated from and for query parameters must only be used for a specific use-case or scope in order to avoid resulting hashes being ambiguous. Resolves: #91689 Releases: master, 10.4, 9.5 Change-Id: I59ca16fe71e27195b98a822607aab564425d248d Security-Bulletin: TYPO3-CORE-SA-2020-008 Security-References: CVE-2020-15098 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65125 Tested-by: Oliver Hader <[email protected]> Reviewed-by: Oliver Hader <[email protected]>
TYPO3 · Jul 28, 2020 · 85d3e70 · 85d3e70
1 parent 6069aa2
commit 85d3e70
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/typo3/sysext/backend/Classes/Controller/LinkBrowserController.php b/typo3/sysext/backend/Classes/Controller/LinkBrowserController.php
@@ -119,7 +119,7 @@ protected function areFieldChangeFunctionsValid($handleFlexformSections = false)
                 }
                 unset($value);
             }
-            $result = hash_equals(GeneralUtility::hmac(serialize($fieldChangeFunctions)), $this->parameters['fieldChangeFuncHash']);
+            $result = hash_equals(GeneralUtility::hmac(serialize($fieldChangeFunctions), 'backend-link-browser'), $this->parameters['fieldChangeFuncHash']);
         }
         return $result;
     }
@@ -135,7 +135,7 @@ protected function getBodyTagAttributes()
         $parameters = parent::getBodyTagAttributes();
 
         $formEngineParameters['fieldChangeFunc'] = $this->parameters['fieldChangeFunc'];
-        $formEngineParameters['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($this->parameters['fieldChangeFunc']));
+        $formEngineParameters['fieldChangeFuncHash'] = GeneralUtility::hmac(serialize($this->parameters['fieldChangeFunc']), 'backend-link-browser');
 
         $parameters['data-add-on-params'] .= HttpUtility::buildQueryString(['P' => $formEngineParameters], '&');
 

diff --git a/typo3/sysext/backend/Classes/Form/FieldControl/EditPopup.php b/typo3/sysext/backend/Classes/Form/FieldControl/EditPopup.php
@@ -78,7 +78,7 @@ public function render()
                 'flexFormDataStructurePath' => $flexFormDataStructurePath,
                 'hmac' => GeneralUtility::hmac('editform' . $itemName, 'wizard_js'),
                 'fieldChangeFunc' => $parameterArray['fieldChangeFunc'],
-                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc'])),
+                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc']), 'backend-link-browser'),
             ],
         ];
         $uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);

diff --git a/typo3/sysext/backend/Classes/Form/FieldControl/LinkPopup.php b/typo3/sysext/backend/Classes/Form/FieldControl/LinkPopup.php
@@ -63,7 +63,7 @@ public function render(): array
                 'itemName' => $itemName,
                 'hmac' => GeneralUtility::hmac('editform' . $itemName, 'wizard_js'),
                 'fieldChangeFunc' => $parameterArray['fieldChangeFunc'],
-                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc'])),
+                'fieldChangeFuncHash' => GeneralUtility::hmac(serialize($parameterArray['fieldChangeFunc']), 'backend-link-browser'),
             ],
         ];
         /** @var \TYPO3\CMS\Backend\Routing\UriBuilder $uriBuilder */