typo3, typo3-10.x

TYPO3 10.4.36 Frontend Login doesn't find any user


After updating TYPO3 from 10.4.32 to 10.4.36, frontend login is not working anymore. We use a setup where the frontend users are stored in a separate storage folder. The pid of this folder is set as a hidden value in the login form.

When using TYPO3 logging of the authentication class, it writes "AuthenticationService: Login-attempt from username '*' not found!".

Debugging the SQL query shows that it now ignores the pid value from the form and instead uses "pid IN (0)", which explains the "user not found" message.

Searching through the source code shows a single place where the checkPid_value is set. In version 10.4.32 it was a simple assignment.

# FrontendUserAuthenticator::process (v10.4.32)
        $pid = $request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? 0;
        if ($pid) {
            $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
        }

In version 10.4.36 a lot more is happening, and the checkPid_value is not set in my case.

# FrontendUserAuthenticator::process (v10.4.36)
        $pidValue = (string)($request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? '');
        $pidParts = GeneralUtility::trimExplode('@', $pidValue, true, 2);
        $pid = $pidParts[0] ?? '';
        $givenHash = $pidParts[1] ?? '';
        $expectedHash = GeneralUtility::hmac($pid, FrontendUserAuthentication::class);

        // List of page IDs where to look for frontend user records
        if ($pid && (!$this->shallEnforceLoginSigning() || hash_equals($expectedHash, $givenHash))) {
            $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', $pid));
        }

The source code suggests that the pid form value should now be somehow signed. I didn't find a description of how to sign the pid value.


Solution

  • This change was added in 10.4.33 to fix a security issue; this is described at typo3.org.

    If you set the pidlist manually, there are IMO 2 options:

    1. Disable the security feature:

    Disable the check by turning off the feature security.frontend.enforceLoginSigning in the Install Tool. This should be avoided because then you are again affected by the security issue.

    2. Sign the pidlist

    Check out the code of TYPO3

    use TYPO3\CMS\Core\Utility\GeneralUtility;
    use TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;

    // Builds "<pidList>@<hmac>", the format FrontendUserAuthenticator::process
    // splits on '@' and verifies with hash_equals() before using the pid list.
    protected function getSignedStorageFolders(): string
    {
        $pidList = $this->getStorageFolders();
        return sprintf(
            '%s@%s',
            $pidList,
            GeneralUtility::hmac($pidList, FrontendUserAuthentication::class)
        );
    }
    

    This could be used in your own setup as well.
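To make the signing step concrete, here is an added example that is not code from TYPO3 core or from the original answer. It reproduces both halves of the mechanism in plain PHP so it can be run with php-cli outside an installation: signing the storage-folder pid list for the hidden form field, and the parse-and-verify logic from FrontendUserAuthenticator::process shown in the question. The encryption key, the page ids and the helper names (hmacLikeCore, signStorageFolders, resolveCheckPidValue) are made up for the example; hmacLikeCore re-implements what GeneralUtility::hmac does (HMAC-SHA1 keyed with SYS.encryptionKey concatenated with the additional secret), so inside TYPO3 you call GeneralUtility::hmac($pidList, FrontendUserAuthentication::class) instead and get the same string.

```php
<?php
declare(strict_types=1);

// Assumption: stands in for $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].
// The value is made up; in a real site the key comes from LocalConfiguration.php.
const ENCRYPTION_KEY = 'replace-with-your-sites-encryptionKey';
// The string FrontendUserAuthentication::class resolves to; used as the HMAC's additional secret.
const FE_AUTH_CLASS = 'TYPO3\\CMS\\Frontend\\Authentication\\FrontendUserAuthentication';

/**
 * Re-implementation (not the core API) of what GeneralUtility::hmac() computes:
 * HMAC-SHA1 over $input keyed with encryptionKey . $additionalSecret.
 */
function hmacLikeCore(string $input, string $additionalSecret = ''): string
{
    return hash_hmac('sha1', $input, ENCRYPTION_KEY . $additionalSecret);
}

/** What your own login form has to put into the hidden "pid" field: "<pidList>@<hmac>". */
function signStorageFolders(string $pidList): string
{
    return sprintf('%s@%s', $pidList, hmacLikeCore($pidList, FE_AUTH_CLASS));
}

/**
 * Mirrors the check in FrontendUserAuthenticator::process (10.4.33 and later).
 * Returns the comma-separated pid list to search for fe_users, or null when the
 * value is rejected; null is the case in which core leaves checkPid_value unset
 * and the query ends up as "pid IN (0)", as seen in the question.
 */
function resolveCheckPidValue(string $pidValue, bool $enforceLoginSigning = true): ?string
{
    // trimExplode('@', ..., true, 2): split once, trim both parts
    $parts = array_map('trim', explode('@', $pidValue, 2));
    $pid = $parts[0] ?? '';
    $givenHash = $parts[1] ?? '';
    $expectedHash = hmacLikeCore($pid, FE_AUTH_CLASS);

    // Same condition as core: a non-empty pid, and either signing is not enforced
    // or the hash matches. hash_equals() is constant-time, so the comparison does
    // not leak which prefix of the HMAC was correct.
    if (!$pid || !(!$enforceLoginSigning || hash_equals($expectedHash, $givenHash))) {
        return null;
    }
    // intExplode: every element is cast to int, so only numeric page ids survive
    $ids = array_map('intval', explode(',', $pid));
    return implode(',', $ids);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('check failed: ' . $what);
    }
    echo "ok: {$what}\n";
}

// --- demo with constructed values ---
$storageFolders = '42,43';   // constructed: two sys_folders holding fe_users records
$hiddenFieldValue = signStorageFolders($storageFolders);
echo "hidden pid field: {$hiddenFieldValue}\n";

// 1. The signed value round-trips to the original pid list.
check(resolveCheckPidValue($hiddenFieldValue) === '42,43', 'signed pid list accepted');

// 2. Re-using the hash with a different folder id (tampered hidden field) is rejected.
$hash = explode('@', $hiddenFieldValue, 2)[1];
check(resolveCheckPidValue('99@' . $hash) === null, 'tampered pid list rejected');

// 3. The old unsigned value the question's form still sends is rejected while
//    security.frontend.enforceLoginSigning is on ...
check(resolveCheckPidValue('42,43') === null, 'unsigned pid list rejected with signing enforced');

// ... and only accepted when that feature is switched off (option 1 in the answer).
check(resolveCheckPidValue('42,43', false) === '42,43', 'unsigned pid list accepted without enforcement');
```

Run it with "php signed-pid.php"; the first line prints the exact string to put into the hidden pid field for the constructed key. In a real form you generate that string server-side with GeneralUtility::hmac so the key matches, and leave the feature toggle at its secure default; the example's third check is the failure mode the question describes.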