[SECURITY] Don't pass User to newAction

sbusemann · sbusemann · commit 0a64917a9524 · 2025-05-16T16:47:37.000+02:00
This prevents information disclosure by passing an argument to this controlling
diff --git a/Classes/Controller/NewController.php b/Classes/Controller/NewController.php
@@ -35,13 +35,11 @@ class NewController extends AbstractFrontendController
     /**
      * Render registration form
      *
-     * @param User|null $user
      */
-    public function newAction(User $user = null): ResponseInterface
+    public function newAction(): ResponseInterface
     {
         $this->view->assignMultiple(
             [
-                'user' => $user,
                 'allUserGroups' => $this->allUserGroups
             ]
         );
diff --git a/Documentation/Changelog/Index.rst b/Documentation/Changelog/Index.rst
@@ -4,6 +4,12 @@
 Changelog
 =========
 
+-
+      :Version: 7.4.2
+      :Date: 2025-05-20
+      :Changes:
+      * [BUGFIX] Security: Missing Hash Check for invitation controller - Invitation Templates must be updated (if a custom template is used)
+
 -
       :Version: 7.4.1
       :Date: 2024-11-11
diff --git a/ext_emconf.php b/ext_emconf.php
@@ -13,7 +13,7 @@
     'author_email' => 'info@in2code.de',
     'author_company' => 'in2code.de - Wir leben TYPO3',
     'state' => 'stable',
-    'version' => '7.4.1',
+    'version' => '7.4.2',
     'constraints' => [
         'depends' => [
             'typo3' => '11.5.0-11.5.99',

Original file line number	Diff line number	Diff line change
`@@ -35,13 +35,11 @@ class NewController extends AbstractFrontendController`
`35`	`35`	`/**`
`36`	`36`	`* Render registration form`
`37`	`37`	`*`
`38`		`- * @param User\|null $user`
`39`	`38`	`*/`
`40`		`- public function newAction(User $user = null): ResponseInterface`
	`39`	`+ public function newAction(): ResponseInterface`
`41`	`40`	`{`
`42`	`41`	`$this->view->assignMultiple(`
`43`	`42`	`[`
`44`		`- 'user' => $user,`
`45`	`43`	`'allUserGroups' => $this->allUserGroups`
`46`	`44`	`]`
`47`	`45`	`);`