[SECURITY] Avoid unintended persistence

You can disable logging function of femanager or update to the latest version.

https://projekte.in2code.de/issues/72776

Author: sbusemann

Classes/Controller/EditController.php

@@ -57,16 +57,16 @@ public function editAction(): ResponseInterface
     public function updateAction(User $user, string $captcha = null)
     {
         $currentUser = UserUtility::getCurrentUser();
-        $userValues = $this->request->hasArgument('user') ? $this->request->getArgument('user') : null;
-        $token = $this->request->hasArgument('token') ? $this->request->getArgument('token') : null;
+        $userValues = $this->request->getArgument('user') ?? [];
+        $token = $this->request->getArgument('token') ?? null;
+        $identity = (int)($userValues['__identity'] ?? 0);
+        $isSpoof = $this->isSpoof($currentUser, $identity, $token);
+
+        if (!$currentUser instanceof User || $identity === 0 || $token === null || $isSpoof) {
+            $logStatus = $isSpoof ? Log::STATUS_PROFILEUPDATEATTEMPTEDSPOOF : Log::STATUS_PROFILEUPDATEREFUSEDSECURITY;
+            $logContext = $isSpoof ? $currentUser : $user;
+            $this->logUtility->log($logStatus, $logContext);
 
-        if ($currentUser === null ||
-            empty($userValues['__identity']) ||
-            (int)$userValues['__identity'] === null ||
-            $token === null ||
-            $this->isSpoof($currentUser, (int)$userValues['__identity'], $token)
-        ) {
-            $this->logUtility->log(Log::STATUS_PROFILEUPDATEREFUSEDSECURITY, $user);
             $this->addFlashMessage(
                 LocalizationUtility::translateByState(Log::STATUS_PROFILEUPDATEREFUSEDSECURITY),
                 '',

Classes/Domain/Model/Log.php

@@ -23,6 +23,7 @@ class Log extends AbstractEntity
     final public const STATUS_PROFILEUPDATEREQUEST = 204;
     final public const STATUS_PROFILEUPDATEREFUSEDSECURITY = 205;
     final public const STATUS_PROFILEUPDATEIMAGEDELETE = 206;
+    final public const STATUS_PROFILEUPDATEATTEMPTEDSPOOF = 207;
     final public const STATUS_PROFILEDELETE = 301;
     final public const STATUS_INVITATIONPROFILECREATED = 401;
     final public const STATUS_INVITATIONPROFILEDELETEDUSER = 402;

Configuration/TCA/tx_femanager_domain_model_log.php

@@ -208,6 +208,11 @@
                         'tx_femanager_domain_model_log.state.206',
                         Log::STATUS_PROFILEUPDATEIMAGEDELETE,
                     ],
+                    [
+                        'LLL:EXT:femanager/Resources/Private/Language/locallang_db.xlf:' .
+                        'tx_femanager_domain_model_log.state.207',
+                        Log::STATUS_PROFILEUPDATEATTEMPTEDSPOOF,
+                    ],
                     [
                         'LLL:EXT:femanager/Resources/Private/Language/locallang_db.xlf:' .
                         'tx_femanager_domain_model_log.state.300',

Resources/Private/Language/locallang.xlf

@@ -162,6 +162,9 @@
 			<trans-unit id="tx_femanager_domain_model_log.state.206">
 				<source>Image deleted</source>
 			</trans-unit>
+			<trans-unit id="tx_femanager_domain_model_log.state.207">
+				<source>Attempted to spoof profile</source>
+			</trans-unit>
 			<trans-unit id="tx_femanager_domain_model_log.state.300">
 				<source>Delete</source>
 			</trans-unit>

Resources/Private/Language/locallang_db.xlf

@@ -174,6 +174,9 @@
 			<trans-unit id="tx_femanager_domain_model_log.state.206">
 				<source>Image deleted</source>
 			</trans-unit>
+			<trans-unit id="tx_femanager_domain_model_log.state.207">
+				<source>Attempted to spoof profile</source>
+			</trans-unit>
 			<trans-unit id="tx_femanager_domain_model_log.state.300">
 				<source>Delete</source>
 			</trans-unit>