[Typo3-dev] TYPO3 backend "Directory Traversal Attack"
Sven Wilhelm
wilhelm at icecrash.com
Wed Nov 2 11:53:20 CET 2005
Hi,
> Another solution is this;
> Inside init.php we start output buffering.
> In the end of each backend script AFTER the function call typically seen as
> "$SOBE->printContent()" we call something like
> "t3lib_BEfunc::convRelUrls2AbsAndFlushBuffer()" which will parse all the HTML
> of the backend module. This solution still requires that we insert a line in
> every single backend script but it is a very systematic change (always end of
> script) but it will work with 100% certainty and not mess up the internal use
> of BACK_PATH. On the other hand it will be slow.
It's also the fastest way to implement.
Possibly an "ob_get_contents" and a preg_replace over it?
Second solution (not yet used) "output_add_rewrite_var -- Add URL
rewriter values"?
> Finally, one could imagine that an Apache module exists that will do the
> rel2abs conversion of URLs in the output HTML code with lightning-speed
> C-code?
As far as I know, output filters in Apache2 can be implemented in any language
that has a deeper Apache access like mod_perl. But implementing a filter
will not solve the problem for all instances and the work is double.
Sven
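
An added sketch of the buffer-and-rewrite approach discussed in this message (not part of the original post and not TYPO3 code): the output is buffered, then one preg_replace_callback pass rewrites relative href/src/action values to absolute paths with the dot segments collapsed. The function names, the base directory and the sample HTML are assumptions constructed for illustration.

```php
<?php
// Added illustration: names, base directory and sample HTML are hypothetical.

/** Collapse "." and ".." segments; the result never climbs above "/". */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '..') {
            array_pop($out);              // no-op once the root is reached
        } elseif ($seg !== '' && $seg !== '.') {
            $out[] = $seg;
        }
    }
    $abs = '/' . implode('/', $out);
    return ($out && substr($path, -1) === '/') ? $abs . '/' : $abs;
}

/** Resolve one attribute value against the directory of the running script. */
function rel2abs(string $url, string $baseDir): string
{
    // Leave scheme URLs, root-relative paths, fragments and bare queries alone.
    if ($url === '' || preg_match('~^(?:[a-z][a-z0-9+.-]*:|/|[#?])~i', $url)) {
        return $url;
    }
    $tail = '';
    if (preg_match('~^([^?#]*)([?#].*)$~s', $url, $m)) {
        [$url, $tail] = [$m[1], $m[2]];   // keep query string and fragment as-is
    }
    return normalizePath($baseDir . '/' . $url) . $tail;
}

/** Rewrite href/src/action values in a complete HTML page. */
function convRelUrls2Abs(string $html, string $baseDir): string
{
    $re = '~\b(href|src|action)\s*=\s*(["\'])(.*?)\2~is';
    return preg_replace_callback($re, static function (array $m) use ($baseDir) {
        return $m[1] . '=' . $m[2] . rel2abs($m[3], $baseDir) . $m[2];
    }, $html) ?? $html;
}

ob_start();                               // would sit in init.php
echo '<a href="../mod/index.php?id=1#top"><img src="gfx/icon.gif"></a>',
     '<form action="http://example.org/x"></form>';   // constructed sample
// ... at the end of the script, after $SOBE->printContent():
echo convRelUrls2Abs((string) ob_get_clean(), '/typo3/ext/demo'), "\n";
```

A regex pass like this only sees quoted HTML attributes; URLs built inside inline JavaScript or CSS are not rewritten.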