[TYPO3-mvc] Upgrading an application from Extbase 1.3
Helmut Hummel
helmut.hummel at typo3.org
Thu Apr 26 20:14:30 CEST 2012
Hi François,

On 26.04.12 14:25, François Suter wrote:
> Is it really as
> bad as it sounds (i.e. anyone sending a properly crafted request can
> change any property of any object?).

Exactly that.

This might be tackled in future versions of extbase and is transparently
handled by the FLOW3 security framework (if properly configured), but
especially with the new property mapper the developer needs to know and
take care of potential problems with that fact.

Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org