[TYPO3-mvc] Can forms be easily manipulated?
Helmut Hummel
helmut.hummel at typo3.org
Fri Dec 19 21:34:06 CET 2014
Hi!
On 15.12.14 11:43, Jan Kornblum wrote:
>> I'm not quite sure what you mean by property id.
>
> didn't I write "pid"?
You did. It is not possible to set any property that is not rendered
with Fluid, or is explicitly allowed by a custom property mapper
configuration in your controller.
This is a framework feature to avoid "mass assignment" vulnerabilities
(which is exactly the vulnerability you described).
>> To your question: is it possible to replace the uid of an object, to alter
>> another object instead of the one given to you?
This is indeed possible and you have to check in your controller if the
user is allowed to modify the entity that is mapped to an action argument.
Kind regards,
Helmut
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 CMS Active Contributor, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
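Added example (not code from this thread or from the TYPO3 project) of the two points above in an Extbase controller: a property mapper whitelist so that extra request fields such as "pid" are rejected, and an ownership check on the mapped entity because the uid sent in the form is user-controlled. It assumes a hypothetical Post model and PostRepository with an integer `owner` field holding the frontend user uid, and the TYPO3 6.x Extbase API.

```php
<?php
// Added example, not from the original thread. Assumes a hypothetical
// Vendor\Blog extension whose Post model has an integer "owner" property
// (the fe_users uid) and a matching PostRepository.
namespace Vendor\Blog\Controller;

use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use Vendor\Blog\Domain\Model\Post;
use Vendor\Blog\Domain\Repository\PostRepository;

class PostController extends ActionController
{
    /** @var PostRepository */
    protected $postRepository;

    public function injectPostRepository(PostRepository $postRepository)
    {
        $this->postRepository = $postRepository;
    }

    /**
     * Runs before updateAction(): restrict the property mapper to the
     * fields the edit form actually renders. Any other field in the
     * request (e.g. post[pid] or post[owner]) is not mapped and
     * produces a mapping error instead of a silent mass assignment.
     */
    public function initializeUpdateAction()
    {
        $this->arguments->getArgument('post')
            ->getPropertyMappingConfiguration()
            ->allowProperties('title', 'body');
    }

    /**
     * The uid in post[__identity] is chosen by the client, so the
     * entity Extbase hands us may be any Post. Check ownership before
     * persisting; the framework does not do this for you.
     */
    public function updateAction(Post $post)
    {
        $currentUserUid = (int)$GLOBALS['TSFE']->fe_user->user['uid'];
        if ($currentUserUid === 0 || $post->getOwner() !== $currentUserUid) {
            // Not logged in, or editing somebody else's record: refuse with 403.
            $this->throwStatus(403, 'You may not edit this post');
        }
        $this->postRepository->update($post);
        $this->redirect('show', null, null, array('post' => $post));
    }
}
```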