[TYPO3-core] RFC: cObj->getGlobal bug fix

Bernhard Kraft kraftb at kraftb.at
Mon Nov 21 15:56:18 CET 2005

Kasper Skårhøj wrote:
> +1 if works on php4

I tested on php4 and it works perfect.

But I and Michael discussed it a little bit and tought it would open a security leak. A non
system/db admin ... but TYPO3 admin could enter malicious TS Setup to display the installToolPassword
hash or the encryptionKey or the actually logged in BE/FE-User password in the FE.

Securing which values can get accesed through a "stdwrap.data = global :" construct by having an array
which defines restricted values/arrays (for example the complete extConf array is restricted as some
extensions might store sensitive information in it !)


"Freiheit ist immer auch die Freiheit des Andersdenkenden"
Rosa Luxemburg, 1871 - 1919
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug_getGlobal_2.patch
Type: text/x-patch
Size: 2075 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20051121/f63a51c6/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20051121/f63a51c6/attachment.pgp 

More information about the TYPO3-team-core mailing list