[TYPO3-core] RFC: cObj->getGlobal bug fix
Bernhard Kraft
kraftb at kraftb.at
Mon Nov 21 15:56:18 CET 2005
Kasper Skårhøj wrote:
> +1 if works on php4
I tested on php4 and it works perfectly.
But Michael and I discussed it a little bit and thought it would open a security leak. A non
system/db admin ... but TYPO3 admin could enter malicious TS Setup to display the installToolPassword
hash or the encryptionKey or the currently logged-in BE/FE user's password in the FE.
Solution:
Securing which values can get accessed through a "stdWrap.data = global:" construct by having an array
which defines restricted values/arrays (for example the complete extConf array is restricted as some
extensions might store sensitive information in it!)
File:
bug_getGlobal_2.patch
greets,
Bernhard
--
----------------------------------------------------------------------
"Freiheit ist immer auch die Freiheit des Andersdenkenden"
Rosa Luxemburg, 1871 - 1919
----------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug_getGlobal_2.patch
Type: text/x-patch
Size: 2075 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20051121/f63a51c6/attachment.bin
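An added illustration of the restriction described in the post (this is not the attached bug_getGlobal_2.patch or TYPO3 core code): a getGlobal()-style accessor that walks $GLOBALS along a "|"-separated key path, as the TypoScript "data = global:" construct does, and refuses any path that enters a restricted key or a restricted subtree. The function names, the restricted-path list and the sample $GLOBALS array are assumptions chosen for the example.

```php
<?php
// Restricted key paths (assumed list, modelled on the post): a match on a
// path blocks that key, and every key below it, so the whole extConf
// subtree is unreachable, not just individual entries in it.
$restrictedGlobals = [
    'TYPO3_CONF_VARS|BE|installToolPassword',
    'TYPO3_CONF_VARS|SYS|encryptionKey',
    'TYPO3_CONF_VARS|EXT|extConf',      // extensions may keep secrets here
    'BE_USER|user|password',
    'TSFE|fe_user|user|password',
];

function isRestrictedPath(string $keyPath, array $restricted): bool
{
    foreach ($restricted as $blocked) {
        // exact match, or a descendant of the blocked key ("blocked|...")
        if ($keyPath === $blocked || strpos($keyPath, $blocked . '|') === 0) {
            return true;
        }
    }
    return false;
}

// Hypothetical hardened accessor: $globals stands in for $GLOBALS so the
// example can run against constructed data.
function getGlobalSafe(string $keyPath, array $restricted, array $globals): string
{
    if (isRestrictedPath($keyPath, $restricted)) {
        return '';   // refuse quietly: the stdWrap value is simply empty
    }
    $value = $globals;
    foreach (explode('|', $keyPath) as $key) {
        if (is_array($value) && array_key_exists($key, $value)) {
            $value = $value[$key];
        } elseif (is_object($value) && isset($value->$key)) {
            $value = $value->$key;
        } else {
            return '';   // path does not exist
        }
    }
    return is_scalar($value) ? (string) $value : '';
}

// Constructed stand-in for $GLOBALS (no real secrets)
$sample = [
    'TYPO3_CONF_VARS' => [
        'SYS' => ['sitename' => 'Demo site', 'encryptionKey' => 'CONSTRUCTED-KEY'],
        'BE'  => ['installToolPassword' => 'CONSTRUCTED-HASH'],
        'EXT' => ['extConf' => ['myext' => 'CONSTRUCTED-EXT-CONFIG']],
    ],
];

echo getGlobalSafe('TYPO3_CONF_VARS|SYS|sitename', $restrictedGlobals, $sample), "\n";
echo getGlobalSafe('TYPO3_CONF_VARS|SYS|encryptionKey', $restrictedGlobals, $sample), "\n";
echo getGlobalSafe('TYPO3_CONF_VARS|EXT|extConf|myext', $restrictedGlobals, $sample), "\n";
```

Only the first lookup yields a value; the other two are blocked by the restricted list, the last one by the extConf subtree rule rather than by an entry naming the extension.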