[TYPO3-core] RFC: cObj->getGlobal bug fix

Ingmar Schlecht ingmar at typo3.org
Sun Nov 27 03:37:21 CET 2005

Bernhard Kraft wrote:
> I tested on php4 and it works perfect.
> But I and Michael discussed it a little bit and tought it would open a security leak. A non
> system/db admin ... but TYPO3 admin could enter malicious TS Setup to display the installToolPassword
> hash or the encryptionKey or the actually logged in BE/FE-User password in the FE.

Doesn't seem like a real security issue to me because because admins can 
install extensions (i.e. PHP code) anyway and could also include scripts 
using .inc PHP resources included by TS.

So: Please remove the "restrictPaths" array for making it possible to 
display things like $TYPO3_CONF_VARS['SYS']['sitename'].


More information about the TYPO3-team-core mailing list