[TYPO3-core] RFC #5205: pi_loadLL() + no language file == full path disclosure
Dmitry Dulepov [typo3]
dmitry at typo3.org
Tue Aug 19 11:09:24 CEST 2008
Hi!
This is an SVN patch request.
Type: bug/no-brainer
BT reference: http://bugs.typo3.org/view.php?id=5205
Branches: 4.1, 4.2, trunk
Problem: a corrupted or missing language file causes a fatal error ("die" call) with a full path shown on the screen (like /var/www/sites/site5/typo3conf/ext/realurl/locallang_db.xml). It is not good to reveal the full path. Reproducing is simple: go to any ext with a BE module and add <zzz> into its locallang.xml (non-closed tag). The problem may also happen if the file is corrupted for some reason.
Solution: remove PATH_site from the path. This way the message will tell that typo3conf/ext/realurl/locallang_db.xml is not a TYPO3 language file.
If no one objects, I will commit it in 24h.
--
Dmitry Dulepov
TYPO3 Core team
My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
In the blog: http://typo3bloke.net/post-details/should_abbreviations_be_used_in_the_code/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 5205.diff
Type: text/x-diff
Size: 2187 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20080819/bb4c097b/attachment.diff
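Added example, not the attached 5205.diff and not TYPO3 core code: a sketch of the fix described in the message, where the visitor-facing error carries only the site-relative path and the absolute path goes to the server log. The function names, the $siteRoot parameter (standing in for PATH_site) and the temporary sample file are assumptions made for the illustration.

```php
<?php
// Illustration only: function names are hypothetical, $siteRoot stands in for PATH_site.

/** Return a form of the path that is safe to show to a visitor. */
function displayPath(string $absPath, string $siteRoot): string
{
    $root = rtrim($siteRoot, '/') . '/';
    if (strncmp($absPath, $root, strlen($root)) === 0) {
        return substr($absPath, strlen($root));    // site-relative part only
    }
    // File lies outside the site root: never fall back to the absolute path.
    return basename($absPath);
}

/** Load a language file; on failure the exception message holds no absolute path. */
function loadLanguageXml(string $absPath, string $siteRoot): SimpleXMLElement
{
    // Collect libxml parse warnings internally so they are not rendered with paths.
    $previous = libxml_use_internal_errors(true);
    $raw = is_readable($absPath) ? file_get_contents($absPath) : false;
    $xml = ($raw === false) ? false : simplexml_load_string($raw);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($xml === false) {
        // The full path is useful to the administrator, so it goes to the log only.
        error_log('Language file missing or malformed: ' . $absPath);
        throw new RuntimeException(
            displayPath($absPath, $siteRoot) . ' is not a valid language file'
        );
    }
    return $xml;
}

// Constructed sample: a language file with a non-closed <zzz> tag, as in the report.
$siteRoot = sys_get_temp_dir() . '/site5/';
$dir = $siteRoot . 'typo3conf/ext/realurl';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents($dir . '/locallang_db.xml', '<T3locallang><zzz></T3locallang>');

try {
    loadLanguageXml($dir . '/locallang_db.xml', $siteRoot);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";   // message shown to the visitor
}
```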