[TYPO3-core] RFC #5205: pi_loadLL() + no language file == full path disclosure
Steffen Kamper
info at sk-typo3.de
Tue Aug 19 11:42:17 CEST 2008
Dmitry Dulepov [typo3] wrote:
> Hi!
>
> This is SVN patch request.
>
> Type: bug/no-brainer
>
> BT reference: http://bugs.typo3.org/view.php?id=5205
>
> Branches: 4.1, 4.2, trunk
>
> Problem: corrupted or missing language file causes fatal error ("die"
> call) with a full path shown on the screen (like
> /var/www/sites/site5/typo3conf/ext/realurl/locallang_db.xml). It is not
> good to reveal the full path. Reproducing is simple: go to any ext with
> BE module and add <zzz> into its locallang.xml (non-closed tag). The
> problem may also happen if the file is corrupted for some reason.
>
> Solution: remove PATH_site from the path. This way the message will tell
> that typo3conf/ext/realurl/locallang_db.xml is not a TYPO3 language file.
>
> If no one objects, I will commit it in 24h.
>
Hi Dmitry,
+1 on that. I fear that this is not the only part where the full path is
displayed; IIRC the full path is used with every file error.
Regards, Steffen
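
Added example (not part of the original thread and not TYPO3 core code): one way to apply the proposed fix to any file error rather than a single call site, which is the concern the reply raises. The helper names and SITE_ROOT (standing in for PATH_site) are assumptions; the sample paths are constructed.

```php
<?php
// Added illustration, not TYPO3 core code. SITE_ROOT stands in for PATH_site;
// the value is constructed from the example path in the report above.
const SITE_ROOT = '/var/www/sites/site5/';

/**
 * Hypothetical helper: return a path that is safe to show to a user.
 * Paths under the site root become site-relative; anything else is reduced
 * to its file name so no other absolute path leaks either.
 */
function displayPath(string $absPath, string $siteRoot = SITE_ROOT): string
{
    // Normalise separators so Windows-style paths are handled the same way.
    $root = rtrim(str_replace('\\', '/', $siteRoot), '/') . '/';
    $path = str_replace('\\', '/', $absPath);
    // Compare against the root *with* its trailing slash so that
    // /var/www/sites/site55/... is not treated as being inside site5.
    if (strncmp($path, $root, strlen($root)) === 0) {
        return substr($path, strlen($root));
    }
    return basename($path);
}

/**
 * Hypothetical helper: build the user-facing message and keep the full
 * path in the server-side log only, where an administrator can still use it.
 */
function languageFileError(string $absPath): string
{
    error_log('Not a TYPO3 language file: ' . $absPath);
    return displayPath($absPath) . ' is not a TYPO3 language file.';
}

// Constructed sample inputs: inside the site root, a sibling directory that
// merely shares the prefix, and a path outside the site root altogether.
$samples = [
    '/var/www/sites/site5/typo3conf/ext/realurl/locallang_db.xml',
    '/var/www/sites/site55/typo3conf/ext/realurl/locallang_db.xml',
    '/usr/share/typo3/sysext/lang/locallang_core.xml',
];
foreach ($samples as $sample) {
    echo languageFileError($sample), PHP_EOL;
}
```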