[TYPO3-core] RFC #5205: pi_loadLL() + no language file == full path disclosure

Moreno Feltscher moreno.feltscher at gmail.com
Tue Aug 19 13:27:29 CEST 2008


+1 on reading.

Cheers

On Tue, Aug 19, 2008 at 11:09 AM, Dmitry Dulepov [typo3]
<dmitry at typo3.org> wrote:
> Hi!
>
> This is an SVN patch request.
>
> Type: bug/no-brainer
>
> BT reference: http://bugs.typo3.org/view.php?id=5205
>
> Branches: 4.1, 4.2, trunk
>
> Problem: a corrupted or missing language file causes a fatal error ("die" call)
> with a full path shown on the screen (like
> /var/www/sites/site5/typo3conf/ext/realurl/locallang_db.xml). It is not good
> to reveal the full path. Reproducing is simple: go to any ext with a BE module
> and add <zzz> into its locallang.xml (non-closed tag). The problem may also
> happen if the file is corrupted for some reason.
>
> Solution: remove PATH_site from the path. This way the message will tell that
> typo3conf/ext/realurl/locallang_db.xml is not a TYPO3 language file.
>
> If no one objects, I will commit it in 24h.
>
> --
> Dmitry Dulepov
> TYPO3 Core team
> My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
> In the blog:
> http://typo3bloke.net/post-details/should_abbreviations_be_used_in_the_code/
>
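
The fix proposed in the quoted request, as an added example that is not part of the thread and is not TYPO3's own code: the browser-facing message carries only the site-relative path, while the absolute path goes to the server log. `EXAMPLE_SITE_ROOT`, `displayPath()` and `loadLanguageXml()` are hypothetical names, and the site root stands in for the `PATH_site` constant mentioned above.

```php
<?php
// Assumption: stand-in for the PATH_site constant the request refers to.
define('EXAMPLE_SITE_ROOT', '/var/www/sites/site5/');

/**
 * Return a path that is safe to display: relative to the site root when the
 * file lives under it, otherwise only the file name (never the directories).
 */
function displayPath(string $absPath, string $siteRoot): string
{
    $root = rtrim(str_replace('\\', '/', $siteRoot), '/') . '/';
    $path = str_replace('\\', '/', $absPath);
    if (strncmp($path, $root, strlen($root)) === 0) {
        return substr($path, strlen($root));
    }
    return basename($path);
}

/**
 * Parse language-file XML. On failure, log the absolute path server-side and
 * return a message for the screen that contains only the relative path.
 */
function loadLanguageXml(string $absPath, string $xml, string $siteRoot): array
{
    $previous = libxml_use_internal_errors(true); // keep parser warnings off the screen
    $doc = simplexml_load_string($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // Strict comparison: a valid but empty element is loosely equal to false.
    if ($doc === false) {
        error_log('Language file is not valid XML: ' . $absPath);
        return [
            'ok' => false,
            'message' => displayPath($absPath, $siteRoot) . ' is not a TYPO3 language file.',
        ];
    }
    return ['ok' => true, 'message' => ''];
}

// Constructed sample: a language file with a non-closed <zzz> tag, as in the report.
$broken = '<T3locallang><zzz><data></data></T3locallang>';
$file = EXAMPLE_SITE_ROOT . 'typo3conf/ext/realurl/locallang_db.xml';
$result = loadLanguageXml($file, $broken, EXAMPLE_SITE_ROOT);
echo $result['message'], PHP_EOL;
```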

