[TYPO3-core] RFC: #10040: define Default GET-vars

Marcus Krause marcus#exp2009 at t3sec.info
Fri Aug 28 11:20:33 CEST 2009


Michael Stucki wrote on 08/17/2009 12:46 PM:
> Hi Steffen,
> 
> [...]
> 
>>> 2. He also mentions an eventual security problem. Therefore, please send
>>>    this change to the security team before you commit it no matter of
>>>    the feedbacks on this list.
>> I will do, but _DEFAULT_PI_VARS also writes to GET.
> 
> Thanks. Better safe than sorry.

There are no objections from the Security Team against this feature.

Reasons:
It uses the same API that default piVars already use. Additionally, when
exposing this feature via TS, TS is only a wrapper for the PHP method
t3lib_div::_GETset(). So this "feature" was already available to
extension developers using t3lib_div. Setting default GET vars required
and will still require admin rights.
Keep in mind that default parameters mean nothing but adding a query
parameter. Any website user is able to do that. We're of the opinion
that this feature does not affect the security of TYPO3.


Apart from that, merging real existing GET parameters with default ones
means putting them all again back in global HTTP_GET_VARS. This is
something we should reconsider and better use a custom TYPO3 variable.
But this is a different story.


Marcus.

-- 
TYPO3 Security blog: http://secure.t3sec.info/
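The merge behaviour Marcus describes above (defaults combined with the real query string and written back into the global GET array) can be made concrete with a small standalone illustration. This is an added example, not code from the mailing-list post or from TYPO3; the function names `mergeDefaultsIntoGet` and `resolveWithProvenance` and the sample parameters `L`, `type` and `id` are assumptions chosen for the illustration, and it does not call `t3lib_div::_GETset()`.

```php
<?php
// Added illustration (not TYPO3 code) of how "default GET vars" interact
// with the client's query string, and why writing the merged result back
// into $_GET / HTTP_GET_VARS loses the information of where each value came from.

/**
 * Client values win: a default is only a fallback, exactly as if the client
 * had appended that query parameter itself. Writing this result back into
 * $_GET makes a configured default indistinguishable from client input.
 */
function mergeDefaultsIntoGet(array $defaults, array $requestGet): array
{
    return array_merge($defaults, $requestGet);
}

/**
 * Same override rule, but each value keeps its origin. Keeping this in a
 * separate structure (rather than a superglobal) lets later code still see
 * which parameters were actually supplied by the client.
 */
function resolveWithProvenance(array $defaults, array $requestGet): array
{
    $resolved = [];
    foreach ($defaults as $key => $value) {
        $resolved[$key] = ['value' => $value, 'source' => 'default'];
    }
    foreach ($requestGet as $key => $value) {
        $resolved[$key] = ['value' => $value, 'source' => 'client'];
    }
    return $resolved;
}

// Constructed sample input: admin-configured defaults and a client query string.
$defaults = ['L' => '0', 'type' => '0'];
parse_str('id=12&L=2', $requestGet);

// The plain merge: 'L' is overridden by the client, 'type' stays at its
// default, 'id' comes only from the client. Once this array replaces $_GET,
// those three cases look identical to every consumer.
print_r(mergeDefaultsIntoGet($defaults, $requestGet));

// The provenance-preserving variant keeps the distinction for each key.
print_r(resolveWithProvenance($defaults, $requestGet));
```

The first function mirrors the situation the post raises as worth reconsidering; the second shows the shape a "custom TYPO3 variable" could take so that request handling code can still tell configured defaults apart from what the client actually sent.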