[TYPO3-core] RFC #12324: Bug: Page tree will not be shown in the typo3 backend
Martin Kutschker
masi-no at spam-typo3.org
Mon Nov 2 09:30:57 CET 2009
Oliver Klee wrote:
> This is an SVN patch request.
>
> Type: Bugfix
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=12324
>
> Branches:
> TYPO3_4-1, TYPO3_4-2 & trunk
>
> Problem:
> BE URLs like http://194.150.249.xxx/~mydomain/typo3 are blocked because
> ~ and - are blocked in BE URLs.
>
> This is fallout from one of the security patches.
>
> Solution:
> Allow ~ and - in the BE URL whitelisting.

The white list lacks many of the characters allowed in IETF RFC 2396. See below for a short excerpt.

Missing are: ;:@+$,-!~+*'()

If not all of them, I suggest adding at least the plus sign "+", the comma ",", the semicolon ";" and
the colon ":" to the list.

The RFC thinks that a few characters are "unwise" to use in URLs. Of them I think it is ok to use
the pipe "|". So it may be included in the white list as well.

Masi

RFC 2396:

These characters are allowed.

    uric       = reserved | unreserved | escaped
    reserved   = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
                 "$" | ","
    unreserved = alphanum | mark
    alphanum   = alpha | digit
    alpha      = lowalpha | upalpha
    lowalpha   = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" |
                 "j" | "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" |
                 "s" | "t" | "u" | "v" | "w" | "x" | "y" | "z"
    upalpha    = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" |
                 "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" |
    digit      = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
                 "8" | "9"
    mark       = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"

The following characters are discouraged:

    unwise     = "{" | "}" | "|" | "\" | "^" | "[" | "]" | "`"
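
Added example (not part of the original message and not TYPO3 code): a Python sketch that turns the RFC 2396 excerpt above into an allowlist check and reports which characters of a URL part a narrower allowlist rejects. The NARROW set and all function names are assumptions made for illustration; NARROW is constructed so that its gap matches the characters the message lists as missing.

```python
import re
import string

# Character classes transcribed from the RFC 2396 excerpt above.
RESERVED = set(";/?:@&=+$,")
MARK = set("-_.!~*'()")
UNRESERVED = set(string.ascii_letters + string.digits) | MARK
UNWISE = set("{}|\\^[]`")
ESCAPED = re.compile(r"%[0-9A-Fa-f]{2}")  # escaped = "%" hex hex

# Hypothetical narrow allowlist, constructed for this example (not TYPO3's real one).
NARROW = set(string.ascii_letters + string.digits) | set("/._&=?")


def rejected(value, allowed):
    """Return the characters of `value` outside `allowed`, in order of first
    appearance. Well-formed %hh escapes are accepted; a stray '%' is not."""
    bad = []
    i = 0
    while i < len(value):
        if ESCAPED.match(value, i):
            i += 3  # skip the whole escape sequence
            continue
        ch = value[i]
        if ch not in allowed and ch not in bad:
            bad.append(ch)
        i += 1
    return bad


def is_uric(value):
    """True if every character is reserved, unreserved or part of an escape."""
    return not rejected(value, RESERVED | UNRESERVED)


def allowlist_gap(allowed):
    """Punctuation that RFC 2396 permits in 'uric' but `allowed` leaves out."""
    return (RESERVED | MARK) - allowed


if __name__ == "__main__":
    path = "/~mydomain/typo3"  # path part of the URL in the bug report
    print("rejected by NARROW:", rejected(path, NARROW))
    print("valid per RFC 2396:", is_uric(path))
    print("gap:", "".join(sorted(allowlist_gap(NARROW))))
    print("unwise '|' accepted:", is_uric("/a|b"))
```

Adding a character such as "|" to a real allowlist is a separate decision from the RFC grammar, so keep it as an explicit, reviewed addition instead of folding it into the RFC sets.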