[TYPO3-core] RFC #12324: Bug: Page tree will not be shown in the typo3 backend
Oliver Klee
typo3-german-02 at oliverklee.de
Mon Nov 2 11:48:09 CET 2009
Hi Martin,
thanks for your comments.
Martin Kutschker wrote:
>> Solution:
>> Allow ~ and - in the BE URL whitelisting.
>
> The white list lacks many of the characters allowed in IETF RFC 2396. See below for a short excerpt.
I know. This patch isn't about making the whitelisting completely
RFC-2396-compliant, but only about fixing the issues encountered by some
users (who AFAIK had "~" or "-" in their paths).
> Missing are: ;:@+$,-!~+*'()
"~" and "-" are not missing - the patch added exactly those. :-)
> If not all of them I suggest to add at least the plus sign "+", the comma ",", the semicolon ";" and
> the colon ":" to the list.
The colon ":" must absolutely not be added because that would allow what
the original vulnerability was all about.
Oli