[TYPO3-core] RFC #12324: Bug: Page tree will not be shown in the typo3 backend
Martin Kutschker
masi-no at spam-typo3.org
Mon Nov 2 12:25:56 CET 2009
Oliver Klee schrieb:
> Hi Martin,
>
> thanks for your comments.
>
> Martin Kutschker schrieb:
>>> Solution:
>>> Allow ~ and - in the BE URL whitelisting.
>> The white list lacks many of the characters allowed in IETF RFC 2396. See below for a short excerpt.
>
> I know. This patch isn't about making the whitelisting completely
> RFC-2396-compliant, but only about fixing the issues encountered by some
> users (who AFAIK had "~" or "-" in their paths).
A bit shortsighted, isn't it? Do you intend to make a patch for every complaint?
>> Missing are: ;:@+$,-!~+*'()
>
> "~" and "-" are not missing - the patch added exactly those. :-)
Sorry, I copied from a post of mine in the "general" list.
>> If not all of them I suggest to add at least the plus sign "+", the comma ",", the semicolon ";" and
>> the colon ":" to the list.
>
> The colon ":" must absolutely not be added because that would allow what
> the original vulnerability was all about.
Aha. Interesting that a valid character makes such troubles.
What about "+,;" then?
Masi
PS: Where should the documentation be which tells devs and sysadmins which characters are allowed in
a BE URL?
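The thread discusses a per-character whitelist for BE URLs: the patch adds "~" and "-", Masi asks for "+", "," and ";" as well, and the colon ":" stays out because it would reopen the original vulnerability. The following Python snippet is an added example, not TYPO3 code and not part of this thread. The three character classes are constructed for illustration (the real TYPO3 whitelist is not quoted in the post), and the example assumes, as the thread implies, that the point of excluding ":" is to keep a URL scheme such as "http:" out of an attacker-influenced backend URL.

```python
import re

# Constructed character classes, not TYPO3's actual whitelist.
# "original": an assumed pre-patch list without "~" and "-".
BE_URL_CHARS_ORIGINAL = r"[A-Za-z0-9_./?=&%]"
# "patched": the same list with "~" and "-" added, as RFC #12324 does.
BE_URL_CHARS_PATCHED = r"[A-Za-z0-9_./?=&%~-]"
# "extended": additionally "+", "," and ";" as suggested in the thread.
# ":" is deliberately absent from every list so that no scheme can be introduced.
BE_URL_CHARS_EXTENDED = r"[A-Za-z0-9_./?=&%~+,;-]"


def is_allowed_be_url(url: str, char_class: str = BE_URL_CHARS_EXTENDED) -> bool:
    """Return True only if every character of url is in the whitelist.

    An empty URL is rejected as well; fullmatch with "+" needs at least one character.
    """
    return re.fullmatch(f"{char_class}+", url) is not None


def check_against_all_lists(url: str) -> dict:
    """Evaluate one URL against the three constructed whitelists."""
    return {
        "original": is_allowed_be_url(url, BE_URL_CHARS_ORIGINAL),
        "patched": is_allowed_be_url(url, BE_URL_CHARS_PATCHED),
        "extended": is_allowed_be_url(url, BE_URL_CHARS_EXTENDED),
    }


if __name__ == "__main__":
    # Constructed sample URLs, chosen to show where each list draws the line.
    samples = [
        "index.php?id=42&returnUrl=~user/file-name.html",  # needs "~" and "-"
        "mod.php?M=web_list&a=1+2,3;4",                     # needs "+", "," and ";"
        "http://evil.example/backend",                      # contains ":", always rejected
    ]
    for sample in samples:
        print(sample, "->", check_against_all_lists(sample))
```

The colon test is the security-relevant one: a whitelist that only describes path characters cannot be bypassed into an absolute URL because the scheme separator never passes, regardless of how many of the other RFC 2396 characters are admitted later.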