[TYPO3-core] RFC #12324: Bug: Page tree will not be shown in the typo3 backend

Oliver Hader oliver at typo3.org
Sun Nov 8 15:21:14 CET 2009


Hi,

Oliver Klee wrote:
> This is an SVN patch request.
> 
> Type: Bugfix
> 
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=12324
> 
> Branches:
> TYPO3_4-1, TYPO3_4-2 & trunk
> 
> Problem:
> BE URLs like http://194.150.249.xxx/~mydomain/typo3 are blocked because
> ~ and - are blocked in BE URLs.
> 
> This is fallout from one of the security patches.
> 
> Solution:
> Allow ~ and - in the BE URL whitelisting.
> 
> Notes:
> The patch is by Marco Gilbert. I'm only the person posting this to the
> Core list.

After reading the discussion I considered using a URL match:
* absolute URL: URL must be on the host that is currently used
* relative URL: URL must be in TYPO3 base (sub-)directory, e.g.
  base request to: http://domain.com/~goodUser/typo3/backend.php
  + good request/source: http://domain.com/~goodUser/whatever.php
  + bad request/source: http://domain.com/~badUser/webshell.php

Besides that, the test cases were modified to use a data provider, and all
test strings are checked against rawurlencoded stuff, too.

The method got renamed from sanitizeBackEndUrl() to sanitizeLocalUrl().
If it were just for backend URLs (whatever that might be), it should
be located in t3lib_BEfunc. However, "localUrl" fits better and could
also be used in the frontend.

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0012324_v2.patch
Type: text/x-patch
Size: 6073 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20091108/2716a22e/attachment.bin>
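
The URL match described in the message above, sketched as an added example; this is not the attached patch and not TYPO3 core code. The function names, the `$host` and `$sitePath` parameters, the choice to apply the directory check to absolute and relative URLs alike, and the rejection of backslashes and control characters are assumptions made for illustration.

```php
<?php
// Added example, not TYPO3 core code; all function and parameter names are hypothetical.

// Collapses "." and ".." segments; returns null when ".." climbs above the root.
function normalizePathExample(string $path): ?string
{
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..' && array_pop($out) === null) {
            return null;
        }
        if ($segment !== '' && $segment !== '.' && $segment !== '..') {
            $out[] = $segment;
        }
    }
    return '/' . implode('/', $out);
}

function candidateIsLocalExample(string $url, string $host, string $sitePath): bool
{
    // Empty values, control characters, backslashes and "//host" forms are never local.
    if ($url === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $url) || strpos($url, '//') === 0) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $path = $parts['path'] ?? '/';
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: http(s) only, and the host must be the one currently used.
        if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
            || strcasecmp($parts['host'] ?? '', $host) !== 0) {
            return false;
        }
    } elseif (strpos($path, '/') !== 0) {
        // Assumption: a relative path is resolved against the site path.
        $path = rtrim($sitePath, '/') . '/' . $path;
    }
    $path = normalizePathExample($path);
    return $path !== null && strpos($path . '/', rtrim($sitePath, '/') . '/') === 0;
}

// Accept a URL only if both its raw and its rawurldecoded form pass.
function isLocalUrlExample(string $url, string $host, string $sitePath): bool
{
    return candidateIsLocalExample($url, $host, $sitePath)
        && candidateIsLocalExample(rawurldecode($url), $host, $sitePath);
}
```

Called with host `domain.com` and site path `/~goodUser/`, this accepts the `~goodUser/whatever.php` URL from the message and rejects the `~badUser/webshell.php` one. Checking the rawurldecoded form as well is what catches a `%2e%2e` segment that would otherwise leave the site directory.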
