[TYPO3-core] RFC #12324: Bug: Page tree will not be shown in the typo3 backend

Oliver Hader oliver at typo3.org
Sun Nov 8 15:40:03 CET 2009


Hi again,

Oliver Hader wrote:
> Hi,
> 
> Oliver Klee wrote:
>> This is an SVN patch request.
>>
>> Type: Bugfix
>>
>> Bugtracker references:
>> http://bugs.typo3.org/view.php?id=12324
>>
>> Branches:
>> TYPO3_4-1, TYPO3_4-2 & trunk
>>
>> Problem:
>> BE URLs like http://194.150.249.xxx/~mydomain/typo3 are blocked because
>> ~ and - are blocked in BE URLs.
>>
>> This is fallout from one of the security patches.
>>
>> Solution:
>> Allow ~ and - in the BE URL whitelisting.
>>
>> Notes:
>> The patch is by Marco Gilbert. I'm only the person posting this to the
>> Core list.
> 
> After reading the discussion I considered using a URL match:
> * absolute URL: URL must be on the host that is currently used
> * relative URL: URL must be in TYPO3 base (sub-)directory, e.g.
>   base request to: http://domain.com/~goodUser/typo3/backend.php
>   + good request/source: http://domain.com/~goodUser/whatever.php
>   + bad request/source: http://domain.com/~badUser/webshell.php
> 
> Besides that the test-cases were modified to use a data provider and all
> test-strings are checked against rawurlencoded stuff, too.
> 
> The method got renamed from sanitizeBackEndUrl() to sanitizeLocalUrl().
> If it were just for backend URLs (whatever that might be), it should
> be located in t3lib_BEfunc. However, "localUrl" fits better and could
> also be used in the frontend.

Forget about the patch, it's fine for the frame comparison but would
open other issues again.

Damn!

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
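
The URL match outlined in the quoted message (absolute URLs only on the current host, relative URLs only inside the TYPO3 base directory), written out as an added PHP example. It is neither the withdrawn patch nor TYPO3's sanitizeLocalUrl(); the function names, the parameters and the choice to apply the base-directory check to absolute URLs as well are assumptions.

```php
<?php
// Added illustration, NOT TYPO3's sanitizeLocalUrl(); all names are hypothetical.

/** Collapse "." and ".." segments so traversal cannot leave the base directory. */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '..') {
            array_pop($out);
        } elseif ($seg !== '' && $seg !== '.') {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

function isLocalUrl(string $url, string $host, string $siteDir, string $requestDir): bool
{
    // Decode until stable so rawurlencoded (even double-encoded) input is judged decoded.
    do {
        $prev = $url;
        $url = rawurldecode($prev);
    } while ($url !== $prev);
    // Control characters and backslashes have no place in a local URL.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $url)) return false;
    $p = parse_url($url);
    if ($p === false || isset($p['user'])) return false;
    // A scheme must be http(s) and come with a host ("javascript:..." has none).
    if (isset($p['scheme']) && (!isset($p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true))) return false;
    // Absolute and protocol-relative ("//host/...") URLs must stay on the current host.
    if (isset($p['host']) && strcasecmp($p['host'], $host) !== 0) return false;
    // Relative paths are resolved against the directory of the current request.
    $path = $p['path'] ?? '';
    if ($path === '' || $path[0] !== '/') $path = rtrim($requestDir, '/') . '/' . $path;
    $base = rtrim(normalizePath($siteDir), '/') . '/';
    return strncmp(normalizePath($path) . '/', $base, strlen($base)) === 0;
}

// Constructed sample inputs, using the host and paths from the message above.
$samples = ['http://domain.com/~goodUser/whatever.php', 'whatever.php?id=1',
    'http://domain.com/~badUser/webshell.php', '../../~badUser/webshell.php',
    rawurlencode('../../~badUser/webshell.php'), '//other.example/~goodUser/x.php'];
foreach ($samples as $s) {
    $ok = isLocalUrl($s, 'domain.com', '/~goodUser/', '/~goodUser/typo3/');
    printf("%-45s %s\n", $s, $ok ? 'accept' : 'reject');
}
```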

