[TYPO3-core] RFC #12324: Bug: Page tree will not be shown in the typo3 backend

Oliver Hader oliver at typo3.org
Sun Nov 8 18:37:11 CET 2009


Hi,

Oliver Hader schrieb:
> Hi,
> 
> Oliver Klee schrieb:
>> This is an SVN patch request.
>>
>> Type: Bugfix
>>
>> Bugtracker references:
>> http://bugs.typo3.org/view.php?id=12324
>>
>> Branches:
>> TYPO3_4-1, TYPO3_4-2 & trunk
>>
>> Problem:
>> BE URLs like http://194.150.249.xxx/~mydomain/typo3 are blocked because
>> ~ and - are blocked in BE URLs.
>>
>> This is fallout from one of the security patches.
>>
>> Solution:
>> Allow ~ and - in the BE URL whitelisting.
>>
>> Notes:
>> The patch is by Marco Gilbert. I'm only the person posting this to the
>> Core list.
> 
> After reading the discussion I considered using a URL match:
> * absolute URL: URL must be on the host that is currently used
> * relative URL: URL must be in the TYPO3 base (sub-)directory, e.g.
>   base request to: http://domain.com/~goodUser/typo3/backend.php
>   + good request/source: http://domain.com/~goodUser/whatever.php
>   + bad request/source: http://domain.com/~badUser/webshell.php
> 
> Besides that, the test cases were modified to use a data provider, and all
> test strings are checked against rawurlencoded stuff, too.
> 
> The method got renamed from sanitizeBackEndUrl() to sanitizeLocalUrl().
> If it were just for backend URLs (whatever that might be), it should
> be located in t3lib_BEfunc. However, "localUrl" fits better and could
> also be used in the frontend.

New approach, now with RemoveXSS.
Find attached patches for TYPO3 4.3 and 4.2.

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0012324_v3_4-3.patch
Type: text/x-patch
Size: 6915 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20091108/8fa1c86c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0012324_v3_4-2.patch
Type: text/x-patch
Size: 4264 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20091108/8fa1c86c/attachment-0001.bin>
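An added example, not part of this thread and not TYPO3's own sanitizeLocalUrl() or RemoveXSS: a PHP check built on the two rules Oliver quotes above (an absolute URL must stay on the host currently used; a relative URL must stay inside the TYPO3 base directory), so that the ~ and - characters from the bug report need no special casing. The function names, the convention that $baseDirectory is the directory containing typo3/ (e.g. /~goodUser/), and the sample URLs are assumptions drawn from the thread's examples.

```php
<?php
// Added example (not TYPO3 core code). isLocalUrl() accepts only URLs that
// stay on the current host and inside the TYPO3 base directory; the names
// and the base-directory convention are assumptions.

function normalizePath(string $path): string
{
    // Collapse "." and ".." segments so that "/~goodUser/typo3/../../~badUser/x.php"
    // is compared as "/~badUser/x.php" instead of passing on its textual prefix.
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

function isLocalUrl(string $url, string $currentHost, string $baseDirectory): bool
{
    // Decode once so that percent-encoded variants (as in the thread's test
    // cases) are judged on their decoded form.
    $decoded = rawurldecode($url);

    // A '%' left after one decode means double encoding; control characters and
    // backslashes (which some clients treat like slashes) are rejected as well.
    if (strpos($decoded, '%') !== false || preg_match('/[\x00-\x1F\x7F\\\\]/', $decoded)) {
        return false;
    }

    $parts = parse_url($decoded);
    if ($parts === false) {
        return false;
    }

    // Only http(s) may carry a host; "javascript:" and friends are refused.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    if (isset($parts['host'])) {
        // Absolute (or protocol-relative "//host/...") URL: must be the current host,
        // and no userinfo, to avoid "http://domain.com@other.example/" confusion.
        if (strcasecmp($parts['host'], $currentHost) !== 0 || isset($parts['user']) || isset($parts['pass'])) {
            return false;
        }
    } elseif (isset($parts['scheme'])) {
        return false; // "http:foo" style: scheme without host
    }

    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        // Path-relative reference: resolve against the base directory first.
        $path = rtrim($baseDirectory, '/') . '/' . $path;
    }

    $normalized = normalizePath($path);
    $base = rtrim(normalizePath($baseDirectory), '/') . '/';

    // Accept the base directory itself or anything below it.
    return $normalized === rtrim($base, '/') || strpos($normalized, $base) === 0;
}

// Constructed sample input, taken from the thread's good/bad examples plus a
// few encoded and traversal variants.
$base = '/~goodUser/';
$samples = [
    'http://domain.com/~goodUser/whatever.php',
    'http://domain.com/~badUser/webshell.php',
    '/~goodUser/typo3/../../~badUser/webshell.php',
    '//other.example/~goodUser/',
    '%2F~goodUser%2Ftypo3%2Fbackend.php',
    'typo3/backend.php?returnUrl=x',
];
foreach ($samples as $sample) {
    printf("%-50s %s\n", $sample, isLocalUrl($sample, 'domain.com', $base) ? 'local' : 'rejected');
}
```

The check deliberately works on the resolved path rather than on a character whitelist: the ~ from the bug report is simply part of a path that is compared against the base directory, while a traversal out of /~goodUser/ or a host change is refused regardless of which characters it uses. Whether the base is the user's directory or the typo3/ directory below it is a deployment decision; the thread's example treats /~goodUser/whatever.php as acceptable, so this example uses the parent of typo3/.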

