[TYPO3-core] RFC #12324: Bug: Page tree will not be shown in the typo3 backend
Oliver Hader
oliver at typo3.org
Sun Nov 8 18:38:46 CET 2009
Oliver Hader schrieb:
> Hi,
>
> Oliver Hader schrieb:
>> Hi,
>>
>> Oliver Klee schrieb:
>>> This is an SVN patch request.
>>>
>>> Type: Bugfix
>>>
>>> Bugtracker references:
>>> http://bugs.typo3.org/view.php?id=12324
>>>
>>> Branches:
>>> TYPO3_4-1, TYPO3_4-2 & trunk
>>>
>>> Problem:
>>> BE URLs like http://194.150.249.xxx/~mydomain/typo3 are blocked because
>>> ~ and - are blocked in BE URLs.
>>>
>>> This is fallout from one of the security patches.
>>>
>>> Solution:
>>> Allow ~ and - in the BE URL whitelisting.
>>>
>>> Notes:
>>> The patch is by Marco Gilbert. I'm only the person posting this to the
>>> Core list.
>> After reading the discussion I considered to use an URL match:
>> * absolute URL: URL must be on the host that is currently used
>> * relative URL: URL must be in TYPO3 base (sub-)directory, e.g.
>> base request to: http://domain.com/~goodUser/typo3/backend.php
>> + good request/source: http://domain.com/~goodUser/whatever.php
>> + bad request/source: http://domain.com/~badUser/webshell.php
>>
>> Besides that the test-cases were modified to use a data provider and all
>> test-strings are checked against rawurlencoded stuff, too.
>>
>> The method got renamed from sanitizeBackEndUrl() to sanitizeLocalUrl().
>> If it would be just for backend URLs (whatever that might be), it should
>> be located in t3lib_BEfunc. However, "localUrl" fits better and could
>> also be used in the frontend.
>
> New approach, now with RemoveXSS.
> Find attached patches for TYPO3 4.3 and 4.2.
The patch removes an onLoadHandler that was integrated in rev. 238 and
is not required anymore for the situation pointed out in the comments.
I've tested this again with Safari 4 and 3.2 on Mac.
olly
--
Oliver Hader
TYPO3 Release Manager 4.3
More information about the TYPO3-team-core
mailing list