[TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where
JoH asenau
info at cybercraft.de
Thu Oct 1 07:09:40 CEST 2009
> main problem is that option select as part of stdWrap gives a tool
> that allows everything.
>
> On the one hand I can't understand every point of the discussion
> because templates are restricted to admins anyhow.
> On the other hand it's right to have a look at security and to keep
> optional vulnerabilities as small as possible.
> The point that templates can be allowed for editors is important but I
> omit it here because I don't want to integrate any holes anyway.
It seems that you (and some others as well) still don't get the point here.
It's not about the risk of being "hacked" by backend users, who "exploit"
this security hole on purpose by using "bad values" for a select, which
would be ridiculous because as an admin there would be easier ways to get
the stuff they want.
It's about the fact that you can use GPvars with a select without being able
to escape them properly unless they are expected to be integers. An admin
who will use something like select.andWhere.data = GPvar:blah will open a
hole for any hacker without even noticing it, because usually one would
expect the core to take care of that, which is not the case yet.
Of course it's the admin who will kind of "create" this security hole in the
TS template, so this is nothing the security team has to worry about and
it's not a must have to change this behaviour. But it still would be more
than just a "nice to have", if the core simply would make it impossible to
open up this hole by accident.
So my proposal is:
We should secure any select that can be triggered directly by TypoScript.
stdWrap can of course be applied to almost any property of TS select, but it
must be ensured that any value generated by this stdWrap will be escaped
properly before it gets returned.
Got the point?
Joey
--
Wenn man keine Ahnung hat: Einfach mal Fresse halten!
(If you have no clues: simply shut your gob sometimes!)
Dieter Nuhr, German comedian
Xing: http://contact.cybercraft.de
Twitter: http://twitter.com/bunnyfield
TYPO3 cookbook (2nd edition): http://www.typo3experts.com
TYPO3 workshops: http://workshops.eqony.com
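The pattern the mail describes, as an added illustration that is not TYPO3 core code: a stdWrap-style lookup of `andWhere.data = GPvar:blah` rendered into a WHERE fragment, once as the raw splice that opens the hole by accident, and once with the value quoted before it is returned, as the proposal asks. The names `resolveData()` and `renderAndWhere()` are assumed, and `addslashes()` stands in for the database layer's own quoting function.

```php
<?php
// Added illustration of the mail's point; not TYPO3 core code. The names
// resolveData() and renderAndWhere() are assumed, and addslashes() stands in
// for the database layer's own quoting, which a real fix would use instead.

/** stdWrap-style ".data = GPvar:name" lookup against the request variables. */
function resolveData(string $dataSpec, array $gpVars): string
{
    if (strpos($dataSpec, 'GPvar:') === 0) {
        return (string)($gpVars[substr($dataSpec, strlen('GPvar:'))] ?? '');
    }
    return '';
}

/**
 * Renders select.andWhere from a TypoScript-like config array, e.g.
 *   andWhere.data   = GPvar:blah
 *   andWhere.wrap   = AND title = '|'
 *   andWhere.intval = 1   (optional; the only case escaping already covers)
 * With $escape = false this is the behaviour the mail warns about: the raw
 * request value lands inside the SQL fragment untouched. With $escape = true
 * the value is cast or quoted before the wrap is applied, which is the
 * guarantee the proposal wants the core to give.
 */
function renderAndWhere(array $conf, array $gpVars, bool $escape): string
{
    $value = resolveData($conf['data'] ?? '', $gpVars);
    if (!empty($conf['intval'])) {
        $value = (string)(int)$value;   // integer expected: the cast is enough
    } elseif ($escape) {
        $value = addslashes($value);    // string expected: escape quotes/backslashes
    }
    $wrap = $conf['wrap'] ?? '|';
    return str_replace('|', $value, $wrap);
}

// Constructed request value containing a single quote, as an ordinary
// editor or visitor might type it into a form field.
$gpVars = ['blah' => "O'Reilly"];
$conf   = ['data' => 'GPvar:blah', 'wrap' => "AND title = '|'"];

// The unescaped fragment carries the quote straight into the query; the
// escaped one returns a fragment the database will read as one string literal.
echo renderAndWhere($conf, $gpVars, false), "\n";
echo renderAndWhere($conf, $gpVars, true), "\n";
```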