[TYPO3-core] RFC #14313: Class prefix problem in getUserObj and callUserFunction (t3lib_div)
Bjoern Pedersen
bjoern.pedersen at frm2.tum.de
Wed Jan 26 13:09:33 CET 2011
Am 26.01.2011 11:33, schrieb Andreas Kiessling:
> Hi Björn,
>
>>
>> there is TYPO§_CONF_VARS['FE']['userFuncClassPrefix'] that defaults to
>> user_, but can be changed. That should be taken care of in
>> hasValidClassPrefix.
>>
>
> i had implemented that in v3 (from 21.01), but problem is, that you you
> can change it for the FE, but for the BE it is hardcoded at some places
> to "user_".
Ok, that is an inconsitency in core. So the current patch should be OK
for 4.5 in this respect. Maybe just add a note that this should be
rethought in 4.6
> An extension class usually has a prefix of tx_, whereas i only use user_
> for conditions or independent scripts. Goal of the RFC is, to allow Tx_
> as a prefix when e.g. hooks are called.
Correct. Adn it achieves it.
> Sidenote: when a service is registered, that check is negated, so a
> service key must not be prepended with tx_ (or Tx_), so this could be a
> breaking change, if the userFuncClassPrefix was checked here.
>
> Regards,
> Andreas
>
> PS: Have you ever changed the userFuncClassPrefix to something
> different? I'd almost say, deprecate that setting with 4.6 and always
> allow tx_, Tx_, user_, User_
No, as I don't see a real security gain as long as other fixed prefixes
exist.
So now a +1 by reading from me.
Björn
More information about the TYPO3-team-core
mailing list