Bug #23178
Wrong HTTP headers sent when trying to access pages that require login
| Status: | Under Review | Start date: | 2010-07-14 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assignee: | Ingo Renner | % Done: | 0% |
| Category: | - | | |
| Target version: | 6.0.0 | | |
| TYPO3 Version: | 4.4 | Complexity: | |
| PHP Version: | 5.2 | | |
| Votes: | 0 | | |
Description
When trying to access a login-protected page while not being logged in, it may happen that a wrong header is sent.
The install tool allows setting a header for the page-not-found handling: [FE][pageNotFound_handling_statheader]
The default value for this setting is "HTTP/1.0 404 Not Found".
In a case where access is denied because the user is not logged in, this is of course the wrong header; it should be 401 instead.
Proposed solution: in cases where access is denied because of missing privileges, TYPO3 should ignore the mentioned setting and send a 401 instead.
(issue imported from #M15114)
History
Updated by Ingo Renner almost 3 years ago
The solution for this issue may result in being able to remove the $TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'] option if we are always sending the correct headers.
Need to check whether there are more places where this option is used...
Updated by Dmitry Dulepov almost 3 years ago
TYPO3 treats such cases as "not found", not as "access denied". I am not sure why, but it is historical (since 3.x, I think). It makes sense from a security point of view because "access denied" tells you that something is there, but "page not found" does not reveal that protected content exists. This is called "security by obscurity".
Updated by Hassan Ait over 2 years ago
Thanks Ingo, I've just tested your fix and it works fine for me (TYPO3 version 4.3). What about adding a different error page for unauthorized pages? I made a test with the following code and it works for me. It presupposes adding a new parameter, [FE][pageUnauthorized_handling].
Index: typo3/sysext/cms/tslib/class.tslib_fe.php

```php
function pageNotFoundAndExit($reason = '', $header = '') {
    // Status line: an explicit $header wins, otherwise the configured
    // [FE][pageNotFound_handling_statheader] is used for every case.
    $header = $header ? $header : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'];
    if ($this->pageNotFound === 1 || $this->pageNotFound === 2) {
        // Treated here as the access-denied cases: use the dedicated
        // [FE][pageUnauthorized_handling] if it is configured, otherwise
        // fall back to the regular page-not-found handling.
        $code = $this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling']
            ? $this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling']
            : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
    } else {
        $code = $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
    }
    $this->pageNotFoundHandler($code, $header, $reason);
    exit;
}
```
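The trade-off raised in Dmitry's comment and the separate unauthorized handler proposed in the snippet above, modelled as an added example that is not part of this issue or of TYPO3: a small Python model of the request handling with a configurable policy, written in Python rather than PHP only so that it can be run as-is. Page records, sessions, the `protected_page_policy` and `pageUnauthorized_body` keys, the page tree and the realm value are constructed for the demo; only `pageNotFound_handling_statheader` and its default value come from the report. It also separates 401 (visitor not logged in) from 403 (logged in but not in a permitted group), which the report lumps together as 401.

```python
"""Added example, not TYPO3 code: status line for a request to a login-protected page.

Two policies, selected by a constructed config key:
  "accurate" - denied access is reported as such: 401 when the visitor is not
               logged in (with the WWW-Authenticate header RFC 7235 requires),
               403 when logged in but not in a permitted group;
  "hidden"   - denied access is answered exactly like a missing page, so an
               anonymous visitor cannot tell the two apart.
leaks_existence() tests whether the hiding actually holds.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass(frozen=True)
class Page:
    uid: int
    fe_groups: frozenset = frozenset()  # empty = public page


@dataclass(frozen=True)
class Session:
    groups: frozenset = frozenset()  # frontend user groups
    logged_in: bool = False


@dataclass
class Response:
    status: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# Constructed configuration. Only pageNotFound_handling_statheader and its
# default value are from the issue; the other two keys are assumptions.
CONFIG = {
    "pageNotFound_handling_statheader": "HTTP/1.0 404 Not Found",
    "protected_page_policy": "hidden",  # "hidden" or "accurate"
    "pageUnauthorized_body": None,      # set to mimic a separate handler page
}

# Constructed page tree: uid 1 is public, uid 2 is restricted to "members".
PAGES = {1: Page(1), 2: Page(2, frozenset({"members"}))}


def not_found(config: dict) -> Response:
    return Response(config["pageNotFound_handling_statheader"], {}, b"Page not found\n")


def build_response(pages: Dict[int, Page], uid: int, session: Session, config: dict) -> Response:
    page = pages.get(uid)
    if page is None:
        return not_found(config)
    if not page.fe_groups or page.fe_groups & session.groups:
        return Response("HTTP/1.1 200 OK", {}, f"content of page {uid}\n".encode())

    # The page exists but this visitor may not see it.
    if config["protected_page_policy"] == "hidden":
        resp = not_found(config)
        if config["pageUnauthorized_body"] is not None:
            # Same status line, different body: the visitor can still tell.
            resp.body = config["pageUnauthorized_body"]
        return resp

    if session.logged_in:
        # Authenticated, but not authorised for this page.
        return Response("HTTP/1.1 403 Forbidden", {}, b"Access denied\n")
    # Not authenticated. A 401 must carry WWW-Authenticate (RFC 7235, 3.1);
    # the scheme and realm here are placeholders.
    return Response(
        "HTTP/1.1 401 Unauthorized",
        {"WWW-Authenticate": 'Basic realm="frontend login"'},
        b"Login required\n",
    )


def leaks_existence(pages: Dict[int, Page], protected_uid: int, missing_uid: int, config: dict) -> bool:
    """True if an anonymous visitor gets a different answer for a protected
    page than for a page that does not exist, i.e. protected pages can be
    discovered by probing."""
    anon = Session()
    denied = build_response(pages, protected_uid, anon, config)
    missing = build_response(pages, missing_uid, anon, config)
    return denied != missing


if __name__ == "__main__":
    for policy in ("hidden", "accurate"):
        cfg = dict(CONFIG, protected_page_policy=policy)
        print(policy, "->", build_response(PAGES, 2, Session(), cfg).status,
              "| discoverable:", leaks_existence(PAGES, 2, 999, cfg))
    # 404 status line kept, but a dedicated "unauthorized" body gives it away.
    cfg = dict(CONFIG, pageUnauthorized_body=b"You must log in\n")
    print("hidden + custom body | discoverable:", leaks_existence(PAGES, 2, 999, cfg))
```

The `leaks_existence` check is the practical test of the "not found" policy: hiding only works if a denied request gets byte-for-byte the response a missing page gets. Routing denied requests to a different handler page, as the snippet above does, keeps the 404 status line but returns a different body, so the existence of the protected page is revealed anyway. Conversely, if the accurate policy is chosen, a `Basic` challenge makes browsers show a credentials dialog, which is why sites with form-based login usually answer 403 or redirect to the login page rather than sending a bare 401.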
Updated by Ingo Renner about 1 year ago
- Category deleted (Communication)
- Assignee set to Ingo Renner
- Target version deleted (0)
Updated by Gerrit Code Review about 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281
Updated by Gerrit Code Review about 1 year ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281
Updated by Ingo Renner about 1 year ago
- Target version set to 6.0.0
Updated by Gerrit Code Review about 1 year ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281
Updated by Gerrit Code Review about 1 year ago
Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281