Bug #29603
__toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions
| Status: | Closed | Start date: | 2011-09-09 | |
|---|---|---|---|---|
| Priority: | Must have | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | Core | |||
| Target version: | TYPO3 Flow Base Distribution - 1.0.5 | |||
| Has patch: | No | FLOW3 version affected: | FLOW3 1.0.0 | |
| Votes: | 0 |
Description
PHP does not allow to throw exceptions within a __toString() method. Therefore security exception don't work while rendering the Fluid template. We somehow have to call a method to render a node and not just concatenate the objects as string and use the interal __toString() functionality. This is a really stupid PHP behaviour, that is documented here: http://php.net/manual/en/migration52.incompatible.php
History
Updated by Andreas Förthner over 1 year ago
- Subject changed from __toString() usage for rendering in the compiled Fluid template breaks the concept of security exceptions to __toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions
Updated by Bastian Waidelich over 1 year ago
Do you have an example where objects are concatenated in a compiled template?
Updated by Andreas Förthner over 1 year ago
Ah sorry ;-) This is done in line 322 of the TemplateCompiler.
$initializationPhpCode .= sprintf('%s .= %s;', $outputVariableName, $converted['execution']) . chr(10);
Updated by Karsten Dambekalns over 1 year ago
- Target version changed from 1.0.0 to 1.0.1
Updated by Karsten Dambekalns over 1 year ago
- FLOW3 version affected set to FLOW3 1.0.0
Updated by Karsten Dambekalns over 1 year ago
- Target version changed from 1.0.1 to 1.0.2
Updated by Karsten Dambekalns over 1 year ago
- Target version changed from 1.0.2 to 1.0.3
Updated by Karsten Dambekalns about 1 year ago
- Target version changed from 1.0.3 to 1.0.4
Updated by Karsten Dambekalns about 1 year ago
- Target version changed from 1.0.4 to 1.0.5
Updated by Sebastian Kurfuerst 12 months ago
- Status changed from New to Needs Feedback
I fear that I need more feedback in here.
Inside fluid, __toString is definitely never used.
Could it have something to do with the old TypoScript? If yes, that has been quite sure fixed with the new TS.
Updated by Andreas Förthner 12 months ago
Hi Sebastian,
I'm currently checking this, probably you are right, that this was only a problem with the old TS rendering.
I'll give you more feedback a soosn as I have verified this.
Updated by Andreas Förthner 12 months ago
- Status changed from Needs Feedback to Closed
After looking at it and discussing it once again with my colleague, this was probably fixed somewhen along the way. When I created the issue view helpers got rendered by an implicit cast of the VH object in a string concatenation. This seems not to be the case anymore, now initializeArgumentsAndReder() is called explicitly. Therefore I consider this issue not present anymore and close this ticket.