<p>TYPO3 Forge: Issues (<a class="external" href="http://forge.typo3.org/">http://forge.typo3.org/</a>), updated 2018-12-14T18:13:13Z</p>
<p>TYPO3 Core - Bug #87165 (Closed): \TYPO3\CMS\Core\Authentication\BackendUserAuthentication::isInW...<br /><a class="external" href="http://forge.typo3.org/issues/87165">http://forge.typo3.org/issues/87165</a><br />2018-12-14T18:13:13Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>Editors are never allowed to create or edit translations of the root page of a webmount due to a wrong calculation of the rootline for translated pages.<br />For the root of the rootline the uid of the translated page record is used instead of the uid of the corresponding page in the default language.<br />This uid is not found in the associated web mounts of the user or his user groups.</p>
<p>TYPO3 Core - Bug #87038 (Closed): Unique evaluation does not work with l10n_mode=exclude after ed...<br /><a class="external" href="http://forge.typo3.org/issues/87038">http://forge.typo3.org/issues/87038</a><br />2018-11-29T13:19:41Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>Translation handling with l10n_mode=exclude:<br />the field is copied from default language to language children. In combination with eval=unique the language children get a unique value too like “fieldvalue”.<br />If you edit and save the original record afterwards then "fieldvalue" turns into "fieldvalue0" because the uniqueness is also checked in translated records.<br />My expected behaviour is: uniqueness should be ignored for fields with l10n_mode=exclude in translated records.</p>
<p>Related to <a class="issue tracker-1 status-5 priority-3 priority-lowest closed" title="Bug: Unique evaluation does not work with l10n_mode=exclude (Closed)" href="http://forge.typo3.org/issues/84267">#84267</a><br />Related to <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Changed behaviour for uniqueInPid/unique in translated records (Closed)" href="http://forge.typo3.org/issues/83572">#83572</a></p>
<p>TYPO3 Core - Bug #81361 (New): File dump in TYPO3 BE insecure because login status is not checked<br /><a class="external" href="http://forge.typo3.org/issues/81361">http://forge.typo3.org/issues/81361</a><br />2017-05-29T11:06:38Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>Dear TYPO3 team,</p>
<p>we found a security issue in the Filelist module in TYPO3 BE in all TYPO3 versions from 6.2 to 7.x and 8.6:</p>
<p>You can create a File Storage with "Path type" set to "absolute" and "Base path" pointing to a secure directory outside of the docroot, with "Is publicly available?" left unchecked.<br />You can upload files in the File list module, f.e. a csv file with sensitive data.<br />When you preview this file with a click on the "Show" icon, a new browser tab opens with a URL like: "/index.php?eID=dumpFile&amp;t=f&amp;f=2&amp;token=ea0aa41c84835250308254959470650ac4d66bbf", dumping your file contents.</p>
<p>The security issue is that you can also open this URL without being logged in as TYPO3 BE user without any authentication process.</p>
<p>That means that a TYPO3 BE user could unsuspectingly preview this sensitive file f.e. with a Google Chrome browser, which will potentially index this file just because the URL is entered into Chrome, and suddenly it becomes publicly available.<br />Imagine, this could be personal data such as credit card information, account details etc.</p>
<p>The issue could be solved in two ways:<br />a) use a separate dump script for the TYPO3 BE with an authentication check<br />b) use a hook to add authentication if the existing dump script is called in the TYPO3 BE.</p>
<p>I implemented an extension for variant b) and attached it. This will fix this issue as it checks if a BE-User is logged in and if he has access to the file storage and if the file storage is browsable and active before dumping the file.</p>
<p>Best regards,</p>
<p>Alexander</p>
<p>TYPO3 Core - Bug #61749 (Closed): SystemEnvironmentBuilder reports "Unable to determine path to e...<br /><a class="external" href="http://forge.typo3.org/issues/61749">http://forge.typo3.org/issues/61749</a><br />2014-09-19T18:04:41Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>tested on Windows 2012 Server R2 with php 5.4.22 in TYPO3 CMS 6.1.9 on CLI:</p>
<pre><code>
> C:\php-cli\php.exe -f c:\Apache2.2\intranet\typo3\cli_dispatch.phpsh
</code></pre>
<p>results in error message "Unable to determine path to entry script".</p>
<p>Caused by a regular expression with missing /i in <br />typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php:411</p>
<p>Replace</p>
<pre><code class="php syntaxhl" data-language="php">if (!preg_match('/^([A-Z]:)?\\\\/', $scriptPath)) {
</code></pre>
<p>with</p>
<pre><code class="php syntaxhl" data-language="php">if (!preg_match('/^([A-Z]:)?\\\\/i', $scriptPath)) {
</code></pre>
<p>Workaround: Use capitalized drive letters, f.e.</p>
<pre><code>
> C:\php-cli\php.exe -f C:\Apache2.2\intranet\typo3\cli_dispatch.phpsh
</code></pre>
<p>Patchfile is attached.</p>
<p>TYPO3 Core - Bug #59365 (Closed): Session Lifetime for FE-Users can not be less than 6000 secs<br /><a class="external" href="http://forge.typo3.org/issues/59365">http://forge.typo3.org/issues/59365</a><br />2014-06-05T14:25:59Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>Setting the session lifetime to a value less than 6000 secs has no effect, f.e.</p>
<pre><code class="php syntaxhl" data-language="php">$GLOBALS['TYPO3_CONF_VARS']['FE']['lifetime'] = 1800;
</code></pre>
<p>results in the default lifetime of 6000 secs.</p>
<p>Reason for this is<br />\typo3\sysext\frontend\Classes\Authentication\FrontendUserAuthentication.php:171:</p>
<pre><code class="php syntaxhl" data-language="php">if (intval($this->auth_timeout_field) > 0 &amp;&amp; intval($this->auth_timeout_field) &lt; $this->lifetime) {
    // If server session timeout is non-zero but less than client session timeout: Copy this value instead.
    $this->auth_timeout_field = $this->lifetime;
}
</code></pre>
<p>and in __construct (line 144) is defined:</p>
<pre><code class="php syntaxhl" data-language="php">$this->auth_timeout_field = 6000;
</code></pre>
<p>Maybe the fix suggested in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Session-Lifetime for BE-User and FE-User doesnt work in FE (Closed)" href="http://forge.typo3.org/issues/14836">#14836</a> (adapted to the 6.1 sources) could be the right solution?</p>
<p>Adding the following line in \TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController::initFEuser after line 912:</p>
<pre><code class="php syntaxhl" data-language="php">$this->fe_user->auth_timeout_field = intval($this->TYPO3_CONF_VARS['FE']['lifetime']);
</code></pre>
<p>This behaviour was found in TYPO3 6.1.7.</p>
<p>Best regards</p>
<p>Alexander</p>
<p>TYPO3 Core - Bug #44381 (Closed): indexed_search FE Plugin doesn't show external urls in TYPO3 4.7.7<br /><a class="external" href="http://forge.typo3.org/issues/44381">http://forge.typo3.org/issues/44381</a><br />2013-01-08T14:49:47Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>The FE plugin of indexed_search doesn't show any external URLs which start with http:// or https:// (or any other protocol).<br />These URLs have been added to the index correctly (via crawler).</p>
<p>The reason for that is in class.tx_indexedsearch.php in line 1247 ff. in function checkExistance($row).</p>
<p>The check is done for any path with is_file() in line 1250. is_file() always returns 0 if used with URLs like "http://google.de/".</p>
<p>To solve this problem you can use this alternative checkExistance() implementation:</p>
<pre><code class="php syntaxhl" data-language="php">function checkExistance($row) {
    $recordExists = TRUE; // Always expect that page content exists
    if ($row['item_type']) { // External media:
        if (preg_match('/^http(s)?:\/\//', $row['data_filename'])) {
            // Remote URL: is_file() cannot check it, so send a HEAD request instead
            $ch = curl_init($row['data_filename']);
            curl_setopt($ch, CURLOPT_NOBODY, true);         // HEAD request, no body transfer
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // never echo the response into the page output
            curl_setopt($ch, CURLOPT_TIMEOUT, 5);           // do not stall the result page on a slow remote host
            curl_exec($ch);
            $recordExists = (curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200);
            curl_close($ch); // release the handle
        } else {
            // Local file: keep the original filesystem check
            if (!is_file($row['data_filename']) || !file_exists($row['data_filename'])) {
                $recordExists = FALSE;
            }
        }
    }
    return $recordExists;
}
</code></pre>
<p>But this implementation is very slow because each external url of the search results will be checked with one http request.</p>
<p>I created an extension sms_indexedsearch_fixexternals to fix this bug. In this extension you can enable or disable the checking of http(s) URLs in the extension configuration.</p>
<p>TYPO3 Core - Feature #19443 (New): Localization of IRRE-children for n:m relations with useCombin...<br /><a class="external" href="http://forge.typo3.org/issues/19443">http://forge.typo3.org/issues/19443</a><br />2008-10-09T13:09:16Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>related to #0006087</p>
<p>Is it planned to extend the localization feature of IRRE for n:m relations in useCombination=1 mode?<br />We have the following database model (n:m relation, intermediate table with additional fields beside the foreign keys):<br />1 person has many projects. A project has many persons. A person has a special role in a project. Therefore we have 3 tables: person -- person-project -- project. The role is a field in the person-project table.</p>
<p>In the person we have IRRE fields for person-project records with useCombination=1. So you can edit the role (field in person-project) and also you can edit the project in the person record.<br />With the localization mode "select" you can translate the person-project records with the button "synchronize". The problem now is that all the created localized person-project records reference the localized person record correctly, but reference the projects in the default language, which is definitely wrong.</p>
<p>Instead the projects should also have been localized when pressing the "synchronize"-Button.</p>
<p>Looking at the other side: editing projects and, inside the projects, the related persons:<br />Localizing the related project and pressing the "synchronize" button in the localized records results in new localized person-project records with a reference to the correct localized project but the wrong reference to the persons in the default language.</p>
<p>The missing feature is a way to handle localization for editing the m:n relations from each side via IRRE (from persons or from projects), resulting in person-project records where both foreign keys reference correctly to the localized projects and persons.</p>
<p>I also tried to define the foreign keys in person-project as l10n_mode=>'exclude', because the relation between persons and projects is the same in the translation as in the original language. When I clicked "synchronize" in person, it resulted in creating new project records in the default language, which is a misbehaviour.</p>
<p>Here is our TCA:</p>
<pre><code class="php syntaxhl" data-language="php">$TCA["tx_smshisdb_person"] = array (
    "project" => Array (
        "exclude" => 0,
        "label" => "LLL:EXT:sms_his_db/locallang_db.xml:tx_smshisdb_person.project",
        "config" => Array (
            "type" => "inline",
            "foreign_table" => "tx_smshisdb_person_project",
            "foreign_field" => "uid_person",
            "foreign_label" => "uid_project",
            "appearance" => Array (
                "useCombination" => 1,
                'showSynchronizationLink' => 1,
                'showAllLocalizationLink' => 1,
                'showPossibleLocalizationRecords' => 1,
                'showRemovedLocalizationRecords' => 1,
            ),
            'behaviour' => array(
                'localizationMode' => 'select',
                'localizeChildrenAtParentLocalization' => 1,
            ),
            "foreign_selector" => "uid_project",
            "foreign_unique" => "uid_project",
        )
    ),
);
</code></pre>
<pre><code class="php syntaxhl" data-language="php">$TCA["tx_smshisdb_person_project"] = array (
    "uid_person" => Array (
        "exclude" => 0,
        "label" => "LLL:EXT:sms_his_db/locallang_db.xml:tx_smshisdb_person_project.uid_person",
        "config" => Array (
            "type" => "select",
            "foreign_table" => "tx_smshisdb_person",
            "foreign_table_where" => " AND tx_smshisdb_person.sys_language_uid=###REC_FIELD_sys_language_uid### ORDER BY tx_smshisdb_person.nachname",
            "size" => 1,
            "minitems" => 0,
            "maxitems" => 1,
        )
    ),
    "uid_project" => Array (
        "exclude" => 0,
        "label" => "LLL:EXT:sms_his_db/locallang_db.xml:tx_smshisdb_person_project.uid_project",
        "config" => Array (
            "type" => "select",
            "foreign_table" => "tx_smshisdb_project",
            "foreign_table_where" => " AND tx_smshisdb_project.sys_language_uid=###REC_FIELD_sys_language_uid### ORDER BY tx_smshisdb_project.uid",
            "size" => 1,
            "minitems" => 0,
            "maxitems" => 1,
        )
    ),
    "role" => Array (
        "exclude" => 0,
        "label" => "LLL:EXT:sms_his_db/locallang_db.xml:tx_smshisdb_person_project.role",
        "config" => Array (
            "type" => "input",
            "size" => "30",
        )
    ),
);
</code></pre>
<pre><code class="php syntaxhl" data-language="php">$TCA["tx_smshisdb_project"] = array (
    "person" => Array (
        "exclude" => 0,
        "label" => "LLL:EXT:sms_his_db/locallang_db.xml:tx_smshisdb_project.person",
        "config" => Array (
            "type" => "inline",
            "foreign_table" => "tx_smshisdb_person_project",
            "foreign_field" => "uid_project",
            "foreign_label" => "uid_person",
            "appearance" => Array (
                "useCombination" => 1,
                "expandSingle" => 1,
                "collapseAll" => 1,
                'showSynchronizationLink' => 1,
                'showAllLocalizationLink' => 1,
                'showPossibleLocalizationRecords' => 1,
                'showRemovedLocalizationRecords' => 1,
            ),
            "foreign_selector" => "uid_person",
            "foreign_unique" => "uid_person",
            "behaviour" => Array (
                "localizationMode" => "select",
            ),
        ),
    ),
);
</code></pre>
<p>(issue imported from #M9526)</p>
<p>TYPO3 Core - Bug #17636 (Closed): config.prefixLocalAnchors = all destroys links in fe<br /><a class="external" href="http://forge.typo3.org/issues/17636">http://forge.typo3.org/issues/17636</a><br />2007-09-28T17:48:01Z, Alexander Bohndorf (bohndorf@web.de)</p>
<p>The TS Setup config.prefixLocalAnchors = all should replace all links like <code>&lt;a href="#"&gt;</code> with <code>&lt;a href="[path-to-url]#"&gt;</code>.</p>
<p>Because of an error in a regular expression this function can result in destroying all this links in fe.</p>
<p>The error is in /typo3/sysext/cms/tslib/class.tslib_fe.php in line 3667, function prefixLocalAnchorsWithScript()</p>
<p>Patch:<br />Replace the line with the following:</p>
<pre><code class="php syntaxhl" data-language="php">$this->content = preg_replace('/(&lt;(a|area).*\?href=")(#[^"]*")/i', '$1' . htmlspecialchars($scriptPath) . '$3', $this->content);
</code></pre>
<p>In the regular expression, a backslash must be added before the question mark.</p>
<p>TYPO3 4.1.2<br />(issue imported from #M6415)</p>