Bug #100153
closedADMCMD_simUser vs. dumpFile-Link
0%
Description
When previewing an access protected page (with GET parameter ADMCMD_simUser
on the URL) this parameter seems not to be attached to the "dumpFile" URL that is being created for non-public files via EXT:core/Classes/Resource/ResourceStorage.php#L1404-L1417
if ($publicUrl === null && $resourceObject instanceof FileInterface) { $queryParameterArray = ['eID' => 'dumpFile', 't' => '']; if ($resourceObject instanceof File) { $queryParameterArray['f'] = $resourceObject->getUid(); $queryParameterArray['t'] = 'f'; } elseif ($resourceObject instanceof ProcessedFile) { $queryParameterArray['p'] = $resourceObject->getUid(); $queryParameterArray['t'] = 'p'; } $queryParameterArray['token'] = GeneralUtility::hmac(implode('|', $queryParameterArray), 'resourceStorageDumpFile'); $publicUrl = GeneralUtility::locationHeaderUrl(PathUtility::getAbsoluteWebPath(Environment::getPublicPath() . '/index.php')); $publicUrl .= '?' . http_build_query($queryParameterArray, '', '&', PHP_QUERY_RFC3986); }
Since we're using EXT:fal_securedownload this might not be a core issue but one of said extension. But I thought I start on force...
Setup:
- TYPO3 10.4.36
- EXT:fal_securedownload 3.0.2
Updated by Philipp Kitzberger over 1 year ago
- Related to Bug #94974: Pass on simUser parameter to other pages added
Updated by Georg Ringer 22 days ago
- Status changed from New to Needs Feedback
- Priority changed from Should have to Could have
I tried to reproduce that and the URL of the page is https://t3-master.ddev.site/issues/100153-secured-download-preview?ADMCMD_simUser=1
and for the file https://t3-master.ddev.site/index.php?eID=dumpFile&t=f&f=28&token=ce6452b96c488a4ec70e11c2cf5453eccadf302d
and the file is reachable (being in a non-public storage)
would it ok to close it?
Updated by Philipp Kitzberger 16 days ago
Yup, go ahead. Cannot reproduce it with v11 anymore as well.
Updated by Garvin Hicking 16 days ago
- Status changed from Needs Feedback to Closed