Project

General

Profile

Actions

Bug #14530

closed

The backend menu has ugly URLS like "mod/ext/../../something.php"

Added by Allan Jacobsen about 19 years ago. Updated over 17 years ago.

Status:
Closed
Priority:
Could have
Category:
Backend API
Target version:
-
Start date:
2005-02-04
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
3.7.0
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The real problem with URLs like described in the summary is that they are blocked by our checkpoint firewall as the ../.. is a pattern that is a possible security risk.

I dont know enough about the backend to solve this the right way, but i traced some of the urls to typo3/class.alt_menu_functions.inc where i inserted this line "$link = preg_replace('/\w+\/\.\.\//','',$link);" 3 time in the wrapLinkWithAB($link) function near the buttom of the file. This solves the problem enough to be able to use the backend except for the filelist item.
(issue imported from #M750)


Files

0000750-urlfix.diff (1.63 KB) 0000750-urlfix.diff Administrator Admin, 2005-02-07 10:08
0000750-11_resolveBackPath.diff (2.17 KB) 0000750-11_resolveBackPath.diff Administrator Admin, 2005-03-28 18:22
Actions #1

Updated by Michael Stucki about 19 years ago

Well, these links are fully legal so I don't think it's a problem of TYPO3 but of your firewall!

However I agree these links do not look very nice, maybe someone wants to write a little function that separates the path from the full URL and resolves /path/../ things recursively. Additionally, one would have to search wherever this should be used afterwards.

Pretty tricky, I don't think it's worth the effort.

Actions #2

Updated by Allan Jacobsen about 19 years ago

I agree that the urls are legal, but Checkpoint firewall software is pretty popular in big companies with deep pockets(like my daytime job), and it would be a shame if typo3 is excluded from being used in these places.

the preg_replace function I used could be used as a starting point, but urls are generated in different places, so I could not solve the problem myself.

If someone with enough knowledge of the core can give an estimate of the hours needed, I can try if I can find sponsorship for this.

Actions #3

Updated by Michael Stucki about 19 years ago

Well, the deep pocket sounds like an argument ;-)

Seriously - you have the possibility to define exceptions in Checkpoint which are not checked anymore, so TYPO3 will still work, maybe this simply needs to be documented somewhere...

Actions #4

Updated by Allan Jacobsen about 19 years ago

This diff fixes things on our installation at work, and I dont think it should have any bad influence on other things, so I would be glad if it was in the next release 8-).

Actions #5

Updated by Michael Stucki about 19 years ago

Thanks, I will test this.

Actions #6

Updated by Michael Stucki about 19 years ago

Please check my latest patch attached (11_resolveBackPath.diff)

Actions #7

Updated by Allan Jacobsen almost 19 years ago

Yes, the new patch works perfectly, and is surely the right way to do it.

Actions #8

Updated by Michael Stucki almost 19 years ago

Fixed in CVS.

Actions

Also available in: Atom PDF