Bug #14530
closed
The backend menu has ugly URLs like "mod/ext/../../something.php"
Added by Allan Jacobsen almost 20 years ago.
Updated over 18 years ago.
Description
The real problem with URLs like those described in the summary is that they are blocked by our Checkpoint firewall, as the ../.. is a pattern that is a possible security risk.
I don't know enough about the backend to solve this the right way, but I traced some of the URLs to typo3/class.alt_menu_functions.inc where I inserted this line "$link = preg_replace('/\w+\/\.\.\//','',$link);" 3 times in the wrapLinkWithAB($link) function near the bottom of the file. This solves the problem enough to be able to use the backend except for the filelist item.
(issue imported from #M750)
Files
Well, these links are fully legal so I don't think it's a problem of TYPO3 but of your firewall!
However I agree these links do not look very nice, maybe someone wants to write a little function that separates the path from the full URL and resolves /path/../ things recursively. Additionally, one would have to search wherever this should be used afterwards.
Pretty tricky, I don't think it's worth the effort.
I agree that the URLs are legal, but Checkpoint firewall software is pretty popular in big companies with deep pockets (like my daytime job), and it would be a shame if TYPO3 is excluded from being used in these places.
The preg_replace function I used could be used as a starting point, but URLs are generated in different places, so I could not solve the problem myself.
If someone with enough knowledge of the core can give an estimate of the hours needed, I can try if I can find sponsorship for this.
Well, the deep pocket sounds like an argument ;-)
Seriously - you have the possibility to define exceptions in Checkpoint which are not checked anymore, so TYPO3 will still work, maybe this simply needs to be documented somewhere...
This diff fixes things on our installation at work, and I don't think it should have any bad influence on other things, so I would be glad if it was in the next release 8-).
Thanks, I will test this.
Please check my latest patch attached (11_resolveBackPath.diff)
Yes, the new patch works perfectly, and is surely the right way to do it.
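The thread contrasts a single regex pass with resolving "dir/../" pairs segment by segment. The sketch below is an added example, not TYPO3 code and not the attached 11_resolveBackPath.diff (which is not shown on this page). Function names and sample links are constructed, and it assumes relative or root-relative links without a scheme or host.

```php
<?php
// Added example; function names are hypothetical, not TYPO3 API.

// The workaround from the report: a single pass removes only one
// "dir/../" pair, and \w+ stops at '-' or '.', so it can cut a
// directory name in half instead of removing it.
function strip_once_example(string $link): string {
    return preg_replace('/\w+\/\.\.\//', '', $link);
}

// Segment-based resolver: keep the query string and fragment untouched,
// then fold every ".." into the directory segment that precedes it.
function resolve_back_path_example(string $link): string {
    $cut  = strcspn($link, '?#');   // length of the path part
    $path = substr($link, 0, $cut);
    $tail = substr($link, $cut);    // "?query#fragment", or empty

    $out = [];
    foreach (explode('/', $path) as $seg) {
        // Pop only a real directory name: never the leading "" of a
        // root-relative path, and never an already unresolved "..".
        if ($seg === '..' && $out !== [] && end($out) !== '..' && end($out) !== '') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out) . $tail;
}

// Constructed sample links (the first one is the form quoted in the title).
$samples = [
    'mod/ext/../../something.php',
    'sysext/my-ext/../../alt_doc.php?returnUrl=../list.php',
    '/typo3/mod/web/../../alt_main.php',
    '../outside/file.php',
];

foreach ($samples as $link) {
    printf("%-55s regex once: %-40s resolved: %s\n",
        $link, strip_once_example($link), resolve_back_path_example($link));
}
```

A leading ".." that would climb above the link's base is left in place rather than dropped, so a link that really points outside the base directory stays visible to whatever filter sits in front of the backend.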