Use t3lib_div::callUserFunction in TypoScript userFunc condition
In TypoScript's userFunc condition [userFunc = ...] it is only allowed to use PHP functions. No class methods. The parsing (t3lib_matchCondition->evalConditionStr()) should use t3lib_div::callUserFunction() internally for consistency and the possibility to use class methods as a user function. This has been discussed (http://lists.typo3.org/pipermail/typo3-team-core/2006-September/005667.html) but was never committed.
A patch (originally from Wolfgang Klinger's post) is appended to this ticket.
(issue imported from #M11120)
#4 Updated by Thorsten Kahler almost 7 years ago
David Bruchmann wrote:
Using extensions that allow TypoScript Editing for Editors this feature is a security-issue that allows getting admin-rights.
"Using extensions that allow TypoScript Editing for Editors" is the security risk. As long as any kind of "user function" (i.e. userland code) can be included via TS - no matter if TS condition, stdWrap option, ... - there's a decent security risk. And that's the reason why TS should only be editable for administrators.
This issue only requests a consistent way to call "user functions", not a policy change.
#5 Updated by Thorsten Kahler almost 7 years ago
- Tracker changed from Bug to Feature
- Category set to TypoScript
- TYPO3 Version changed from 4.3 to 6.2
- PHP Version changed from 5.2 to 5.3
- Complexity set to medium
IMO this is rather a feature than a bug, thus I change the tracker to "feature" and suggest implementing it in version 6.2.