Feature #20450

closed

Use t3lib_div::callUserFunction in typoscript userFunc condition

Added by Fabrizio Branca almost 15 years ago. Updated about 9 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: TypoScript
Target version: -
Start date: 2009-05-18
Due date:
% Done: 0%
Estimated time:
PHP Version: 5.3
Tags:
Complexity: medium
Sprint Focus:

Description

In TypoScript's userFunc condition [userFunc = ...] it is only allowed to use PHP functions. No class methods. The parsing (t3lib_matchCondition->evalConditionStr()) should use t3lib_div::callUserFunction() internally for consistency and the possibility to use class methods as a user function. This has been discussed (http://lists.typo3.org/pipermail/typo3-team-core/2006-September/005667.html) but was never committed.
A patch (originally from Wolfgang Klinger's post) is appended to this ticket.

(issue imported from #M11120)


Files

patch_matchuserfunc.diff (1.36 KB), Administrator Admin, 2009-05-18 17:07

Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #61489: Add AbstractCondition to implement custom TypoScript Conditions (Closed, Benni Mack, 2014-09-09)

Actions #1

Updated by David Bruchmann almost 15 years ago

Using extensions that allow TypoScript Editing for Editors this feature is a security-issue that allows getting admin-rights.
I think it's better to call Core-Classes through a wrapper-class where filtering of allowed classes or tables can be done.
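
The allow-list wrapper suggested in the comment above, as an added example that is not part of this ticket, its attached patch, or TYPO3 core. It assumes PHP 7.1 or later and the `Class->method` reference notation; `resolveAllowedUserFunc`, `matchUserFuncCondition`, `user_isIntranet`, `Tx_Demo_Conditions` and the allow-list contents are hypothetical names.

```php
<?php
// Added example (not TYPO3 core code). Every name below is hypothetical.

/** Returns [callable, args] for an allow-listed target, or null (fail closed). */
function resolveAllowedUserFunc(string $value, array $allowList): ?array
{
    // Strict grammar: "func(args)" or "Class->method(args)", nothing else.
    $re = '/^\s*([A-Za-z_]\w*(?:->[A-Za-z_]\w*)?)\s*\((.*)\)\s*$/s';
    if (!preg_match($re, $value, $m)) {
        return null;
    }
    // Exact, case-sensitive match against the allow-list; no prefixes or wildcards.
    if (!in_array($m[1], $allowList, true)) {
        return null;
    }
    $args = trim($m[2]) === '' ? [] : array_map('trim', explode(',', $m[2]));
    if (strpos($m[1], '->') === false) {
        return function_exists($m[1]) ? [$m[1], $args] : null;
    }
    [$class, $method] = explode('->', $m[1], 2);
    if (!class_exists($class)) {
        return null;
    }
    $object = new $class();
    return is_callable([$object, $method]) ? [[$object, $method], $args] : null;
}

function matchUserFuncCondition(string $value, array $allowList): bool
{
    $resolved = resolveAllowedUserFunc($value, $allowList);
    if ($resolved === null) {
        return false; // unknown or malformed target: condition does not match
    }
    return (bool) call_user_func_array($resolved[0], $resolved[1]);
}

// Constructed sample targets and allow-list.
function user_isIntranet(string $ip): bool { return strpos($ip, '10.') === 0; }
class Tx_Demo_Conditions
{
    public function isWeekend(string $day): bool { return in_array($day, ['Sat', 'Sun'], true); }
}
$allowList = ['user_isIntranet', 'Tx_Demo_Conditions->isWeekend'];

var_dump(matchUserFuncCondition('user_isIntranet(10.1.2.3)', $allowList));
var_dump(matchUserFuncCondition('Tx_Demo_Conditions->isWeekend(Sat)', $allowList));
// Not on the allow-list, so strtoupper is never called:
var_dump(matchUserFuncCondition('strtoupper(x)', $allowList));
```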

Actions #2

Updated by Alexander Opitz almost 11 years ago

  • Status changed from New to Needs Feedback
  • Target version deleted (0)

The issue is very old, does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?

Actions #3

Updated by Chris topher almost 11 years ago

  • Status changed from Needs Feedback to New

Alexander Opitz wrote:

does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?

Yes, it does.

Actions #4

Updated by Thorsten Kahler almost 11 years ago

David Bruchmann wrote:

Using extensions that allow TypoScript Editing for Editors this feature is a security-issue that allows getting admin-rights.

"Using extensions that allow TypoScript Editing for Editors" is the security risk. As long as any kind of "user function" (i.e. userland code) can be included via TS - no matter if TS condition, stdWrap option, ... - there's a decent security risk. And that's the reason why TS should only be editable for administrators.

This issue only requests a consistent way to call "user functions", not a policy change.

Actions #5

Updated by Thorsten Kahler almost 11 years ago

  • Tracker changed from Bug to Feature
  • Category set to TypoScript
  • TYPO3 Version changed from 4.3 to 6.2
  • PHP Version changed from 5.2 to 5.3
  • Complexity set to medium

IMO this is rather a feature than a bug thus I change the tracker to "feature" and suggest to implement it in version 6.2.

Actions #6

Updated by Eric Chavaillaz almost 10 years ago

Any news about this feature?

Thanks

Actions #7

Updated by Eric Chavaillaz over 9 years ago

With the new AbstractCondition to implement custom TypoScript Conditions (https://forge.typo3.org/issues/61489), this issue is also resolved...

I think it can be closed...

Thanks

Actions #8

Updated by Frederic Gaus about 9 years ago

  • Status changed from New to Closed

I also think this can be closed due to the integration of AbstractCondition. I hope everyone agrees with this decision. Otherwise please reopen this ticket or create a new one.
