Feature #20450

Use t3lib_div::callUserFunction in typoscript userFunc condition

Added by Fabrizio Branca almost 11 years ago. Updated about 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: TypoScript
Target version: -
Start date: 2009-05-18
Due date:
% Done: 0%
PHP Version: 5.3
Tags:
Complexity: medium
Sprint Focus:

Description

In TypoScript's userFunc condition [userFunc = ...] it is only allowed to use PHP functions. No class methods. The parsing (t3lib_matchCondition->evalConditionStr()) should use t3lib_div::callUserFunction() internally for consistency and the possibility to use class methods as a user function. This has been discussed (http://lists.typo3.org/pipermail/typo3-team-core/2006-September/005667.html) but was never committed.
A patch (originally from Wolfgang Klinger's post) is appended to this ticket.

(issue imported from #M11120)

patch_matchuserfunc.diff (1.36 KB) Administrator Admin, 2009-05-18 17:07


Related issues

Related to TYPO3 Core - Feature #61489: Add AbstractCondition to implement custom TypoScript Conditions Closed 2014-09-09

History

#1 Updated by David Bruchmann almost 11 years ago

Using extensions that allow TypoScript Editing for Editors this feature is a security-issue that allows getting admin-rights.
I think it's better to call Core-Classes through a wrapper-class where filtering of allowed classes or tables can be done.
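
A sketch of the filtering wrapper suggested in the comment above, as an added example that is not part of the ticket, the attached patch or TYPO3 itself. The class name `AllowlistedUserFuncDispatcher`, the sample `DemoConditions` class and the `Class->method` reference syntax are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical class, not a TYPO3 API.
final class AllowlistedUserFuncDispatcher
{
    /** @var array exact references registered by an administrator in PHP configuration */
    private $allowed = array();

    public function __construct(array $allowedReferences)
    {
        foreach ($allowedReferences as $ref) {
            $this->allowed[$ref] = true;
        }
    }

    /** Evaluates a condition reference such as "myFunc" or "MyClass->method". */
    public function evaluate($reference, $argument = '')
    {
        $reference = trim($reference);
        // Exact-match allowlist: no prefixes, wildcards or case folding.
        if (!isset($this->allowed[$reference])) {
            throw new RuntimeException('userFunc reference not allowlisted: ' . $reference);
        }
        $callable = $reference;
        if (strpos($reference, '->') !== false) {
            list($class, $method) = explode('->', $reference, 2);
            if (!class_exists($class)) {
                throw new RuntimeException('userFunc class not found: ' . $class);
            }
            $callable = array(new $class(), $method);
        }
        if (!is_callable($callable)) {
            throw new RuntimeException('userFunc reference not callable: ' . $reference);
        }
        return (bool) call_user_func($callable, $argument);
    }
}

// Constructed sample: one condition class and references as a TypoScript record might hold them.
class DemoConditions
{
    public function isIntranet($arg) { return $arg === '10.0.0.5'; }
}

$dispatcher = new AllowlistedUserFuncDispatcher(array('DemoConditions->isIntranet'));
foreach (array('DemoConditions->isIntranet', 'strlen', 'DemoConditions->other') as $ref) {
    try {
        var_dump($dispatcher->evaluate($ref, '10.0.0.5'));
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The allowlist lives in PHP configuration rather than in a TypoScript record, so a user who can only edit TypoScript cannot extend it.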

#2 Updated by Alexander Opitz almost 7 years ago

  • Status changed from New to Needs Feedback
  • Target version deleted (0)

The issue is very old, does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?

#3 Updated by Chris topher almost 7 years ago

  • Status changed from Needs Feedback to New

Alexander Opitz wrote:

does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?

Yes, it does.

#4 Updated by Thorsten Kahler almost 7 years ago

David Bruchmann wrote:

Using extensions that allow TypoScript Editing for Editors this feature is a security-issue that allows getting admin-rights.

"Using extensions that allow TypoScript Editing for Editors" is the security risk. As long as any kind of "user function" (i.e. userland code) can be included via TS - no matter if TS condition, stdWrap option, ... - there's a decent security risk. And that's the reason why TS should only be editable for administrators.

This issue only requests a consistent way to call "user functions", not a policy change.

#5 Updated by Thorsten Kahler almost 7 years ago

  • Tracker changed from Bug to Feature
  • Category set to TypoScript
  • TYPO3 Version changed from 4.3 to 6.2
  • PHP Version changed from 5.2 to 5.3
  • Complexity set to medium

IMO this is rather a feature than a bug thus I change the tracker to "feature" and suggest to implement it in version 6.2.

#6 Updated by Eric Chavaillaz over 5 years ago

Any news about this feature?

Thanks

#7 Updated by Eric Chavaillaz about 5 years ago

With the new AbstractCondition to implement custom TypoScript Conditions (https://forge.typo3.org/issues/61489), this issue is also resolved...

I think it can be closed...

Thanks

#8 Updated by Frederic Gaus about 5 years ago

  • Status changed from New to Closed

I also think this can be closed due to the integration of AbstractCondition. I hope everyone agrees with this decision. Otherwise please reopen this ticket or create a new one.
