Feature #20450
closed
Use t3lib_div::callUserFunction in typoscript userFunc condition
Added by Fabrizio Branca over 15 years ago.
Updated almost 10 years ago.
Description
In TypoScript's userFunc condition [userFunc = ...] it is only allowed to use PHP functions, no class methods. The parsing (t3lib_matchCondition->evalConditionStr()) should use t3lib_div::callUserFunction() internally for consistency and the possibility to use class methods as a user function. This has been discussed (http://lists.typo3.org/pipermail/typo3-team-core/2006-September/005667.html) but was never committed.
A patch (originally from Wolfgang Klinger's post) is appended to this ticket.
(issue imported from #M11120)
Using extensions that allow TypoScript Editing for Editors, this feature is a security issue that allows getting admin rights.
I think it's better to call core classes through a wrapper class where filtering of allowed classes or tables can be done.
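To make the two points above concrete (the description's request to accept Class->method callables, and the wrapper-with-filtering idea), here is an added PHP example; it is not TYPO3 core code and not the patch attached to this ticket, and the dispatcher, the allowlist and the sample user_* function and class are assumed for illustration:

```php
<?php
// Added example (not TYPO3 code): a minimal dispatcher for the text inside a
// TypoScript [userFunc = ...] condition. It accepts both "user_func(arg)" and
// "user_Class->method(arg)" shapes, but only dispatches to targets on an
// explicit allowlist, so editor-controlled TypoScript cannot reach arbitrary code.
final class UserFuncConditionDispatcher
{
    /** @var string[] callables a condition may reach (assumed, integrator-maintained) */
    private array $allowed;

    public function __construct(array $allowed)
    {
        $this->allowed = $allowed;
    }

    /** Parse and evaluate the condition; any unparsable or unlisted target yields false. */
    public function evaluate(string $condition): bool
    {
        // name(args) or Class->method(args); backslashes allowed for namespaced classes
        if (!preg_match('/^\s*([A-Za-z_][\w\\\\]*(?:->[A-Za-z_]\w*)?)\s*\((.*)\)\s*$/', $condition, $m)) {
            return false; // fail closed on anything we do not understand
        }
        [, $target, $rawArgs] = $m;
        // Allowlist first, then the user_/tx_ naming convention TYPO3 applies to user functions.
        if (!in_array($target, $this->allowed, true) || !preg_match('/^(user_|tx_)/i', $target)) {
            return false;
        }
        $args = $rawArgs === '' ? [] : array_map(fn ($a) => trim($a, " \t'\""), explode(',', $rawArgs));
        if (strpos($target, '->') !== false) {
            [$class, $method] = explode('->', $target, 2);
            if (!class_exists($class) || !method_exists($class, $method)) {
                return false;
            }
            return (bool)call_user_func_array([new $class(), $method], $args);
        }
        return function_exists($target) ? (bool)call_user_func_array($target, $args) : false;
    }
}

// Constructed sample code standing in for what an integrator would register:
function user_isWeekend(): bool { return (int)date('N') >= 6; }
class user_PageGate { public function isAllowed(string $uid): bool { return (int)$uid > 0; } }

$dispatcher = new UserFuncConditionDispatcher(['user_isWeekend', 'user_PageGate->isAllowed']);
var_dump($dispatcher->evaluate('user_PageGate->isAllowed(42)'));
var_dump($dispatcher->evaluate('user_PageGate->isAllowed(0)'));
var_dump($dispatcher->evaluate('user_notRegistered(1)'));
```

The last call is refused purely by the allowlist, before any class or function lookup happens.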
- Status changed from New to Needs Feedback
- Target version deleted (0)
The issue is very old; does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?
- Status changed from Needs Feedback to New
Alexander Opitz wrote:
does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?
Yes, it does.
David Bruchmann wrote:
Using extensions that allow TypoScript Editing for Editors, this feature is a security issue that allows getting admin rights.
"Using extensions that allow TypoScript Editing for Editors" is the security risk. As long as any kind of "user function" (i.e. userland code) can be included via TS - no matter if TS condition, stdWrap option, ... - there's a decent security risk. And that's the reason why TS should only be editable for administrators.
This issue only requests a consistent way to call "user functions", not a policy change.
- Tracker changed from Bug to Feature
- Category set to TypoScript
- TYPO3 Version changed from 4.3 to 6.2
- PHP Version changed from 5.2 to 5.3
- Complexity set to medium
IMO this is rather a feature than a bug, thus I change the tracker to "feature" and suggest implementing it in version 6.2.
Any news about this feature?
Thanks
- Status changed from New to Closed
I also think this can be closed due to the integration of AbstractCondition. I hope everyone agrees with this decision. Otherwise please reopen this ticket or create a new one.