Feature #22318

Define a central whitelist for allowed tables for cObjects CONTENT and RECORDS

Added by Sebastian Michaelsen about 11 years ago. Updated over 7 years ago.

Should have
Target version:
Start date:
Due date:
% Done:


Estimated time:
PHP Version:
Sprint Focus:


With the cObjects CONTENT and RECORDS you can get records out of database tables and render them.
However CONTENT is restricted to work only with the tables pages, fe_*, static_*, fe_*, tt_*, ttx_', tx_* and user_* (that means, not allowed are be_*, cache_*, index_*, sys_* and a few others). RECORDS has no restritctions regarding tables.
The reason for the restriction seems to be security as Dmitry pointed out: http://lists.typo3.org/pipermail/typo3-dev/2007-May/023736.html

To have a consistent behaviour among CONTENT and RECORDS and for configurability of allowed tables I suggest to have a whitelist of allowed tables in the install tool (to be honest, Benjamin suggested this: http://lists.typo3.org/pipermail/typo3-dev/2010-February/039116.html)

I think, when a TYPO3 Admin knows what he does he should be allowed to access all tables (even be_users). Because as Georg pointed out when TS does not allow him the functionality he wants, he'll write an Extension or UserScript to achieve it, which can again introduce security holes.

This would break compatiblity when someone used a table with RECORDS, which is not allowed for CONTENT. The admin would need to add the tables he needs to the whitelist in the install tool.
(issue imported from #M13898)


Updated by Sebastian Michaelsen about 11 years ago

Just a note: When you want to fetch records from a sys_* table, these tables have to be allowed to be fetched from Root-Page in tslib_cObj::getWhere()


Updated by Alexander Opitz almost 8 years ago

  • Category deleted (Communication)
  • Status changed from New to Needs Feedback
  • Target version deleted (0)

The issue is very old, does this issue exists in newer versions of TYPO3 CMS (4.5 or 6.1)?


Updated by Alexander Opitz over 7 years ago

  • Status changed from Needs Feedback to Closed

No feedback for over 90 days.

Also available in: Atom PDF