Feature #22318
closed
Define a central whitelist for allowed tables for cObjects CONTENT and RECORDS
0%
Description
With the cObjects CONTENT and RECORDS you can get records out of database tables and render them.
However, CONTENT is restricted to work only with the tables pages, fe_*, static_*, fe_*, tt_*, ttx_*, tx_* and user_* (that means be_*, cache_*, index_*, sys_* and a few others are not allowed). RECORDS has no restrictions regarding tables.
The reason for the restriction seems to be security as Dmitry pointed out: http://lists.typo3.org/pipermail/typo3-dev/2007-May/023736.html
To have a consistent behaviour among CONTENT and RECORDS and for configurability of allowed tables I suggest to have a whitelist of allowed tables in the install tool (to be honest, Benjamin suggested this: http://lists.typo3.org/pipermail/typo3-dev/2010-February/039116.html)
I think when a TYPO3 Admin knows what he is doing, he should be allowed to access all tables (even be_users). Because, as Georg pointed out, when TS does not allow him the functionality he wants, he'll write an Extension or UserScript to achieve it, which can again introduce security holes.
This would break compatibility when someone used a table with RECORDS which is not allowed for CONTENT. The admin would need to add the tables he needs to the whitelist in the install tool.
(issue imported from #M13898)
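The consistent check proposed in the description, sketched as an added example (not TYPO3 core code and not part of the original issue): one central allowlist consulted for both CONTENT and RECORDS, shown next to the prefix rule the description lists for CONTENT. The function names and the setting format (comma-separated entries, trailing `*` for a prefix) are assumptions.

```php
<?php
// Added illustration, not TYPO3 core code. All names here are hypothetical.

// The prefix rule the issue lists for CONTENT: "pages" plus these prefixes.
const CONTENT_PREFIXES = ['fe_', 'static_', 'tt_', 'ttx_', 'tx_', 'user_'];

function contentPrefixRuleAllows(string $table): bool
{
    foreach (CONTENT_PREFIXES as $prefix) {
        if (strncmp($table, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return $table === 'pages';
}

// Parse the central setting (assumed format: comma-separated entries, each an
// exact table name or a prefix ending in "*"). Malformed entries, including a
// bare "*", are dropped so a typo cannot open up every table.
function parseAllowlist(string $setting): array
{
    $entries = array_map('trim', explode(',', $setting));
    return array_values(array_filter($entries, function (string $e): bool {
        return preg_match('/^[A-Za-z0-9_]+\*?$/', $e) === 1;
    }));
}

// One check shared by CONTENT and RECORDS: default deny, exact or prefix match.
function allowlistAllows(string $table, array $entries): bool
{
    foreach ($entries as $entry) {
        if (substr($entry, -1) === '*') {
            $prefix = substr($entry, 0, -1);
            if (strncmp($table, $prefix, strlen($prefix)) === 0) {
                return true;
            }
        } elseif ($table === $entry) {
            return true;
        }
    }
    return false;
}

// Constructed setting: the admin opts in to one sys_* table explicitly.
$entries = parseAllowlist('pages, fe_*, tt_*, tx_*, sys_category, *');
foreach (['pages', 'tt_content', 'sys_category', 'be_users', 'sys_log'] as $t) {
    printf("%-13s prefix rule: %-3s allowlist: %s\n", $t,
        contentPrefixRuleAllows($t) ? 'yes' : 'no', allowlistAllows($t, $entries) ? 'yes' : 'no');
}
```

With this constructed setting, sys_category becomes readable only because it is listed by its exact name, while be_users and sys_log stay denied by default.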
Updated by Sebastian Michaelsen over 14 years ago
Just a note: When you want to fetch records from a sys_* table, these tables have to be allowed to be fetched from Root-Page in tslib_cObj::getWhere()
Updated by Alexander Opitz over 11 years ago
- Category deleted (Communication)
- Status changed from New to Needs Feedback
- Target version deleted (0)
The issue is very old. Does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?
Updated by Alexander Opitz about 11 years ago
- Status changed from Needs Feedback to Closed
No feedback for over 90 days.