Feature #22318

closed

Define a central whitelist for allowed tables for cObjects CONTENT and RECORDS

Added by Sebastian Michaelsen about 14 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2010-03-23
Due date:
% Done:
0%

Estimated time:
PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

With the cObjects CONTENT and RECORDS you can get records out of database tables and render them.
However, CONTENT is restricted to work only with the tables pages, fe_*, static_*, fe_*, tt_*, ttx_*, tx_* and user_* (that means, not allowed are be_*, cache_*, index_*, sys_* and a few others). RECORDS has no restrictions regarding tables.
The reason for the restriction seems to be security as Dmitry pointed out: http://lists.typo3.org/pipermail/typo3-dev/2007-May/023736.html

To have a consistent behaviour among CONTENT and RECORDS and for configurability of allowed tables, I suggest having a whitelist of allowed tables in the install tool (to be honest, Benjamin suggested this: http://lists.typo3.org/pipermail/typo3-dev/2010-February/039116.html)

I think that when a TYPO3 admin knows what he is doing, he should be allowed to access all tables (even be_users). Because, as Georg pointed out, when TS does not give him the functionality he wants, he'll write an extension or user script to achieve it, which can again introduce security holes.

This would break compatibility when someone uses a table with RECORDS that is not allowed for CONTENT. The admin would need to add the tables he needs to the whitelist in the install tool.
(issue imported from #M13898)
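The two checks the description contrasts, written out as an added illustration (this is not TYPO3's own code, and the function names and the format of the `$allowedTables` list are assumptions made for this example): the current prefix rule that CONTENT applies, and a central, admin-maintained whitelist of the kind proposed here that CONTENT and RECORDS would both consult.

```php
<?php
// Added illustration, not TYPO3 code. Function names and the allow-list
// format are assumptions for this example.

/**
 * Prefix rule the description says CONTENT applies today: the table
 * "pages" plus anything starting with fe_, static_, tt_, ttx_, tx_ or
 * user_. Everything else (be_*, cache_*, index_*, sys_*, ...) is rejected.
 */
function isTableAllowedByPrefixRule(string $table): bool
{
    if ($table === 'pages') {
        return true;
    }
    foreach (['fe_', 'static_', 'tt_', 'ttx_', 'tx_', 'user_'] as $prefix) {
        if (strncmp($table, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Proposed behaviour: one central allow-list, maintained by the admin in
 * the install tool, that both CONTENT and RECORDS consult. Entries are
 * exact table names or a prefix ending in "*" (e.g. "tx_*"). Matching is
 * exact and case-sensitive, and a bare "*" entry is ignored so that a
 * careless configuration cannot open every table at once.
 */
function isTableAllowedByWhitelist(string $table, array $allowedTables): bool
{
    // Only plain identifiers may reach the query layer at all.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $table)) {
        return false;
    }
    foreach ($allowedTables as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        if (substr($entry, -1) === '*') {
            $prefix = substr($entry, 0, -1);
            if ($prefix !== '' && strncmp($table, $prefix, strlen($prefix)) === 0) {
                return true;
            }
        } elseif ($entry === $table) {
            return true;
        }
    }
    return false;
}

// Constructed example configuration: the defaults from the prefix rule plus
// one explicitly added table ("sys_example", a made-up name) that the prefix
// rule alone would reject.
$allowedTables = ['pages', 'fe_*', 'static_*', 'tt_*', 'ttx_*', 'tx_*', 'user_*', 'sys_example'];

// Constructed sample table names, including one that is not a valid identifier.
foreach (['tt_content', 'sys_example', 'be_users', 'sys_refindex', 'tt content'] as $table) {
    printf("%-12s prefix rule: %-4s whitelist: %s\n",
        $table,
        isTableAllowedByPrefixRule($table) ? 'yes' : 'no',
        isTableAllowedByWhitelist($table, $allowedTables) ? 'yes' : 'no'
    );
}
```

With this configuration `tt_content` passes both checks, `sys_example` passes only the whitelist because the admin listed it explicitly, `be_users` and `sys_refindex` pass neither, and `tt content` is rejected before any list is consulted. The compatibility point from the description is visible here too: a RECORDS setup that reads `sys_refindex` today would stop working until that table is added to the central list.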
