Bug #23178: Wrong HTTP headers sent when trying to access pages that require login
Status: Closed
% Done: 100%
Description
When trying to access a login-protected page while not being logged in, it may happen that a wrong header is sent.
The install tool allows setting a header for the page-not-found handling: [FE][pageNotFound_handling_statheader].
The default value for this setting is "HTTP/1.0 404 Not Found".
In a case where access is denied because the user is not logged in, this is the wrong header of course; it should be 401 instead.
Proposed solution: in a case where access is denied because of missing privileges, TYPO3 should ignore the mentioned setting and send a 401 instead.
(issue imported from #M15114)
Updated by Ingo Renner over 14 years ago
The solution for this issue may result in being able to remove the $TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'] option if we are always sending the correct headers.
Need to check whether there are more places where this option is used...
Updated by Dmitry Dulepov over 14 years ago
TYPO3 treats such cases as "not found", not as "access denied". I am not sure why, but it is historical (since 3.x, I think). It makes sense from a security point of view because "access denied" tells that something is there, but "page not found" does not reveal that protected content exists. This is called "security by obscurity".
Updated by Hassan Ait about 14 years ago
Thanks Ingo, I've just tested your fix and it works fine for me (TYPO3 Version: 4.3). What about adding a different error page for unauthorized pages? I made a test with the following code and it works for me. It requires adding a new parameter [FE][pageUnauthorized_handling]:
Index: typo3/sysext/cms/tslib/class.tslib_fe.php

```php
function pageNotFoundAndExit($reason = '', $header = '') {
    // Fall back to the configured status header when none is passed in
    $header = $header ? $header : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling_statheader'];
    // pageNotFound 1/2 mark an access-denied case; use the new
    // pageUnauthorized_handling setting there if it is configured
    if ($this->pageNotFound === 1 || $this->pageNotFound === 2) {
        $code = ($this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling'])
            ? $this->TYPO3_CONF_VARS['FE']['pageUnauthorized_handling']
            : $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
    } else {
        $code = $this->TYPO3_CONF_VARS['FE']['pageNotFound_handling'];
    }
    $this->pageNotFoundHandler($code, $header, $reason);
    exit;
}
```
Updated by Ingo Renner over 12 years ago
- Category deleted (Communication)
- Assignee set to Ingo Renner
- Target version deleted (0)
Updated by Gerrit Code Review over 12 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281
Updated by Gerrit Code Review over 12 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281
Updated by Gerrit Code Review over 12 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281
Updated by Gerrit Code Review over 12 years ago
Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10281
Updated by Gerrit Code Review about 11 years ago
Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/10281
Updated by Christian Kuhn almost 10 years ago
- Status changed from Under Review to New
- Is Regression set to No
The pending patch was abandoned after some discussion.
The solution should be different and needs a new approach. Some hints on how this could be solved are given in the abandoned patch for anyone who wants to pick this issue up again and re-push a new solution.
Updated by Susanne Moog about 7 years ago
- Category set to Site Handling, Site Sets & Routing
- Assignee deleted (Ingo Renner)
Updated by Markus Klein about 7 years ago
This must be a 403 header. 401 must only be used together with an HTTP authentication header, not custom authentication within PHP.
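The following is an added example, not TYPO3 code and not the patch from this issue. It illustrates the status-code choice debated in the description, in the pageUnauthorized_handling snippet above and in this comment: a missing page gets 404, a denied page gets either 404 (hiding that protected content exists, as TYPO3 did historically) or 403, and 401 is reserved for a real HTTP authentication challenge. The function names, the $hideProtectedPages switch and the sample requests are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. resolveErrorStatus(), sendErrorStatus() and the
// $hideProtectedPages switch are hypothetical names used for illustration only.

/**
 * Pick the status code for a frontend request that could not be served.
 *
 *  - page does not exist                        -> 404
 *  - access denied, existence hidden (default)  -> 404 (the historical TYPO3 behaviour)
 *  - access denied, existence revealed          -> 403
 *  - access denied with an HTTP auth challenge  -> 401 plus WWW-Authenticate
 *
 * Returns [statusCode, reasonPhrase, extraHeaders].
 */
function resolveErrorStatus(
    bool $pageExists,
    bool $accessGranted,
    bool $hideProtectedPages = true,
    ?string $authChallenge = null
): array {
    if (!$pageExists) {
        return [404, 'Not Found', []];
    }
    if ($accessGranted) {
        return [200, 'OK', []];
    }
    // From here on the page exists but the current user may not see it.
    if ($authChallenge !== null) {
        // 401 is only meaningful together with a WWW-Authenticate challenge
        // (RFC 7235); a PHP-side login form is not HTTP authentication.
        return [401, 'Unauthorized', ['WWW-Authenticate' => $authChallenge]];
    }
    if ($hideProtectedPages) {
        // Answer exactly like a missing page so the response does not reveal
        // that protected content exists behind this URL.
        return [404, 'Not Found', []];
    }
    return [403, 'Forbidden', []];
}

/** Build the status line as it would appear on the wire. */
function statusLine(int $code, string $reason): string
{
    return sprintf('HTTP/1.1 %d %s', $code, $reason);
}

/** Emit the headers under a web SAPI; on the CLI only return them for inspection. */
function sendErrorStatus(int $code, string $reason, array $extraHeaders): array
{
    $lines = [statusLine($code, $reason)];
    foreach ($extraHeaders as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        http_response_code($code);
        foreach ($extraHeaders as $name => $value) {
            header($name . ': ' . $value);
        }
    }
    return $lines;
}

// Constructed sample requests: [pageExists, accessGranted, hideProtectedPages, authChallenge]
$samples = [
    'unknown URL'                      => [false, false, true,  null],
    'protected page, hidden'           => [true,  false, true,  null],
    'protected page, 403 configured'   => [true,  false, false, null],
    'protected page, HTTP Basic realm' => [true,  false, false, 'Basic realm="intranet"'],
    'protected page, logged in'        => [true,  true,  true,  null],
];

foreach ($samples as $label => [$exists, $granted, $hide, $challenge]) {
    [$code, $reason, $extra] = resolveErrorStatus($exists, $granted, $hide, $challenge);
    echo str_pad($label, 34) . implode(' | ', sendErrorStatus($code, $reason, $extra)) . PHP_EOL;
}
```

Two points worth keeping in mind when wiring something like this into a real error handler: the "hidden" mode only hides anything if the 404 body and timing for a denied page are indistinguishable from those of a genuinely missing page, and a 401 without a WWW-Authenticate header is a protocol violation, which is why the PHP login-form case above maps to 403 or 404 and never to 401.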
Updated by Gerrit Code Review about 7 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495
Updated by Gerrit Code Review about 7 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495
Updated by Benni Mack almost 7 years ago
- Sprint Focus set to On Location Sprint
Updated by Gerrit Code Review almost 7 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54495
Updated by Gerrit Code Review almost 7 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814
Updated by Markus Klein almost 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 2ba1bc316e04606ed4a82f8cb257fcb71201607e.
Updated by Gerrit Code Review almost 7 years ago
- Status changed from Resolved to Under Review
Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814
Updated by Gerrit Code Review almost 7 years ago
Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814
Updated by Gerrit Code Review almost 7 years ago
Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54814
Updated by Markus Klein almost 7 years ago
- Status changed from Under Review to Resolved
Applied in changeset bb39b2263acca70ad4cd78e787da9edfc332c767.
Updated by Sascha Egerer about 6 years ago
- Related to Bug #86346: Hidden pages sent 403 Header added