Bug #23287

Clearing caches in backend only displays empty frame

Added by Oliver Hader almost 11 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Must have
Assignee:
Category: -
Target version: -
Start date: 2010-07-28
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.1
PHP Version: 5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Clearing caches in backend only displays empty frame - applies for the typo3conf and the frontend cache.

(issue imported from #M15263)


Files

0015263.patch (4.25 KB), Administrator Admin, 2010-07-29 16:55
0015263_v2.patch (3.1 KB), Administrator Admin, 2010-07-30 13:38

Related issues

Related to TYPO3 Core - Bug #23286: Use of undefined method t3lib_div::sanitizeLocalUrl() (Closed, Oliver Hader, 2010-07-28)
Related to TYPO3 Core - Bug #21329: XSS in alt_mod_frameset (Closed, Ernesto Baschny, 2009-10-22)
Related to TYPO3 Core - Bug #23321: t3lib_div::sanitizeLocalUrl() leads to fatal error on PHP4 systems (Closed, Oliver Hader, 2010-07-30)
Has duplicate TYPO3 Core - Bug #23291: Applying patch in issue 15260 kills site and backend (Closed, Chris topher, 2010-07-28)

#1

Updated by Steffen Gebert almost 11 years ago

typo3/tce_db.php:

$this->redirect = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('redirect'));

seems to cause this behavior.
When I remove the sanitizeBackEndUrl() part (and reload the whole backend), it works.

EDIT: And adding exactly this has been the security fix...

#2

Updated by Michael Raberger almost 11 years ago

After applying the patch 0015260 there is no error message but, as described, an empty frame.

#3

Updated by Maik Matthias almost 11 years ago

In my opinion it's not resolved.

I additionally had to change line 3552 in class.t3lib_div.php:
Old: $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
New: $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?:-]+$/';

Reason: I have a "-" (minus) in the domain name and base href set, so the redirection URL is like http://www.domain-with-minus.tld. Therefore I need two additional chars in the whitelist, ":" and "-".

Maik

#4

Updated by Steffen Gebert almost 11 years ago

exactly.. so we have to add all possible chars, which can be in a host name? bad idea..
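
Comments #3 and #4 turn on what a character whitelist can and cannot guarantee for a redirect target. The sketch below is an added example, not TYPO3 code and not part of any comment: it runs the two patterns quoted in comment #3 and a hypothetical host comparison over three constructed inputs (`isLocalUrl()`, its logic and the sample URLs are assumptions; only the host name comes from comment #3), showing that the widened pattern accepts an absolute URL on any host while the host comparison accepts only the current one.

```php
<?php
// Added illustration, not TYPO3 code. The two patterns are quoted from comment #3.
$oldPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
$newPattern = '/^[a-zA-Z0-9_\/\.&=\?:-]+$/';

// Hypothetical helper (name and logic are assumptions): a URL counts as local
// if it is a relative path, or an http(s) URL whose host equals the current host.
function isLocalUrl($url, $currentHost) {
    if (strpos($url, '\\') !== false) {
        return false;                    // browsers may treat "\" like "/"
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;                    // unparsable input is rejected
    }
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;                    // only http and https are allowed
    }
    if (isset($parts['host'])) {
        // Compare the parsed host, not the raw string, with the current host.
        return strcasecmp($parts['host'], $currentHost) === 0;
    }
    return !isset($parts['scheme']);     // no scheme and no host: relative path
}

$currentHost = 'www.domain-with-minus.tld';   // host name from comment #3
$samples = array(                              // constructed sample inputs
    'module.php?id=5&return=list',
    'http://www.domain-with-minus.tld/typo3/tce_db.php',
    'http://other-host.example/',
);

foreach ($samples as $url) {
    printf("%-52s old=%d new=%d hostcheck=%d\n",
        $url,
        preg_match($oldPattern, $url),
        preg_match($newPattern, $url),
        isLocalUrl($url, $currentHost) ? 1 : 0);
}
```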

#5

Updated by Markus Cousin almost 11 years ago

confirmed. patch from issue #0015260 doesn't solve this problem for me.

#6

Updated by Steffen Gebert almost 11 years ago

Root of the problem is the following:
t3lib_div::sanitizeLocalUrl() in 4.1 is now a wrapper for sanitizeBackEndUrl(), but treated by the security fix to behave like sanitizeLocalUrl() in 4.2+, although the behavior is obviously not the same.

#7

Updated by Oliver Hader almost 11 years ago

Steffen is right... issue #23286 just solves the error message but the intention of the concerned method is different.

Find attached a version that reverts the changes of issue #23286 again, and reimplements sanitizeLocalUrl() for TYPO3 4.1 (which still stays compatible with PHP4).

#8

Updated by Sven Juergens almost 11 years ago

patch works for me,

typo3 4.1.14
PHP 5

#9

Updated by Gregor Hermens almost 11 years ago

patch works fine here
TYPO3 4.1.14, PHP 5.2.12 and 5.3.2

#10

Updated by Steffen Gebert almost 11 years ago

Please give your votes in the core list / news group!

Anybody here running a PHP4? Think this has really to be tested, too ;-)

#11

Updated by Sven Juergens almost 11 years ago

hey, Steffen

Sorry, but I can't find an RFC for 15263 in the core list, so I posted here

#12

Updated by Steffen Gebert almost 11 years ago

Gregor already told me.. sorry ;-)
Let's wait for Olly, till he sends the RFC

#13

Updated by Michael Raberger almost 11 years ago

patch works with PHP4

but you have to change stripos to strpos in t3lib/class.t3lib_div.php (~ line 840)

#14

Updated by Norman Wolff almost 11 years ago

Works for me if you change stripos to strpos in function isOnCurrentHost($url)

PHP 4.4
TYPO3 4.1.14

#15

Updated by Oliver Hader almost 11 years ago

The patch of issue #23286 was reverted again in TYPO3_4-1. The attached patch (v2) will be committed to TYPO3_4-1 as soon as possible.

The v2 patch thus can also be applied to the released package of TYPO3 4.1.14

#16

Updated by Oliver Hader almost 11 years ago

Committed to SVN TYPO3_4-1 (rev. 8453)

#17

Updated by Ingo Renner almost 11 years ago

released in 4.1.15
