Bug #23287

Clearing caches in backend only displays empty frame

Added by Oliver Hader about 9 years ago. Updated about 9 years ago.

Status: Closed
Priority: Must have
Assignee:
Category: -
Target version: -
Start date: 2010-07-28
Due date:
% Done: 0%
TYPO3 Version: 4.1
PHP Version: 5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Clearing caches in backend only displays empty frame - applies for the typo3conf and the frontend cache.

(issue imported from #M15263)

0015263.patch (4.25 KB) Administrator Admin, 2010-07-29 16:55

0015263_v2.patch (3.1 KB) Administrator Admin, 2010-07-30 13:38


Related issues

Related to TYPO3 Core - Bug #23286: Use of undefined method t3lib_div::sanitizeLocalUrl() Closed 2010-07-28
Related to TYPO3 Core - Bug #21329: XSS in alt_mod_frameset Closed 2009-10-22
Related to TYPO3 Core - Bug #23321: t3lib_div::sanitizeLocalUrl() leads to fatal error on PHP4 systems Closed 2010-07-30
Duplicated by TYPO3 Core - Bug #23291: Applying patch in issue 15260 kills site and backend Closed 2010-07-28

History

#1 Updated by Steffen Gebert about 9 years ago

typo3/tce_db.php:

$this->redirect = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('redirect'));

seems to cause this behavior.
When I remove the sanitizeBackEndUrl() part (and reload the whole backend), it works.

EDIT: And adding exactly this has been the security fix...

#2 Updated by Michael Raberger about 9 years ago

After applying the patch 0015260 there is no error message but, as described, an empty frame.

#3 Updated by Maik Matthias about 9 years ago

In my opinion it's not resolved.

I additionally had to change line 3552 in class.t3lib_div.php:
Old: $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
New: $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?:-]+$/';

Reason: I have a "-" (minus) in the domain name and base href set, so the redirection URL is like http://www.domain-with-minus.tld. Therefore I need two additional chars in the whitelist, ":" and "-".

Maik

#4 Updated by Steffen Gebert about 9 years ago

exactly.. so we have to add all possible chars, which can be in a host name? bad idea..

#5 Updated by Markus Cousin about 9 years ago

confirmed. patch from issue #0015260 doesn't solve this problem for me.

#6 Updated by Steffen Gebert about 9 years ago

Root of the problem is the following:
t3lib_div::sanitizeLocalUrl() in 4.1 is now a wrapper for sanitizeBackEndUrl(), but treated by the security fix to behave like sanitizeLocalUrl() in 4.2+, although the behavior is obviously not the same.

#7 Updated by Oliver Hader about 9 years ago

Steffen is right... issue #23286 just solves the error message but the intention of the concerned method is different.

Find attached a version that reverts the changes of issue #23286 again, and reimplements sanitizeLocalUrl() for TYPO3 4.1 (which still stays compatible with PHP4).
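
Added example (not part of the thread and not the attached TYPO3 patch): the two whitelist patterns from comment #3 run against constructed URLs, next to a hypothetical host-comparison check of the kind the isOnCurrentHost($url) function named later in the thread suggests. It shows that the widened character whitelist also accepts an absolute URL on a different host. `exampleIsLocalUrl()`, the host name and the sample URLs are assumptions.

```php
<?php
// Added example, not TYPO3 code. Host name and URLs are constructed samples.

// The two whitelist patterns quoted in comment #3.
$oldPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
$newPattern = '/^[a-zA-Z0-9_\/\.&=\?:-]+$/';

/**
 * Hypothetical host-based check: relative paths pass, absolute URLs pass
 * only when they use http(s) and point at the current host.
 */
function exampleIsLocalUrl($url, $currentHost)
{
    // Empty input, control chars, spaces, backslashes and protocol-relative
    // URLs ("//host/...") are rejected before parsing.
    if ($url === '' || preg_match('/[\x00-\x20\\\\]/', $url) || strpos($url, '//') === 0) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    $hasScheme = isset($parts['scheme']);
    $hasHost = isset($parts['host']);
    if (!$hasScheme && !$hasHost) {
        return true; // plain relative path such as typo3/alt_main.php?id=1
    }
    if (!$hasScheme || !$hasHost) {
        return false; // e.g. "mailto:..." has a scheme but no host
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strtolower($parts['host']) === strtolower($currentHost);
}

$currentHost = 'www.domain-with-minus.tld'; // constructed, as in comment #3
$samples = [
    'typo3/alt_main.php?id=1',
    'http://www.domain-with-minus.tld/typo3/alt_main.php',
    'http://other-site.example/',
];
foreach ($samples as $url) {
    printf(
        "%-52s old=%d new=%d host-check=%d\n",
        $url,
        preg_match($oldPattern, $url),
        preg_match($newPattern, $url),
        exampleIsLocalUrl($url, $currentHost) ? 1 : 0
    );
}
```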

#8 Updated by Sven Juergens about 9 years ago

patch works for me,

typo3 4.1.14
PHP 5

#9 Updated by Gregor Hermens about 9 years ago

patch works fine here
TYPO3 4.1.14, PHP 5.2.12 and 5.3.2

#10 Updated by Steffen Gebert about 9 years ago

Please give your votes in the core list / news group!

Anybody here running a PHP4? Think this has really to be tested, too ;-)

#11 Updated by Sven Juergens about 9 years ago

hey, Steffen

Sorry, but I can't find an RFC for 15263 in the core list, so I posted here

#12 Updated by Steffen Gebert about 9 years ago

Gregor already told me.. sorry ;-)
Let's wait for Olly, till he sends the RFC

#13 Updated by Michael Raberger about 9 years ago

patch works with PHP4

but you have to change stripos to strpos in t3lib/class.t3lib_div.php (~ line 840)

#14 Updated by Norman Wolff about 9 years ago

Works for me if you change stripos to strpos in function isOnCurrentHost($url)

PHP 4.4
TYPO3 4.1.14

#15 Updated by Oliver Hader about 9 years ago

The patch of issue #23286 was reverted again in TYPO3_4-1. The attached patch (v2) will be committed to TYPO3_4-1 as soon as possible.

The v2 patch thus can also be applied to the released package of TYPO3 4.1.14

#16 Updated by Oliver Hader about 9 years ago

Committed to SVN TYPO3_4-1 (rev. 8453)

#17 Updated by Ingo Renner about 9 years ago

Released in 4.1.15
