Bug #23287
Closed
Clearing caches in backend only displays empty frame
Description
Clearing caches in backend only displays empty frame - applies for the typo3conf and the frontend cache.
(issue imported from #M15263)
Updated by Steffen Gebert over 14 years ago
typo3/tce_db.php:
$this->redirect = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('redirect'));
seems to cause this behavior.
When I remove the sanitizeBackEndUrl() part (and reload the whole backend), it works.
EDIT: And adding exactly this has been the security fix...
Updated by Michael Raberger over 14 years ago
After applying the patch 0015260 there is no error message but, as described, an empty frame.
Updated by Maik Matthias over 14 years ago
In my opinion it's not resolved.
I additionally had to change line 3552 in class.t3lib_div.php:
Old: $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
New: $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?:-]+$/';
Reason: I have a "-" (minus) in the domain name and base href set, so the redirection URL is like http://www.domain-with-minus.tld. Therefore I need two additional chars in the whitelist, ":" and "-".
Maik
Updated by Steffen Gebert over 14 years ago
exactly.. so we have to add all possible chars, which can be in a host name? bad idea..
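An added example (not TYPO3 code and not part of the thread) that runs the two whitelist patterns quoted above against a few constructed URLs and compares them with an exact host check built on parse_url(). The function name isLocalRedirect(), the sample URLs and the current host value are assumptions made for the illustration; it needs PHP 7 or later.

```php
<?php
// Added example, not TYPO3 code. Names and sample URLs are constructed.

// The two whitelist patterns quoted in the comment above.
const PATTERN_OLD = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
const PATTERN_NEW = '/^[a-zA-Z0-9_\/\.&=\?:-]+$/';

/**
 * Hypothetical alternative to a character whitelist: accept a redirect
 * target only if it is a relative URL, or an absolute http(s) URL whose
 * host is exactly $currentHost.
 */
function isLocalRedirect(string $url, string $currentHost): bool
{
    // Control characters and backslashes are rejected outright because
    // browsers may normalise them into a different URL.
    if ($url === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false; // seriously malformed
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = strtolower($parts['host'] ?? '');
    if ($scheme === '' && $host === '') {
        return true; // relative URL such as "alt_doc.php?edit=1"
    }
    // Exact comparison: a prefix or substring test would also accept a
    // foreign host that merely starts with or contains the current one.
    return in_array($scheme, ['http', 'https'], true)
        && !isset($parts['user'])
        && $host === strtolower($currentHost);
}

$currentHost = 'www.domain-with-minus.tld'; // constructed value
$samples = [                                // constructed URLs
    'alt_doc.php?edit=1',
    'http://www.domain-with-minus.tld/typo3/alt_intro.php',
    'http://other-host.example/',
    '//other-host.example/typo3/',
];
foreach ($samples as $url) {
    printf("%-54s old=%d new=%d host-check=%s\n", $url,
        preg_match(PATTERN_OLD, $url), preg_match(PATTERN_NEW, $url),
        isLocalRedirect($url, $currentHost) ? 'accept' : 'reject');
}
```

The widened pattern accepts the site's own absolute URL but equally accepts an absolute URL on any other host, because a character class carries no information about which host the URL points to.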
Updated by Markus Cousin over 14 years ago
confirmed. patch from issue #0015260 doesn't solve this problem for me.
Updated by Steffen Gebert over 14 years ago
Root of the problem is the following:
t3lib_div::sanitizeLocalUrl() in 4.1 is now a wrapper for sanitizeBackEndUrl(), but treated by the security fix to behave like sanitizeLocalUrl() in 4.2+, although the behavior is obviously not the same.
Updated by Oliver Hader over 14 years ago
Updated by Sven Juergens over 14 years ago
patch works for me,
typo3 4.1.14
PHP 5
Updated by Gregor Hermens over 14 years ago
patch works fine here
TYPO3 4.1.14, PHP 5.2.12 and 5.3.2
Updated by Steffen Gebert over 14 years ago
Please give your votes in the core list / news group!
Anybody here running a PHP4? Think this has really to be tested, too ;-)
Updated by Sven Juergens over 14 years ago
hey, Steffen
Sorry, but I can't find an RFC for 15263 in core list, so I posted here
Updated by Steffen Gebert over 14 years ago
gregor already told me.. sorry ;-)
Let's wait for olly, till he sends the RFC
Updated by Michael Raberger over 14 years ago
patch works with PHP4
but you have to change stripos to strpos in t3lib/class.t3lib_div.php (~ line 840)
Updated by Norman Wolff over 14 years ago
Works for me if you change stripos to strpos in function isOnCurrentHost($url)
PHP 4.4
TYPO3 4.1.14
Updated by Oliver Hader over 14 years ago
The patch of issue #23286 was reverted again in TYPO3_4-1. The attached patch (v2) will be committed to TYPO3_4-1 as soon as possible.
The v2 patch thus can also be applied to the released package of TYPO3 4.1.14
Updated by Oliver Hader over 14 years ago
Committed to SVN TYPO3_4-1 (rev. 8453)