Bug #29603

__toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions

Added by Andreas Förthner almost 10 years ago. Updated about 9 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: Core
Start date: 2011-09-09
Due date:
% Done: 0%
Estimated time:
Has patch: No

Description

PHP does not allow throwing exceptions within a __toString() method. Therefore security exceptions don't work while rendering the Fluid template. We somehow have to call a method to render a node and not just concatenate the objects as strings and use the internal __toString() functionality. This is a really stupid PHP behaviour that is documented here: http://php.net/manual/en/migration52.incompatible.php

#1

Updated by Andreas Förthner almost 10 years ago

  • Subject changed from __toString() usage for rendering in the compiled Fluid template breaks the concept of security exceptions to __toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions
#2

Updated by Bastian Waidelich almost 10 years ago

Do you have an example where objects are concatenated in a compiled template?

#3

Updated by Andreas Förthner almost 10 years ago

Ah sorry ;-) This is done in line 322 of the TemplateCompiler.

$initializationPhpCode .= sprintf('%s .= %s;', $outputVariableName, $converted['execution']) . chr(10);

#4

Updated by Karsten Dambekalns over 9 years ago

  • Target version changed from 1.0.0 to 1.0.1
#6

Updated by Karsten Dambekalns over 9 years ago

  • Target version changed from 1.0.1 to 1.0.2
#7

Updated by Karsten Dambekalns over 9 years ago

  • Target version changed from 1.0.2 to 1.0.3
#8

Updated by Karsten Dambekalns over 9 years ago

  • Target version changed from 1.0.3 to 1.0.4
#9

Updated by Karsten Dambekalns about 9 years ago

  • Target version changed from 1.0.4 to 1.0.5
#10

Updated by Sebastian Kurfuerst about 9 years ago

  • Status changed from New to Needs Feedback

I fear that I need more feedback in here.

Inside fluid, __toString is definitely never used.

Could it have something to do with the old TypoScript? If yes, that has quite surely been fixed with the new TS.

#11

Updated by Andreas Förthner about 9 years ago

Hi Sebastian,

I'm currently checking this; you are probably right that this was only a problem with the old TS rendering.

I'll give you more feedback as soon as I have verified this.

#12

Updated by Andreas Förthner about 9 years ago

  • Status changed from Needs Feedback to Closed

After looking at it and discussing it once again with my colleague, this was probably fixed at some point along the way. When I created the issue, view helpers got rendered by an implicit cast of the VH object in a string concatenation. This seems not to be the case anymore; now initializeArgumentsAndRender() is called explicitly. Therefore I consider this issue not present anymore and close this ticket.
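
The two rendering patterns discussed in this ticket, side by side, as an added example that is not part of the original thread and is not Fluid's code. GuardedNode, AccessDenied and both render functions are hypothetical names; the implicit cast is only exercised on PHP 7.4 or later, where an exception thrown from __toString() became catchable instead of a fatal error.

```php
<?php
// Added illustration; GuardedNode, AccessDenied and both render functions are hypothetical.
class AccessDenied extends Exception {}

class GuardedNode
{
    private $allowed;

    public function __construct($allowed) { $this->allowed = $allowed; }

    // Explicit path: the exception propagates normally on every PHP version.
    public function render()
    {
        if (!$this->allowed) {
            throw new AccessDenied('access denied while rendering node');
        }
        return "<p>protected content</p>\n";
    }

    // Implicit path, reached by string concatenation. Before PHP 7.4 an
    // exception leaving __toString() is a fatal error no caller can catch.
    public function __toString() { return $this->render(); }
}

// Pattern from the ticket: ".=" casts the node object to a string.
function renderByImplicitCast(array $nodes)
{
    $output = '';
    foreach ($nodes as $node) { $output .= $node; }
    return $output;
}

// Pattern the ticket ends on: call a render method, concatenate its result.
function renderByExplicitCall(array $nodes)
{
    $output = '';
    foreach ($nodes as $node) { $output .= $node->render(); }
    return $output;
}

$nodes = [new GuardedNode(true), new GuardedNode(false)]; // constructed sample
try {
    echo renderByExplicitCall($nodes);
} catch (AccessDenied $e) {
    echo 'handled by caller: ', $e->getMessage(), "\n";
}
// Run the implicit cast only where it cannot abort the script.
if (PHP_VERSION_ID >= 70400) {
    try { echo renderByImplicitCast($nodes); }
    catch (AccessDenied $e) { echo 'catchable since PHP 7.4: ', $e->getMessage(), "\n"; }
}
```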
