Bug #30095
closed
Arbitrary TypoScript execution on system extension form
100%
Description
The new system extension form can be used to render custom FORM elements as well as regular cObjects like TEXT or COA.
Since the form wizard can be used by any editor in the backend and writes data to the field bodytext, this can also be used to execute arbitrary TypoScript without further access checks.
This change introduces two defined and allowed content elements "header" and "textblock" that can be defined by using the form wizard. If the TypoScript that was generated by the mentioned wizard is rendered, regular cObjects are disabled. If the FORM or FORM_INT cObject is used directly from a TypoScript template, all possible cObjects can still be used.
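The distinction described above (wizard-generated TypoScript limited to a fixed set of elements, template-defined FORM objects unrestricted) can be sketched as an allowlist check over a parsed TypoScript array. This is an added example, not the code from the referenced changeset; the function name, the form element subset, the property names and the sample array are assumptions constructed for illustration.

```php
<?php
// Added illustration, not TYPO3 core code.
// "HEADER" and "TEXTBLOCK" follow the issue text; the form element list is an assumed subset.
const WIZARD_CONTENT_ELEMENTS = ['HEADER', 'TEXTBLOCK'];
const WIZARD_FORM_ELEMENTS = ['FORM', 'FIELDSET', 'TEXTLINE', 'SUBMIT'];

/**
 * Walk a parsed TypoScript array ('10' => TYPE, '10.' => properties) and list
 * every object type that editor-supplied configuration is not allowed to use.
 * Returns "path = TYPE" strings; an empty list means the tree may be rendered.
 */
function findDisallowedObjects(array $conf, bool $fromWizard, string $path = ''): array
{
    if (!$fromWizard) {
        // FORM used directly from a TypoScript template: all cObjects stay available.
        return [];
    }
    $allowed = array_merge(WIZARD_CONTENT_ELEMENTS, WIZARD_FORM_ELEMENTS);
    $violations = [];
    foreach ($conf as $key => $value) {
        $key = (string)$key; // PHP turns the key '10' into int 10, '10.' stays a string
        if (is_array($value)) {
            // '10.' holds the properties of object '10'; nested objects live inside it.
            $violations = array_merge(
                $violations,
                findDisallowedObjects($value, true, $path . $key)
            );
        } elseif (ctype_digit($key)
            && !in_array(strtoupper(trim((string)$value)), $allowed, true)) {
            // Numeric keys name objects; anything outside the allowlist fails closed.
            $violations[] = $path . $key . ' = ' . $value;
        }
    }
    return $violations;
}

// Constructed sample: what an editor could have stored in the bodytext field.
$bodytext = [
    'method' => 'post',
    '10' => 'HEADER',
    '10.' => ['content' => 'Contact us'],
    '20' => 'FIELDSET',
    '20.' => ['10' => 'TEXTLINE', '10.' => ['name' => 'email'], '20' => 'TEXT'],
    '30' => 'COA',
];
print_r(findDisallowedObjects($bodytext, true));  // stored by the wizard (editor input)
print_r(findDisallowedObjects($bodytext, false)); // defined in a TypoScript template
```

The check keys on where the configuration came from rather than on its content, so the same tree is rejected when it originates from an editor-writable field and accepted when it comes from a template.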
Files
Updated by Oliver Hader over 13 years ago
- File form_wizard.png added
Updated by Mr. Hudson over 13 years ago
Patch set 1 of change I573764de7583b078456e71e95ea7903b433c29db has been pushed to the review server.
It is available at http://review.typo3.org/5128
Updated by Oliver Hader over 13 years ago
- Status changed from New to Under Review
Updated by Mr. Hudson over 13 years ago
Patch set 2 of change I573764de7583b078456e71e95ea7903b433c29db has been pushed to the review server.
It is available at http://review.typo3.org/5128
Updated by Oliver Hader over 13 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 7005e5e7388b08d67035d5d88dc20a1f99145cd6.
Updated by Riccardo De Contardi over 7 years ago
- Status changed from Resolved to Closed