Bug #30095

Arbitrary TypoScript execution on system extension form

Added by Oliver Hader over 12 years ago. Updated over 6 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: -
Target version:
Start date: 2011-09-20
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.6
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The new system extension form can be used to render custom FORM elements as well as regular cObjects like TEXT or COA.
Since the form wizard can be used by any editor in the backend and writes data to the field bodytext, this can also be used to execute arbitrary TypoScript without further access checks.

This change introduces two defined and allowed content elements "header" and "textblock" that can be defined by using the form wizard. If the TypoScript that was generated by the mentioned wizard is rendered, regular cObjects are disabled. If the FORM or FORM_INT cObject is used directly from a TypoScript template, all possible cObjects can still be used.

Content Elements header and text block


Files

form_wizard.png (33.3 KB): Content Elements "header" and "text block" (Oliver Hader, 2011-09-20 17:50)
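
The origin-dependent allow-list described in the report, sketched as an added example (not code from the TYPO3 change itself). The function name, the constant, the nested-array representation of the parsed TypoScript and the form element names in the list are assumptions made for illustration.

```php
<?php
// Added illustration, not TYPO3 code. Function and constant names are hypothetical.
// Uses current PHP syntax (7.0+), not the PHP 5.3 listed on the ticket.

// Types accepted for wizard-stored forms. HEADER and TEXTBLOCK stand for the two
// content elements the report names; the form element names are assumptions.
const WIZARD_ALLOWED = ['FIELDSET', 'TEXTLINE', 'TEXTAREA', 'CHECKBOX', 'SUBMIT', 'HEADER', 'TEXTBLOCK'];

/**
 * Walk a parsed TypoScript array ("10" => type, "10." => properties) and return
 * every child object that is not allowed for the given origin.
 * $fromWizard is true for TypoScript read from the bodytext field and false for
 * FORM / FORM_INT objects defined in a TypoScript template.
 */
function findDisallowedElements(array $conf, bool $fromWizard, string $path = 'form'): array
{
    if (!$fromWizard) {
        return []; // template-defined forms keep access to all cObjects
    }
    $violations = [];
    foreach ($conf as $key => $value) {
        $key = (string)$key;
        // Numeric keys name child objects; anything else is a plain property.
        if (!ctype_digit($key) || !is_string($value)) {
            continue;
        }
        $type = trim($value); // strict, case-sensitive match against the list
        $childPath = $path . '.' . $key;
        if (!in_array($type, WIZARD_ALLOWED, true)) {
            $violations[] = $childPath . ' = ' . $type; // reject, do not descend
            continue;
        }
        $props = $conf[$key . '.'] ?? [];
        if (is_array($props)) {
            $violations = array_merge($violations, findDisallowedElements($props, true, $childPath));
        }
    }
    return $violations;
}

// Constructed sample: a wizard-style form with two regular cObjects mixed in.
$sample = [
    10 => 'HEADER',    '10.' => ['content' => 'Contact'],
    20 => 'FIELDSET',  '20.' => [10 => 'TEXTLINE', '10.' => ['name' => 'email'], 20 => 'TEXT'],
    30 => 'COA',       '30.' => [10 => 'TEXT'],
];
print_r(findDisallowedElements($sample, true));  // wizard origin
print_r(findDisallowedElements($sample, false)); // template origin
```

The check rejects by default: any type missing from the list is reported and its subtree is never rendered, so a cObject nested inside an allowed element such as FIELDSET is still caught.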