Story #34664

jumpurl.secure misses a test for backend user sections

Added by Martin Altmayer about 12 years ago. Updated about 7 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2012-03-08
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Sprint Focus:

Description

I use links with jumpurl.secure on backend user sections. It turns out that the generated links can be used by everyone because TYPO3 does not check whether a BE user is logged in.

Usually when receiving a jumpurl link, TYPO3 uses the location data inside (record id and page id) to ensure that the current user can access that record and page and denies access to the file otherwise (class.tslib_fe::locDataCheck). It seems that here a test for backend user sections is missing.

This patch seems to fix the issue, but as I change an important variable this might have consequences I'm not aware of.

--- class.tslib_fe.php_orig     2012-03-07 12:00:23.996434949 +0100                                                                                   
+++ class.tslib_fe.php  2012-03-07 12:00:29.731736265 +0100                                                                                           
@@ -1382,6 +1382,9 @@                                                                                                                                 
        function setSysPageWhereClause()        {                                                                                                     
                $this->sys_page->where_hid_del.=' AND pages.doktype<200';                                                                             
                $this->sys_page->where_groupAccess = $this->sys_page->getMultipleGroupsWhereClause('pages.fe_group', 'pages');                        
+        if (!$GLOBALS['BE_USER']) {                                                                                                                  
+            $this->sys_page->where_groupAccess .=' AND doktype != 6';                                                                                
+        }                                                                                                                                            
        }                                                                                                                                             

        /**    
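Review bot: the appended condition uses the unqualified column `doktype`, while the clause two lines above qualifies it as `pages.doktype`; since `where_groupAccess` is spliced into queries that can join other tables, write it as `' AND pages.doktype != 6'` to avoid an ambiguous-column error. The literal 6 (the "backend user section" page type the report is about) should get a comment or a named constant, and because this widens a where clause that the description itself calls "an important variable" and that is used well beyond jumpurl, the check belongs in the jumpurl location check (locDataCheck, named in the description) rather than in the global group-access clause. Note too that `!$GLOBALS['BE_USER']` only tests whether the object is absent, not whether a backend user is actually logged in, and the added lines are indented with spaces while the surrounding code uses tabs.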
Actions #1

Updated by Helmut Hummel about 12 years ago

  • Project changed from TYPO3 Core to 1716
Actions #2

Updated by Steffen Gebert about 12 years ago

I don't know why, but it looks like jumpUrls don't work for me at all.

But here's a simple code snippet which is used by Martin (asked in private):

# $file and $folder are set earlier in the plugin (file name and subfolder below fileadmin/intern/)
$content .= $this->cObj->filelink($file, array(
    'path'     => 'fileadmin/intern/' . $folder . '/',  # directory the file is served from
    'jumpurl.' => array('secure' => 1),                 # make a secure (jumpurl.secure) link
));

It looks like his solution makes sense, as there's obviously an entry point where the BE user section type isn't respected (and I'm not sure which else would be possible to exploit this way). However, I wouldn't consider this extremely critical.

Actions #3

Updated by Helmut Hummel over 10 years ago

  • Project changed from 1716 to TYPO3 Core

The behaviour of jumpurl secure is not well defined, and if in doubt jumpurl should not be used to secure links to files, as the feature set is very limited.
Instead, extensions like naw_securedl should be used...

In any way, this can be handled and discussed in public.

Actions #4

Updated by Mathias Schreiber over 9 years ago

  • Tracker changed from Bug to Story
  • Target version set to 7.2 (Frontend)
  • Remaining hours set to 0.0
Actions #5

Updated by Benni Mack almost 9 years ago

  • Target version changed from 7.2 (Frontend) to 7.4 (Backend)
Actions #6

Updated by Susanne Moog almost 9 years ago

  • Target version changed from 7.4 (Backend) to 7.5
Actions #7

Updated by Benni Mack over 8 years ago

  • Target version changed from 7.5 to 7 LTS
Actions #8

Updated by Christian Kuhn about 7 years ago

  • Status changed from New to Closed

jumpurl has been extracted from core, this issue is no longer relevant here.
