Bug #57541

Content Security: operands work intrinsically differently in Rewrite and Manual check

Added by Adrian Föder over 7 years ago. Updated over 7 years ago.

Status:
Under Review
Priority:
Must have
Assignee:
-
Category:
Security
Target version:
-
Start date:
2014-04-02
Due date:
% Done:
0%

Estimated time:
PHP Version:
Has patch:
No
Complexity:

Description

When having defined an Entity resource like

'current.securityContext.party != this.owner'

the `owner` field refers, in one case, to the actual `owner` field of the database table (i.e. in \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::rewriteQomQuery)

and in the other case to the (hydrated) Entity property `owner` (i.e. in \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::checkAccessAfterFetchingAnObjectByIdentifier).

This leads to unpredictable results when the entity, for example, does not have a getter on this property, as it was in my case. I just considered it not necessary.

IMO, in \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::checkSingleConstraintDefinitionOnResultObject, the following lines:

// the left operand refers to a property of the fetched object ("this.<propertyPath>")
if (!is_array($constraintDefinition['leftValue']) && strpos($constraintDefinition['leftValue'], 'this.') === 0) {
    $referenceToThisFound = TRUE;
    // strip the "this." prefix and resolve the remaining path on the hydrated object
    $propertyPath = substr($constraintDefinition['leftValue'], 5);
    $leftOperand = $this->getObjectValueByPath($result, $propertyPath);
}

urgently need to throw an exception if getObjectValueByPath (which leads to ObjectAccess::getPropertyPath) tries to access something that cannot be retrieved.
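As an added illustration (not TYPO3 Flow's own code and not the patch under review) of the mismatch described above: a simplified stand-in for getObjectValueByPath that resolves a `this.` operand against the hydrated object, first leniently (the operand silently becomes NULL when there is no getter) and then with the exception the report asks for. `Document`, `resolveThisOperand` and `UnresolvablePropertyException` are hypothetical names chosen here, and the getter/public-property lookup is a simplification of ObjectAccess::getPropertyPath.

```php
<?php
// Added illustration (not TYPO3 Flow code): why resolving "this.owner" on the hydrated
// object can silently differ from what the SQL rewrite compares against the owner column.

final class UnresolvablePropertyException extends RuntimeException {}

// Stand-in for an entity whose "owner" column is persisted but which has no getter,
// as in the report: the query rewrite sees the column, the object check does not.
final class Document
{
    private $owner;            // deliberately no getOwner()
    public function __construct($owner) { $this->owner = $owner; }
}

// Simplified stand-in for getObjectValueByPath(): a public getter or public property
// resolves the value, otherwise it is unresolvable. $strict decides whether that is an error.
function resolveThisOperand($object, string $leftValue, bool $strict)
{
    $propertyPath = substr($leftValue, 5); // strip the "this." prefix, as the aspect does
    $getter = 'get' . ucfirst($propertyPath);
    if (is_callable([$object, $getter])) {
        return $object->$getter();
    }
    if (property_exists($object, $propertyPath) && (new ReflectionProperty($object, $propertyPath))->isPublic()) {
        return $object->$propertyPath;
    }
    if ($strict) {
        throw new UnresolvablePropertyException(
            sprintf('Constraint operand "%s" cannot be resolved on %s', $leftValue, get_class($object))
        );
    }
    return null; // lenient behaviour: the operand silently becomes NULL
}

$party = 'party-A';              // constructed sample: the current party
$doc = new Document('party-A');  // constructed sample: owned by that same party

// Lenient: "!= this.owner" is evaluated against NULL here, not against the persisted
// owner column the SQL rewrite uses, so the two code paths disagree for the same row.
$leftOperand = resolveThisOperand($doc, 'this.owner', false);
var_dump($leftOperand != $party);

// Strict: the missing getter surfaces as an error instead of a silently wrong comparison.
try {
    resolveThisOperand($doc, 'this.owner', true);
} catch (UnresolvablePropertyException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```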

#1

Updated by Gerrit Code Review over 7 years ago

  • Status changed from New to Under Review

Patch set 2 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/29065

#2

Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/29065
