Bug #58369
Extbase query cache does not respect current fe_group
Status: closed
Start date: 2014-04-30
% Done: 100%
TYPO3 Version: 6.2
Is Regression: Yes
Description
If an FE user requests Extbase objects, the query cache is built with the settings of the current user's group, e.g.:
... AND (tx_productdownloads_domain_model_document.fe_group='' OR tx_productdownloads_domain_model_document.fe_group IS NULL OR tx_productdownloads_domain_model_document.fe_group='0' OR FIND_IN_SET('0',tx_productdownloads_domain_model_document.fe_group) OR FIND_IN_SET('-2',tx_productdownloads_domain_model_document.fe_group) OR FIND_IN_SET('2',tx_productdownloads_domain_model_document.fe_group)) ...
If, next time, a user NOT in that group (2) requests the objects, the cached query is executed and he gets the same objects, including the access-restricted ones.
This is a security problem because the query cache is enabled by default.
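The failure mode reported above, modelled as an added example (not TYPO3 or Extbase code, and not part of the original report): a statement cache whose key ignores the requester's group list, next to one whose key includes it. The class and function names are hypothetical; the first requester's group list (0, -2, 2) is taken from the clause in the report, and the second requester's list is constructed.

```python
import hashlib

TABLE = "tx_productdownloads_domain_model_document"

def build_statement(table, groups):
    """Build a SELECT whose access clause embeds the requester's group ids."""
    col = f"{table}.fe_group"
    clause = [f"{col}=''", f"{col} IS NULL", f"{col}='0'"]
    clause += [f"FIND_IN_SET('{int(g)}',{col})" for g in groups]
    return f"SELECT * FROM {table} WHERE (" + " OR ".join(clause) + ")"

class StatementCache:
    """Hypothetical statement cache; the flag switches between the two key schemes."""

    def __init__(self, key_includes_groups):
        self.key_includes_groups = key_includes_groups
        self.store = {}

    def _key(self, table, groups):
        material = table
        if self.key_includes_groups:
            # Everything that shapes the cached value must also shape the key.
            material += "|" + ",".join(str(int(g)) for g in sorted(groups))
        return hashlib.sha256(material.encode()).hexdigest()

    def statement_for(self, table, groups):
        key = self._key(table, groups)
        if key not in self.store:
            self.store[key] = build_statement(table, groups)
        return self.store[key]

def leaked_groups(cache, first_groups, second_groups):
    """Group ids the second requester's statement grants although they do not hold them."""
    cache.statement_for(TABLE, first_groups)          # first request warms the cache
    stmt = cache.statement_for(TABLE, second_groups)  # second request may hit it
    return [g for g in first_groups
            if g not in second_groups and f"FIND_IN_SET('{g}'," in stmt]

if __name__ == "__main__":
    member, non_member = [0, -2, 2], [0, -2]  # constructed sample requesters
    print("key without groups:", leaked_groups(StatementCache(False), member, non_member))
    print("key with groups:   ", leaked_groups(StatementCache(True), member, non_member))
```

A regression test for this class of bug issues the same query as two principals with different group sets and asserts that the executed statements differ.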