Project

General

Profile

Actions
Copy link

Bug #58369

closed

Extbase query cache does not respect current fe_group

Added by Jan Kiesewetter about 10 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Felix Oertel
Category:
Extbase
Target version:
next-patchlevel
Start date:
2014-04-30
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

If a fe user requests extbase objects the query cache is build with settings of the current users group:
e.g.

...
AND (tx_productdownloads_domain_model_document.fe_group='' OR tx_productdownloads_domain_model_document.fe_group IS NULL OR tx_productdownloads_domain_model_document.fe_group='0' OR FIND_IN_SET('0',tx_productdownloads_domain_model_document.fe_group) OR FIND_IN_SET('-2',tx_productdownloads_domain_model_document.fe_group) OR FIND_IN_SET('2',tx_productdownloads_domain_model_document.fe_group))
...

If next time a user NOT in that group (2) requests the objects the cached query is executed and he gets the same objects, also the access restricted.

This is a security problem because the query cache is enabled by default.

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Task #58655: Add tests for extbase query cache current fe_groupClosed2014-05-09

Actions
Actions
Copy link

Also available in: Atom PDF