Task #63712

closed

Avoid use of eval() and replace it

Added by Job Rutgers almost 10 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
Start date:
2015-09-30
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The use of eval() can be slow and insecure, so maybe it's better to avoid it and replace it.
More info on:
http://www.nczonline.net/blog/2013/06/25/eval-isnt-evil-just-misunderstood/

After it is implemented it should be possible to use (in nginx):

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'";

Currently 'unsafe-eval' is still needed in default-src.
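Added here as an illustration (not TYPO3 code and not part of the issue): a small parser for a Content-Security-Policy header value that reports what the effective script policy permits, run against the nginx header above and against the permissive backend header quoted in comment #6. The function and constant names are my own; browsers use script-src when present and otherwise fall back to default-src, which is why 'unsafe-eval' ends up in default-src when no script-src is given.

```javascript
// Parse a CSP header value into { directiveName: [sources...] }.
// Directives are separated by ';', sources within a directive by whitespace.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; browsers ignore later duplicates.
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Determine the effective script source list (script-src, else default-src)
// and report the dangerous keywords it contains. This is a simplification:
// it ignores nonce/hash sources, which cause browsers to disregard
// 'unsafe-inline' for scripts.
function scriptPolicy(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'] || [];
  const has = (keyword) => sources.some((s) => s.toLowerCase() === keyword);
  return {
    sources,
    allowsEval: has("'unsafe-eval'"),
    allowsInline: has("'unsafe-inline'"),
    allowsAnyHost: has('*'),
  };
}

// Header values quoted in this issue (the nginx one from the description,
// the permissive one from the /typo3/.htaccess workaround in comment #6).
const STRICT_HEADER =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'";
const BACKEND_HEADER = "default-src * 'unsafe-eval' 'unsafe-inline';";

// Example run: the strict header blocks eval, the backend workaround allows
// eval from any host.
console.log('strict:', scriptPolicy(STRICT_HEADER));
console.log('backend:', scriptPolicy(BACKEND_HEADER));
```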


Subtasks 1 (0 open, 1 closed)

Bug #70205: Remove eval from TCA slider JavaScript (Closed, Andreas Kienast, 2015-09-30)

Related issues 3 (0 open, 3 closed)

Related to TYPO3 Core - Bug #61996: unsafe-eval (Closed, 2014-10-01)
Related to TYPO3 Core - Task #17626: JS-function checkSubmit should not use eval (Closed, Frank Nägler, 2007-09-24)
Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend (Closed, 2016-01-31)

#1

Updated by Mathias Schreiber almost 10 years ago

  • Target version changed from 7.0 to 7.1 (Cleanup)
#2

Updated by Benni Mack over 9 years ago

  • Target version changed from 7.1 (Cleanup) to 7.4 (Backend)
#3

Updated by Susanne Moog over 9 years ago

  • Target version changed from 7.4 (Backend) to 7.5
#4

Updated by Benni Mack about 9 years ago

  • Target version changed from 7.5 to 7 LTS
#5

Updated by Stefan Neufeind about 9 years ago

  • Status changed from New to Resolved

Just a few remaining evals, but all in JavaScript code. Let's IMHO close it.

#6

Updated by Peter Proell almost 9 years ago

There are still (7.6) CSP issues in the backend (/typo3).

We should add a fitting CSP to the .htaccess in /typo3. Currently I am adding

Header set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline';

in /typo3/.htaccess to overrule the more strict CSP of the website itself and make the backend work as well.

It would be a nice security feature if the TYPO3 backend would support a stricter CSP.

Info on CSP:
http://content-security-policy.com/
https://de.wikipedia.org/wiki/Content_Security_Policy

#7

Updated by Peter Proell almost 9 years ago

Opened a new ticket https://forge.typo3.org/issues/73047 as I cannot reopen this one.

#8

Updated by Riccardo De Contardi about 7 years ago

  • Status changed from Resolved to Closed