Bug #82978: Core Extension felogin prevents Helmut Hummel secure web approach
Status: closed (100% done)
Description
The extension felogin conflicts with Helmut Hummel's approach of a secure web folder structure.
The extension uses TSFE->tmpl to fetch the template file. This way it's always relative to the document root, where no private files are available.
This needs to be adjusted so that template files are searched within the typo3 folder.
The issue is the following line: https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php#L145
By using the TemplateService it will always be relative to the document root.
As https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/core/Classes/TypoScript/TemplateService.php#L1351 says: "Returns the reference used for the frontend inclusion, checks against allowed paths for inclusion."
This is definitely the wrong API usage, as templates are not frontend inclusions.
Therefore some other API should be used.
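An added illustration of the path-resolution problem the report describes (not TYPO3's own code, and not the patch that resolved this issue): a constructed "secure web" layout in a temp directory, a simplified stand-in for a document-root-relative lookup, and a hypothetical resolver that maps `EXT:` paths onto the extension's real location instead. Function names and the `$extPaths` map are assumptions for this example.

```php
<?php
// Constructed layout: <project>/web is the document root, while the extension
// lives in <project>/typo3/sysext/felogin, i.e. outside the web-accessible tree.
$project = sys_get_temp_dir() . '/secureweb_' . bin2hex(random_bytes(4));
$docRoot = $project . '/web';
$extDir  = $project . '/typo3/sysext/felogin';
$tpl     = $extDir . '/Resources/Private/Templates/FrontendLogin.html';
mkdir(dirname($tpl), 0700, true);
mkdir($docRoot, 0700, true);
file_put_contents($tpl, '<!-- constructed login template -->');

// Simplified stand-in for a document-root-relative lookup (hypothetical, not
// TemplateService): the path is joined onto the document root and the result
// must stay inside it, so anything above the docroot is unreachable.
function resolveRelativeToDocRoot(string $file, string $docRoot): ?string
{
    $root      = realpath($docRoot);
    $candidate = realpath($docRoot . '/' . $file);
    if ($candidate === false || $root === false) {
        return null;
    }
    return strncmp($candidate, $root . '/', strlen($root) + 1) === 0 ? $candidate : null;
}

// Hypothetical alternative: resolve "EXT:<key>/<path>" against the extension's
// real directory, which works whether or not that directory is below the docroot.
function resolveViaExtensionPath(string $file, array $extPaths): ?string
{
    if (!preg_match('#^EXT:([^/]+)/(.+)$#', $file, $m) || !isset($extPaths[$m[1]])) {
        return null;
    }
    $candidate = realpath($extPaths[$m[1]] . '/' . $m[2]);
    return $candidate !== false ? $candidate : null;
}

$extPaths = ['felogin' => $extDir];
$relative = 'typo3/sysext/felogin/Resources/Private/Templates/FrontendLogin.html';
$extRef   = 'EXT:felogin/Resources/Private/Templates/FrontendLogin.html';

var_dump(resolveRelativeToDocRoot($relative, $docRoot)); // NULL: file is not under web/
var_dump(resolveViaExtensionPath($extRef, $extPaths));   // absolute path of the template

// Clean up the constructed layout.
unlink($tpl);
foreach ([dirname($tpl), dirname($tpl, 2), dirname($tpl, 3), $extDir, dirname($extDir), dirname($extDir, 2), $docRoot, $project] as $d) {
    @rmdir($d);
}
```

The first lookup returns NULL because the template sits above the document root, which is exactly the situation the secure web folder structure creates; the second finds it because it never assumes the extension is web-accessible.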
Updated by Daniel Siepmann about 7 years ago
- Has duplicate Task #82979: BUGFIX: Fix wrong usage of API in felogin added
Updated by Gerrit Code Review about 7 years ago
- Status changed from New to Under Review
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54622
Updated by Gerrit Code Review about 7 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54622
Updated by Gerrit Code Review about 7 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54625
Updated by Anonymous about 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset ba5e1f24c7f30415f13500220f7c80e3775e0f25.