Bug #82978

Core Extension felogin prevents Helmut Hummel's secure web approach

Added by Daniel Siepmann about 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
Start date:
2017-11-12
Due date:
% Done:

100%

TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The extension felogin conflicts with Helmut Hummel's approach of a secure web folder structure.

The extension uses TSFE->tmpl to fetch the template file. This way it's always relative to the document root, where no private files are available.
This needs to be adjusted so that template files are searched within the typo3 folder.

The issue is the following line: https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php#L145
By using the TemplateService it will always be relative to the document root.
As https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/core/Classes/TypoScript/TemplateService.php#L1351 tells us:

Returns the reference used for the frontend inclusion, checks against allowed paths for inclusion.

This is definitely the wrong API usage, as templates are not frontend inclusions.

Therefore some other API should be used.
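
As an added illustration (not part of the report or of the TYPO3 code base), a small Python model of the two resolution strategies: a docroot-bound lookup like the frontend-inclusion API quoted above, which by design cannot see private files kept outside the web root, beside a lookup through the extension's real directory, as the fix describes. The directory layout and the `EXT:` template reference are constructed assumptions, not the real installer output or TypoScript defaults.

```python
import os
import tempfile
from typing import Dict, Optional

# Constructed, simplified "secure web" layout (an assumption, not the real installer output):
# only web/ is served; private extension resources sit above it, only Public/ is mirrored in.
LAYOUT = {
    "web/index.php": "<?php // public entry point\n",
    "web/typo3conf/ext/felogin/Resources/Public/Css/felogin.css": "/* public */\n",
    "typo3conf/ext/felogin/Resources/Private/Templates/FrontendLogin.html": "<f:form />\n",
}
TEMPLATE_REF = "EXT:felogin/Resources/Private/Templates/FrontendLogin.html"  # assumed setup value
PUBLIC_REF = "EXT:felogin/Resources/Public/Css/felogin.css"

def build_layout(root: str) -> Dict[str, str]:
    # Write the constructed tree; return extension key -> absolute extension directory.
    for rel, content in LAYOUT.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return {"felogin": os.path.join(root, "typo3conf", "ext", "felogin")}

def _existing_inside(base: str, rel: str) -> Optional[str]:
    # Resolve rel below base; reject anything that escapes base or does not exist.
    candidate = os.path.realpath(os.path.join(base, rel))
    inside = candidate.startswith(os.path.realpath(base) + os.sep)
    return candidate if inside and os.path.isfile(candidate) else None

def resolve_frontend_inclusion(docroot: str, ref: str) -> Optional[str]:
    # Docroot-bound lookup modelling the quoted frontend-inclusion API: relative to the web root only.
    return _existing_inside(docroot, ref.replace("EXT:", "typo3conf/ext/", 1))

def resolve_ext_resource(ext_dirs: Dict[str, str], ref: str) -> Optional[str]:
    # Absolute resolution through the extension's real directory (the fix's approach), still confined to it.
    if not ref.startswith("EXT:"):
        return None
    ext_key, _, rel = ref[4:].partition("/")
    return _existing_inside(ext_dirs[ext_key], rel) if ext_key in ext_dirs else None

def run_demo() -> Dict[str, Optional[str]]:
    # Build the layout in a temp dir and resolve the references both ways.
    root = tempfile.mkdtemp(prefix="secure-web-")
    ext_dirs = build_layout(root)
    docroot = os.path.join(root, "web")
    return {
        "template_via_docroot": resolve_frontend_inclusion(docroot, TEMPLATE_REF),  # None: private file
        "template_via_ext": resolve_ext_resource(ext_dirs, TEMPLATE_REF),          # absolute path
        "css_via_docroot": resolve_frontend_inclusion(docroot, PUBLIC_REF),         # absolute path
        "escape_via_ext": resolve_ext_resource(ext_dirs, "EXT:felogin/../../../web/index.php"),  # None
    }
```

The docroot-bound resolver is the right tool for public assets and correctly refuses the private template; the extension-directory resolver finds it while still rejecting references that walk out of the extension.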


Related issues

Duplicated by TYPO3 Core - Task #82979: BUGFIX: Fix wrong usage of API in felogin Closed 2017-11-12

Associated revisions

Revision ba5e1f24 (diff)
Added by Daniel Siepmann about 2 years ago

[BUGFIX] Fix path-resolution for template-resource in EXT:felogin

Do not use frontend inclusion API for private template resource.
Instead resolve to full absolute path for inclusion.

Releases: master, 8.7
Resolves: #82978
Resolves: #82979
Change-Id: Iadd3a8386b967aeb8b5ffdb28baeb73c2a0f2734
Reviewed-on: https://review.typo3.org/54622
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>
Reviewed-by: Stefan Neufeind <>
Tested-by: Stefan Neufeind <>

Revision d604511f (diff)
Added by Daniel Siepmann about 2 years ago

[BUGFIX] Fix path-resolution for template-resource in EXT:felogin

Do not use frontend inclusion API for private template resource.
Instead resolve to full absolute path for inclusion.

Releases: master, 8.7
Resolves: #82978
Resolves: #82979
Change-Id: Iadd3a8386b967aeb8b5ffdb28baeb73c2a0f2734
Reviewed-on: https://review.typo3.org/54625
Reviewed-by: Stefan Neufeind <>
Tested-by: Stefan Neufeind <>
Tested-by: TYPO3com <>
Reviewed-by: Andreas Fernandez <>
Tested-by: Andreas Fernandez <>

History

#2 Updated by Daniel Siepmann about 2 years ago

  • Duplicated by Task #82979: BUGFIX: Fix wrong usage of API in felogin added

#3 Updated by Gerrit Code Review about 2 years ago

  • Status changed from New to Under Review

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54622

#4 Updated by Gerrit Code Review about 2 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54622

#5 Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54625

#6 Updated by Anonymous about 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#7 Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed
