Bug #82978

Core Extension felogin prevents Helmut Hummel secure web approach

Added by Daniel Siepmann over 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
Start date:
2017-11-12
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The extension felogin does conflict with Helmut Hummel approach of secure web folder structure.

The extension uses TSFE->tmpl to fetch the tempalte file. This way it's always relative to the document root where no private files are available.
This needs to be adjusted to template files are searched within the typo3 folder.

The issue is the following line: https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php#L145
Bu using the TemplateService it will always be relative to document root.
As https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/core/Classes/TypoScript/TemplateService.php#L1351 tells to

Returns the reference used for the frontend inclusion, checks against allowed paths for inclusion.

This is definitively the wrong API usage, as templates are not frontend inclusions.

Therefore some other API should be used.


Related issues

Has duplicate TYPO3 Core - Task #82979: BUGFIX: Fix wrong usage of API in feloginClosed2017-11-12

Actions
#2

Updated by Daniel Siepmann over 3 years ago

  • Has duplicate Task #82979: BUGFIX: Fix wrong usage of API in felogin added
#3

Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54622

#4

Updated by Gerrit Code Review over 3 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54622

#5

Updated by Gerrit Code Review over 3 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54625

#6

Updated by Anonymous over 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#7

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF