Project

General

Profile

Actions
Copy link

Bug #82978

closed

Core Extension felogin prevents Helmut Hummel secure web approach

Added by Daniel Siepmann about 7 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
next-patchlevel
Start date:
2017-11-12
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The extension felogin does conflict with Helmut Hummel approach of secure web folder structure.

The extension uses TSFE->tmpl to fetch the tempalte file. This way it's always relative to the document root where no private files are available.
This needs to be adjusted to template files are searched within the typo3 folder.

The issue is the following line: https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php#L145
Bu using the TemplateService it will always be relative to document root.
As https://github.com/TYPO3/TYPO3.CMS/blob/v8.7.8/typo3/sysext/core/Classes/TypoScript/TemplateService.php#L1351 tells to

Returns the reference used for the frontend inclusion, checks against allowed paths for inclusion.

This is definitively the wrong API usage, as templates are not frontend inclusions.

Therefore some other API should be used.

Related issues 1 (0 open1 closed)

Has duplicate TYPO3 Core - Task #82979: BUGFIX: Fix wrong usage of API in feloginClosed2017-11-12

Actions
Actions
Copy link

Also available in: Atom PDF