Bug #83258

closed

Close-button in edit-popups directly references HTML in Resources/Private

Added by Sven Juergens over 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Must have
Category: Backend User Interface
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity: easy
Is Regression:
Sprint Focus:

Description

Hi,

I have a fresh install of TYPO3 8.7.8 and use the standard .htaccess file from the typo3_src folder.

But this .htaccess contains the line

RewriteRule (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ - [F]

which blocks access to all Resources/Private folders.

If you use feedit (not frontend_editing), the content elements are opened in popups. But the close button (next to the save button) gets a returnURL with

typo3/sysext/backend/Resources/Private/Templates/Close.html

so you can save your content element, but if you click the close button you get a 403 Forbidden error.


Files

forbidden.mp4 (127 KB), Sven Juergens, 2017-12-08 10:20
forbidden-in-be.mp4 (210 KB), Sven Juergens, 2017-12-08 10:49
openInNewWindow.png (2.31 KB), Stephan Großberndt, 2017-12-08 11:54

Related issues 2 (0 open, 2 closed)

Follows TYPO3 Core - Task #68108: Move close.html to ext:backend (Closed, 2015-07-14)

Precedes TYPO3 Core - Task #83284: Remove EXT:backend/Resources/Private/Templates/Close.html (Closed, Stephan Großberndt, 2017-12-11)

Actions #1

Updated by Sven Juergens over 6 years ago

Here is an example.

Actions #2

Updated by Sven Juergens over 6 years ago

Hi,
I changed the subject; the same problem occurs in the backend if you use the button "Open in New Window" in content elements, and additionally the link to the file is wrong.
See the attached video.

Actions #3

Updated by Stephan Großberndt over 6 years ago

  • Subject changed from standard htaccess block required file for closing PopUps to @feedit@ directly links to resource in Resources/Private
  • Category set to Frontend
  • Priority changed from Should have to Must have

This is a bug in feedit; resources from Resources/Private must not be directly referenced for web users to access them.

In future versions of TYPO3 (for now e.g. https://github.com/helhum/typo3-secure-web) only Resources/Public of extensions is in the web directory (not just protected by htaccess in web root, but outside of web root).
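
An added example, not part of the issue thread or TYPO3's own code: a small Python audit that applies the RewriteRule pattern quoted in the description to a link and to any path carried in its query parameters, which is how the Close.html return URL ends up answered with 403. The sample links and the returnUrl and route parameter names are constructed assumptions; only the pattern and the Close.html path come from this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Pattern copied from the RewriteRule quoted in the issue description.
DENY = re.compile(
    r"(?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/"
    r"(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/"
)

def is_forbidden(path):
    """True if the rule's [F] flag would answer this path with 403."""
    # RewriteRule patterns are unanchored, so search() mirrors the match.
    return DENY.search(unquote(path).lstrip("/")) is not None

def forbidden_targets(url, max_depth=3):
    """Return every path referenced by `url` that the rule would block:
    the URL's own path plus any URL nested in a query parameter
    (e.g. a return URL), followed up to max_depth levels."""
    hits = []
    parts = urlsplit(url)
    if is_forbidden(parts.path):
        hits.append(parts.path.lstrip("/"))
    if max_depth > 0:
        for _name, value in parse_qsl(parts.query):
            if "/" in value:  # only values that look like a path or URL
                hits.extend(forbidden_targets(value, max_depth - 1))
    return hits

# Constructed sample links; only the Close.html path comes from the issue.
SAMPLE_LINKS = [
    "/typo3/index.php?route=%2Frecord%2Fedit&returnUrl="
    "%2Ftypo3%2Fsysext%2Fbackend%2FResources%2FPrivate%2FTemplates%2FClose.html",
    "/typo3/sysext/backend/Resources/Public/Icons/module.svg",
    "/typo3conf/ext/my_ext/Configuration/TypoScript/setup.txt",
]

def audit(links):
    """Map each link to the blocked paths it references (clean links omitted)."""
    report = {}
    for link in links:
        hits = forbidden_targets(link)
        if hits:
            report[link] = hits
    return report

if __name__ == "__main__":
    for link, hits in audit(SAMPLE_LINKS).items():
        print(link, "->", hits)
```

Run over links collected from rendered backend or frontend output, any hit is a reference that works only while Resources/Private is web-accessible and breaks once the directory is blocked or moved out of the web root.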

Actions #4

Updated by Stephan Großberndt over 6 years ago

  • Subject changed from @feedit@ directly links to resource in Resources/Private to EXT:feedit directly references close button HTML in Resources/Private
Actions #5

Updated by Stephan Großberndt over 6 years ago

  • Due date set to 2015-07-15
  • Start date changed from 2017-12-08 to 2015-07-15
  • Follows Task #68108: Move close.html to ext:backend added
Actions #6

Updated by Stephan Großberndt over 6 years ago

This bug was introduced by #68108, where close.html was moved to EXT:backend into backend/Resources/Private/, which must be referenced directly.

According to the code in https://review.typo3.org/#/c/41169/ this bug should also affect the functionality to open the window in a new tab when editing a record.

Actions #7

Updated by Stephan Großberndt over 6 years ago

  • Category changed from Frontend to Backend User Interface
Actions #8

Updated by Stephan Großberndt over 6 years ago

Confirmed. This also happens in the backend if you open a record you are editing in a new window and close that window using the close button inside the popup.

Actions #9

Updated by Stephan Großberndt over 6 years ago

  • Subject changed from EXT:feedit directly references close button HTML in Resources/Private to Close-button in edit-popups directly references HTML in Resources/Private
Actions #10

Updated by Markus Klein over 6 years ago

  • Status changed from New to Accepted
  • Assignee set to Markus Klein
  • Target version set to next-patchlevel
  • Complexity set to easy
Actions #11

Updated by Gerrit Code Review over 6 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54983

Actions #12

Updated by Stephan Großberndt over 6 years ago

  • Due date deleted (2015-07-15)
  • Assignee changed from Markus Klein to Stephan Großberndt
  • Start date deleted (2015-07-15)
Actions #13

Updated by Gerrit Code Review over 6 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992

Actions #14

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992

Actions #15

Updated by Gerrit Code Review over 6 years ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992

Actions #16

Updated by Gerrit Code Review over 6 years ago

Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992

Actions #17

Updated by Gerrit Code Review over 6 years ago

Patch set 5 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992

Actions #18

Updated by Stephan Großberndt over 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #19

Updated by Gerrit Code Review over 6 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54993

Actions #20

Updated by Stephan Großberndt over 6 years ago

  • Status changed from Under Review to Resolved
Actions #21

Updated by Gerrit Code Review over 6 years ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54993

Actions #22

Updated by Stephan Großberndt over 6 years ago

  • Precedes Task #83284: Remove EXT:backend/Resources/Private/Templates/Close.html added
Actions #23

Updated by Stephan Großberndt about 6 years ago

  • Status changed from Under Review to Resolved
Actions #24

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed