Bug #83258
closed
Close-button in edit-popups directly references HTML in Resources/Private
Added by Sven Juergens almost 7 years ago. Updated about 6 years ago.
% Done: 100%
Description
Hi,
I have a fresh install of TYPO3 8.7.8 and use the standard .htaccess file from the typo3_src folder.
But this .htaccess contains this line:
RewriteRule (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ - [F]
which blocks access to all Resources/Private folders.
If you use feedit (not frontend_editing), the content elements will be opened in popups. BUT the close button (next to the save button) gets a returnURL with
typo3/sysext/backend/Resources/Private/Templates/Close.html
So you can save your content element, but if you click the close button you get a 403 Forbidden error.
Files
forbidden.mp4 (127 KB) | Sven Juergens, 2017-12-08 10:20
forbidden-in-be.mp4 (210 KB) | Sven Juergens, 2017-12-08 10:49
openInNewWindow.png (2.31 KB) | Stephan Großberndt, 2017-12-08 11:54
Updated by Sven Juergens almost 7 years ago
- File forbidden-in-be.mp4 added
- Subject changed from standard htaccess block required file for feedit to standard htaccess block required file for closing PopUps
Hi,
Changed the subject; same problem in the backend if you use the button "Open in New Window" in content elements, and additionally the link to the file is wrong.
See attached video.
Updated by Stephan Großberndt almost 7 years ago
- Subject changed from standard htaccess block required file for closing PopUps to @feedit@ directly links to resource in Resources/Private
- Category set to Frontend
- Priority changed from Should have to Must have
This is a bug in feedit, resources from Resources/Private must not be directly referenced for web users to access it.
In future versions of TYPO3 (for now e.g. https://github.com/helhum/typo3-secure-web) only Resources/Public of extensions is in the web directory (not just protected by htaccess in web root, but outside of web root).
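An added example, not part of the thread or of TYPO3's code: a small audit that applies the deny pattern from the quoted RewriteRule to web paths found in source text, so references that would be answered with 403 are caught before release. The file name and sample lines are constructed; only the Close.html path comes from the report.

```python
import re

# Deny pattern copied verbatim from the RewriteRule quoted in the report;
# the [F] flag makes Apache answer 403 Forbidden on a match.
DENY_RULE = re.compile(
    r"(?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/"
    r"(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/"
)

# Anything in source text that looks like a web path into an extension directory.
WEB_PATH = re.compile(r"(?:typo3conf/ext|typo3/sysext|typo3/ext)/[^\s\"'&<>]+")


def is_forbidden(url_path):
    """Return True if the quoted rule would reject this URL path."""
    # mod_rewrite matches the path only: no query string, and in .htaccess
    # context no leading slash. The pattern is unanchored, hence search().
    path = url_path.split("?", 1)[0].lstrip("/")
    return DENY_RULE.search(path) is not None


def find_blocked_references(sources):
    """Scan {filename: text}; return (file, line, path) for denied web paths."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in WEB_PATH.finditer(line):
                if is_forbidden(match.group(0)):
                    findings.append((name, lineno, match.group(0)))
    return findings


# Constructed sample input (hypothetical file and variable names).
SAMPLE_SOURCES = {
    "popup_controller.php": (
        "<?php\n"
        "$returnUrl = 'typo3/sysext/backend/Resources/Private/Templates/Close.html';\n"
        "$icon = 'typo3/sysext/backend/Resources/Public/Icons/example.svg';\n"
        "$tpl = 'EXT:backend/Resources/Private/Templates/Example.html';\n"
    ),
}

if __name__ == "__main__":
    for name, lineno, path in find_blocked_references(SAMPLE_SOURCES):
        print(f"{name}:{lineno}: web reference will get 403: {path}")
```

Server-side `EXT:` references are deliberately not flagged, since they are resolved by PHP and never requested by the browser.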
Updated by Stephan Großberndt almost 7 years ago
- Subject changed from @feedit@ directly links to resource in Resources/Private to EXT:feedit directly references close button HTML in Resources/Private
Updated by Stephan Großberndt almost 7 years ago
- Due date set to 2015-07-15
- Start date changed from 2017-12-08 to 2015-07-15
- Follows Task #68108: Move close.html to ext:backend added
Updated by Stephan Großberndt almost 7 years ago
This bug was introduced by #68108 where close.html was moved to EXT:backend into backend/Resources/Private/ which must to be referenced directly.
According to the code in https://review.typo3.org/#/c/41169/ this bug should also affect the functionality to open the window in a new tab when editing a record.
Updated by Stephan Großberndt almost 7 years ago
- Category changed from Frontend to Backend User Interface
Updated by Stephan Großberndt almost 7 years ago
- File openInNewWindow.png added
Confirmed. This also happens in the backend if you open a record you are editing in a new window and close that window using the close button inside the popup.
Updated by Stephan Großberndt almost 7 years ago
- Subject changed from EXT:feedit directly references close button HTML in Resources/Private to Close-button in edit-popups directly references HTML in Resources/Private
Updated by Markus Klein almost 7 years ago
- Status changed from New to Accepted
- Assignee set to Markus Klein
- Target version set to next-patchlevel
- Complexity set to easy
Updated by Gerrit Code Review almost 7 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54983
Updated by Stephan Großberndt almost 7 years ago
- Due date deleted (2015-07-15)
- Assignee changed from Markus Klein to Stephan Großberndt
- Start date deleted (2015-07-15)
Updated by Gerrit Code Review almost 7 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992
Updated by Gerrit Code Review almost 7 years ago
Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992
Updated by Gerrit Code Review almost 7 years ago
Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992
Updated by Gerrit Code Review almost 7 years ago
Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992
Updated by Gerrit Code Review almost 7 years ago
Patch set 5 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54992
Updated by Stephan Großberndt almost 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 9b4b6be50caffc3b5c11ee2452a7b48c1348c583.
Updated by Gerrit Code Review almost 7 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54993
Updated by Stephan Großberndt almost 7 years ago
- Status changed from Under Review to Resolved
Applied in changeset 3050faa205661a8b1da2683cc4da2a6215dd3616.
Updated by Gerrit Code Review almost 7 years ago
- Status changed from Resolved to Under Review
Patch set 2 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54993
Updated by Stephan Großberndt almost 7 years ago
- Precedes Task #83284: Remove EXT:backend/Resources/Private/Templates/Close.html added
Updated by Stephan Großberndt almost 7 years ago
- Status changed from Under Review to Resolved
Applied in changeset df4b0966e77e46e83983245322f3d652c768f1ee.