Bug #87903

closed

Backend users having bookmark/shortcut with empty returnUrl parameter cannot access backend

Added by Joerg Kummer about 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2019-03-13
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 9
PHP Version: 7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

After upgrading from TYPO3 7.6 to 9.5.5, we had one backend user who could not access the backend after successful login.

Given

You have a backend user with at least one bookmark which contains a URI with an empty returnUrl parameter.

Expected

If you are logged in, you can see your bookmark (upper toolbar star icon) and open it on click.

Actual

If you are logged in, the rendering of the backend breaks with a PHP TypeError.
You cannot see anything or act in the backend.

Error message

parse_str() expects parameter 1 to be string, null given
…
in /Users/jok/Dev/Sites/typo3/cms/review/10/typo3/sysext/backend/Classes/Backend/Shortcut/ShortcutRepository.php line 741

How to Reproduce (both TYPO3 v9.5.5 and 10.0.0-dev)

Manipulate the stored URL for any bookmark directly in the database so that it has an empty returnUrl parameter in it…

Having a backend user, create a bookmark, for example:

  • Go to WebList module
  • Select Root page
  • Open your backend user for editing
  • Add this edit page to bookmark (Star at upper right corner)

Go to database table sys_be_shortcuts and change the field url so that it contains an empty parameter &returnUrl=,
for example
from:

/typo3/index.php?&route=record_edit&route=%2Frecord%2Fedit&returnUrl=%2Ftypo3%2Findex.php%3Froute%3D%252Fweb%252Flist%252F%26token%3D407860fa493b86d79f3c738efdc762ccc71bf3d8%26id%3D0%26table%3D%26imagemode%3D1&edit%5Bbe_users%5D%5B1%5D=edit

to:

/typo3/index.php?&route=record_edit&route=%2Frecord%2Fedit&returnUrl=&edit%5Bbe_users%5D%5B1%5D=edit

Reload the backend in your browser and expect to see the PHP TypeError as described above.



How to solve



The class typo3/sysext/backend/Classes/Backend/Shortcut/ShortcutRepository.php should be changed to ensure that the first argument in the PHP method parse_uri() is a valid string.

I will append a patch for it.


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #89533: parse_str() expects parameter 1 to be string, null given in typo3_src-9.5.10/typo3/sysext/backend/Classes/Backend/Shortcut/ShortcutRepository.php line 743 (Closed, 2019-10-29)
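
A defensive way to read the URL nested in a shortcut's returnUrl parameter, as an added example that is not part of the report, its patch, or TYPO3 core. `returnUrlParameters()` is a hypothetical helper, and the example assumes the failing code runs with `strict_types` enabled, where `parse_str()` rejects the null that `parse_url()` yields for a URL without a query string.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not TYPO3 core code): returns the query parameters of
 * the URL nested in a shortcut's returnUrl parameter, or [] when there is none.
 */
function returnUrlParameters(string $shortcutUrl): array
{
    // parse_url() yields null for a missing component and false for a malformed URL.
    $query = parse_url($shortcutUrl, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $parameters);

    // A stored row is untrusted input: returnUrl may be absent, empty,
    // or even an array (returnUrl[]=x).
    $returnUrl = $parameters['returnUrl'] ?? '';
    if (!is_string($returnUrl) || $returnUrl === '') {
        // "&returnUrl=" as in the report: nothing to parse.
        return [];
    }

    $nestedQuery = parse_url($returnUrl, PHP_URL_QUERY);
    if (!is_string($nestedQuery)) {
        // Without this guard the null would be handed to parse_str(),
        // which throws a TypeError under strict_types.
        return [];
    }
    parse_str($nestedQuery, $nestedParameters);
    return $nestedParameters;
}

// Stored URLs modelled on the two in the report; the nested URL is shortened
// and its token is a constructed placeholder.
$before = '/typo3/index.php?&route=record_edit&route=%2Frecord%2Fedit'
    . '&returnUrl=%2Ftypo3%2Findex.php%3Froute%3D%252Fweb%252Flist%252F%26token%3DPLACEHOLDER%26id%3D0'
    . '&edit%5Bbe_users%5D%5B1%5D=edit';
$after = '/typo3/index.php?&route=record_edit&route=%2Frecord%2Fedit'
    . '&returnUrl=&edit%5Bbe_users%5D%5B1%5D=edit';

var_dump(returnUrlParameters($before)); // route, token and id of the nested URL
var_dump(returnUrlParameters($after));  // empty array instead of a TypeError
```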
