Bug #92049

Showing Ref-Information not working

Added by Philipp Seiler about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend API
Target version:
-
Start date:
2020-08-19
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
7.4
Tags:
backend,ref,refindex,information,javascript,ajax
Complexity:
Is Regression:
Sprint Focus:

Description

  • Enable the [Ref] column in any record list.
  • Click on the [Ref] label in a row. An error is shown: "Sie haben nicht die nötigen Rechte, um diese Änderung durchzuführen.".

The bug is because of malformed query parameters sent from JavaScript to the backend. Check the [Ref] link that triggers loading of the information-pane:

<a href="#" data-dispatch-action="TYPO3.InfoWindow.showItem" data-dispatch-args-list="'be_groups', '2'" title="" data-original-title="Referenzen anzeigen (95)">95</a>

The parameters in data-dispatch-args-list get sent as-is to the backend. The ElementInformationController receives the following query parameters:

table => "'be_groups'" 
uid => " '2'" 

This implementation is implemented very questionably. There seems to be no proper validation or sanitizing of the sent data. Why not send the data as serialized JSON, e.g. via JSON.stringify()?

There are multiple places where this can be hot-fixed. E.g. Xclass the ElementInformationController at the init() method and sanitize the sent data manually:

protected function init(ServerRequestInterface $request): void
{
    $queryParams = $request->getQueryParams();

    // Hotfix: strip everything except word characters and dashes from the
    // table name and everything except digits from the uid, so the JS-quoted
    // values ("'be_groups'", " '2'") become "be_groups" and "2" again.
    // The `?? ''` guards avoid an undefined-index notice when a parameter is missing.
    $this->table = preg_replace('/[^\w_\-]/', '', (string)($queryParams['table'] ?? '')) ?? null;
    $this->uid = preg_replace('/[^\d]/', '', (string)($queryParams['uid'] ?? '')) ?? null;

    // [...]
}
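The following is an added example, not code from TYPO3 or from this report. It reproduces the argument handling described above in plain JavaScript: splitting the reported data-dispatch-args-list value on commas yields the quoted strings the controller received, a JSON.stringify()/JSON.parse() round trip yields clean values, and two backend-style checks contrast the hotfix approach (stripping unwanted characters) with rejecting malformed input outright. All function names are hypothetical; the attribute value is the one quoted in the report.

```javascript
// Added example (not TYPO3 code). Function names are hypothetical.

// The attribute value exactly as it appears in the reported markup.
const REPORTED_ARGS_LIST = "'be_groups', '2'";

// Naive handling: split the list on commas and pass each piece through.
// This reproduces what the controller received: table => "'be_groups'", uid => " '2'".
function splitArgsList(attr) {
  return attr.split(',');
}

// JSON alternative suggested in the report: the markup generator serialises
// the argument array ...
function encodeArgs(args) {
  return JSON.stringify(args);
}

// ... and the consumer parses it back without any quoting artefacts.
function decodeArgs(attr) {
  const parsed = JSON.parse(attr);
  if (!Array.isArray(parsed)) {
    throw new TypeError('expected a JSON array of dispatch arguments');
  }
  return parsed;
}

// Equivalent of the PHP hotfix: keep only [A-Za-z0-9_-] in the table name and
// only digits in the uid. Note that this silently "repairs" malformed input.
function sanitizeLikeHotfix(table, uid) {
  return {
    table: String(table).replace(/[^\w-]/g, ''),
    uid: String(uid).replace(/[^\d]/g, ''),
  };
}

// Stricter backend-style check: the table name must match an allowlist
// pattern and the uid must be a non-negative integer. Malformed input is
// rejected (null) rather than rewritten, so a broken caller becomes visible.
function validateShowItemParams(table, uid) {
  const tableOk = typeof table === 'string' && /^[\w-]+$/.test(table);
  const uidOk = typeof uid === 'string' && /^\d+$/.test(uid);
  if (!tableOk || !uidOk) {
    return null;
  }
  return { table, uid: Number(uid) };
}

// Walk through the reported case end to end.
function demo() {
  const [rawTable, rawUid] = splitArgsList(REPORTED_ARGS_LIST);
  const encoded = encodeArgs(['be_groups', '2']);
  const [jsonTable, jsonUid] = decodeArgs(encoded);
  return {
    rawReceived: { table: rawTable, uid: rawUid },
    rawRejected: validateShowItemParams(rawTable, rawUid) === null,
    hotfixed: sanitizeLikeHotfix(rawTable, rawUid),
    jsonAccepted: validateShowItemParams(jsonTable, jsonUid),
  };
}
```

Running demo() shows the quoted strings being rejected by the strict check while the JSON-encoded form passes; the sanitizer recovers "be_groups"/"2" from the quoted input, which is why the reporter's hotfix works, but it would also accept input such as "'be_gro;ups'" after stripping, which a strict check would not.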

Related issues

Related to TYPO3 Core - Story #82206: list module enhancements/bugfixes (New, 2005-07-21)

Has duplicate TYPO3 Core - Bug #91830: ElementInformationController gets wrong table name when clicking on the ref counter leading to access denied even for admins (Closed, 2020-07-20)

#1

Updated by Andreas Fernandez about 1 year ago

I think this is not a JavaScript issue per se, but the markup is generated wrong in DatabaseRecordList already:

  • ->createShowItemTagAttributes()
  • ->generateReferenceToolTip()
  • ->createReferenceHtml()

The method createReferenceHtml() uses GeneralUtility::quoteJSvalue() which quotes the values for further usage in JavaScript, which is then used as-is.

#2

Updated by Daniel Windloff about 1 year ago

  • Related to Story #82206: list module enhancements/bugfixes added
#3

Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65432

#4

Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65421

#5

Updated by Daniel Windloff about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#6

Updated by Georg Ringer about 1 year ago

  • Has duplicate Bug #91830: ElementInformationController gets wrong table name when clicking on the ref counter leading to access denied even for admins added
#7

Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed
