Bug #92049
Showing Ref-Information not working
Status: Closed
Priority: Should have
Assignee: -
Category: Backend API
Target version: -
Start date: 2020-08-19
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 10
PHP Version: 7.4
Tags: backend, ref, refindex, information, javascript, ajax
Complexity:
Is Regression:
Sprint Focus:
Description
- Enable the [Ref] column in any record list.
- Click on the [Ref] label in a row. An error is shown: "You do not have the necessary permissions to perform this change." (German UI text: "Sie haben nicht die nötigen Rechte, um diese Änderung durchzuführen.")
The bug is caused by malformed query parameters sent from JavaScript to the backend. Check the [Ref] link that triggers loading of the information pane:
<a href="#" data-dispatch-action="TYPO3.InfoWindow.showItem" data-dispatch-args-list="'be_groups', '2'" title="" data-original-title="Referenzen anzeigen (95)">95</a>
The parameters in data-dispatch-args-list get sent as-is to the backend. The ElementInformationController receives the following query parameters:
table => "'be_groups'"
uid => " '2'"
This implementation is very questionable. There seems to be no proper validation or sanitizing of the sent data. Why not send the data as serialized JSON, e.g. via JSON.stringify()?
There are multiple places where this can be hot-fixed. E.g. XCLASS the ElementInformationController at the init() method and sanitize the sent data manually:
protected function init(ServerRequestInterface $request): void
{
    $queryParams = $request->getQueryParams();
    // Strip everything except word characters and dashes from the table name and
    // everything except digits from the uid, so the stray quotes (and leading space)
    // sent by the JavaScript side are removed before the values are used.
    // Default to '' so a missing parameter does not raise an undefined-index notice.
    $this->table = preg_replace('/[^\w\-]/', '', (string)($queryParams['table'] ?? '')) ?? null;
    $this->uid = preg_replace('/[^\d]/', '', (string)($queryParams['uid'] ?? '')) ?? null;
    // [...]
}
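The following JavaScript is an added example, not code from TYPO3 or from the reporter. It models the three pieces of the report side by side: a minimal stand-in for the legacy dispatcher that ships the data-dispatch-args-list attribute as-is (an assumption used to reproduce the "'be_groups'" / " '2'" values the controller saw, not the real TYPO3 dispatcher), the JSON.stringify()/JSON.parse() path the report proposes instead, and a server-side check in the spirit of the hotfix. The strip-based stripLikeHotfix() mirrors the PHP preg_replace calls; validateElementInfoParams() is a stricter whitelist variant that rejects instead of repairing, which is what a practitioner would normally prefer on the receiving end.

```javascript
// Constructed input: the attribute value copied from the [Ref] link quoted in the report.
const LEGACY_ARGS_LIST = "'be_groups', '2'";

// Assumed legacy behaviour (hypothetical model, not TYPO3's dispatcher): split the
// attribute on commas and forward each piece unchanged. The quotes and the leading
// space survive, exactly as the ElementInformationController received them.
function legacyArgsToQuery(argsList) {
  const [table, uid] = argsList.split(',');
  return { table, uid };
}

// Proposed fix, emitter side: serialise the arguments as JSON in the attribute.
function encodeDispatchArgs(args) {
  return JSON.stringify(args);
}

// Proposed fix, dispatcher side: parse the JSON back; no ad-hoc quoting convention needed.
function decodeDispatchArgs(attr) {
  const parsed = JSON.parse(attr);
  if (!Array.isArray(parsed)) {
    throw new TypeError('dispatch args must be a JSON array');
  }
  return parsed;
}

// Same stripping the PHP hotfix does: keep word characters/dashes in the table
// name and digits in the uid. Repairs the legacy input, but also silently
// "repairs" garbage such as "be_groups'; DROP" into "be_groupsDROP".
function stripLikeHotfix({ table, uid }) {
  return {
    table: String(table).replace(/[^\w-]/g, ''),
    uid: String(uid).replace(/[^\d]/g, ''),
  };
}

// Stricter alternative: whitelist and reject. A table name is word characters
// and dashes only; a uid is a positive integer. Returns null on any violation.
function validateElementInfoParams({ table, uid }) {
  if (typeof table !== 'string' || !/^[\w-]+$/.test(table)) return null;
  if (!/^[1-9]\d*$/.test(String(uid))) return null;
  return { table, uid: Number(uid) };
}

// Complete path with the proposed encoding: attribute -> parsed args -> query -> validated.
function dispatchShowItem(attr) {
  const [table, uid] = decodeDispatchArgs(attr);
  return validateElementInfoParams({ table, uid });
}

// Stand-alone demonstration of the bug and the fix.
if (typeof require !== 'undefined' && require.main === module) {
  const legacy = legacyArgsToQuery(LEGACY_ARGS_LIST);
  console.log('legacy query params:', legacy);                       // quoted values
  console.log('strict check on legacy:', validateElementInfoParams(legacy)); // null
  console.log('after hotfix strip:', stripLikeHotfix(legacy));        // be_groups / 2
  const attr = encodeDispatchArgs(['be_groups', 2]);
  console.log('JSON attribute:', attr, '->', dispatchShowItem(attr));
}
```

The strict validator rejects the legacy "'be_groups'" outright, which would surface the bug as a clear 400-style error instead of the misleading permissions message; the strip variant reproduces what the posted XCLASS hotfix achieves.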