Bug #95941
closed
Prevent crashes in reference index update due to invalid user input
0%
Description
Currently an editor can cause crashes in the referenceindex:update command by entering invalid data in link fields (e.g. the header_link).
The first scenario is the safeguard in the TypolinkSoftReferenceParser against phar:// URLs. When the user enters such an URL the Backend crashes with an Exception and the update command will always fail until the invalid URL is removed.
The same happens with a combination of a slash / in the link value and a special char that is denied by the filename sanitation. Then the softref parser crashes with an InvalidPathException. Example: bla/blubb<specialchar>test (replace specialchar with this).
IMO editor input should not cause these kinds of Exceptions. Instead the errors should be catched / logged and additionally the validation of link input could be improved to deny disallowed URLs from the start.
Updated by Gerrit Code Review about 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72155
Updated by Gerrit Code Review almost 3 years ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/72155
Updated by Christian Kuhn over 1 year ago
- Status changed from Under Review to Rejected
Updated by Alexander Stehlik over 1 year ago
- TYPO3 Version changed from 11 to 12
- PHP Version changed from 8.0 to 8.2
@Christian Kuhn I understand that the patch was abandoned.
But the issue is still valid (just tested it with TYPO3 12). Both cases still lead to unhandled Exceptions.
So can you please reopen it?
Updated by Christian Spoo over 1 year ago
- Related to Bug #101618: TypolinkSoftReferenceParser throws warnings and "referenceindex:update" crashes if the LinkService encounters stale t3:// URLs added