[SECURITY][FEATURE] Disable import module for non admin users 67/49067/2
author Christian Kuhn <lolli@schwarzbu.ch>
Tue, 19 Jul 2016 10:16:09 +0000 (12:16 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:16:16 +0000 (12:16 +0200)
commit 1374e9937af68fa9c43be9051472d9532de2199e
tree b9751291e842218734f3d8f0fad8ccc7896b63c8
parent a333ce3b2803d5a155a315bff10a462d07ae72d1
[SECURITY][FEATURE] Disable import module for non admin users

To mitigate a potential insecure unserialize issue in the core:
Disable the import module of extension impexp for non admin users
if the module is not explicitly enabled for this user or group.

Introduce userTsConfig option
options.impexp.enableImportForNonAdminUser

Create a hook in page tree context menu to handle the item removal.

The v8 series is not directly affected by the underlying security
issue, but 7.6 and 6.2 are.

Resolves: #73461
Releases: master, 7.6, 6.2
Security-Commit: 294416360b57bddba70ffee67e5cb6c44d471fc8
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I62b33dc1de60283467e1276a9c03920887999cc0
Reviewed-on: https://review.typo3.org/49067
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/ContextMenu/Pagetree/ContextMenuDataProvider.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-73461-ImportModuleDisabledForNonAdminUsers.rst [new file with mode: 0644]
typo3/sysext/core/Documentation/Changelog/master/Feature-73461-EnableImportModuleForNonAdminUsers.rst [new file with mode: 0644]
typo3/sysext/impexp/Classes/Clickmenu.php
typo3/sysext/impexp/Classes/Controller/ImportExportController.php
typo3/sysext/impexp/Classes/Hook/ContextMenuDisableItemsHook.php [new file with mode: 0644]
typo3/sysext/impexp/ext_tables.php