[BUGFIX][SECURITY] Arbitrary TypoScript execution on system extension form
author: Oliver Hader <oliver@typo3.org>
Tue, 20 Sep 2011 15:53:24 +0000 (17:53 +0200)
committer: Oliver Hader <oliver@typo3.org>
Fri, 30 Sep 2011 18:00:56 +0000 (20:00 +0200)
commit: 7005e5e7388b08d67035d5d88dc20a1f99145cd6
tree: b21da594578d4cb0902d133078ea666aff6276fa
parent: 1bff1530399141de662331199ad8f617819db9f3
[BUGFIX][SECURITY] Arbitrary TypoScript execution on system extension form

The new system extension form can be used to render custom FORM elements as
well as regular cObjects like TEXT or COA. Since the form wizard can be used
by any editor in the backend and writes data to the field bodytext, this can
also be used to execute arbitrary TypoScript without further access checks.

This change introduces two defined and allowed content elements "header" and
"textblock" that can be defined by using the form wizard. If the TypoScript
that was generated by the mentioned wizard is rendered, regular cObjects are
disabled. If the FORM or FORM_INT cObject is used directly from a TypoScript
template, all possible cObjects can still be used.

Change-Id: I573764de7583b078456e71e95ea7903b433c29db
Resolves: #30095
Releases: 4.6
Reviewed-on: http://review.typo3.org/5128
Reviewed-by: Andreas Wolf
Reviewed-by: Frederic Gaus
Tested-by: Frederic Gaus
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
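The commit message describes a trust-by-source allowlist: a form definition written by the wizard into bodytext may only use the "header" and "textblock" content elements plus regular form fields, while a definition from a TypoScript template keeps full cObject access. The following is an added illustration of that check, hypothetical code that is not the sysext/form implementation; the function name, the element type lists and the sample definition are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed form field types (illustrative, not the extension's full list).
const FORM_FIELD_TYPES = ['textline', 'textarea', 'checkbox', 'radio', 'select', 'submit'];
// Content elements the wizard is allowed to emit; anything else is treated as a
// regular cObject such as TEXT or COA.
const WIZARD_CONTENT_TYPES = ['header', 'textblock'];

/**
 * Collect the element types that may be rendered from a TypoScript-style form
 * definition. A wizard-generated definition is untrusted editor input, so any
 * type outside the form fields and the two allowed content elements is rejected.
 *
 * @param array $definition e.g. ['10' => 'HEADER', '10.' => [...], '20' => 'TEXT', '20.' => [...]]
 * @param bool  $fromWizard true when the definition was written to bodytext by the form wizard
 * @return string[] lower-cased element types in definition order
 */
function collectRenderableElements(array $definition, bool $fromWizard): array
{
    $types = [];
    foreach ($definition as $key => $value) {
        // Numeric keys hold the element type; "<key>." holds its options.
        if (!is_string($value) || !ctype_digit((string)$key)) {
            continue;
        }
        $type = strtolower($value);
        $isFormField = in_array($type, FORM_FIELD_TYPES, true);
        $isAllowedContent = in_array($type, WIZARD_CONTENT_TYPES, true);
        if ($fromWizard && !$isFormField && !$isAllowedContent) {
            // Editors reach the wizard without TypoScript template rights, so
            // arbitrary cObjects must never be rendered from their input.
            throw new RuntimeException(sprintf(
                'Element type "%s" is not allowed in wizard-generated forms', $value
            ));
        }
        $types[] = $type;
    }
    return $types;
}

// Constructed sample definition (not from the commit): a header, a field and a cObject.
$definition = [
    '10' => 'HEADER',   '10.' => ['content' => 'Contact'],
    '20' => 'TEXTLINE', '20.' => ['name' => 'email'],
    '30' => 'TEXT',     '30.' => ['value' => 'rendered by a cObject'],
];
// From a TypoScript template the TEXT cObject stays available.
var_dump(collectRenderableElements($definition, false));
// The same definition coming from the wizard is rejected at the TEXT element.
try {
    collectRenderableElements($definition, true);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```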
25 files changed:
typo3/sysext/form/Classes/Common.php
typo3/sysext/form/Classes/Controller/Form.php
typo3/sysext/form/Classes/Domain/Factory/JsonToTyposcript.php
typo3/sysext/form/Classes/Domain/Factory/Typoscript.php
typo3/sysext/form/Classes/Domain/Factory/TyposcriptToJson.php
typo3/sysext/form/Classes/Domain/Model/Element/Abstract.php
typo3/sysext/form/Classes/Domain/Model/Element/AbstractPlain.php [new file with mode: 0644]
typo3/sysext/form/Classes/Domain/Model/Element/Content.php
typo3/sysext/form/Classes/Domain/Model/Element/Header.php [new file with mode: 0644]
typo3/sysext/form/Classes/Domain/Model/Element/Textblock.php [new file with mode: 0644]
typo3/sysext/form/Classes/Domain/Model/JSON/Header.php
typo3/sysext/form/Classes/Domain/Model/JSON/Textblock.php [new file with mode: 0644]
typo3/sysext/form/Classes/View/Form/Element/Abstract.php
typo3/sysext/form/Classes/View/Form/Element/Header.php [new file with mode: 0644]
typo3/sysext/form/Classes/View/Form/Element/Textblock.php [new file with mode: 0644]
typo3/sysext/form/Classes/View/Wizard/Wizard.php
typo3/sysext/form/Resources/Private/Configuration/PageTSconfig/modWizards.ts
typo3/sysext/form/Resources/Private/Language/locallang_wizard.xlf
typo3/sysext/form/Resources/Public/CSS/Wizard/Wizard.css
typo3/sysext/form/Resources/Public/Images/edit-textblock.png [new file with mode: 0644]
typo3/sysext/form/Resources/Public/JavaScript/Wizard/Elements/Content/Header.js
typo3/sysext/form/Resources/Public/JavaScript/Wizard/Elements/Content/Textblock.js [new file with mode: 0644]
typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Elements/Content.js
typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Various.js
typo3/sysext/form/ext_autoload.php