[SECURITY][FEATURE] Disable import module for non admin users 80/49080/2
author Christian Kuhn <lolli@schwarzbu.ch>
Tue, 19 Jul 2016 10:17:50 +0000 (12:17 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:17:53 +0000 (12:17 +0200)
commit 9ba09a9f270bdb568f0ed57d1912820bd869f5a6
tree 619dcbb236abaf748bf3411b0387548e22f53a27
parent 7fc25564e4034c016705da6646ffaf65891453d8
[SECURITY][FEATURE] Disable import module for non admin users

To mitigate a potential insecure unserialize issue in the core:
Disable the import module of extension impexp for non admin users
if the module is not explicitly enabled for this user or group.

Introduce userTsConfig option
options.impexp.enableImportForNonAdminUser

Create a hook in page tree context menu to handle the item removal.

The v8 series is not directly affected by the underlying security
issue, but 7.6 and 6.2 are.

Resolves: #73461
Releases: master, 7.6, 6.2
Security-Commit: 3ce6c6e064b3dd67051c573646e28c636937cd86
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I423122641308a6586cd3977957d4ee0bf0c8ef6b
Reviewed-on: https://review.typo3.org/49080
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/ContextMenu/Pagetree/ContextMenuDataProvider.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-73461-ImportModuleDisabledForNonAdminUsers.rst [new file with mode: 0644]
typo3/sysext/core/Documentation/Changelog/master/Feature-73461-EnableImportModuleForNonAdminUsers.rst [new file with mode: 0644]
typo3/sysext/impexp/Classes/Clickmenu.php
typo3/sysext/impexp/Classes/Controller/ImportExportController.php
typo3/sysext/impexp/Classes/Hook/ContextMenuDisableItemsHook.php [new file with mode: 0644]
typo3/sysext/impexp/ext_tables.php