[SECURITY] Disallow unauthorized module access 77/41477/2
authorHelmut Hummel <helmut.hummel@typo3.org>
Thu, 16 Jul 2015 15:06:56 +0000 (17:06 +0200)
committerWouter Wolters <typo3@wouterwolters.nl>
Thu, 16 Jul 2015 15:47:45 +0000 (17:47 +0200)
commita2074903a2428efd396fd3b7b2cb227c919fa93e
tree2243dd90124d4a31ac75eec836ee913e5751830c
parent0e589aa080c0c59966b4543b685ed737b7673679
[SECURITY] Disallow unauthorized module access

Changing the module dispatcher url from mod.php to index.php introduced a potential security leak,
as some modules could be called even with no user authenticated.

Fix and harden the checks in the module dispatcher to avoid that.

Resolves: #68232
Related: #68183
Releases: master
Change-Id: I60e91c654c6844cd60c2699418e7d816b355c928
Reviewed-on: http://review.typo3.org/41477
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
typo3/sysext/backend/Classes/Http/Application.php
typo3/sysext/backend/Classes/Http/BackendModuleRequestHandler.php