[SECURITY] Information Disclosure in Wizards 21/26221/2
author Helmut Hummel <helmut.hummel@typo3.org>
Tue, 10 Dec 2013 09:54:53 +0000 (10:54 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:54:57 +0000 (10:54 +0100)
commit b4965e06d2c073f24d57decff90e7cd8183e801e
tree 59ea4e63d2256d363be78e8ad5ebd9e5b9639d44
parent 5f32f0a47174d8e5fb8e301c265d772be72b5c72
[SECURITY] Information Disclosure in Wizards

It has been possible for authenticated editors
to show content of arbitrary tables and fields
that are defined in TCA by manipulating
GET parameters of the forms and table wizard.

This change adds a check if the editor has access
to the given record.

Change-Id: I8e27e5ffbccf148d951b50b21d9e15cc8e317442
Fixes: #41714
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 52d4e3eced81639820db6d75f3d65d14c5234072
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26221
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Controller/Wizard/FormsController.php
typo3/sysext/backend/Classes/Controller/Wizard/RteController.php
typo3/sysext/backend/Classes/Controller/Wizard/TableController.php