[SECURITY] Information Disclosure in Wizards 80/26180/2
author Anja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:51:05 +0000 (10:51 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:51:09 +0000 (10:51 +0100)
commit ba92f0abe512e9b024047921cdbb614d0ef63846
tree ced0ca399d925bb7276f9a00227fe2434bcdddef
parent 63ff9109c15560b9c357e513d98fd3525a0dc150
[SECURITY] Information Disclosure in Wizards

It has been possible for authenticated editors
to show content of arbitrary tables and fields
that are defined in TCA by manipulating
GET parameters of the forms and table wizard.

This change adds a check if the editor has access
to the given record.

Change-Id: I524ae9bd75a5cca9e37918e64f5c492c9fa3c36e
Fixes: #41714
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 9ee30833350405d003de206501118d1300998bee
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26180
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/wizard_forms.php
typo3/wizard_rte.php
typo3/wizard_table.php