[SECURITY] Prevent login of restricted users 92/51892/2
authorNicole Cordes <typo3@cordes.co>
Tue, 28 Feb 2017 10:23:24 +0000 (11:23 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 28 Feb 2017 10:23:30 +0000 (11:23 +0100)
As the new restriction handling relies on TCA information, we need to
load the TCA before any authentication starts. To prevent double loading
if a backend user is available, the bootstrap API for loading TCA and
extension configuration is split into two separate functions.

Furthermore this patch resolves a wrong table parameter handling.

Resolves: #79761
Releases: master
Security-Commit: 936bf33bc337b9a00ca0b1ed4ba4d5d19b0999a1
Security-Bulletin: TYPO3-CORE-SA-2017-002
Change-Id: I2add4e96b9b1308756022c532395ce7bbc160bf2
Reviewed-on: https://review.typo3.org/51892
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/frontend/Classes/Http/RequestHandler.php

index af392b8..ac48e29 100644 (file)
@@ -1439,7 +1439,7 @@ abstract class AbstractUserAuthentication
         $authInfo['db_user']['userident_column'] = $this->userident_column;
         $authInfo['db_user']['usergroup_column'] = $this->usergroup_column;
         $authInfo['db_user']['enable_clause'] = $this->userConstraints()->buildExpression(
-            [$this->user_table],
+            [$this->user_table => ''],
             $expressionBuilder
         );
         if ($this->checkPid && $this->checkPid_value !== null) {
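Review bot: The switch to `[$this->user_table => '']` encodes a calling convention (table name as the array key, alias as the value) that nothing at the call site explains, so a later reader could "simplify" it back to a plain list and reintroduce the mis-handled table parameter this commit fixes. A short comment above the `buildExpression(` call would pin it down, e.g. `// buildExpression() expects [table => alias]; an empty alias means the table name is used as-is`. The exact alias semantics are not visible here, so confirm the wording against the restriction container's buildExpression() implementation before committing. The enclosing method starts and ends outside the hunk.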
index c4a75de..fee17d8 100644 (file)
@@ -915,7 +915,37 @@ class Bootstrap
      */
     public function loadExtensionTables($allowCaching = true)
     {
+        $this->loadBaseTca($allowCaching)->loadExtTables($allowCaching);
+        return $this;
+    }
+
+    /**
+     * Load $TCA
+     *
+     * This will mainly set up $TCA through extMgm API.
+     *
+     * @param bool $allowCaching True, if loading TCA from cache is allowed
+     * @return Bootstrap
+     * @internal This is not a public API method, do not use in own extensions
+     */
+    public function loadBaseTca(bool $allowCaching = true): Bootstrap
+    {
         ExtensionManagementUtility::loadBaseTca($allowCaching);
+        return $this;
+    }
+
+    /**
+     * Load ext_tables and friends.
+     *
+     * This will mainly load and execute ext_tables.php files of loaded extensions
+     * or the according cache file if exists.
+     *
+     * @param bool $allowCaching True, if reading compiled ext_tables file from cache is allowed
+     * @return Bootstrap
+     * @internal This is not a public API method, do not use in own extensions
+     */
+    public function loadExtTables(bool $allowCaching = true): Bootstrap
+    {
         ExtensionManagementUtility::loadExtTables($allowCaching);
         $this->runExtTablesPostProcessingHooks();
         return $this;
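Review bot: `loadExtensionTables($allowCaching = true)` keeps its untyped parameter while it now forwards the value to `loadBaseTca(bool $allowCaching = true)`; if this file declares strict_types, a caller that previously passed a non-bool such as `1` will now hit a TypeError inside the wrapper, and without strict_types the value is silently coerced, so the wrapper should either be typed to match, `public function loadExtensionTables(bool $allowCaching = true): Bootstrap`, or cast at the forwarding call. Separately, `loadExtTables()` can now be called without `loadBaseTca()` having run, and the RequestHandler change in this commit deliberately calls `loadBaseTca()` first; if ext_tables.php files may rely on $TCA being present, the `loadExtTables` docblock should state that `loadBaseTca()` must precede it, e.g. `Expects loadBaseTca() to have been called beforehand.`. The docblock of loadExtensionTables lies above the hunk and may need the same note.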
index 050e192..3865f54 100644 (file)
@@ -113,6 +113,8 @@ class RequestHandler implements RequestHandlerInterface
         $this->bootstrap->endOutputBufferingAndCleanPreviousOutput();
         $this->initializeOutputCompression();
 
+        $this->bootstrap->loadBaseTca();
+
         // Initializing the Frontend User
         $this->timeTracker->push('Front End user initialized', '');
         $this->controller->initFEuser();
@@ -131,9 +133,7 @@ class RequestHandler implements RequestHandlerInterface
             $GLOBALS['BE_USER']->initializeAdminPanel();
             $this->bootstrap
                     ->initializeBackendRouter()
-                    ->loadExtensionTables();
-        } else {
-            ExtensionManagementUtility::loadBaseTca();
+                    ->loadExtTables();
         }
         $this->controller->checkAlternativeIdMethods();
         $this->controller->clear_preview();
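Review bot: The new `$this->bootstrap->loadBaseTca();` before `initFEuser()` carries no comment, yet its position is the security fix: per the commit message the restriction handling applied during authentication is built from TCA, so a later refactor that moves this call below the frontend user initialization would silently reintroduce the issue. Add a why-comment such as `// TCA must be loaded before any user authentication: the restriction clauses for user records are built from TCA (see #79761)`. In the second hunk the removed `else` branch was the only visible use of `ExtensionManagementUtility` in this file; if no other use remains outside the hunks, the now-unused `use` import should be dropped. Both hunks sit inside a method whose start and end are outside the view.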