[BUGFIX] Check page access only if integer in ModuleRunner 48/39648/2
authorNicole Cordes <typo3@cordes.co>
Thu, 21 May 2015 11:25:59 +0000 (13:25 +0200)
committerMarkus Klein <markus.klein@typo3.org>
Thu, 21 May 2015 14:17:17 +0000 (16:17 +0200)
If you register a module in main module "file" an error is thrown
because the ModuleRunner checks page access for the variable "id".
In any file module the id is a FAL identifier which can't be converted
to an integer value and the check fails.

This patch adds a limitation to the ModuleRunner to check page access
only if the id can be interpreted as integer value.

Releases: master, 6.2
Resolves: #67079
Change-Id: Iba44499b9b13172818aee48aefb01d102f810285
Reviewed-on: http://review.typo3.org/39648
Reviewed-by: Markus Sommer <markussom@posteo.de>
Tested-by: Markus Sommer <markussom@posteo.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/extbase/Classes/Core/ModuleRunner.php

index ce8dd79..2db45d8 100644 (file)
@@ -42,10 +42,11 @@ class ModuleRunner implements ModuleRunnerInterface {
 
                // Check permissions and exit if the user has no permission for entry
                $GLOBALS['BE_USER']->modAccess($moduleConfiguration, TRUE);
-               if (\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('id')) {
+               $id = \TYPO3\CMS\Core\Utility\GeneralUtility::_GP('id');
+               if ($id && \TYPO3\CMS\Core\Utility\MathUtility::canBeInterpretedAsInteger($id)) {
                        // Check page access
                        $permClause = $GLOBALS['BE_USER']->getPagePermsClause(TRUE);
-                       $access = is_array(\TYPO3\CMS\Backend\Utility\BackendUtility::readPageAccess((int)\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('id'), $permClause));
+                       $access = is_array(\TYPO3\CMS\Backend\Utility\BackendUtility::readPageAccess((int)$id, $permClause));
                        if (!$access) {
                                throw new \RuntimeException('You don\'t have access to this page', 1289917924);
                        }