[SECURITY][FEATURE] Disable import module for non admin users 67/49067/2
authorChristian Kuhn <lolli@schwarzbu.ch>
Tue, 19 Jul 2016 10:16:09 +0000 (12:16 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:16:16 +0000 (12:16 +0200)
To mitigate a potential insecure unserialize issue in the core:
Disable the import module of extension impexp for non admin users
if the module is not explicitly enabled for this user or group.

Introduce userTsConfig option
options.impexp.enableImportForNonAdminUser

Create a hook in page tree context menu to handle the item removal.

The v8 series is not directly affected by the underlying security
issue, but 7.6 and 6.2 are.

Resolves: #73461
Releases: master, 7.6, 6.2
Security-Commit: 294416360b57bddba70ffee67e5cb6c44d471fc8
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I62b33dc1de60283467e1276a9c03920887999cc0
Reviewed-on: https://review.typo3.org/49067
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/ContextMenu/Pagetree/ContextMenuDataProvider.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-73461-ImportModuleDisabledForNonAdminUsers.rst [new file with mode: 0644]
typo3/sysext/core/Documentation/Changelog/master/Feature-73461-EnableImportModuleForNonAdminUsers.rst [new file with mode: 0644]
typo3/sysext/impexp/Classes/Clickmenu.php
typo3/sysext/impexp/Classes/Controller/ImportExportController.php
typo3/sysext/impexp/Classes/Hook/ContextMenuDisableItemsHook.php [new file with mode: 0644]
typo3/sysext/impexp/ext_tables.php

index 1583240..d244cb4 100644 (file)
@@ -64,7 +64,24 @@ class ContextMenuDataProvider extends \TYPO3\CMS\Backend\ContextMenu\AbstractCon
                 $additionalItems[] = $item;
             }
         }
-        return array_merge($disableItems, $additionalItems);
+        $disableItems = array_merge($disableItems, $additionalItems);
+
+        // Further manipulation of disableItems array via hook
+        // @internal: This is an internal hook for extension impexp only, this hook may change without further notice
+        if (!empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'])
+            && is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'])
+        ) {
+            $hooks = $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'];
+            foreach ($hooks as $hook) {
+                $parameterArray = [
+                    'disableItems' => &$disableItems,
+                ];
+                $null = null;
+                GeneralUtility::callUserFunction($hook, $parameterArray, $null);
+            }
+        }
+
+        return $disableItems;
     }
 
     /**
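Review bot: The `foreach` over `$hooks` rebuilds `$parameterArray` and `$null` on every iteration although neither depends on the hook being called; both can be hoisted above the loop, `$parameterArray = ['disableItems' => &$disableItems]; $null = null; foreach ($hooks as $hook) { GeneralUtility::callUserFunction($hook, $parameterArray, $null); }`, which keeps the reference intact and reads more clearly. More importantly, a reader should not mistake this item removal for the security boundary: it only hides the menu entry, while the enforced check is the exception thrown in ImportExportController. A comment such as `// UI-only: the authoritative non-admin check lives in ImportExportController::main()` next to the hook call would make that explicit for future maintainers.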
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-73461-ImportModuleDisabledForNonAdminUsers.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-73461-ImportModuleDisabledForNonAdminUsers.rst
new file mode 100644 (file)
index 0000000..1c6831e
--- /dev/null
@@ -0,0 +1,26 @@
+=============================================================
+Breaking: #73461 - Import module disabled for non admin users
+=============================================================
+
+Description
+===========
+
+The import module of extension "impexp" has been disabled for non-admin users by default.
+
+
+Impact
+======
+
+For non-admin users who need that functionality, the userTsConfig option :ts:`options.impexp.enableImportForNonAdminUser = 1` must be set. This can have a negative security impact to the TYPO3 instance in core versions 7.6 and 6.2 and should only be enabled for "trustworthy" backend users in general.
+
+
+Affected Installations
+======================
+
+Installations with non-admin users making active use of the import / export module
+
+
+Migration
+=========
+
+Set userTsConfig option :ts:`options.impexp.enableImportForNonAdminUser = 1` to restore the old behavior.
\ No newline at end of file
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Feature-73461-EnableImportModuleForNonAdminUsers.rst b/typo3/sysext/core/Documentation/Changelog/master/Feature-73461-EnableImportModuleForNonAdminUsers.rst
new file mode 100644 (file)
index 0000000..63983ee
--- /dev/null
@@ -0,0 +1,15 @@
+==========================================================
+Feature: #73461 - Enable import module for non admin users
+==========================================================
+
+Description
+===========
+
+The new userTsConfig option :ts:`options.impexp.enableImportForNonAdminUser` can be used to enable
+the import module of EXT:impexp for non admin users.
+
+
+Impact
+======
+
+This option should be enabled for "trustworthy" backend users only.
\ No newline at end of file
index ac45c4b..daf6662 100644 (file)
@@ -15,6 +15,7 @@ namespace TYPO3\CMS\Impexp;
  */
 
 use TYPO3\CMS\Backend\Utility\BackendUtility;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Imaging\Icon;
 use TYPO3\CMS\Core\Imaging\IconFactory;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
@@ -76,20 +77,24 @@ class Clickmenu
                 1
             );
             if ($table === 'pages') {
-                $urlParameters = array(
-                    'id' => $uid,
-                    'table' => $table,
-                    'tx_impexp' => array(
-                        'action' => 'import'
-                    ),
-                );
-                $url = BackendUtility::getModuleUrl('xMOD_tximpexp', $urlParameters);
-                $localItems[] = $backRef->linkItem(
-                    $this->getLanguageService()->makeEntities($this->getLanguageService()->getLLL('import', $LL)),
-                    $backRef->excludeIcon($this->iconFactory->getIcon('actions-document-import-t3d', Icon::SIZE_SMALL)),
-                    $backRef->urlRefForCM($url),
-                    1
-                );
+                $backendUser = $this->getBackendUser();
+                $isEnabledForNonAdmin = $backendUser->getTSConfig('options.impexp.enableImportForNonAdminUser');
+                if ($backendUser->isAdmin() || !empty($isEnabledForNonAdmin['value'])) {
+                    $urlParameters = array(
+                        'id' => $uid,
+                        'table' => $table,
+                        'tx_impexp' => array(
+                            'action' => 'import'
+                        ),
+                    );
+                    $url = BackendUtility::getModuleUrl('xMOD_tximpexp', $urlParameters);
+                    $localItems[] = $backRef->linkItem(
+                        $this->getLanguageService()->makeEntities($this->getLanguageService()->getLLL('import', $LL)),
+                        $backRef->excludeIcon($this->iconFactory->getIcon('actions-document-import-t3d', Icon::SIZE_SMALL)),
+                        $backRef->urlRefForCM($url),
+                        1
+                    );
+                }
             }
         }
         return array_merge($menuItems, $localItems);
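Review bot: The permission condition `$backendUser->isAdmin() || !empty($isEnabledForNonAdmin['value'])` at the top of the `pages` branch is now written out three times across this commit (here, in ImportExportController and in ContextMenuDisableItemsHook), so the three copies can silently drift apart — for example if the TSConfig option is renamed or a group-level override is added later. Consider extracting it once, e.g. a small static helper on the hook class or the controller taking a `BackendUserAuthentication` and returning `bool`, and calling it from all three places. If a helper is out of scope for a security fix, at least add `// keep in sync with ImportExportController::main() and ContextMenuDisableItemsHook` above the condition. The enclosing method starts before this hunk.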
@@ -112,4 +117,12 @@ class Clickmenu
     {
         return $GLOBALS['LANG'];
     }
+
+    /**
+     * @return BackendUserAuthentication
+     */
+    protected function getBackendUser()
+    {
+        return $GLOBALS['BE_USER'];
+    }
 }
index fffcbc2..6fd1e7e 100644 (file)
@@ -161,6 +161,7 @@ class ImportExportController extends BaseScriptClass
      *
      * @throws \BadFunctionCallException
      * @throws \InvalidArgumentException
+     * @throws \RuntimeException
      * @return void
      */
     public function main()
@@ -197,6 +198,15 @@ class ImportExportController extends BaseScriptClass
                 $this->standaloneView->setTemplate('Export.html');
                 break;
             case 'import':
+                $backendUser = $this->getBackendUser();
+                $isEnabledForNonAdmin = $backendUser->getTSConfig('options.impexp.enableImportForNonAdminUser');
+                if (!$backendUser->isAdmin() && empty($isEnabledForNonAdmin['value'])) {
+                    throw new \RuntimeException(
+                        'Import module is disabled for non admin users and '
+                        . 'userTsConfig options.impexp.enableImportForNonAdminUser is not enabled.',
+                        1464435459
+                    );
+                }
                 $this->shortcutName = $this->lang->getLL('title_import');
                 if (GeneralUtility::_POST('_upload')) {
                     $this->checkUpload();
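Review bot: The guard is placed inside `case 'import':` only, so it protects the upload and import flow reached through that branch; if any other `case` of this switch (the rest of `main()` lies outside the hunk) can also reach the import/unserialize code path, that path is still open to non-admins and the check should be hoisted to the top of `main()` instead. Throwing `\RuntimeException` here fails closed, which is correct for a security fix, but the user sees a generic error page rather than an access-denied message; a short comment such as `// Fail closed: import is admin-only unless explicitly enabled via userTsConfig (#73461)` would record why an exception rather than a flash message is used. Also note that the condition here duplicates the one in Clickmenu and ContextMenuDisableItemsHook; keeping the three in sync is a maintenance risk worth a cross-reference comment.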
diff --git a/typo3/sysext/impexp/Classes/Hook/ContextMenuDisableItemsHook.php b/typo3/sysext/impexp/Classes/Hook/ContextMenuDisableItemsHook.php
new file mode 100644 (file)
index 0000000..b04efa0
--- /dev/null
@@ -0,0 +1,52 @@
+<?php
+namespace TYPO3\CMS\Impexp\Hook;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+
+/**
+ * Hook for page tree context menu to suppress "import .t3d" menu item
+ * if user is no admin and options.impexp.enableImportForNonAdminUser is
+ * not set in userTsConfig
+ */
+class ContextMenuDisableItemsHook
+{
+    /**
+     * Remove import functionality from page tree context menu
+     * if user is no admin and this module is not enabled via userTsConfig
+     *
+     * Modifies $parameters array by reference!
+     *
+     * @param array $parameters Parameter array
+     */
+    public function disableImportForNonAdmin(array $parameters)
+    {
+        $backendUser = $this->getBackendUser();
+        if (!$backendUser->isAdmin()) {
+            $isEnabledForNonAdmin = $backendUser->getTSConfig('options.impexp.enableImportForNonAdminUser');
+            if (empty($isEnabledForNonAdmin['value'])) {
+                $parameters['disableItems'][] = 'importT3d';
+            }
+        }
+    }
+
+    /**
+     * @return BackendUserAuthentication
+     */
+    protected function getBackendUser()
+    {
+        return $GLOBALS['BE_USER'];
+    }
+}
\ No newline at end of file
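Review bot: The docblock on `disableImportForNonAdmin` says "Modifies $parameters array by reference!", but the parameter is declared by value (`array $parameters`); the write in `$parameters['disableItems'][] = 'importT3d'` only reaches the caller because ContextMenuDataProvider stores a reference at the `'disableItems'` key, which survives the array copy. Either declare the parameter as `array &$parameters` so the contract is explicit, or reword the docblock to `@param array $parameters Expects $parameters['disableItems'] to be a reference into the caller's array; the item id is appended to it`. The item id `'importT3d'` must match the id under which the page tree context menu registers the import entry; that registration is not visible in this commit, so a comment pointing at where it is defined would help.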
index 70203e1..1caeefe 100644 (file)
@@ -49,4 +49,8 @@ if (TYPO3_MODE === 'BE') {
                        }
                }
        ');
+    // Hook into page tree context menu to remove "import" items again if user is not admin or module
+    // is not enabled for this user / group
+    $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'][]
+        = \TYPO3\CMS\Impexp\Hook\ContextMenuDisableItemsHook::class . '->disableImportForNonAdmin';
 }