[BUGFIX] Access Close.html from Resources/Public/Html/ 92/54992/6
authorStephan Großberndt <stephan@grossberndt.de>
Fri, 8 Dec 2017 14:38:44 +0000 (15:38 +0100)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Fri, 8 Dec 2017 15:16:23 +0000 (16:16 +0100)
Clicking the close button in an editing popup now accesses Close.html in
Resources/Public/Html/, which is a folder accessible by a web user,
instead of Resources/Private/Templates/, which led to an HTTP 403 error
on closing the popup.

Releases: master, 8.7, 7.6
Resolves: #83258
Related: #68108
Change-Id: Ibe7e328936240df436a3c9585e53122f1577dc6e
Reviewed-on: https://review.typo3.org/54992
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
typo3/sysext/backend/Classes/Controller/EditDocumentController.php
typo3/sysext/backend/Resources/Private/Templates/Close.html
typo3/sysext/backend/Resources/Public/Html/Close.html [new file with mode: 0644]
typo3/sysext/feedit/Classes/FrontendEditPanel.php

index d7dbf5c..d4a6bbd 100644 (file)
@@ -36,7 +36,6 @@ use TYPO3\CMS\Core\Messaging\FlashMessageQueue;
 use TYPO3\CMS\Core\Messaging\FlashMessageService;
 use TYPO3\CMS\Core\Page\PageRenderer;
 use TYPO3\CMS\Core\Type\Bitmask\Permission;
-use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\HttpUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
@@ -1448,7 +1447,7 @@ class EditDocumentController extends AbstractModule
      */
     public function shortCutLink()
     {
-        if ($this->returnUrl !== ExtensionManagementUtility::siteRelPath('backend') . 'Resources/Private/Templates/Close.html') {
+        if ($this->returnUrl !== GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html')) {
             $shortCutButton = $this->moduleTemplate->getDocHeaderComponent()->getButtonBar()->makeShortcutButton();
             $shortCutButton->setModuleName($this->MCONF['name'])
                 ->setGetVariables([
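Review bot: The comparison `$this->returnUrl !== GeneralUtility::getFileAbsFileName(...)` in shortCutLink() tests a URL against an absolute filesystem path, so it will presumably never be equal. The same applies to `$this->returnUrl !== $closeUrl` in the openInNewWindowLink() hunk, where the value actually sent as `returnUrl` is `PathUtility::getAbsoluteWebPath($closeUrl)`. If returnUrl comes back from the request in that web-path form (its assignment is outside these hunks), both buttons are rendered inside the popup as well. Comparing against the web path would keep the guard effective, e.g. `$closeUrl = PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html'));` followed by `if ($this->returnUrl !== $closeUrl) {`. The body of shortCutLink() continues outside the hunk.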
@@ -1468,7 +1467,7 @@ class EditDocumentController extends AbstractModule
      */
     public function openInNewWindowLink()
     {
-        $closeUrl = ExtensionManagementUtility::siteRelPath('backend') . 'Resources/Private/Templates/Close.html';
+        $closeUrl = GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html');
         if ($this->returnUrl !== $closeUrl) {
             $aOnClick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue(GeneralUtility::linkThisScript(
                 ['returnUrl' => PathUtility::getAbsoluteWebPath($closeUrl)]
index e5fbc77..5a0cfc5 100644 (file)
@@ -2,7 +2,7 @@
 <html>
        <head>
                <!-- Close script, used in particular by FormEngine to close the current edit window -->
-               <!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Private/Templates/close.html -->
+               <!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Private/Templates/Close.html -->
                <meta charset="utf-8" />
                <title>Close</title>
                <script type="text/javascript">
@@ -12,4 +12,4 @@
        </head>
        <body>
        </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/typo3/sysext/backend/Resources/Public/Html/Close.html b/typo3/sysext/backend/Resources/Public/Html/Close.html
new file mode 100644 (file)
index 0000000..1a4faf6
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+       <head>
+               <!-- Close script, used in particular by FormEngine to close the current edit window -->
+               <!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Public/Html/Close.html -->
+               <meta charset="utf-8" />
+               <title>Close</title>
+               <script type="text/javascript">
+                       self.close();
+                       window.opener.location.reload(true);
+               </script>
+       </head>
+       <body>
+       </body>
+</html>
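Review bot: `window.opener.location.reload(true);` dereferences `window.opener` without a check, and it runs only after `self.close();` has been called. Now that the file is served from Resources/Public/, it can be requested directly or opened without an opener, in which case that line throws a TypeError. Reloading first and guarding the opener is more robust: `if (window.opener) { window.opener.location.reload(true); }` followed by `self.close();`. Because the page is presumably reachable without a backend session, it should stay limited to this static script and carry no instance-specific data.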
index b269820..ef3bd26 100644 (file)
@@ -18,7 +18,6 @@ use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Imaging\Icon;
 use TYPO3\CMS\Core\Imaging\IconFactory;
 use TYPO3\CMS\Core\Type\Bitmask\JsConfirmation;
-use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
 use TYPO3\CMS\Core\Utility\PathUtility;
@@ -298,7 +297,7 @@ class FrontendEditPanel
     {
         $width = MathUtility::forceIntegerInRange($this->backendUser->getTSConfigVal('options.feedit.popupWidth'), 690, 5000, 690);
         $height = MathUtility::forceIntegerInRange($this->backendUser->getTSConfigVal('options.feedit.popupHeight'), 500, 5000, 500);
-        $onclick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue($url . '&returnUrl=' . rawurlencode(PathUtility::getAbsoluteWebPath(ExtensionManagementUtility::siteRelPath('backend') . 'Resources/Private/Templates/Close.html'))) . ',\'FEquickEditWindow\',\'width=' . $width . ',height=' . $height . ',status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
+        $onclick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue($url . '&returnUrl=' . rawurlencode(PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html')))) . ',\'FEquickEditWindow\',\'width=' . $width . ',height=' . $height . ',status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
         return '<a href="#" class="typo3-editPanel-btn typo3-editPanel-btn-default frontEndEditIconLinks ' . htmlspecialchars($additionalClasses) . '" onclick="' . htmlspecialchars($onclick) . '" style="display: none;">' . $string . '</a>';
     }
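Review bot: The changed `$onclick` line nests five calls around the path literal, which makes the escaping order (rawurlencode, then quoteJSvalue, then htmlspecialchars on the next line) hard to audit. The literal `'EXT:backend/Resources/Public/Html/Close.html'` is also repeated at three call sites in this commit, here and twice in EditDocumentController. A local variable would make the line readable and the layers visible: `$closeUrl = PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html'));` and then `rawurlencode($closeUrl)` inside the `window.open(` argument. The method's signature is outside the hunk.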