[BUGFIX] ext:adodb Restrict connection wizard to admins 60/25760/3
author Christian Kuhn <lolli@schwarzbu.ch>
Fri, 29 Nov 2013 15:11:04 +0000 (16:11 +0100)
committer Christian Kuhn <lolli@schwarzbu.ch>
Fri, 29 Nov 2013 16:02:05 +0000 (17:02 +0100)
In the unlikely case ext:datasources is used, there is a potential
information disclosure that content of this table is shown to
non-admin backend users. This is better sanitized with the patch.

Change-Id: I748a0e05b57ac8c6d9c37cdd86fdb093c380dea5
Resolves: #42651
Releases: 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25760
Reviewed-by: Franz G. Jahn
Tested-by: Franz G. Jahn
Reviewed-by: Oliver Klee
Tested-by: Oliver Klee
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
typo3/sysext/adodb/checkconnectionwizard.php

index 5f6cd7d..8551649 100644 (file)
@@ -69,7 +69,7 @@ class tx_adodb_checkconnectionwizard {
 
                $conf['md5ID'];
 
-               if ($conf['table'] == 'tx_datasources_datasource') {
+               if (($conf['table'] === 'tx_datasources_datasource') && $GLOBALS['BE_USER']->isAdmin()) {
                        $dsRecord = t3lib_beFunc::getRecord($conf['table'], intval($conf['uid']));
 
                        if (is_array ($dsRecord)) {
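Review bot: The `isAdmin()` check on the changed `if` line is folded into the table comparison, so a non-admin request is handled exactly like a request for any other table and falls through to whatever follows this `if`, which the hunk does not show. Please confirm that path cannot reach the datasource record or echo connection details, and consider rejecting non-admins once at the top of the wizard with an explicit access-denied result instead of guarding only this branch. That would also make the restriction named in the subject line visible in the code, and a one-line comment on why the check exists would help later readers. The switch from `==` to `===` is a sensible tightening but is unrelated to the access fix, so it deserves a mention in the commit message.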