[SECURITY] Deny access to import module for non-admin users 43/61143/2
author Oliver Hader <oliver@typo3.org>
Tue, 25 Jun 2019 06:41:42 +0000 (08:41 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 25 Jun 2019 06:41:47 +0000 (08:41 +0200)
Due to an incomplete condition it was possible for regular
backend users to make use of the import module - which only
would be accessible to admin users or to those users who have
User TSconfig `options.impexp.enableImportForNonAdminUser`
enabled.

Resolves: #88284
Releases: master, 9.5
Security-Commit: a3ca05df1e9e9269b45daf9dd79517df9d202604
Security-Bulletin: TYPO3-CORE-SA-2019-017
Change-Id: I9ac9a026d5715f9c03eda37f0ef84178640b2f1d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61143
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/impexp/Classes/Controller/ImportExportController.php

index 56618c2..ae18085 100644 (file)
@@ -241,7 +241,7 @@ class ImportExportController
             case 'import':
                 $backendUser = $this->getBackendUser();
                 $isEnabledForNonAdmin = (bool)($backendUser->getTSConfig()['options.']['impexp.']['enableImportForNonAdminUser'] ?? false);
-                if (!$backendUser->isAdmin() && $isEnabledForNonAdmin) {
+                if (!$backendUser->isAdmin() && !$isEnabledForNonAdmin) {
                     throw new \RuntimeException(
                         'Import module is disabled for non admin users and '
                         . 'userTsConfig options.impexp.enableImportForNonAdminUser is not enabled.',
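Review bot: the corrected guard on the `+` line, `!$backendUser->isAdmin() && !$isEnabledForNonAdmin`, has no accompanying test visible in this change, and the defect it fixes was a single missing negation that passed review once already. Suggest a functional test for the `case 'import':` branch that covers all four combinations of `isAdmin()` and `options.impexp.enableImportForNonAdminUser`, asserting that the exception is thrown only for a non-admin user without the option set. It would also read more safely as a positive check, for example computing an `$isAllowed = $backendUser->isAdmin() || $isEnabledForNonAdmin` value and throwing on `!$isAllowed`, so the deny path is the default and a dropped `!` cannot silently open the module again.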