[!!!][SECURITY] Remove old backend_layout wizard 21/28121/2
authorWouter Wolters <typo3@wouterwolters.nl>
Thu, 6 Mar 2014 20:44:02 +0000 (21:44 +0100)
committerHelmut Hummel <helmut.hummel@typo3.org>
Thu, 6 Mar 2014 22:19:17 +0000 (23:19 +0100)
Keeping the old wizard script would not solve
the CSRF attack vector as they could still
be referenced in this kind of attack.

Because of that, we remove it now.

This change provides a backwards compatibility layer.

It will, however, break code that links directly to the
old scripts in other places.

Resolves: #56625
Releases: 6.2
Change-Id: I07577dca0e16cf095e114799ace4a6e344ad5aa3
Reviewed-on: https://review.typo3.org/28121
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
typo3/sysext/backend/Classes/Form/FormEngine.php
typo3/sysext/cms/layout/wizard_backend_layout.php [deleted file]

index d4bd8e7..be8ec9b 100644 (file)
@@ -4193,6 +4193,7 @@ TBE_EDITOR.customEvalFunctions[\'' . $evalData . '\'] = function(value) {
                                                                                                        'wizard_rte.php',
                                                                                                        'wizard_table.php',
                                                                                                        'browse_links.php',
+                                                                                                       'sysext/cms/layout/wizard_backend_layout.php'
                                                                                                ))
                                                                                ) {
                                                                                        $urlParameters = array();
@@ -4200,8 +4201,8 @@ TBE_EDITOR.customEvalFunctions[\'' . $evalData . '\'] = function(value) {
                                                                                                 parse_str($parsedWizardUrl['query'], $urlParameters);
                                                                                        }
                                                                                        $moduleName = str_replace(
-                                                                                               array('.php', 'browse_links'),
-                                                                                               array('', 'wizard_element_browser'),
+                                                                                               array('.php', 'browse_links', 'sysext/cms/layout/wizard_backend_layout'),
+                                                                                               array('', 'wizard_element_browser', 'wizard_backend_layout'),
                                                                                                $parsedWizardUrl['path']
                                                                                        );
                                                                                        $wScript = BackendUtility::getModuleUrl($moduleName, $urlParameters);
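Review bot: The three-element str_replace on the two changed lines is order-dependent and substring-based: '.php' is stripped from the whole path first, so the new search key `sysext/cms/layout/wizard_backend_layout` only matches because it is written without the extension, and any later key that still contains '.php' would silently never match. A comment on the search array would spare the next maintainer that trap, e.g. `// Sequential str_replace: '.php' is removed first, so later search keys must be given without the extension.` Because str_replace matches anywhere in the string, the exact-match whitelist in the first hunk (the in_array condition, whose head lies above it) is what keeps this rewrite confined to the known legacy scripts, so the two lists must stay in lockstep; the new entry there carries a 'sysext/cms/layout/' prefix unlike its siblings, which presumably mirrors how $parsedWizardUrl['path'] is populated from TCA — worth confirming. Finally, this compatibility rewrite only closes the CSRF vector named in the commit message if BackendUtility::getModuleUrl attaches the module token the old script lacked; the hunk does not show that, so it should be verified rather than assumed. The enclosing method continues outside the hunk on both sides.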
diff --git a/typo3/sysext/cms/layout/wizard_backend_layout.php b/typo3/sysext/cms/layout/wizard_backend_layout.php
deleted file mode 100644 (file)
index b2b168f..0000000
+++ /dev/null
@@ -1,43 +0,0 @@
-<?php
-/***************************************************************
- *  Copyright notice
- *
- *  (c) 1999-2013 Kasper Sk?rh?j (kasperYYYY@typo3.com)
- *  All rights reserved
- *
- *  This script is part of the TYPO3 project. The TYPO3 project is
- *  free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  The GNU General Public License can be found at
- *  http://www.gnu.org/copyleft/gpl.html.
- *  A copy is found in the text file GPL.txt and important notices to the license
- *  from the author is found in LICENSE.txt distributed with these scripts.
- *
- *
- *  This script is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  This copyright notice MUST APPEAR in all copies of the script!
- ***************************************************************/
-/**
- * Grid wizard
- */
-require_once 'conf.php';
-require $BACK_PATH . 'init.php';
-$LANG->includeLLFile('EXT:lang/locallang_wizards.xlf');
-/*
- * @deprecated since 6.0, the classname SC_wizard_backend_layout and this file is obsolete
- * and will be removed with 6.2. The class was renamed and is now located at:
- * typo3/sysext/backend/Classes/Controller/BackendLayoutWizardController.php
- */
-require_once \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('backend') . 'Classes/Controller/BackendLayoutWizardController.php';
-// Make instance:
-$SOBE = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Backend\\Controller\\BackendLayoutWizardController');
-$SOBE->init();
-$SOBE->main();
-$SOBE->printContent();