--- /dev/null
+.. include:: ../../Includes.txt
+
+=====================================================================
+Breaking: #88681 - Import of PHP files in Import/Export files removed
+=====================================================================
+
+See :issue:`88681`
+
+Description
+===========
+
+Importing XML data via `EXT:impexp` previously allowed to import PHP files for Administrators
+in TYPO3 Backend. This by-pass functionality is removed, and the configured File Deny Pattern
+now applies for all imports in order to streamline import functionality with other file
+operations within TYPO3 Core.
+
+
+Impact
+======
+
+Importing XML files with embedded PHP files via EXT:impexp will trigger an import error and disallow
+the import of the file.
+
+
+Affected Installations
+======================
+
+Any TYPO3 installations using the data importer that use import files with included PHP files.
+
+
+Migration
+=========
+
+Ensure to include PHP files into a custom local extension, as importing PHP code is highly
+discouraged - even for administrators.
+
+.. index:: PHP-API, NotScanned, ext:impexp
\ No newline at end of file
$import->global_ignore_pid = $inData['global_ignore_pid'];
$import->force_all_UIDS = $inData['force_all_UIDS'];
$import->showDiff = !$inData['notShowDiff'];
- $import->allowPHPScripts = $inData['allowPHPScripts'];
$import->softrefInputValues = $inData['softrefInputValues'];
// OUTPUT creation:
}
}
$fI = GeneralUtility::split_fileref($fileName);
- if (!$fileProcObj->checkIfAllowed($fI['fileext'], $fI['path'], $fI['file']) && (!$this->allowPHPScripts || !$this->getBackendUser()->isAdmin())) {
+ if (!$fileProcObj->checkIfAllowed($fI['fileext'], $fI['path'], $fI['file'])) {
$this->error('ERROR: Filename "' . $fileName . '" failed against extension check or deny-pattern!');
return false;
}
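Review bot: The now-unconditional `checkIfAllowed()` guard has no comment recording that the admin exception was removed on purpose, so a later change could reintroduce a bypass without noticing the security intent. I would add above the `if`: `// Deny pattern applies to every backend user, admins included (#88681); do not add a bypass here.` The protection now rests entirely on what `checkIfAllowed()` enforces, which per the changelog entry is the configured File Deny Pattern, so an installation that has loosened that pattern is presumably not protected by this change alone. A functional test that imports a file with a denied extension as an admin and asserts the error would pin the behaviour. The enclosing method starts and ends outside the hunk.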
*/
public $showDiff = false;
- /**
- * If set, and if the user is admin, allow the writing of PHP scripts to fileadmin/ area.
- *
- * @var bool
- */
- public $allowPHPScripts = false;
-
/**
* Array of values to substitute in editable softreferences.
*
$fileProcObj = $this->getFileProcObj();
if ($fileProcObj->actionPerms['addFile']) {
$testFI = GeneralUtility::split_fileref(Environment::getPublicPath() . '/' . $fI['relFileName']);
- if (!$this->allowPHPScripts && !$fileProcObj->checkIfAllowed($testFI['fileext'], $testFI['path'], $testFI['file'])) {
+ if (!$fileProcObj->checkIfAllowed($testFI['fileext'], $testFI['path'], $testFI['file'])) {
$pInfo['msg'] .= 'File extension was not allowed!';
}
} else {
- $pInfo['msg'] = 'You user profile does not allow you to create files on the server!';
+ $pInfo['msg'] = 'Your user profile does not allow you to create files on the server!';
}
}
$pInfo['showDiffContent'] = PathUtility::stripPathSitePrefix($this->fileIDMap[$ID]);
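Review bot: The preview message on the changed `checkIfAllowed()` branch still reads 'File extension was not allowed!', while the same check in the write path reports a failure "against extension check or deny-pattern"; now that the check always runs, both places should describe it the same way. Suggested: `$pInfo['msg'] .= 'File failed against extension check or deny-pattern!';`. In the visible lines a failed check only appends to `$pInfo['msg']` and nothing else marks the entry as rejected, so it is worth confirming that enforcement is relied on only in the write path. The tested path is built by concatenating `Environment::getPublicPath()` with `$fI['relFileName']`; if that value originates from the import file, as it appears to, confirm that `checkIfAllowed()` rejects names resolving outside the intended folder. The enclosing method starts and ends outside the hunk.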
<trans-unit id="options.details" xml:space="preserve">
<source><b>Do not show differences in records</b>
When a structure has been imported you will see a difference view of all records which tells you whether the written content matched the import data or if not, what changed. In many cases content <i>should</i> change (eg. relations and file references) so it is not an error if you see red and green values. Basically the difference view is a feature you can use for visual validation of the import success. It brings piece-of-mind to those who is enlightened to understand what it tells... :-)
-Green strings represent the actual written data while red represents the original value from the import file and black represents data that is the same.
-
-<b>Allow to write banned file extensions (eg. PHP scripts), if any</b>
-Also an option for admins-only; Allows PHP-files (for example from soft references in TypoScript templates) to be written to the system. This is normally not allowed behavior for security reasons.</source>
+Green strings represent the actual written data while red represents the original value from the import file and black represents data that is the same.</source>
</trans-unit>
<trans-unit id="_options.image" xml:space="preserve">
<source>EXT:impexp/Resources/Public/Images/cshimages/impexp_misc3.png,
EXT:impexp/Resources/Public/Images/cshimages/phpext.png</source>
<note from="developer">This string contains an internal text, which must not be changed. Just copy the original text into the translation field. For more information have a look at the Tutorial.</note>
</trans-unit>
- <trans-unit id="options.image_descr" xml:space="preserve">
- <source>Options for import.
-Here you are told that this PHP file cannot be allowed - because you didn't select the option "Allow to write banned file extensions (eg. PHP scripts), if any"</source>
- </trans-unit>
<trans-unit id="action.alttitle">
<source>Import Action</source>
</trans-unit>
<p class="help-block">(<f:translate key="importdata_greenValuesAreFrom" />)</p>
</div>
<f:if condition="{isAdmin}">
- <div class="form-group">
- <label for="checkAllowPHPScripts">
- <f:form.checkbox name="tx_impexp[allowPHPScripts]" id="checkAllowPHPScripts" value="1"
- checked="{inData.allowPHPScripts} == 1" />
- <f:translate key="importdata_allowToWriteBanned" />
- </label>
- </div>
<f:if condition="!{inData.do_update}">
<div class="form-group">
<label for="checkForce_all_UIDS">