[SECURITY] Hide items in page tree a user does not have access to 01/60701/2
authorOliver Hader <oliver@typo3.org>
Tue, 7 May 2019 09:43:45 +0000 (11:43 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 7 May 2019 09:43:54 +0000 (11:43 +0200)
Due to a pass-by-reference error pages a user does not have access
to were still visible in the page tree.

Resolves: #87676
Releases: master, 9.5
Security-Commit: 5d2c69c00554ec64ea020ec803f593ae772fa367
Security-Bulletin: TYPO3-CORE-SA-2019-009
Change-Id: Ic8ba91b596e1589860bc28b746e551ac6bc47588
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60701
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Tree/Repository/PageTreeRepository.php

index 6f2e764..5875cc1 100644 (file)
@@ -142,7 +142,7 @@ class PageTreeRepository
         if (!isset($tree['_children'])) {
             return;
         }
-        foreach ($tree['_children'] as $k => $childPage) {
+        foreach ($tree['_children'] as $k => &$childPage) {
             if (!call_user_func_array($callback, [$childPage])) {
                 unset($tree['_children'][$k]);
                 continue;