[BUGFIX] "New page" wizard discloses existence of pages outside DB mount 32/22632/5
authorNicole Cordes <typo3@cordes.co>
Sat, 27 Jul 2013 21:13:06 +0000 (23:13 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Fri, 7 Feb 2014 21:52:16 +0000 (22:52 +0100)
When creating a new page at the top level of a DB mount that covers only a
sub tree, the position selector also lists the pages above and below the
DB mount root, provided the logged-in user has read permission on them.
This is an unwanted information disclosure: read permissions must not
matter for pages outside the DB mount, which should not be shown at all.

Resolves: #18797
Releases: 6.2, 6.1, 6.0
Change-Id: I98008bc7f4308c9fb32dae645325e7cb1b44e413
Reviewed-on: https://review.typo3.org/22632
Reviewed-by: Markus Klein
Reviewed-by: Xavier Perseguers
Reviewed-by: Wouter Wolters
Tested-by: Markus Klein
Reviewed-by: Marcin SÄ…gol
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php

index 43f5a7d..576578e 100644 (file)
@@ -771,6 +771,11 @@ abstract class AbstractTreeView {
                $idH = array();
                // Traverse the records:
                while ($crazyRecursionLimiter > 0 && ($row = $this->getDataNext($res, $subCSSclass))) {
+                       if (!$GLOBALS['BE_USER']->isInWebMount($row['uid'])) {
+                               // Current record is not within web mount => skip it
+                               continue;
+                       }
+
                        $a++;
                        $crazyRecursionLimiter--;
                        $newID = $row['uid'];
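Review bot: The `continue` added after the mount check jumps over `$crazyRecursionLimiter--` on the next line, so rows outside the web mount no longer count against the limiter; if the guard is meant to bound work per call rather than per emitted node, move the decrement above the new check (`$crazyRecursionLimiter--;` first, then the `isInWebMount` test). The check also treats every `$row['uid']` as a page uid, but this is an abstract tree view and the traversed table is not visible here — if a subclass feeds a table other than `pages` through this loop, foreign uids would be compared against page mounts, so consider guarding with `if ($this->table === 'pages' && !$GLOBALS['BE_USER']->isInWebMount($row['uid']))` if the table is configurable. Note that `isInWebMount` is presumably resolving the rootline per row, so this adds one lookup per tree node; worth confirming against the size of real trees. The enclosing method starts and ends outside the hunk.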
index e2feab1..640765f 100644 (file)
@@ -542,6 +542,10 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
                if ($this->isAdmin()) {
                        return 31;
                }
+               // Return 0 if page is not within the allowed web mount
+               if (!$this->isInWebMount($row['uid'])) {
+                       return 0;
+               }
                $out = 0;
                if (isset($row['perms_userid']) && isset($row['perms_user']) && isset($row['perms_groupid']) && isset($row['perms_group']) && isset($row['perms_everybody']) && isset($this->groupList)) {
                        if ($this->user['uid'] == $row['perms_userid']) {
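Review bot: The new `isInWebMount($row['uid'])` call reads `uid` unguarded, while the existing line right below checks every other key of `$row` with `isset()`; a partial row without `uid` now raises a notice and passes `null` into the mount check. Fail closed with `if (!isset($row['uid']) || !$this->isInWebMount($row['uid'])) {` so the behaviour matches the defensive style of the rest of the method. This method (apparently calcPerms, given the `return 31` for admins and the `perms_*` handling) looks like a hot path that is consulted for every page permission decision, and `isInWebMount` presumably resolves the rootline from the database on each call — a per-request cache keyed by uid would avoid repeating that lookup. The enclosing method starts and ends outside the hunk.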