[BUGFIX] Access Close.html from Resources/Public/Html/ 93/54993/3
authorStephan Großberndt <stephan@grossberndt.de>
Fri, 8 Dec 2017 14:38:44 +0000 (15:38 +0100)
committerSusanne Moog <susanne.moog@typo3.org>
Fri, 9 Feb 2018 20:48:13 +0000 (21:48 +0100)
Clicking the close button in an editing popup accesses Close.html in
Resources/Public/Html/, which is a folder accessible by a web user,
instead of Resources/Private/Templates/, which led to an HTTP 403 error
on closing the popup.

Releases: master, 8.7, 7.6
Resolves: #83258
Related: #68108
Change-Id: Ibe7e328936240df436a3c9585e53122f1577dc6e
Reviewed-on: https://review.typo3.org/54993
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
typo3/sysext/backend/Classes/Controller/EditDocumentController.php
typo3/sysext/backend/Resources/Private/Templates/Close.html
typo3/sysext/backend/Resources/Public/Html/Close.html [new file with mode: 0644]
typo3/sysext/feedit/Classes/FrontendEditPanel.php

index 8ad2982..4ce2274 100644 (file)
@@ -36,6 +36,7 @@ use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\HttpUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
+use TYPO3\CMS\Core\Utility\PathUtility;
 use TYPO3\CMS\Extbase\SignalSlot\Dispatcher;
 use TYPO3\CMS\Frontend\Page\PageRepository;
 
@@ -1522,7 +1523,7 @@ class EditDocumentController extends AbstractModule
      */
     public function shortCutLink()
     {
-        if ($this->returnUrl !== ExtensionManagementUtility::extRelPath('backend') . 'Resources/Private/Templates/Close.html') {
+        if ($this->returnUrl !== GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html')) {
             $shortCutButton = $this->moduleTemplate->getDocHeaderComponent()->getButtonBar()->makeShortcutButton();
             $shortCutButton->setModuleName($this->MCONF['name'])
                 ->setGetVariables([
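Review bot: The new guard in shortCutLink() compares `$this->returnUrl` with the result of `GeneralUtility::getFileAbsFileName(...)`, which is an absolute filesystem path, while the value this commit puts into `returnUrl` is the web path from `PathUtility::getAbsoluteWebPath(...)`. Unless returnUrl is normalised to a filesystem path somewhere outside these hunks, the two strings never match, so the shortcut button would also be rendered inside the popup. The same mismatch is in openInNewWindowLink(), where `$closeUrl` holds the filesystem path for the comparison and only the link gets the web path. Comparing against the web path in both places would keep them consistent, for example `$closeUrl = PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html'));` and then `['returnUrl' => $closeUrl]`. Both method bodies continue outside the hunks shown.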
@@ -1543,10 +1544,10 @@ class EditDocumentController extends AbstractModule
      */
     public function openInNewWindowLink()
     {
-        $backendRelPath = ExtensionManagementUtility::extRelPath('backend');
-        if ($this->returnUrl !== $backendRelPath . 'Resources/Private/Templates/Close.html') {
+        $closeUrl = GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html');
+        if ($this->returnUrl !== $closeUrl) {
             $aOnClick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue(GeneralUtility::linkThisScript(
-                ['returnUrl' => $backendRelPath . 'Resources/Private/Templates/Close.html']
+                ['returnUrl' => PathUtility::getAbsoluteWebPath($closeUrl)]
             ))
                 . ','
                 . GeneralUtility::quoteJSvalue(md5($this->R_URI))
index e5fbc77..5a0cfc5 100644 (file)
@@ -2,7 +2,7 @@
 <html>
        <head>
                <!-- Close script, used in particular by FormEngine to close the current edit window -->
-               <!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Private/Templates/close.html -->
+               <!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Private/Templates/Close.html -->
                <meta charset="utf-8" />
                <title>Close</title>
                <script type="text/javascript">
@@ -12,4 +12,4 @@
        </head>
        <body>
        </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/typo3/sysext/backend/Resources/Public/Html/Close.html b/typo3/sysext/backend/Resources/Public/Html/Close.html
new file mode 100644 (file)
index 0000000..1a4faf6
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+       <head>
+               <!-- Close script, used in particular by FormEngine to close the current edit window -->
+               <!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Public/Html/Close.html -->
+               <meta charset="utf-8" />
+               <title>Close</title>
+               <script type="text/javascript">
+                       self.close();
+                       window.opener.location.reload(true);
+               </script>
+       </head>
+       <body>
+       </body>
+</html>
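Review bot: The inline script dereferences `window.opener` without a null check, and it calls `self.close()` before the reload. This copy lives in a web-accessible folder, so it can be loaded directly or in a window that has no opener reference, and then the reload line throws a TypeError. Guarding the opener and reloading first avoids that and does not depend on script execution continuing after the close call: `if (window.opener) { window.opener.location.reload(true); }` followed by `self.close();`. A short comment saying that the file is intentionally public and must stay free of dynamic or sensitive content would also help later maintainers.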
index 51687de..1ca8675 100644 (file)
@@ -19,9 +19,9 @@ use TYPO3\CMS\Core\Database\DatabaseConnection;
 use TYPO3\CMS\Core\Imaging\Icon;
 use TYPO3\CMS\Core\Imaging\IconFactory;
 use TYPO3\CMS\Core\Type\Bitmask\JsConfirmation;
-use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
+use TYPO3\CMS\Core\Utility\PathUtility;
 use TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController;
 use TYPO3\CMS\Frontend\View\AdminPanelView;
 
@@ -304,7 +304,7 @@ class FrontendEditPanel
      */
     protected function editPanelLinkWrap_doWrap($string, $url, $additionalClasses = '')
     {
-        $onclick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue($url . '&returnUrl=' . rawurlencode(ExtensionManagementUtility::extRelPath('backend') . 'Resources/Private/Templates/Close.html')) . ',\'FEquickEditWindow\',\'width=690,height=500,status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
+        $onclick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue($url . '&returnUrl=' . rawurlencode(PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html')))) . ',\'FEquickEditWindow\',\'width=690,height=500,status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
         return '<a href="#" class="btn btn-default btn-sm ' . htmlspecialchars($additionalClasses) . '" onclick="' . htmlspecialchars($onclick) . '" class="frontEndEditIconLinks">' . $string . '</a>';
     }
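Review bot: The new `$onclick` line nests four calls inside one string concatenation, which makes the escaping order hard to audit: `rawurlencode` for the query value, `quoteJSvalue` for the JS string, then `htmlspecialchars` on the following line for the attribute. It is also the third copy of the `EXT:backend/Resources/Public/Html/Close.html` literal in this commit. Pulling the URL into a local first, as openInNewWindowLink() does, would read better: `$closeUrl = PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html'));` and then `rawurlencode($closeUrl)` in the concatenation. A one-line comment stating that the close page must be web-accessible would record why the Public path is used here.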