[SECURITY] Avoid disclosing loaded extensions 34/59534/2
author: Oliver Hader <oliver@typo3.org>
Tue, 22 Jan 2019 08:42:46 +0000 (09:42 +0100)
committer: Oliver Hader <oliver.hader@typo3.org>
Tue, 22 Jan 2019 08:42:49 +0000 (09:42 +0100)
commit: da6d0adf500cc933e01f4beda8db26669beaefb6
tree: 00c60e0cafdd33c21444e9f50f890467287671da
parent: 90305f1b1de2c70e4fe958ae231866488816e42f
[SECURITY] Avoid disclosing loaded extensions

Inline JavaScript settings for RequireJS and ajaxUrls disclose the
existence of specific extensions in a TYPO3 installation.

In case no backend user is logged in, RequireJS settings are fetched
using an according endpoint; ajaxUrls (for backend AJAX routes) are
limited to those that are accessible without having a user session.

Resolves: #83855
Releases: master, 9.5, 8.7
Security-Commit: a9b60d26597449fec46bd26e0b511bc6e423ef24
Security-Bulletin: TYPO3-CORE-SA-2019-001
Change-Id: Ifa4029340e750baaf216fa953bf41b6d06d3138b
Reviewed-on: https://review.typo3.org/59534
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
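The ajaxUrls part of the mitigation, as an added illustration that is not code from the commit or from TYPO3 itself: the route table, the `access => 'public'` marker, the `buildAjaxUrls()` function and the URL format are all assumptions constructed for this example, and the RequireJS endpoint half of the fix is not covered.

```php
<?php
declare(strict_types=1);

// Constructed route table in the shape assumed for AjaxRoutes.php:
// route name => ['path' => ..., 'access' => 'public' (optional)].
// The extension-specific entry is made up for this illustration.
const AJAX_ROUTES = [
    'login_refresh'           => ['path' => '/login/refresh', 'access' => 'public'],
    'rsa_publickey'           => ['path' => '/rsa/publickey', 'access' => 'public'],
    'record_process'          => ['path' => '/record/process'],
    'example_ext_widget_data' => ['path' => '/example-ext/widget/data'],
];

/**
 * Build the ajaxUrls map that gets inlined into the backend page.
 * Without a backend user session only routes explicitly marked
 * public are emitted, so routes registered by individual extensions
 * (and therefore the set of loaded extensions) are not disclosed to
 * unauthenticated requests. Hypothetical helper, not TYPO3's own API.
 *
 * @param array<string, array{path: string, access?: string}> $routes
 * @return array<string, string> route name => URL
 */
function buildAjaxUrls(array $routes, bool $hasBackendUser, string $baseUrl = '/typo3/index.php'): array
{
    $urls = [];
    foreach ($routes as $name => $route) {
        $isPublic = ($route['access'] ?? '') === 'public';
        if (!$hasBackendUser && !$isPublic) {
            continue; // non-public route: skip while no session exists
        }
        $urls[$name] = $baseUrl . '?route=' . rawurlencode($route['path']);
    }
    return $urls;
}

// Authenticated session: the full map, including extension routes.
$authenticated = buildAjaxUrls(AJAX_ROUTES, true);
// No session: only the public subset is ever written into the page.
$anonymous = buildAjaxUrls(AJAX_ROUTES, false);

if (!isset($authenticated['example_ext_widget_data'])) {
    throw new RuntimeException('logged-in users must still get extension routes');
}
if (array_keys($anonymous) !== ['login_refresh', 'rsa_publickey']) {
    throw new RuntimeException('anonymous output must be limited to public routes');
}
echo json_encode($anonymous, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

A quick check on a real installation is to fetch the backend login page without a session cookie and confirm the inlined ajaxUrls contain no extension-specific route names.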
typo3/sysext/backend/Classes/Middleware/BackendUserAuthenticator.php
typo3/sysext/core/Classes/Controller/RequireJsController.php [new file with mode: 0644]
typo3/sysext/core/Classes/Page/PageRenderer.php
typo3/sysext/core/Configuration/Backend/AjaxRoutes.php [new file with mode: 0644]
typo3/sysext/core/Resources/Public/JavaScript/requirejs-loader.js [new file with mode: 0644]
typo3/sysext/core/ext_localconf.php