typo3/sysext/impexp/Classes/Controller/ImportExportController.php · 9ba09a9f270bdb568f0ed57d1912820bd869f5a6 · accessibility / TYPO3.CMS

[SECURITY][FEATURE] Disable import module for non admin users · 9ba09a9f

Christian Kuhn authored Jul 19, 2016 and

Oliver Hader committed Jul 19, 2016

To mitigate a potential insecure unserialize issue in the core:
Disable the import module of extension impexp for non admin users
if the module is not explicitely enabled for this user or group.

Introduce userTsConfig option
options.impexp.enableImportForNonAdminUser

Create a hook in page tree context menu to handle the item removal.

The v8 series is not directly affected by the underlying security
issue, but 7.6 and 6.2 are.

Resolves: #73461
Releases: master, 7.6, 6.2
Security-Commit: 3ce6c6e064b3dd67051c573646e28c636937cd86
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I423122641308a6586cd3977957d4ee0bf0c8ef6b
Reviewed-on: https://review.typo3.org/49080


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

9ba09a9f