Commit 9ba09a9f authored by Christian Kuhn's avatar Christian Kuhn Committed by Oliver Hader

[SECURITY][FEATURE] Disable import module for non admin users

To mitigate a potential insecure unserialize issue in the core:
Disable the import module of extension impexp for non admin users
if the module is not explicitly enabled for this user or group.

Introduce userTsConfig option
options.impexp.enableImportForNonAdminUser

Create a hook in page tree context menu to handle the item removal.

The v8 series is not directly affected by the underlying security
issue, but 7.6 and 6.2 are.

Resolves: #73461
Releases: master, 7.6, 6.2
Security-Commit: 3ce6c6e064b3dd67051c573646e28c636937cd86
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I423122641308a6586cd3977957d4ee0bf0c8ef6b
Reviewed-on: https://review.typo3.org/49080


Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 7fc25564
......@@ -275,7 +275,24 @@ class ContextMenuDataProvider
$additionalItems[] = $item;
}
}
return array_merge($disableItems, $additionalItems);
$disableItems = array_merge($disableItems, $additionalItems);
// Further manipulation of disableItems array via hook
// @internal: This is an internal hook for extension impexp only, this hook may change without further notice
if (!empty($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'])
&& is_array($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'])
) {
$hooks = $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'];
foreach ($hooks as $hook) {
$parameterArray = [
'disableItems' => &$disableItems,
];
$null = null;
GeneralUtility::callUserFunction($hook, $parameterArray, $null);
}
}
return $disableItems;
}
/**
......
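Review bot: The new `disableItems` hook loop only removes entries from the rendered context menu, but placed next to an `@internal` notice a reader may take it for an access-control point, and nothing on the receiving side checks what hooks push into `$disableItems`. I would extend the comment above the `if` to say so: `// NOTE: this only hides menu entries; it is not an access check - the target module must enforce its own permissions.` Building `$parameterArray` and `$null` inside the `foreach` is also unnecessary, since `$parameterArray` holds a reference to `$disableItems` and is never reassigned; both can be hoisted above the loop. The enclosing method starts before the hunk.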
=============================================================
Breaking: #73461 - Import module disabled for non admin users
=============================================================
Description
===========
The import module of extension "impexp" has been disabled for non-admin users by default.
Impact
======
For non-admin users who need that functionality, the userTsConfig option :ts:`options.impexp.enableImportForNonAdminUser = 1` must be set. This can have a negative security impact to the TYPO3 instance in core versions 7.6 and 6.2 and should only be enabled for "trustworthy" backend users in general.
Affected Installations
======================
Installations with non-admin users making active use of the import / export module
Migration
=========
Set userTsConfig option :ts:`options.impexp.enableImportForNonAdminUser = 1` to restore the old behavior.
\ No newline at end of file
==========================================================
Feature: #73461 - Enable import module for non admin users
==========================================================
Description
===========
The new userTsConfig option :ts:`options.impexp.enableImportForNonAdminUser` can be used to enable
the import module of EXT:impexp for non admin users.
Impact
======
This option should be enabled for "trustworthy" backend users only.
\ No newline at end of file
......@@ -15,6 +15,7 @@ namespace TYPO3\CMS\Impexp;
*/
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Imaging\Icon;
use TYPO3\CMS\Core\Imaging\IconFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;
......@@ -76,20 +77,24 @@ class Clickmenu
1
);
if ($table === 'pages') {
$urlParameters = array(
'id' => $uid,
'table' => $table,
'tx_impexp' => array(
'action' => 'import'
),
);
$url = BackendUtility::getModuleUrl('xMOD_tximpexp', $urlParameters);
$localItems[] = $backRef->linkItem(
htmlspecialchars($this->getLanguageService()->getLLL('import', $LL)),
$this->iconFactory->getIcon('actions-document-import-t3d', Icon::SIZE_SMALL),
$backRef->urlRefForCM($url),
1
);
$backendUser = $this->getBackendUser();
$isEnabledForNonAdmin = $backendUser->getTSConfig('options.impexp.enableImportForNonAdminUser');
if ($backendUser->isAdmin() || !empty($isEnabledForNonAdmin['value'])) {
$urlParameters = array(
'id' => $uid,
'table' => $table,
'tx_impexp' => array(
'action' => 'import'
),
);
$url = BackendUtility::getModuleUrl('xMOD_tximpexp', $urlParameters);
$localItems[] = $backRef->linkItem(
htmlspecialchars($this->getLanguageService()->getLLL('import', $LL)),
$this->iconFactory->getIcon('actions-document-import-t3d', Icon::SIZE_SMALL),
$backRef->urlRefForCM($url),
1
);
}
}
}
return array_merge($menuItems, $localItems);
......@@ -112,4 +117,12 @@ class Clickmenu
{
return $GLOBALS['LANG'];
}
/**
* @return BackendUserAuthentication
*/
protected function getBackendUser()
{
return $GLOBALS['BE_USER'];
}
}
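Review bot: The authorization predicate `$backendUser->isAdmin() || !empty($isEnabledForNonAdmin['value'])` added in the `pages` branch is the same rule the commit also spells out in `ImportExportController::main()` and in `ContextMenuDisableItemsHook`; three hand-written copies of a security predicate will drift, and the menu would then disagree with the enforcing check. I would move it into one static helper, for example `ImportExportController::isImportAllowedFor(BackendUserAuthentication $user): bool`, and call it from all three sites so this hunk becomes `if (ImportExportController::isImportAllowedFor($backendUser)) {`. As the `['value']` lookup implies an array return from `getTSConfig()`, `!empty(...)` treats `0` and `'0'` as disabled, which is presumably intended and worth a one-line comment. The method containing the first hunk begins before it.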
......@@ -177,6 +177,7 @@ class ImportExportController extends BaseScriptClass
*
* @throws \BadFunctionCallException
* @throws \InvalidArgumentException
* @throws \RuntimeException
* @return void
*/
public function main()
......@@ -217,6 +218,15 @@ class ImportExportController extends BaseScriptClass
$this->standaloneView->setTemplate('Export.html');
break;
case 'import':
$backendUser = $this->getBackendUser();
$isEnabledForNonAdmin = $backendUser->getTSConfig('options.impexp.enableImportForNonAdminUser');
if (!$backendUser->isAdmin() && empty($isEnabledForNonAdmin['value'])) {
throw new \RuntimeException(
'Import module is disabled for non admin users and '
. 'userTsConfig options.impexp.enableImportForNonAdminUser is not enabled.',
1464435459
);
}
$this->shortcutName = $this->lang->getLL('title_import');
if (GeneralUtility::_POST('_upload')) {
$this->checkUpload();
......
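Review bot: The new guard in `case 'import':` throws a bare `\RuntimeException`, which turns an authorization failure into an unhandled-exception page rather than an access-denied response for an editor who merely followed a stale link; a dedicated exception class, or a flash message with a fallback to the export view, would make the denial intentional and catchable. Since this is the only place where the restriction is actually enforced - the context-menu changes elsewhere in the commit are cosmetic - a comment should say so, e.g. `// Enforcing check: the context menu only hides the entry; any direct request must be rejected here.` I cannot tell from this hunk whether import processing is reachable through any path other than this `case` branch; if it is, the same check is needed there. `main()` starts and ends outside the hunk.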
<?php
namespace TYPO3\CMS\Impexp\Hook;
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
/**
* Hook for page tree context menu to suppress "import .t3d" menu item
* if user is no admin and options.impexp.enableImportForNonAdminUser is
* not set in userTsConfig
*/
class ContextMenuDisableItemsHook
{
/**
* Remove import functionality from page tree context menu
* if user is no admin and this module is not enabled via userTsConfig
*
* Modifies $parameters array by reference!
*
* @param array $parameters Parameter array
*/
public function disableImportForNonAdmin(array $parameters)
{
$backendUser = $this->getBackendUser();
if (!$backendUser->isAdmin()) {
$isEnabledForNonAdmin = $backendUser->getTSConfig('options.impexp.enableImportForNonAdminUser');
if (empty($isEnabledForNonAdmin['value'])) {
$parameters['disableItems'][] = 'importT3d';
}
}
}
/**
* @return BackendUserAuthentication
*/
protected function getBackendUser()
{
return $GLOBALS['BE_USER'];
}
}
\ No newline at end of file
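Review bot: `disableImportForNonAdmin()` declares `array $parameters` by value while its docblock says it modifies the array by reference; the write only takes effect because the caller places a PHP reference into `$parameters['disableItems']`, so a caller or unit test passing a plain array would silently see no change. Declaring the parameter as `array &$parameters` makes the contract explicit and matches the docblock. The two nested `if`s can also be collapsed into `if (!$backendUser->isAdmin() && empty($isEnabledForNonAdmin['value']))` to mirror the wording of the check in `ImportExportController`, and the literal `'importT3d'` deserves a short comment naming the menu item it must match, since it is the only coupling to the context-menu code.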
......@@ -47,4 +47,8 @@ if (TYPO3_MODE === 'BE') {
}
}
');
// Hook into page tree context menu to remove "import" items again if user is not admin or module
// is not enabled for this user / group
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['backend']['contextMenu']['disableItems'][]
= \TYPO3\CMS\Impexp\Hook\ContextMenuDisableItemsHook::class . '->disableImportForNonAdmin';
}
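Review bot: The comment above the hook registration states the rule with the wrong connective - the item is removed when the user is not an admin *and* the option is not set, not "not admin or module is not enabled", so as written it suggests admins could lose the entry. I would change it to `// Hook into page tree context menu to remove the "import" item again if the user is not an admin and the module has not been enabled for this user / group via userTsConfig`. The surrounding `if (TYPO3_MODE === 'BE')` block starts before the hunk.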