Files · da6d0adf500cc933e01f4beda8db26669beaefb6 · accessibility / TYPO3.CMS

[SECURITY] Avoid disclosing loaded extensions

Oliver Hader authored 6 years ago

Inline JavaScript settings for RequireJS and ajaxUrls disclose the
existence of specific extensions in a TYPO3 installation.

In case no backend user is logged in RequireJS settings are fetched
using an according endpoint, ajaxUrls (for backend AJAX routes) are
limited to those that are accessible without having a user session.

Resolves: #83855
Releases: master, 9.5, 8.7
Security-Commit: a9b60d26597449fec46bd26e0b511bc6e423ef24
Security-Bulletin: TYPO3-CORE-SA-2019-001
Change-Id: Ifa4029340e750baaf216fa953bf41b6d06d3138b
Reviewed-on: https://review.typo3.org/59534


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

da6d0adf

History

da6d0adf 6 years ago

History

Name	Last commit	Last update