[SECURITY] Protect frame GET parameter in tx_cms_showpic eID
The "frame" parameter is no longer evaluated in the showpic eID as it allowed uncontrolled resource consumption. This parameter was actually never used by ContentObjectRenderer and existed since the initial commit and is therefore put behind a feature flag.

Resolves: #103306
Releases: main, 13.1, 12.4, 11.5
Change-Id: I87019e58c078c8ccafc0b7ce42fe28b49dc068e4
Security-Bulletin: TYPO3-CORE-SA-2024-010
Security-References: CVE-2024-34358
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84256
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Showing
- typo3/sysext/core/Configuration/DefaultConfiguration.php (1 addition, 0 deletions)
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml (3 additions, 0 deletions)
- typo3/sysext/core/Documentation/Changelog/11.5.x/Important-103306-FrameGETParameterInTx_cms_showpicEIDDisabled.rst (32 additions, 0 deletions)
- typo3/sysext/frontend/Classes/Controller/ShowImageController.php (7 additions, 1 deletion)