[BUGFIX] Mitigate misusing request 'id' as pages-uid in extbase BE
The backend uses the request GET/POST parameter 'id' as a convention for "pages uid" in various places: especially the BackendModuleValidator checks this parameter early, to deny access to pages a BE user has no access to. This convention is a broken misuse: there is no such convention, and for instance the filelist module uses 'id' to transfer a selected "storage-uid:path". The BackendModuleValidator mitigates this by calling MU::canBeInterpretedAsInteger() before interpreting that parameter as a pages-uid.

The extbase BackendConfigurationManager also uses 'id' to retrieve the FE TypoScript configuration for this "pages-uid"; it however does not check with MU::canBeInterpretedAsInteger() first.

The patch adds a MU::canBeInterpretedAsInteger() check to the extbase BackendConfigurationManager to be in line with BackendModuleValidator, and adds `@todo` comments outlining the general misuse of the argument.

Change-Id: I9b53a521bde4d3c145bfda2994d81dc4abf9c103
Resolves: #103540
Related: #96797
Releases: main, 12.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/83674
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
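The check the commit describes, as an added, self-contained illustration that is not TYPO3 core code: a request parameter named 'id' is only treated as a pages uid after it passes an integer test, and anything else (such as the filelist module's "storage-uid:path" value) yields "no page" instead of being fed into a TypoScript or access lookup. The helper names `canBeInterpretedAsInteger` and `resolvePageIdFromRequest` are hypothetical stand-ins written for this example; the integer test mirrors the intent of TYPO3's MathUtility method but is not its implementation, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Helper names are hypothetical stand-ins.

/**
 * True only for values that are a plain integer, possibly in string form
 * ("42", "-3"); rejects "42abc", "1:/fileadmin/", "", null, bools, arrays, objects.
 * Re-implemented here for the example; not TYPO3's MathUtility.
 */
function canBeInterpretedAsInteger(mixed $value): bool
{
    if ($value === '' || $value === null || is_bool($value) || is_array($value) || is_object($value)) {
        return false;
    }
    if (is_int($value)) {
        return true;
    }
    if (!is_string($value) && !is_float($value)) {
        return false;
    }
    // Round-trip through int: only an exact integer survives unchanged.
    return (string)(int)$value === (string)$value;
}

/**
 * Resolves the pages uid from the request's 'id' parameter (POST body first,
 * then query string, as the backend does). Returns 0 ("no page") when 'id' is
 * absent, not an integer, or not a positive uid, so a value like
 * "1:/fileadmin/" is never used to look up TypoScript or page access rights.
 */
function resolvePageIdFromRequest(array $parsedBody, array $queryParams): int
{
    $id = $parsedBody['id'] ?? $queryParams['id'] ?? null;
    if (!canBeInterpretedAsInteger($id)) {
        return 0;
    }
    $uid = (int)$id;
    return $uid > 0 ? $uid : 0;
}

// Constructed sample requests covering the cases the commit message mentions.
$samples = [
    ['body' => [],          'query' => ['id' => '42']],                       // plain pages uid
    ['body' => [],          'query' => ['id' => '1:/fileadmin/user_upload/']], // filelist "storage-uid:path"
    ['body' => [],          'query' => ['id' => '42abc']],                    // not an integer
    ['body' => ['id' => 7], 'query' => ['id' => '99']],                       // POST wins over GET
    ['body' => [],          'query' => []],                                   // parameter absent
];

foreach ($samples as $s) {
    $raw = var_export($s['body']['id'] ?? $s['query']['id'] ?? null, true);
    printf("id=%s -> pages uid %d\n", $raw, resolvePageIdFromRequest($s['body'], $s['query']));
}
// Expected: 42, 0, 0, 7, 0
```

The design point is that the parameter is validated by shape before it is given a meaning: callers that need a pages uid get either a usable uid or 0, and never a raw string that some other module happened to put into 'id'.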
Showing 2 changed files:

- typo3/sysext/backend/Classes/Middleware/BackendModuleValidator.php (5 additions, 0 deletions)
- typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php (11 additions, 1 deletion)