[SECURITY] Show only explicitly configured page tree information
Backend users were able to see page tree items without having access:

- in case no DB mounts were configured for a particular user and page permissions configured to allow "everybody"
- in case DB mounts were pointing to pages, but actually not having any permission configured for these pages (user/group/everybody)

It was not possible to manipulate any of the affected pages.

Resolves: #104397
Releases: main, 13.3, 12.4, 11.5
Change-Id: I52079c8cef3d78946083403adb23a3e1a706c652
Security-Bulletin: TYPO3-CORE-SA-2024-012
Security-References: CVE-2024-47780
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/86501
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Showing
- typo3/sysext/backend/Classes/Controller/Page/TreeController.php (4 additions, 4 deletions)
- typo3/sysext/backend/Classes/Tree/Repository/PageTreeRepository.php (8 additions, 9 deletions)
- typo3/sysext/backend/Tests/Functional/Controller/Page/Fixtures/PagesWithBEPermissions.yaml (7 additions, 4 deletions)
- typo3/sysext/backend/Tests/Functional/Controller/Page/Fixtures/be_users.csv (2 additions, 0 deletions)
- typo3/sysext/backend/Tests/Functional/Controller/Page/TreeControllerTest.php (49 additions, 3 deletions)