From 5782f4aa6e6b7ba0b70fa4ddcafb6ee6fc9afb7c Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Thu, 26 Nov 2020 13:48:44 +0100
Subject: [PATCH] [!!!][TASK] Remove global option "lockBeUserToDBmounts"
The global configuration option, which is always active by
default, restricts ALL non-administrators to be locked in to
their webroots (DB mounts).
Disabling this option would allow any editor to see the whole
page tree, overriding most of the concepts used in TYPO3
Backend and permission handling.
As stated in the description of the option, it is highly
recommended for security reasons to leave this option enabled.
This option is removed to streamline TYPO3's permission handling.
Resolves: #92940
Releases: master
Change-Id: I15f6538bdb34077a99cb8d2db7a21e60492bb923
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66908
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
---
.../BackendUserAuthentication.php | 5 +-
.../core/Classes/Database/QueryGenerator.php | 4 +-
.../core/Classes/Database/QueryView.php | 2 +-
.../Configuration/DefaultConfiguration.php | 1 -
.../DefaultConfigurationDescription.yaml | 3 --
...lobalOptionLockBeUserToDBmountsRemoved.rst | 48 +++++++++++++++++++
.../BackendUserAuthenticationTest.php | 1 -
.../SilentConfigurationUpgradeService.php | 2 +
.../Php/ArrayDimensionMatcher.php | 5 ++
.../Classes/Database/QueryGenerator.php | 6 +--
10 files changed, 63 insertions(+), 14 deletions(-)
create mode 100644 typo3/sysext/core/Documentation/Changelog/master/Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst
diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
index 75edc441b37d..e669b178f191 100644
--- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -365,8 +365,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
* The point is that this will add the security that a user can NEVER touch parts outside his mounted
* pages in the page tree. This is otherwise possible if the raw page permissions allows for it.
* So this security check just makes it easier to make safe user configurations.
- * If the user is admin OR if this feature is disabled
- * (fx. by setting TYPO3_CONF_VARS['BE']['lockBeUserToDBmounts']=0) then it returns "1" right away
+ * If the user is admin then it returns "1" right away
* Otherwise the function will return the uid of the webmount which was first found in the rootline of the input page $id
*
* @param int|array $idOrRow Page ID or full page record to check
@@ -377,7 +376,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
*/
public function isInWebMount($idOrRow, $readPerms = '', $exitOnError = 0)
{
- if (!$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts'] || $this->isAdmin()) {
+ if ($this->isAdmin()) {
return 1;
}
$checkRec = [];
diff --git a/typo3/sysext/core/Classes/Database/QueryGenerator.php b/typo3/sysext/core/Classes/Database/QueryGenerator.php
index ea4887cc799e..202e27dfd89b 100644
--- a/typo3/sysext/core/Classes/Database/QueryGenerator.php
+++ b/typo3/sysext/core/Classes/Database/QueryGenerator.php
@@ -925,7 +925,7 @@ class QueryGenerator
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
@@ -1657,7 +1657,7 @@ class QueryGenerator
$queryBuilder->setMaxResults((int)$this->extFieldLists['queryLimit']);
}
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
diff --git a/typo3/sysext/core/Classes/Database/QueryView.php b/typo3/sysext/core/Classes/Database/QueryView.php
index b8c1d1d4ac4c..97f578d219fe 100644
--- a/typo3/sysext/core/Classes/Database/QueryView.php
+++ b/typo3/sysext/core/Classes/Database/QueryView.php
@@ -1055,7 +1055,7 @@ class QueryView
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
- if (!$this->backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$this->backendUserAuthentication->isAdmin()) {
$webMounts = $this->backendUserAuthentication->returnWebmounts();
$perms_clause = $this->backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
index 794ba81d3b47..6d8ef133c7d1 100644
--- a/typo3/sysext/core/Configuration/DefaultConfiguration.php
+++ b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -1149,7 +1149,6 @@ return [
'lockIPv6' => 0,
'sessionTimeout' => 28800, // a backend user logged in for 8 hours
'IPmaskList' => '',
- 'lockBeUserToDBmounts' => true,
'lockSSL' => false,
'lockSSLPort' => 0,
'enabledBeUserIPLock' => true,
diff --git a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
index c8b74b36f4d7..28b3eb7dfaf1 100644
--- a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
+++ b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
@@ -291,9 +291,6 @@ BE:
IPmaskList:
type: list
description: 'Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function <code>\TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP())</code>'
- lockBeUserToDBmounts:
- type: bool
- description: 'If set, the backend user is allowed to work only within his page-mount. It''s advisable to leave this on because it makes security easy to manage.'
lockSSL:
type: bool
description: 'If set, the backend can only be operated from an SSL-encrypted connection (https). A redirect to the SSL version of a URL will happen when a user tries to access non-https admin-urls'
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst
new file mode 100644
index 000000000000..2a7238626479
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst
@@ -0,0 +1,48 @@
+.. include:: ../../Includes.txt
+
+===============================================================
+Breaking: #92940 - Global option "lockBeUserToDBmounts" removed
+===============================================================
+
+See :issue:`92940`
+
+Description
+===========
+
+The system-wide setting :php:`$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']`
+which was active by default, was used to allow any non-administrator to access
+all pages in a TYPO3 installation without considering "Web Mounts" / "DB Mounts"
+regardless of their permissions.
+
+It was recommended to keep this setting turned on at any time due to several
+security reasons.
+
+This setting itself breaks TYPO3's internal permission concept and was never
+implemented in all relevant places of TYPO3.
+
+For this reason, the setting and all its usages are removed.
+
+
+Impact
+======
+
+Activating or deactivating this option has no effect anymore as TYPO3 Core API
+is working as this option was enabled at any time.
+
+
+Affected Installations
+======================
+
+TYPO3 installations that have this option disabled in their system-wide
+configuration in the `LocalConfiguration.php` file.
+
+
+Migration
+=========
+
+None, as this feature was removed for security purposes, re-adding this feature
+is not recommended.
+
+All usages in custom TYPO3 extensions can be removed.
+
+.. index:: Backend, LocalConfiguration, FullyScanned, ext:core
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
index 1756bd689723..d0e4e24abdbe 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
+++ b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
@@ -51,7 +51,6 @@ class BackendUserAuthenticationTest extends FunctionalTestCase
*/
protected function setUp(): void
{
- $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts'] = 1;
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieName'] = 'be_typo_user';
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = '';
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockIP'] = 4;
diff --git a/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php b/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
index e4efc135dded..452598713194 100644
--- a/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
+++ b/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
@@ -159,6 +159,8 @@ class SilentConfigurationUpgradeService
'FE/IPmaskMountGroups',
// #87301
'SYS/cookieSecure',
+ // #92940
+ 'BE/lockBeUserToDBmounts',
];
public function __construct(ConfigurationManager $configurationManager)
diff --git a/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php b/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php
index a1b334895189..e3f6b79cd552 100644
--- a/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php
+++ b/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php
@@ -455,4 +455,9 @@ return [
'Deprecation-92062-MigrateRecordListControllerHooksToAnPSR-14Event.rst',
],
],
+ '$GLOBALS[\'TYPO3_CONF_VARS\'][\'BE\'][\'lockBeUserToDBmounts\']' => [
+ 'restFiles' => [
+ 'Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst',
+ ],
+ ],
];
diff --git a/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php b/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
index 6e5e08507d8e..3d11cbe21211 100644
--- a/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
+++ b/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
@@ -1261,7 +1261,7 @@ class QueryGenerator
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
@@ -2050,7 +2050,7 @@ class QueryGenerator
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
@@ -2694,7 +2694,7 @@ class QueryGenerator
$queryBuilder->setMaxResults((int)$this->extFieldLists['queryLimit']);
}
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
--
GitLab