[BUGFIX][SECURITY] Arbitrary TypoScript execution on system extension form
The new system extension form can be used to render custom FORM elements as well as regular cObjects like TEXT or COA. Since the form wizard can be used by any editor in the backend and writes data to the field bodytext, this can also be used to execute arbitrary TypoScript without further access checks.

This change introduces two defined and allowed content elements "header" and "textblock" that can be defined by using the form wizard. If the TypoScript that was generated by the mentioned wizard is rendered, regular cObjects are disabled. If the FORM or FORM_INT cObject is used directly from a TypoScript template, all possible cObjects can still be used.

Change-Id: I573764de7583b078456e71e95ea7903b433c29db
Resolves: #30095
Releases: 4.6
Reviewed-on: http://review.typo3.org/5128
Reviewed-by: Andreas Wolf
Reviewed-by: Frederic Gaus
Tested-by: Frederic Gaus
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
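As an added example (not code from this commit or from TYPO3), the allow-list check the fix describes, in standalone PHP: TypoScript that the wizard saved to bodytext is walked and every element whose type is not a permitted form element is reported, so regular cObjects such as COA or TEXT are never handed to the renderer from editor-controlled data, while a FORM defined in a TypoScript template is not passed through this check. The nested-array layout (key "10" holds the element type, "10." its sub-configuration) follows TYPO3's parsed-TypoScript convention; the function name, the allow-list and the sample data are assumptions.

```php
<?php
// Element types an editor may produce through the wizard (assumed list).
const WIZARD_ALLOWED_TYPES = ['FORM', 'FIELDSET', 'TEXTLINE', 'TEXTAREA',
    'CHECKBOX', 'RADIO', 'SELECT', 'SUBMIT', 'HEADER', 'TEXTBLOCK'];

// Walks a parsed TypoScript array (key "10" = element type, key "10." = its
// sub-configuration) and returns "path = TYPE" for every element whose type
// is not on the allow-list. An empty result means only permitted form elements.
function findDisallowedElements(array $config, array $allowed, string $path = ''): array
{
    $violations = [];
    foreach ($config as $key => $value) {
        // Only numeric keys name child elements; properties and "10." are skipped.
        if (!ctype_digit((string) $key) || !is_scalar($value)) {
            continue;
        }
        $type = strtoupper(trim((string) $value));
        $here = $path . $key;
        if (!in_array($type, $allowed, true)) {
            $violations[] = $here . ' = ' . $type;
            continue; // Do not descend into a rejected cObject.
        }
        $children = $config[$key . '.'] ?? [];
        if (is_array($children)) {
            $violations = array_merge(
                $violations,
                findDisallowedElements($children, $allowed, $here . '.')
            );
        }
    }
    return $violations;
}

// Constructed sample of what an editor could have saved to bodytext before
// the fix: a regular COA/TEXT cObject next to genuine form elements.
$wizardOutput = [
    '10' => 'HEADER',
    '10.' => ['content' => 'Contact'],
    '20' => 'TEXTLINE',
    '20.' => ['name' => 'email'],
    '30' => 'COA',
    '30.' => ['10' => 'TEXT', '10.' => ['value' => 'not a form element']],
    '40' => 'SUBMIT',
];
$violations = findDisallowedElements($wizardOutput, WIZARD_ALLOWED_TYPES);
if ($violations !== []) {
    // Refuse to render wizard-generated TypoScript that contains cObjects.
    fwrite(STDERR, 'Rejected: ' . implode(', ', $violations) . PHP_EOL);
}
```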
Showing 20 changed files:
- typo3/sysext/form/Classes/Common.php (21 additions, 19 deletions)
- typo3/sysext/form/Classes/Controller/Form.php (21 additions, 14 deletions)
- typo3/sysext/form/Classes/Domain/Factory/JsonToTyposcript.php (8 additions, 13 deletions)
- typo3/sysext/form/Classes/Domain/Factory/Typoscript.php (53 additions, 29 deletions)
- typo3/sysext/form/Classes/Domain/Factory/TyposcriptToJson.php (0 additions, 3 deletions)
- typo3/sysext/form/Classes/Domain/Model/Element/Abstract.php (17 additions, 0 deletions)
- typo3/sysext/form/Classes/Domain/Model/Element/AbstractPlain.php (91 additions, 0 deletions)
- typo3/sysext/form/Classes/Domain/Model/Element/Content.php (5 additions, 0 deletions)
- typo3/sysext/form/Classes/Domain/Model/Element/Header.php (58 additions, 0 deletions)
- typo3/sysext/form/Classes/Domain/Model/Element/Textblock.php (35 additions, 0 deletions)
- typo3/sysext/form/Classes/Domain/Model/JSON/Header.php (6 additions, 7 deletions)
- typo3/sysext/form/Classes/Domain/Model/JSON/Textblock.php (92 additions, 0 deletions)
- typo3/sysext/form/Classes/View/Form/Element/Abstract.php (2 additions, 0 deletions)
- typo3/sysext/form/Classes/View/Form/Element/Header.php (42 additions, 0 deletions)
- typo3/sysext/form/Classes/View/Form/Element/Textblock.php (42 additions, 0 deletions)
- typo3/sysext/form/Classes/View/Wizard/Wizard.php (1 addition, 0 deletions)
- typo3/sysext/form/Resources/Private/Configuration/PageTSconfig/modWizards.ts (4 additions, 1 deletion)
- typo3/sysext/form/Resources/Private/Language/locallang_wizard.xlf (14 additions, 6 deletions)
- typo3/sysext/form/Resources/Public/CSS/Wizard/Wizard.css (4 additions, 0 deletions)
- typo3/sysext/form/Resources/Public/Images/edit-textblock.png (0 additions, 0 deletions)