Commit 75cc3d6b authored by Oliver Hader, committed by Oliver Hader

[SECURITY] Deny pages' TSconfig and tsconfig_includes for non-admins

Fields `TSconfig` and `tsconfig_includes` of table `pages` can be
misused by restricted users to contain malicious instructions and
lead to cross-site scripting as well as arbitrary code execution.
Since user input cannot be sanitized properly, the field is now
available for admin users only. In addition, directory traversal
in TSconfig static includes has been mitigated.

Resolves: #88565
Releases: master, 9.5, 8.7
Security-Commit: b4ab9cd1f0539b3af675b94aa01d26e5c4b3a1d9
Security-Bulletin: TYPO3-CORE-SA-2019-019
Change-Id: I712364fde6a76ad761a0b738756cb151dc5c22e1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61145


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent 3a48bb6c
Showing with 229 additions and 9 deletions
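The commit message says traversal in TSconfig static includes was mitigated but not how. The block below is an added illustration, not TYPO3's code and not the patch in this commit: it shows the containment check a loader of editor-controlled include paths needs before opening a file. The `EXT:` prefix, the root directory it maps to, the comma-separated list format and the `.tsconfig` file names are assumptions constructed for the example.

```python
from pathlib import Path, PurePosixPath

# Constructed for this example: the only accepted prefix and the directory
# it is allowed to reach. The layout is an assumption, not TYPO3's.
INCLUDE_ROOTS = {"EXT": Path("/var/www/html/typo3conf/ext")}


class IncludeRejected(ValueError):
    """Raised when an include entry cannot be mapped safely onto a root."""


def resolve_include(entry: str, roots=INCLUDE_ROOTS) -> Path:
    """Map 'PREFIX:relative/file' onto an allowed root directory.

    Rejects unknown prefixes, absolute paths, '..' segments and empty
    paths up front, then re-checks the fully resolved path so that a
    symlink inside the root cannot lead outside it either.
    """
    prefix, sep, relative = entry.strip().partition(":")
    if not sep or prefix not in roots:
        raise IncludeRejected(f"unknown include prefix in {entry!r}")

    rel = PurePosixPath(relative)
    # PurePosixPath normalises '.' and '//' but keeps '..' visible in parts.
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise IncludeRejected(f"path escapes include root: {entry!r}")

    base = roots[prefix].resolve()
    candidate = (base / rel).resolve()  # follows symlinks, strict=False
    if candidate == base or base not in candidate.parents:
        raise IncludeRejected(f"path escapes include root: {entry!r}")
    return candidate


def resolve_include_list(value: str, roots=INCLUDE_ROOTS) -> list:
    """Resolve a comma-separated list of entries (assumed storage format).

    One bad entry rejects the whole list, so a traversal attempt cannot be
    smuggled in next to valid includes.
    """
    return [resolve_include(e, roots) for e in value.split(",") if e.strip()]


def is_safe_include(entry: str, roots=INCLUDE_ROOTS) -> bool:
    """Boolean form of resolve_include for callers that only need a verdict."""
    try:
        resolve_include(entry, roots)
    except IncludeRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one benign include and several traversal attempts.
    for sample in (
        "EXT:my_ext/Configuration/TsConfig/Page/All.tsconfig",
        "EXT:my_ext/../../../etc/passwd",
        "EXT:/etc/passwd",
        "FILE:typo3conf/ext/my_ext/Page.tsconfig",
    ):
        print(f"{sample!r}: {'allowed' if is_safe_include(sample) else 'rejected'}")
```

The segment check alone would be enough for literal `..`; the second comparison on the resolved path is what also covers a symlink planted inside the root, which is why both are kept.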