diff --git a/TODO.txt b/TODO.txt
index 224af4d009111d0ecff4b8e7373380ed4a3d3c3a..88bbc99f7f3d4b1fa8e25d0069c5794067416558 100755
--- a/TODO.txt
+++ b/TODO.txt
@@ -818,7 +818,7 @@ DB->HTML
 - Basically this is an rsync/ftp sync question which requires a set of static files.
 - Also a "mixed mode" concept where static files not found are server dynamically by TYPO3, but where the TYPO3 install does NOT allow backend access at all - only frontend delivery.
-Two situation:
+Two situations:
 - Publish static for local server, using mod_rewrite to direct requests transparently (static/dynamic). So all *.html requests WILL be found, static or dynamically! (Static/Dynamic blend)
 - Publish static for FTP server. All *.html requests MUST exist. (Purely static, limitations acceptable.)
diff --git a/t3lib/class.t3lib_beuserauth.php b/t3lib/class.t3lib_beuserauth.php
index aad517a057fa570c92443e8390276c3f01961fdf..52e0dbefcfb54765eb6f1d0f87609972ddb1cb43 100644
--- a/t3lib/class.t3lib_beuserauth.php
+++ b/t3lib/class.t3lib_beuserauth.php
@@ -163,12 +163,12 @@ class t3lib_beUserAuth extends t3lib_userAuthGroup {
	 */
	function checkLockToIP() {
		global $TYPO3_CONF_VARS;
-		$out=1;
+		$out = 1;
		if ($TYPO3_CONF_VARS['BE']['enabledBeUserIPLock']) {
			$IPList = $this->getTSConfigVal('options.lockToIP');
			if (trim($IPList)) {
				$baseIP = t3lib_div::getIndpEnv('REMOTE_ADDR');
-				$out=t3lib_div::cmpIP($baseIP, $IPList);
+				$out = t3lib_div::cmpIP($baseIP, $IPList);
			}
		}
		return $out;
diff --git a/t3lib/class.t3lib_parsehtml.php b/t3lib/class.t3lib_parsehtml.php
index 3a16b83c631fd095b04ec03a6d351df2e399419e..b5d5420567fe9c4d8e2806eb05f3f92e199c1c6c 100644
--- a/t3lib/class.t3lib_parsehtml.php
+++ b/t3lib/class.t3lib_parsehtml.php
@@ -519,6 +519,24 @@ class t3lib_parsehtml {
							if (strcmp($params['removeIfEquals'],'') && !strcmp($this->caseShift($tagAttrib[0][$attr],$params['casesensitiveComp']),$this->caseShift($params['removeIfEquals'],$params['casesensitiveComp']))) {
								unset($tagAttrib[0][$attr]);
							}
+							if ($params['prefixLocalAnchors']) {
+								if (substr($tagAttrib[0][$attr],0,1)=='#') {
+									$prefix = t3lib_div::getIndpEnv('TYPO3_REQUEST_URL');
+									$tagAttrib[0][$attr] = $prefix.$tagAttrib[0][$attr];
+									if ($params['prefixLocalAnchors']==2 && t3lib_div::isFirstPartOfStr($prefix,t3lib_div::getIndpEnv('TYPO3_SITE_URL'))) {
+										$tagAttrib[0][$attr] = substr($tagAttrib[0][$attr],strlen(t3lib_div::getIndpEnv('TYPO3_SITE_URL')));
+									}
+								}
+							}
+							if ($params['prefixRelPathWith']) {
+								$urlParts = parse_url($tagAttrib[0][$attr]);
+								if (!$urlParts['scheme'] && substr($urlParts['path'],0,1)!='/') {	// If it is NOT an absolute URL (by http: or starting "/")
+									$tagAttrib[0][$attr] = $params['prefixRelPathWith'].$tagAttrib[0][$attr];
+								}
+							}
+							if ($params['userFunc']) {
+								$tagAttrib[0][$attr] = t3lib_div::callUserFunction($params['userFunc'],$tagAttrib[0][$attr],$this);
+							}
						}
					}
					$tagParts[1]=$this->compileTagAttribs($tagAttrib[0],$tagAttrib[1]);
diff --git a/t3lib/class.t3lib_tsfebeuserauth.php b/t3lib/class.t3lib_tsfebeuserauth.php
index 7d412d685403837dcf19784554fec184065e6a31..210f819b6277ffbc10cda11143e4fd12dce61464 100755
--- a/t3lib/class.t3lib_tsfebeuserauth.php
+++ b/t3lib/class.t3lib_tsfebeuserauth.php
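Review bot: The three new blocks still run after the `removeIfEquals` branch directly above has done `unset($tagAttrib[0][$attr])`, and the `prefixRelPathWith` block then re-creates the attribute: `parse_url()` of the now-empty value yields an empty path, the `!='/'` test passes, and the attribute is written back as the bare prefix (the `userFunc` block likewise reinstates it with whatever the callback returns). Guarding the new code, e.g. `if (isset($tagAttrib[0][$attr]) && $params['prefixRelPathWith']) {` and the same for `userFunc`, keeps a removed attribute removed. `parse_url()` also returns false for badly malformed values and omits the `path` key for query-only or fragment-only values, so `$urlParts['scheme']` and `$urlParts['path']` should be read behind `isset()` before use. The enclosing attribute loop starts before the hunk.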
@@ -603,6 +603,49 @@ class t3lib_tsfeBeUserAuth extends t3lib_beUserAuth {
	 *
	 ****************************************************/
+	/**
+	 * Implementing the access checks that the typo3/init.php script does before a user is ever logged in.
+	 * Used in the frontend.
+	 *
+	 * @return	boolean		Returns true if access is OK
+	 * @see typo3/init.php, t3lib_beuserauth::backendCheckLogin()
+	 */
+	function checkBackendAccessSettingsFromInitPhp() {
+		global $TYPO3_CONF_VARS;
+
+			// **********************
+			// Check Hardcoded lock on BE:
+			// **********************
+		if ($TYPO3_CONF_VARS['BE']['adminOnly'] < 0) {
+			return FALSE;
+		}
+
+			// **********************
+			// Check IP
+			// **********************
+		if (trim($TYPO3_CONF_VARS['BE']['IPmaskList'])) {
+			if (!t3lib_div::cmpIP(t3lib_div::getIndpEnv('REMOTE_ADDR'), $TYPO3_CONF_VARS['BE']['IPmaskList'])) {
+				return FALSE;
+			}
+		}
+
+
+			// **********************
+			// Check SSL (https)
+			// **********************
+		if (intval($TYPO3_CONF_VARS['BE']['lockSSL'])) {
+			if (!$HTTP_SERVER_VARS['SSL_SESSION_ID']) {
+				return FALSE;
+			}
+		}
+
+			// Finally a check from t3lib_beuserauth::backendCheckLogin()
+		if (!$TYPO3_CONF_VARS['BE']['adminOnly'] || $this->isAdmin()) {
+			return TRUE;
+		} else return FALSE;
+	}
+
+
	/**
	 * Evaluates if the Backend User has read access to the input page record.
	 * The evaluation is based on both read-permission and whether the page is found in one of the users webmounts. Only if both conditions are true will the function return true.
diff --git a/t3lib/config_default.php b/t3lib/config_default.php
index 60be67f73858594cf30f6b40a1db76885ce141bc..01436019fb91dfd45c3be91e4c3816d5c04017cd 100755
--- a/t3lib/config_default.php
+++ b/t3lib/config_default.php
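Review bot: `$HTTP_SERVER_VARS` is read inside `checkBackendAccessSettingsFromInitPhp()` without a `global` declaration (only `$TYPO3_CONF_VARS` is declared) and it is not a superglobal, so `$HTTP_SERVER_VARS['SSL_SESSION_ID']` is always unset here and, with `lockSSL` enabled, the method returns FALSE for every request, HTTPS included. Changing the declaration to `global $TYPO3_CONF_VARS, $HTTP_SERVER_VARS;` fixes it; failing closed is the right direction, but as written it silently disables everything this method is meant to gate. Keying the SSL test on `SSL_SESSION_ID` also only works where the web server exports that variable, which deserves a comment such as `// Relies on the server exporting SSL_SESSION_ID; setups that do not will fail this check`. The trailing `} else return FALSE;` would read better braced, and the docblock could state that these checks duplicate typo3/init.php so both places are kept in sync.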
@@ -102,7 +102,7 @@ $TYPO3_CONF_VARS = Array(
		'warning_email_addr' => '',				// Email-address that will receive a warning if there has been failed logins 4 times within an hour (all users).
		'warning_mode' => '',					// Bit 1: If set, warning_email_addr gets a mail everytime a user logs in. Bit 2: If set, a mail is sent if an ADMIN user logs in! Other bits reserved for future options.
		'IPmaskList' => '',						// String. Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function t3lib_div::cmpIP())
-		'adminOnly' => 0,						// Boolean. If set, the only "admin" users can log in to the backend. For maintenance purposes.
+		'adminOnly' => 0,						// Boolean. If set (>=1), the only "admin" users can log in to the backend. If "<=-1" then the backend is totally shut down! For maintenance purposes.
		'lockBeUserToDBmounts' => 1,			// Boolean. If set, the backend user is allowed to work only within his page-mount. It's advisable to leave this on because it makes security easy to manage.
		'lockSSL' => 0,							// Int. 0,1,2: If set (1+2), the backend can only be operated from an ssl-encrypted connection (https). Set to 2 you will be redirected to the https admin-url supposed to be the http-url, but with https scheme instead.
		'disable_exec_function' => 0,			// Boolean. Don't use exec() function (except for ImageMagick which is disabled by [GFX][im]=0). If set, all fileoperations are done by the default PHP-functions. This is nescessary under windows! On UNIX the system commands by exec() can be used, unless this is disabled.
diff --git a/typo3/init.php b/typo3/init.php
index 85300436064cffb14f54b312807c83b9581d8e2f..0211ef46c61e6b8db9cdcab363493fa3d4c601a3 100755
--- a/typo3/init.php
+++ b/typo3/init.php
@@ -152,6 +152,15 @@ require_once (PATH_t3lib.'class.t3lib_iconworks.php');
require_once (PATH_t3lib.'class.t3lib_befunc.php');
require_once (PATH_t3lib.'class.t3lib_cs.php');
+	// **********************
+	// Check Hardcoded lock on BE:
+	// **********************
+if ($TYPO3_CONF_VARS['BE']['adminOnly'] < 0) {
+	header('Status: 404 Not Found');	// Send Not Found header - if the webserver can make use of it...
+	header('Location: http://');	// Just point us away from here...
+	exit;	// ... and exit good!
+}
+
	// **********************
	// Check IP
	// **********************
diff --git a/typo3/sysext/cms/tslib/class.tslib_fe.php b/typo3/sysext/cms/tslib/class.tslib_fe.php
index 25789ed018b03d0e20748b192bfbb082f6fc6c67..af5386436c0e07968c2b93f44abfc2e8031b0d82 100755
--- a/typo3/sysext/cms/tslib/class.tslib_fe.php
+++ b/typo3/sysext/cms/tslib/class.tslib_fe.php
@@ -1044,9 +1044,10 @@
				// Setting these specifically (like in the init-function):
			if (isset($GET_VARS['type']))	$this->type = $GET_VARS['type'];
			if (isset($GET_VARS['cHash']))	$this->cHash = $GET_VARS['cHash'];
-			if (isset($GET_VARS['no_cache']))	$this->no_cache = $GET_VARS['no_cache'] ? 1 : 0;
			if (isset($GET_VARS['jumpurl']))	$this->jumpurl = $GET_VARS['jumpurl'];
			if (isset($GET_VARS['MP']))	$this->MP = $this->TYPO3_CONF_VARS['FE']['enable_mount_pids'] ? $GET_VARS['MP'] : '';
+
+			if (isset($GET_VARS['no_cache']) && $GET_VARS['no_cache'])	$this->set_no_cache();
		}
	}
diff --git a/typo3/sysext/cms/tslib/index_ts.php b/typo3/sysext/cms/tslib/index_ts.php
index 0521031671a4839db0a8def89647c9d17ee88a79..3cfbda95e381b460c0e802b80bbbd760b71de57b 100755
--- a/typo3/sysext/cms/tslib/index_ts.php
+++ b/typo3/sysext/cms/tslib/index_ts.php
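Review bot: The lock-out branch sends both `Status: 404 Not Found` and `Location: http://`, which contradict each other: a Location header makes PHP emit a redirect, `http://` is not a valid redirect target, and whether a `Status:` header sets the HTTP status at all depends on the SAPI in use. One explicit response behaves the same everywhere, e.g. `header('HTTP/1.0 404 Not Found'); exit;` with the Location line dropped, or a proper maintenance page if that is the intent. Failing closed before any session handling is the right place for a hard lock, and a short comment stating that a negative `adminOnly` is the full shutdown switch would help readers who only know the setting as a boolean. The same branch is duplicated in `t3lib_tsfeBeUserAuth::checkBackendAccessSettingsFromInitPhp()` in this commit, so the two should be kept in step.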
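Review bot: The rewritten `no_cache` handling no longer resets `$this->no_cache` when the parameter is present but false (the removed line set it to 0 in that case); if this method can run after `no_cache` has already been switched on elsewhere, `no_cache=0` in the URL used to clear it and will not now. That is most likely the intended hardening, since a request parameter should not be able to turn caching back on, but it deserves a one-line comment such as `// no_cache can only be switched on from the URL, never off; routed through set_no_cache()`. The enclosing method starts before the hunk.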
@@ -177,7 +177,7 @@ if ($HTTP_COOKIE_VARS['be_typo_user'])	{	// If the backend cookie is set, we pr
			$BE_USER->fetchGroupData();
			$TSFE->beUserLogin=1;
		}
-		if ($BE_USER->checkLockToIP()) {
+		if ($BE_USER->checkLockToIP() && $BE_USER->checkBackendAccessSettingsFromInitPhp()) {
			$BE_USER->extInitFeAdmin();
			if ($BE_USER->extAdmEnabled) {
				require_once(t3lib_extMgm::extPath('lang').'lang.php');
@@ -218,7 +218,7 @@ if ($HTTP_COOKIE_VARS['be_typo_user'])	{	// If the backend cookie is set, we pr
			}
		}
-		if ($TSFE->forceTemplateParsing || $TSFE->displayEditIcons || $TSFE->displayFieldEditIcons) {$TSFE->set_no_cache();}
+		if ($TSFE->forceTemplateParsing || $TSFE->displayEditIcons || $TSFE->displayFieldEditIcons) { $TSFE->set_no_cache(); }
	}
// $WEBMOUNTS = (string)($BE_USER->groupData['webmounts'])!='' ? explode(',',$BE_USER->groupData['webmounts']) : Array();
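Review bot: `$TSFE->beUserLogin=1` is set a few lines above the new condition, so a backend user who fails `checkBackendAccessSettingsFromInitPhp()` (IP outside `IPmaskList`, non-admin while `adminOnly` is set, or no SSL) keeps `$BE_USER` and `beUserLogin=1` for the rest of the request; only the admin-panel initialisation is skipped. Whether that still grants preview-style behaviour depends on how `beUserLogin` and `$BE_USER` are used outside this hunk, but it is safer to treat a failed check like no login at all, e.g. `} else { unset($BE_USER); $TSFE->beUserLogin = 0; }` on the new `if`, provided the statement has no else branch beyond the hunk and later code tolerates a missing `$BE_USER`. On a default configuration both `checkLockToIP()` (returns 1 unless the IP lock is enabled) and the new method (returns TRUE unless `adminOnly` is set) allow access, so existing behaviour is preserved.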