From 9b4b6be50caffc3b5c11ee2452a7b48c1348c583 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Gro=C3=9Fberndt?= <stephan@grossberndt.de>
Date: Fri, 8 Dec 2017 12:16:16 +0100
Subject: [PATCH] [BUGFIX] Access Close.html from Resources/Public/Html/

Clicking the close button in an editing popup now accesses Close.html in
Resources/Public/Html/, a folder accessible to web users, instead of
Resources/Private/Templates/, which led to an HTTP 403 error on closing
the popup.

Releases: master, 8.7, 7.6
Resolves: #83258
Related: #68108
Change-Id: Ibe7e328936240df436a3c9585e53122f1577dc6e
Reviewed-on: https://review.typo3.org/54983
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
---
 .../Classes/Controller/EditDocumentController.php |  2 +-
 .../Resources/Private/Templates/Close.html        |  4 ++--
 .../backend/Resources/Public/Html/Close.html      | 15 +++++++++++++++
 typo3/sysext/feedit/Classes/FrontendEditPanel.php |  2 +-
 4 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 typo3/sysext/backend/Resources/Public/Html/Close.html

diff --git a/typo3/sysext/backend/Classes/Controller/EditDocumentController.php b/typo3/sysext/backend/Classes/Controller/EditDocumentController.php
index 27f710068e69..aa253cf289b8 100644
--- a/typo3/sysext/backend/Classes/Controller/EditDocumentController.php
+++ b/typo3/sysext/backend/Classes/Controller/EditDocumentController.php
@@ -1491,7 +1491,7 @@ class EditDocumentController
      */
     protected function getCloseUrl(): string
     {
-        $closeUrl = GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Templates/Close.html');
+        $closeUrl = GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html');
         return PathUtility::getAbsoluteWebPath($closeUrl);
     }
 
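Review bot: The literal `'EXT:backend/Resources/Public/Html/Close.html'` in `getCloseUrl()` is repeated in the `FrontendEditPanel.php` hunk of this patch, so the next move of the file has to be made in two extensions again. A single source for the path would avoid that, for example a class constant such as `const CLOSE_PAGE = 'EXT:backend/Resources/Public/Html/Close.html';` (name constructed here) that both call sites resolve. The method's docblock starts outside the hunk; if it does not already say so, it is worth adding that the returned URL must point to a web-accessible static file, since a path under Resources/Private/ is what caused the 403. The copy under Resources/Private/Templates/ is kept by this patch, and whether anything still references it is not visible here.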
diff --git a/typo3/sysext/backend/Resources/Private/Templates/Close.html b/typo3/sysext/backend/Resources/Private/Templates/Close.html
index e5fbc77bef0b..5a0cfc59ebc8 100644
--- a/typo3/sysext/backend/Resources/Private/Templates/Close.html
+++ b/typo3/sysext/backend/Resources/Private/Templates/Close.html
@@ -2,7 +2,7 @@
 <html>
 	<head>
 		<!-- Close script, used in particular by FormEngine to close the current edit window -->
-		<!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Private/Templates/close.html -->
+		<!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Private/Templates/Close.html -->
 		<meta charset="utf-8" />
 		<title>Close</title>
 		<script type="text/javascript">
@@ -12,4 +12,4 @@
 	</head>
 	<body>
 	</body>
-</html>
\ No newline at end of file
+</html>
diff --git a/typo3/sysext/backend/Resources/Public/Html/Close.html b/typo3/sysext/backend/Resources/Public/Html/Close.html
new file mode 100644
index 000000000000..1a4faf689b96
--- /dev/null
+++ b/typo3/sysext/backend/Resources/Public/Html/Close.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+	<head>
+		<!-- Close script, used in particular by FormEngine to close the current edit window -->
+		<!-- TYPO3 Script ID: typo3/sysext/backend/Resources/Public/Html/Close.html -->
+		<meta charset="utf-8" />
+		<title>Close</title>
+		<script type="text/javascript">
+			self.close();
+			window.opener.location.reload(true);
+		</script>
+	</head>
+	<body>
+	</body>
+</html>
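Review bot: The inline script dereferences `window.opener` without a check and calls `self.close()` before the reload. Because this copy lives under Resources/Public/, it can be requested directly with no opener, in which case `window.opener.location.reload(true)` throws on `null`. Guarding the reload and closing last is more robust: `if (window.opener && !window.opener.closed) { window.opener.location.reload(true); }` followed by `self.close();`. A cross-origin opener would still raise a security error on `location.reload`, so a `try`/`catch` around the reload is worth considering. A short HTML comment stating that the page is deliberately static and reads no parameters would help keep URL-driven behaviour out of a publicly served file.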
diff --git a/typo3/sysext/feedit/Classes/FrontendEditPanel.php b/typo3/sysext/feedit/Classes/FrontendEditPanel.php
index 011873e621b9..fcc311b51d26 100644
--- a/typo3/sysext/feedit/Classes/FrontendEditPanel.php
+++ b/typo3/sysext/feedit/Classes/FrontendEditPanel.php
@@ -299,7 +299,7 @@ class FrontendEditPanel
     {
         $width = MathUtility::forceIntegerInRange($this->backendUser->getTSConfigVal('options.feedit.popupWidth'), 690, 5000, 690);
         $height = MathUtility::forceIntegerInRange($this->backendUser->getTSConfigVal('options.feedit.popupHeight'), 500, 5000, 500);
-        $onclick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue($url . '&returnUrl=' . rawurlencode(PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Templates/Close.html')))) . ',\'FEquickEditWindow\',\'width=' . $width . ',height=' . $height . ',status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
+        $onclick = 'vHWin=window.open(' . GeneralUtility::quoteJSvalue($url . '&returnUrl=' . rawurlencode(PathUtility::getAbsoluteWebPath(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Public/Html/Close.html')))) . ',\'FEquickEditWindow\',\'width=' . $width . ',height=' . $height . ',status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
         return '<a href="#" class="typo3-editPanel-btn typo3-editPanel-btn-default frontEndEditIconLinks ' . htmlspecialchars($additionalClasses) . '" onclick="' . htmlspecialchars($onclick) . '" style="display: none;">' . $string . '</a>';
     }
 
-- 
GitLab