[BUGFIX] Improve exceptions when BE.adminOnly or BE.IPmaskList is used

TYPO3 now returns a HTTP 403 status code, when BE.adminOnly is configured or when the clients IP address does not match the configured BE.IPmaskList. Additionally, TYPO3 will now present a proper system message instead of showing the default "Oops, an error occurred!". Resolves: #93379 Releases: master, 10.4 Change-Id: I409a514852b25c2891eade71bd61f50e25ffc174 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67546 Tested-by: Richard Haeser <richard@richardhaeser.com> Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Richard Haeser <richard@richardhaeser.com> Reviewed-by: Benni Mack <benni@typo3.org>

[BUGFIX] Improve exceptions when BE.adminOnly or BE.IPmaskList is used
TYPO3 now returns a HTTP 403 status code, when BE.adminOnly is configured or when the clients IP address does not match the configured BE.IPmaskList. Additionally, TYPO3 will now present a proper system message instead of showing the default "Oops, an error occurred!". Resolves: #93379 Releases: master, 10.4 Change-Id: I409a514852b25c2891eade71bd61f50e25ffc174 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67546 Tested-by: Richard Haeser <richard@richardhaeser.com> Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Richard Haeser <richard@richardhaeser.com> Reviewed-by: Benni Mack <benni@typo3.org>
9f7ed147 · Torben Hansen · Benni Mack · def73f27 · 9f7ed147 · 9f7ed147
Commit 9f7ed147 authored 4 years ago by Torben Hansen Committed by Benni Mack 4 years ago
--- a/typo3/sysext/backend/Classes/Exception/BackendAccessDeniedException.php
+++ b/typo3/sysext/backend/Classes/Exception/BackendAccessDeniedException.php
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Backend\Exception;
+
+use TYPO3\CMS\Core\Error\Http\AbstractClientErrorException;
+
+class BackendAccessDeniedException extends AbstractClientErrorException
+{
+}
--- a/typo3/sysext/backend/Classes/Exception/BackendLockedException.php
+++ b/typo3/sysext/backend/Classes/Exception/BackendLockedException.php
@@ -17,8 +17,8 @@ declare(strict_types=1);

 namespace TYPO3\CMS\Backend\Exception;

-use TYPO3\CMS\Backend\Exception;
+use TYPO3\CMS\Core\Error\Http\AbstractClientErrorException;

-class BackendLockedException extends Exception
+class BackendLockedException extends AbstractClientErrorException
 {
 }
--- a/typo3/sysext/backend/Classes/Middleware/LockedBackendGuard.php
+++ b/typo3/sysext/backend/Classes/Middleware/LockedBackendGuard.php
@@ -21,11 +21,13 @@ use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
+use TYPO3\CMS\Backend\Exception\BackendAccessDeniedException;
 use TYPO3\CMS\Backend\Exception\BackendLockedException;
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Http\JsonResponse;
 use TYPO3\CMS\Core\Http\RedirectResponse;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Utility\HttpUtility;

 /**
 * Checks various security options for accessing the TYPO3 backend before proceeding
@@ -82,14 +84,24 @@ class LockedBackendGuard implements MiddlewareInterface
    protected function checkLockedBackend()
    {
        if ($GLOBALS['TYPO3_CONF_VARS']['BE']['adminOnly'] < 0) {
-            throw new BackendLockedException('TYPO3 Backend locked: Backend and Install Tool are locked for maintenance. [BE][adminOnly] is set to "' . (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['adminOnly'] . '".', 1517949794);
+            throw new BackendLockedException(
+                HttpUtility::HTTP_STATUS_403,
+                'Backend and Install Tool are locked for maintenance. [BE][adminOnly] is set to "' . (int)$GLOBALS['TYPO3_CONF_VARS']['BE']['adminOnly'] . '".',
+                'TYPO3 Backend locked',
+                1517949794
+            );
        }
        if (@is_file(Environment::getLegacyConfigPath() . '/LOCK_BACKEND')) {
            $fileContent = file_get_contents(Environment::getLegacyConfigPath() . '/LOCK_BACKEND');
            if ($fileContent) {
                return $fileContent;
            }
-            throw new BackendLockedException('TYPO3 Backend locked: Browser backend is locked for maintenance. Remove lock by removing the file "typo3conf/LOCK_BACKEND" or use CLI-scripts.', 1517949793);
+            throw new BackendLockedException(
+                HttpUtility::HTTP_STATUS_403,
+                'Backend access by browser is locked for maintenance. Remove lock by removing the file "typo3conf/LOCK_BACKEND" or use CLI-scripts.',
+                'TYPO3 Backend locked',
+                1517949793
+            );
        }

        return null;
@@ -105,7 +117,12 @@ class LockedBackendGuard implements MiddlewareInterface
    protected function validateVisitorsIpAgainstIpMaskList(string $ipAddress, string $ipMaskList = '')
    {
        if ($ipMaskList !== '' && !GeneralUtility::cmpIP($ipAddress, $ipMaskList)) {
-            throw new \RuntimeException('TYPO3 Backend access denied: The IP address of your client does not match the list of allowed IP addresses.', 1517949792);
+            throw new BackendAccessDeniedException(
+                HttpUtility::HTTP_STATUS_403,
+                'The IP address of your client does not match the list of allowed IP addresses.',
+                'TYPO3 Backend access denied',
+                1517949792
+            );
        }
    }
 }