From c59d89f809898784aaedd507db61a4d380bc27a8 Mon Sep 17 00:00:00 2001
From: Nicole Cordes <typo3@cordes.co>
Date: Sat, 27 Jul 2013 23:13:06 +0200
Subject: [PATCH] [BUGFIX] "New page" wizard discloses existence of pages
 outside DB mount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When creating a new page at the top level of a DB mount that is only a
sub tree, the pages above and below the DB mount root are displayed in
the position selector if the logged-in user has read permissions for
them. This is an unwanted information disclosure, as permissions should
not matter for pages that are outside the DB mount.

Resolves: #18797
Releases: 6.2, 6.1, 6.0
Change-Id: I98008bc7f4308c9fb32dae645325e7cb1b44e413
Reviewed-on: https://review.typo3.org/22632
Reviewed-by: Markus Klein
Reviewed-by: Xavier Perseguers
Reviewed-by: Wouter Wolters
Tested-by: Markus Klein
Reviewed-by: Marcin Sągol
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
---
 typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php  | 5 +++++
 .../Classes/Authentication/BackendUserAuthentication.php     | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php b/typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php
index 43f5a7d6a4ea..576578e56665 100644
--- a/typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php
+++ b/typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php
@@ -771,6 +771,11 @@ abstract class AbstractTreeView {
 		$idH = array();
 		// Traverse the records:
 		while ($crazyRecursionLimiter > 0 && ($row = $this->getDataNext($res, $subCSSclass))) {
+			if (!$GLOBALS['BE_USER']->isInWebMount($row['uid'])) {
+				// Current record is not within web mount => skip it
+				continue;
+			}
+
 			$a++;
 			$crazyRecursionLimiter--;
 			$newID = $row['uid'];
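Review bot: The mount check added at the top of the loop treats `$row['uid']` as a page id, yet getTree() in AbstractTreeView is generic over the tree's configured table (the class carries a `$table` property defaulting to 'pages', if I recall the 6.x code correctly), so a subclass rendering another table would have its rows matched against page mounts and silently dropped. Scoping the guard, `if ($this->table === 'pages' && !$GLOBALS['BE_USER']->isInWebMount($row['uid'])) {`, keeps the disclosure fix for pages without changing other trees. The check also runs once per fetched row and, as far as I recall, isInWebMount() resolves the rootline for each call, so a comment such as `// isInWebMount() does a rootline lookup per row; acceptable for tree rendering` would warn the next maintainer before this loop is reused in a hot path. Skipped rows do not decrement `$crazyRecursionLimiter`, which is acceptable since the limiter bounds processed rows rather than fetched ones. The enclosing getTree() starts and ends outside this hunk.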
diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
index e2feab199ae9..640765f233ae 100644
--- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -542,6 +542,10 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
 		if ($this->isAdmin()) {
 			return 31;
 		}
+		// Return 0 if page is not within the allowed web mount
+		if (!$this->isInWebMount($row['uid'])) {
+			return 0;
+		}
 		$out = 0;
 		if (isset($row['perms_userid']) && isset($row['perms_user']) && isset($row['perms_groupid']) && isset($row['perms_group']) && isset($row['perms_everybody']) && isset($this->groupList)) {
 			if ($this->user['uid'] == $row['perms_userid']) {
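Review bot: The new early return reads `$row['uid']` without the `isset()` guard that the rest of calcPerms() applies to the perms_* fields on the line right below it, so a row lacking a uid raises a notice and hands null to isInWebMount(). As this is the central permission calculation, failing closed on a missing uid is the safer form: `if (!isset($row['uid']) || !$this->isInWebMount($row['uid'])) {` — provided no caller deliberately passes a uid-less row, which is worth checking before changing it. The method's docblock should also state the new contract, namely that pages outside the user's web mounts always yield 0 regardless of their perms_* fields, so callers do not mistake the 0 for a plain permission denial. calcPerms() starts and ends outside this hunk.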
-- 
GitLab