[SECURITY] Restrict export functionality to allowed users
The import functionality of the import/export module is already restricted to admin users or users, who explicitly have access through the user TSConfig setting "options.impexp.enableImportForNonAdminUser". The export functionality has the following security drawbacks: * Export for editors is not limited on field level * The "Save to filename" functionality saves to a shared folder, which other editors with different access rights may have access to. Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins. Therefore, now also the export functionality is restricted to TYPO3 admin users and to users, who explicitly have access through the new user TSConfig setting "options.impexp.enableExportForNonAdminUser". Additionally, the contents of the temporary "importexport" folder in file storages is now only visible to users who have access to the export functionality. In general, it is recommended to only install the Import/Export extension when the functionality is required. Resolves: #94951 Releases: main, 11.5, 10.4 Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2 Security-Bulletin: TYPO3-CORE-SA-2022-001 Security-References: CVE-2022-31046 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74897 Tested-by:Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Showing
- typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php 22 additions, 0 deletions...core/Classes/Authentication/BackendUserAuthentication.php
- typo3/sysext/core/Classes/Resource/Filter/ImportExportFilter.php 55 additions, 0 deletions...ysext/core/Classes/Resource/Filter/ImportExportFilter.php
- typo3/sysext/core/Classes/Resource/ResourceStorage.php 22 additions, 7 deletionstypo3/sysext/core/Classes/Resource/ResourceStorage.php
- typo3/sysext/core/Tests/Acceptance/Application/Impexp/UsersCest.php 5 additions, 5 deletions...xt/core/Tests/Acceptance/Application/Impexp/UsersCest.php
- typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php 66 additions, 0 deletions...nctional/Authentication/BackendUserAuthenticationTest.php
- typo3/sysext/impexp/Classes/ContextMenu/ItemProvider.php 2 additions, 11 deletionstypo3/sysext/impexp/Classes/ContextMenu/ItemProvider.php
- typo3/sysext/impexp/Classes/Controller/ExportController.php 8 additions, 0 deletionstypo3/sysext/impexp/Classes/Controller/ExportController.php
- typo3/sysext/impexp/Classes/Controller/ImportController.php 1 addition, 12 deletionstypo3/sysext/impexp/Classes/Controller/ImportController.php
- typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php 46 additions, 0 deletions...3/sysext/reports/Classes/Report/Status/SecurityStatus.php
- typo3/sysext/reports/Resources/Private/Language/locallang_reports.xlf 9 additions, 0 deletions.../reports/Resources/Private/Language/locallang_reports.xlf
Please register or sign in to comment