[SECURITY] Prohibit TypoScript in form yaml files
Only evaluate TypoScript-like instructions like

```
submitButtonLabel = TEXT
submitButtonLabel.value = Bar
```

defined within `plugin.tx_form.settings.formDefinitionOverrides` and `plugin.tx_form.settings.yamlSettingsOverrides` and **not** within form definition yaml files or the form setup yaml files. This is achieved by not searching the entire form definition or form setup for TypoScript instructions, but only the actual TypoScript.

Resolves: #98403
Releases: main, 11.5, 10.4
Change-Id: I7b066f109d6061715c2240b01ed15185c58fa9f5
Security-Bulletin: TYPO3-CORE-SA-2022-015
Security-References: CVE-2022-23503
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77092
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
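The separation the commit message describes, shown as an added illustration. This is not TYPO3 core code and does not reproduce the patched `FormFrontendController` or `ConfigurationManager`; it uses a toy resolver (`renderContentObject`, `resolveTypoScriptInstructions`, both hypothetical) that understands only the `TEXT` cObject, and the two input arrays are constructed for the example. The point it makes is the one in the commit message: an editor-controlled YAML form definition must be treated as data, and cObject instructions may only be resolved in the integrator-controlled TypoScript under `plugin.tx_form.settings.formDefinitionOverrides`.

```php
<?php
declare(strict_types=1);

// Illustrative example, not TYPO3 core code. TypoScript in array form keeps
// a cObject as a pair of keys:  'foo' => 'TEXT'  and  'foo.' => ['value' => 'Bar'].
// YAML is plain data and may legitimately contain the same-looking keys, so
// the resolver must never be run over YAML-derived content.

/**
 * Toy stand-in for a cObject renderer (hypothetical; real TYPO3 knows many
 * cObject types). Only TEXT is supported here.
 */
function renderContentObject(string $type, array $conf): string
{
    if ($type === 'TEXT') {
        return (string)($conf['value'] ?? '');
    }
    throw new RuntimeException('Unsupported cObject type: ' . $type);
}

/**
 * Converts a TypoScript array into a plain array, rendering every
 * "key => cObjectType" + "key. => conf" pair on the way. This is the step
 * whose input must come from TypoScript only.
 */
function resolveTypoScriptInstructions(array $config): array
{
    $plain = [];
    foreach ($config as $key => $value) {
        $key = (string)$key;
        if (substr($key, -1) === '.') {
            $base = substr($key, 0, -1);
            if (isset($config[$base]) && is_string($config[$base])) {
                continue; // cObject configuration; consumed when $base is processed
            }
            // Nested plain configuration: drop the trailing dot and recurse.
            $plain[$base] = resolveTypoScriptInstructions((array)$value);
            continue;
        }
        if (is_string($value) && isset($config[$key . '.']) && is_array($config[$key . '.'])) {
            $plain[$key] = renderContentObject($value, $config[$key . '.']);
        } elseif (is_array($value)) {
            $plain[$key] = resolveTypoScriptInstructions($value);
        } else {
            $plain[$key] = $value;
        }
    }
    return $plain;
}

/**
 * BEFORE (the pattern the fix removes): merge first, then scan the whole
 * result. A TypoScript-looking pair written into the YAML by an editor is
 * evaluated exactly like real TypoScript.
 */
function buildFormDefinitionInsecure(array $yamlDefinition, array $typoScriptOverrides): array
{
    $merged = array_replace_recursive($yamlDefinition, $typoScriptOverrides);
    return resolveTypoScriptInstructions($merged);
}

/**
 * AFTER: resolve instructions in the TypoScript overrides only, then lay the
 * resulting plain values over the YAML. The YAML is never inspected for
 * instructions, so a 'TEXT' string in it remains a literal string.
 */
function buildFormDefinitionHardened(array $yamlDefinition, array $typoScriptOverrides): array
{
    $resolvedOverrides = resolveTypoScriptInstructions($typoScriptOverrides);
    return array_replace_recursive($yamlDefinition, $resolvedOverrides);
}

// Constructed sample: an editor-controlled form definition (parsed YAML) that
// carries a TypoScript-looking key pair.
$yamlDefinition = [
    'identifier' => 'contact',
    'renderingOptions' => [
        'submitButtonLabel' => 'TEXT',
        'submitButtonLabel.' => ['value' => 'Injected via YAML'],
    ],
];

// Constructed sample: integrator TypoScript for this form, in array form.
$typoScriptOverrides = [
    'label' => 'TEXT',
    'label.' => ['value' => 'Contact form'],
];

$insecure = buildFormDefinitionInsecure($yamlDefinition, $typoScriptOverrides);
$hardened = buildFormDefinitionHardened($yamlDefinition, $typoScriptOverrides);

echo 'insecure submitButtonLabel: ' . $insecure['renderingOptions']['submitButtonLabel'] . PHP_EOL;
echo 'hardened submitButtonLabel: ' . $hardened['renderingOptions']['submitButtonLabel'] . PHP_EOL;
echo 'hardened label: ' . $hardened['label'] . PHP_EOL;
```

Run with `php example.php`. In the insecure variant the editor's `submitButtonLabel` pair from the YAML is rendered by the cObject resolver; in the hardened variant that pair is carried through as inert data while the integrator's `label` from TypoScript is still resolved. The ordering is the whole fix: resolve, then merge, so the only array that ever reaches the resolver is the one that came from TypoScript.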
Showing 4 changed files:

- typo3/sysext/form/Classes/Controller/FormFrontendController.php (4 additions, 3 deletions)
- typo3/sysext/form/Classes/Mvc/Configuration/ConfigurationManager.php (8 additions, 7 deletions)
- typo3/sysext/form/Tests/Unit/Controller/FormFrontendControllerTest.php (95 additions, 0 deletions)
- typo3/sysext/form/Tests/Unit/Mvc/Configuration/ConfigurationManagerTest.php (145 additions, 0 deletions)