
[SECURITY] Check record permissions in record information popup
The ElementInformationController now checks that the backend user has sufficient
permissions to see each referenced record before it is listed.

Resolves: #88317
Releases: master, 9.5, 8.7
Security-Commit: 4322d6b827c09b98b35ab4ef47753e9c20f7f117
Security-Bulletin: TYPO3-CORE-SA-2019-014
Change-Id: I49d077e5628465111b4460dd3cb673182d09eaa0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61140
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
andreaskienast authored and ohader committed Jun 25, 2019
1 parent 8028f2f commit d593a69
Showing 1 changed file with 70 additions and 24 deletions.
Expand Up @@ -15,6 +15,7 @@
* The TYPO3 project - inspiring people to share!
*/

use Doctrine\DBAL\Connection;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Backend\Backend\Avatar\Avatar;
Expand Down Expand Up @@ -544,23 +545,35 @@ protected function makeRef($table, $ref, ServerRequestInterface $request)
/** @var \TYPO3\CMS\Core\Database\Query\QueryBuilder $queryBuilder */
$queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
->getQueryBuilderForTable('sys_refindex');

$predicates = [
$queryBuilder->expr()->eq(
'ref_table',
$queryBuilder->createNamedParameter($selectTable, \PDO::PARAM_STR)
),
$queryBuilder->expr()->eq(
'ref_uid',
$queryBuilder->createNamedParameter($selectUid, \PDO::PARAM_INT)
),
$queryBuilder->expr()->eq(
'deleted',
$queryBuilder->createNamedParameter(0, \PDO::PARAM_INT)
)
];

$backendUser = $this->getBackendUser();
if (!$backendUser->isAdmin()) {
$allowedSelectTables = GeneralUtility::trimExplode(',', $backendUser->groupData['tables_select']);
$predicates[] = $queryBuilder->expr()->in(
'tablename',
$queryBuilder->createNamedParameter($allowedSelectTables, Connection::PARAM_STR_ARRAY)
);
}

$rows = $queryBuilder
->select('*')
->from('sys_refindex')
->where(
$queryBuilder->expr()->eq(
'ref_table',
$queryBuilder->createNamedParameter($selectTable, \PDO::PARAM_STR)
),
$queryBuilder->expr()->eq(
'ref_uid',
$queryBuilder->createNamedParameter($selectUid, \PDO::PARAM_INT)
),
$queryBuilder->expr()->eq(
'deleted',
$queryBuilder->createNamedParameter(0, \PDO::PARAM_INT)
)
)
->where(...$predicates)
->execute()
->fetchAll();

Expand All @@ -572,9 +585,14 @@ protected function makeRef($table, $ref, ServerRequestInterface $request)
return;
}
}

$line = [];
$record = BackendUtility::getRecord($row['tablename'], $row['recuid']);
if ($record) {
BackendUtility::fixVersioningPid($row['tablename'], $record);
if (!$this->canAccessPage($row['tablename'], $record)) {
continue;
}
$parentRecord = BackendUtility::getRecord('pages', $record['pid']);
$parentRecordTitle = is_array($parentRecord)
? BackendUtility::getRecordTitle('pages', $parentRecord)
Expand Down Expand Up @@ -626,19 +644,31 @@ protected function makeRefFrom($table, $ref, ServerRequestInterface $request): a
/** @var \TYPO3\CMS\Core\Database\Query\QueryBuilder $queryBuilder */
$queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
->getQueryBuilderForTable('sys_refindex');

$predicates = [
$queryBuilder->expr()->eq(
'tablename',
$queryBuilder->createNamedParameter($table, \PDO::PARAM_STR)
),
$queryBuilder->expr()->eq(
'recuid',
$queryBuilder->createNamedParameter($ref, \PDO::PARAM_INT)
)
];

$backendUser = $this->getBackendUser();
if (!$backendUser->isAdmin()) {
$allowedSelectTables = GeneralUtility::trimExplode(',', $backendUser->groupData['tables_select']);
$predicates[] = $queryBuilder->expr()->in(
'ref_table',
$queryBuilder->createNamedParameter($allowedSelectTables, Connection::PARAM_STR_ARRAY)
);
}

$rows = $queryBuilder
->select('*')
->from('sys_refindex')
->where(
$queryBuilder->expr()->eq(
'tablename',
$queryBuilder->createNamedParameter($table, \PDO::PARAM_STR)
),
$queryBuilder->expr()->eq(
'recuid',
$queryBuilder->createNamedParameter($ref, \PDO::PARAM_INT)
)
)
->where(...$predicates)
->execute()
->fetchAll();

Expand All @@ -647,6 +677,10 @@ protected function makeRefFrom($table, $ref, ServerRequestInterface $request): a
$line = [];
$record = BackendUtility::getRecord($row['ref_table'], $row['ref_uid']);
if ($record) {
BackendUtility::fixVersioningPid($row['ref_table'], $record);
if (!$this->canAccessPage($row['ref_table'], $record)) {
continue;
}
$urlParameters = [
'edit' => [
$row['ref_table'] => [
Expand Down Expand Up @@ -711,6 +745,18 @@ protected function transformFileReferenceToRecordReference(array $referenceRecor
];
}

/**
* @param string $tableName Name of the table
* @param array $record Record to be checked (ensure pid is resolved for workspaces)
* @return bool
*/
protected function canAccessPage(string $tableName, array $record): bool
{
$recordPid = (int)($tableName === 'pages' ? $record['uid'] : $record['pid']);
return $this->getBackendUser()->isInWebMount($recordPid)
|| $recordPid === 0 && !empty($GLOBALS['TCA'][$tableName]['ctrl']['security']['ignoreRootLevelRestriction']);
}

/**
* Returns LanguageService
*
Expand Down
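Review bot: In the new `canAccessPage` helper the return expression mixes `||` and `&&` with no parentheses, so the root-level exception reads as ambiguous even though PHP precedence makes it `isInWebMount(...) || (pid === 0 && ignoreRootLevelRestriction)`; I would write `return $this->getBackendUser()->isInWebMount($recordPid) || ($recordPid === 0 && !empty($GLOBALS['TCA'][$tableName]['ctrl']['security']['ignoreRootLevelRestriction']));` and extend the docblock with `Returns true when the record's page lies inside one of the user's web mounts, or when the record is on root level and the table's TCA explicitly opts out of the root-level restriction.` The `tables_select` predicate is now copy-pasted into both `makeRef` and `makeRefFrom`; a small private helper taking the query builder and the column name (`tablename` vs. `ref_table`) would keep the two gates from drifting apart. Note also that in `makeRef` the `canAccessPage` check runs only inside `if ($record)`, so the branch taken when `getRecord()` returns false (outside the hunk) is protected by the SQL `tables_select` filter alone — worth confirming it emits nothing beyond the table name and uid. Both `makeRef` and `makeRefFrom` start and end outside the shown hunks.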
