Fail with pathconfig.php #6855
Failed in 2.11, 3.1 and 3.2

same here ... :-/

Confirmed for all systems with a pathconfig.php

quickfix:

    // Derive the installation path from the request's SCRIPT_NAME
    $strScript = strval($_SERVER['SCRIPT_NAME']);
    preg_match('#^(.*)/contao/install\.php$#', $strScript, $arrMatches);
    $strPath = strval($arrMatches[1]);
    // Only rewrite pathconfig.php when the detected path differs
    if ($strPath != TL_PATH)

Confirmed security issue.

We can confirm that this is a security issue.

My quickfix is not sufficient!

Just replace

Not sufficient: your current scriptName implementation (which is horribly inconsistent across different SAPIs) will leave this issue open for at least cgi-fcgi.
Please post the output of the

Have a look here: #5881

IMO the pathconfig.php MUST NOT be deleted without proper authentication. Next, the content of the resulting path MUST be cleaned or, even better, validated. This is not a quick fix like "If value A is not right, let's use value B".

@backbone87: As I already commented in #5881, we are using the exact same code as TYPO3 to determine the script name: https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_3-8/t3lib/class.t3lib_div.php#L2668 And the bug in the other ticket has not yet been confirmed.

@leofeyer @backbone87 No matter if the other bug is confirmed or not, this issue is about using untrusted input without any further check and persisting it into a config file without authentication and authorization. No matter from which environment it originates (granted, browser is plain wrong, but who guarantees that the server setup does not allow manipulating the

Just tested my fix on uberspace.de (cgi-fcgi environment) and it did actually work.
The

Of course, if there IS an install tool password, do NOT update the path.
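A hardened version of the path detection debated above, written as an added example (not Contao's code and not the patch from this thread): it treats SCRIPT_NAME as untrusted input, validates the derived prefix against the files actually on disk, and, following the comment about the install tool password, refuses to persist a changed path unless an authenticated install tool session allows it. The function names, the $docRoot parameter and the two boolean flags are assumptions; PHP 7.1+ is assumed for the nullable types.

```php
<?php
// Added example, not Contao's code. Hypothetical helpers that harden the path
// detection discussed in this thread: SCRIPT_NAME is request-influenced input
// (and inconsistent across SAPIs), so the derived prefix is validated against
// the filesystem and then only persisted when the caller is allowed to.

/**
 * Derive the installation prefix from SCRIPT_NAME and validate it.
 * Returns the prefix ('' for the document root) or null when it cannot be
 * trusted. $docRoot (assumed) is the filesystem path of the web root.
 */
function detectInstallPath(string $scriptName, string $docRoot): ?string
{
    // Accept only an absolute path of plain segments ending in /contao/install.php
    if (!preg_match('#^((?:/[A-Za-z0-9_.-]+)*)/contao/install\.php$#', $scriptName, $m)) {
        return null;
    }
    $prefix = $m[1];
    // The character class still admits "." and ".." segments; reject them
    foreach (explode('/', ltrim($prefix, '/')) as $segment) {
        if ($segment === '.' || $segment === '..') {
            return null;
        }
    }
    // The claimed prefix must point at the real install.php on disk. Without
    // dot segments it cannot escape $docRoot, so a bogus SCRIPT_NAME from a
    // misconfigured SAPI simply fails this check instead of being persisted.
    if (!is_file($docRoot . $prefix . '/contao/install.php')) {
        return null;
    }
    return $prefix;
}

/**
 * Decide whether pathconfig.php may be rewritten with $prefix.
 * $hasInstallPassword: an install tool password is configured (assumed flag).
 * $authenticated: the request passed the install tool login (assumed flag).
 */
function mayPersistPath(?string $prefix, string $currentPath, bool $hasInstallPassword, bool $authenticated): bool
{
    if ($prefix === null || $prefix === $currentPath) {
        return false; // nothing valid to write, or nothing changed
    }
    // Before a password exists (fresh install) auto-detection is acceptable;
    // afterwards a moved installation is fixed either through an authenticated
    // install tool session or by editing pathconfig.php by hand.
    return !$hasInstallPassword || $authenticated;
}
```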

It is not that easy. After moving an installation, the install tool shall be able to auto-detect the path change and update the configuration accordingly. At this point, there is an install tool password.

And if the install tool does not auto-detect the path change, there is no way to enter the install tool password. (Assuming your next question will be "why don't we auto-detect after the install tool password has been entered".)

I know that, that's why I said the install tool shall detect it:
This is:
Of course, after moving the installation, the frontend will be broken and all of the backend (aside from the install tool), but we should not care about that as it is to be fixed by logging into the install tool.

Ok, so here's my proposal (see 427661a).
The drawback, however, is that if you move an installation, the system is not usable anymore unless you have manually adjusted or removed the
What are your thoughts?

At first glance, I am fine with it.
Personally I don't have any problems with the mentioned drawback, as I always manually adjust localconfig.php and/or pathconfig.php, as this seems faster than using the install tool (after searching for the install tool password).

See PR #6858. I have not tested it thoroughly but think it should work. What are the exact downsides here?

Looks good to me. While reading your code, I notice that due to my changes, the install tool now writes the

I was only addressing the problem about the install tool with my commit. :) About the saving upon every request, see the additional commit in my PR.

Here's the latest version of the patch: hotfix/3.2.9...feature/pathconfig Please revise and provide feedback, so we can release updates on Monday.

Is there a reason to set

Wouldn't it be better to use a different name, without double underscores, for the constant
Maybe something like
From the PHP Manual:

    // This is valid, but should be avoided:
    // PHP may one day provide a magical constant
    // that will break your script
    define("__FOO__", "something");

I'd use something like

Thank you everyone for your help!

Hello,
I just noticed that running a URL like this, it changes the value of pathconfig.php, even without being connected to the back office.