Commit
[BUGFIX] Mitigate misusing request 'id' as pages-uid in extbase BE
The backend uses request GET/POST parameter 'id' as convention for "pages uid" at various places: Especially the BackendModuleValidator checks for this parameter early, to deny access to pages a BE user has no access to.

This convention is a broken misuse: There is no such convention, and for instance the filelist module uses 'id' to transfer a selected "storage-uid:path". The BackendModuleValidator mitigates this by calling MU::canBeInterpretedAsInteger() before interpreting that parameter as a pages-uid.

The extbase BackendConfigurationManager also uses 'id' to retrieve the FE TypoScript configuration for this "pages-uid", it however does not check with MU::canBeInterpretedAsInteger(), first.

The patch adds a MU::canBeInterpretedAsInteger() check to extbase BackendConfigurationManager to be in-line with BackendModuleValidator, and adds `@todo` comments outlining the general misuse of the argument.

Change-Id: I9b53a521bde4d3c145bfda2994d81dc4abf9c103
Resolves: #103540
Related: #96797
Releases: main, 12.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/83678
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
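The guard described in the commit message, as an added PHP example that is not part of the commit or of TYPO3's code: it contrasts a plain integer cast of 'id' with a check before the cast, using constructed request parameters. The function `canBeInterpretedAsInteger()` is a local stand-in for the MU method named above, and `pageUidUnguarded()`, `pageUidGuarded()` and the fallback to 0 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Local stand-in for the MU::canBeInterpretedAsInteger() check named in the
// commit message, re-implemented so the example runs without TYPO3.
function canBeInterpretedAsInteger(mixed $var): bool
{
    if ($var === '' || is_object($var) || is_array($var)) {
        return false;
    }
    // True only if the value survives an int round-trip unchanged.
    return (string)(int)$var === (string)$var;
}

// Hypothetical helper: treats 'id' as a pages uid with a plain cast.
// PHP's int cast keeps leading digits, so a "storage-uid:path" value
// silently becomes the number in front of the colon.
function pageUidUnguarded(array $params): int
{
    return (int)($params['id'] ?? 0);
}

// Hypothetical helper: only accepts 'id' as a pages uid when it is an
// integer; anything else falls back to 0 (assumed "no page selected").
function pageUidGuarded(array $params): int
{
    $id = $params['id'] ?? null;
    return canBeInterpretedAsInteger($id) ? (int)$id : 0;
}

// Constructed request parameters, not taken from the commit.
$samples = [
    ['id' => '42'],               // a real pages uid
    ['id' => '1:/user_upload/'],  // filelist-style "storage-uid:path"
    ['id' => ['nested']],         // array injected via id[]=...
    [],                           // parameter absent
];

foreach ($samples as $params) {
    printf(
        "%-28s unguarded=%d guarded=%d\n",
        json_encode($params, JSON_UNESCAPED_SLASHES),
        pageUidUnguarded($params),
        pageUidGuarded($params)
    );
}
```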