Bug #29603

__toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions

Added by Andreas Förthner almost 4 years ago. Updated about 3 years ago.

Status: Closed
Start date: 2011-09-09
Priority: Must have
Due date:
Assigned To: -
% Done: 0%
Category: Core
Target version: TYPO3 Flow Base Distribution - 1.0.5
Has patch: No
Affected Flow version: FLOW3 1.0.0

Description

PHP does not allow throwing exceptions within a __toString() method. Therefore security exceptions don't work while rendering the Fluid template. We somehow have to call a method to render a node and not just concatenate the objects as string and use the internal __toString() functionality. This is a really stupid PHP behaviour, that is documented here: http://php.net/manual/en/migration52.incompatible.php

History

#1 Updated by Andreas Förthner almost 4 years ago

  • Subject changed from __toString() usage for rendering in the compiled Fluid template breaks the concept of security exceptions to __toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions

#2 Updated by Bastian Waidelich almost 4 years ago

Do you have an example where objects are concatenated in a compiled template?

#3 Updated by Andreas Förthner almost 4 years ago

Ah sorry ;-) This is done in line 322 of the TemplateCompiler.

$initializationPhpCode .= sprintf('%s .= %s;', $outputVariableName, $converted['execution']) . chr(10);

#4 Updated by Karsten Dambekalns almost 4 years ago

  • Target version changed from 1.0.0 to 1.0.1

#5 Updated by Karsten Dambekalns almost 4 years ago

  • Affected Flow version set to FLOW3 1.0.0

#6 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.1 to 1.0.2

#7 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.2 to 1.0.3

#8 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.3 to 1.0.4

#9 Updated by Karsten Dambekalns over 3 years ago

  • Target version changed from 1.0.4 to 1.0.5

#10 Updated by Sebastian Kurfuerst about 3 years ago

  • Status changed from New to Needs Feedback

I fear that I need more feedback in here.

Inside fluid, __toString is definitely never used.

Could it have something to do with the old TypoScript? If yes, that has quite surely been fixed with the new TS.

#11 Updated by Andreas Förthner about 3 years ago

Hi Sebastian,

I'm currently checking this, probably you are right, that this was only a problem with the old TS rendering.

I'll give you more feedback as soon as I have verified this.

#12 Updated by Andreas Förthner about 3 years ago

  • Status changed from Needs Feedback to Closed

After looking at it and discussing it once again with my colleague, this was probably fixed at some point along the way. When I created the issue, view helpers got rendered by an implicit cast of the VH object in a string concatenation. This seems not to be the case anymore, now initializeArgumentsAndRender() is called explicitly. Therefore I consider this issue not present anymore and close this ticket.
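The difference between the implicit string cast and the explicit render call discussed in this ticket, as an added example that is not part of the ticket and is not Flow or Fluid code. The Node, TextNode, ProtectedNode, AccessDeniedException and renderTemplate names are hypothetical.

```php
<?php
// Added illustration: class and function names are hypothetical, not Flow or Fluid code.
class AccessDeniedException extends \Exception {}

interface Node { public function render(): string; }

final class TextNode implements Node
{
    private $text;
    public function __construct(string $text) { $this->text = $text; }
    public function render(): string { return $this->text; }
}

// Stands in for a view helper whose rendering touches a protected resource.
final class ProtectedNode implements Node
{
    private $granted;
    public function __construct(bool $granted) { $this->granted = $granted; }

    public function render(): string
    {
        if (!$this->granted) {
            throw new AccessDeniedException('Access denied while rendering node');
        }
        return 'secret content';
    }

    // Implicit-cast path: before PHP 7.4 an exception leaving __toString() is a
    // fatal error, so no catch block in the security layer ever sees it.
    public function __toString() { return $this->render(); }
}

// Explicit rendering: every node is rendered through a method call, never a
// string cast, so a security exception unwinds normally to its handler.
function renderTemplate(array $nodes): string
{
    $output = '';
    foreach ($nodes as $node) {
        $output .= $node->render();
    }
    return $output;
}

try {
    echo renderTemplate([new TextNode('Hello, '), new ProtectedNode(false)]), PHP_EOL;
} catch (AccessDeniedException $e) {
    // The caller can now react to the denial, e.g. send a 403 or redirect to login.
    echo 'Caught: ', $e->getMessage(), PHP_EOL;
}
```

Since PHP 7.4 exceptions may be thrown from __toString(), but the explicit call keeps the behaviour identical on the PHP versions this ticket concerns.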
