Bug #57541
Content Security: operands work intrinsically differently in Rewrite and Manual check
| Status: | Under Review | Start date: | 2014-04-02 |
|---|---|---|---|
| Priority: | Must have | Due date: | |
| Assigned To: | - | % Done: | 0% |
| Category: | Security | | |
| Target version: | - | | |
| PHP Version: | | Complexity: | |
| Has patch: | No | Affected Flow version: | (any) |
Description
When having defined an Entity resource like
'current.securityContext.party != this.owner'
the `owner` field refers, in one case, to the actual `owner` field of the database table (i.e. in \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::rewriteQomQuery)
and in the other case to the (hydrated) Entity property `owner` (i.e. in \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::checkAccessAfterFetchingAnObjectByIdentifier).
This leads to unpredicted results when the entity, for example, does not have a getter on this property, as it was in my case. I just considered it not necessary.
IMO an exception is urgently necessary if, in \TYPO3\Flow\Security\Aspect\PersistenceQueryRewritingAspect::checkSingleConstraintDefinitionOnResultObject, the following lines:
```php
if (!is_array($constraintDefinition['leftValue']) && strpos($constraintDefinition['leftValue'], 'this.') === 0) {
	$referenceToThisFound = TRUE;
	$propertyPath = substr($constraintDefinition['leftValue'], 5);
	$leftOperand = $this->getObjectValueByPath($result, $propertyPath);
}
```
need to throw an exception if getObjectValueByPath, leading to ObjectAccess::getPropertyPath, tries to access something that cannot be retrieved.
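The following is an added illustration of the problem described in this report; it is not code from TYPO3 Flow and it does not reproduce the real PersistenceQueryRewritingAspect or ObjectAccess classes. It models the post-fetch constraint check with two property-path accessors: a lenient one that yields NULL for a path it cannot read (the behaviour the report observes when an entity has no getter) and a strict one that throws, so an unreadable property can never silently change the outcome of the comparison. All class names (Party, Document, SecurityContext), the `readProperty`/`getPropertyPath`/`checkConstraint` helpers and the sample data are constructed for this example.

```php
<?php
// Added illustration for this report; NOT code from TYPO3 Flow.
// Models the post-fetch constraint check with a lenient and a strict
// property-path accessor.

class PropertyNotAccessibleException extends RuntimeException {}

class Party {
	private $name;
	public function __construct($name) { $this->name = $name; }
	public function getName() { return $this->name; }
}

// Constructed entity: the "owner" column exists in the database, but there is
// deliberately no getOwner() and the property is not public.
class Document {
	protected $owner;
	public function __construct(Party $owner) { $this->owner = $owner; }
}

class SecurityContext {
	private $party;
	public function __construct(Party $party) { $this->party = $party; }
	public function getParty() { return $this->party; }
}

// Reads one property via getter, is-er or public property. With $strict set,
// an unreadable property is an error instead of NULL.
function readProperty($subject, $name, $strict) {
	foreach (array('get', 'is') as $prefix) {
		$method = $prefix . ucfirst($name);
		if (is_callable(array($subject, $method))) {
			return $subject->$method();
		}
	}
	// get_object_vars() called from outside the class sees public properties only
	$vars = get_object_vars($subject);
	if (array_key_exists($name, $vars)) {
		return $vars[$name];
	}
	if ($strict) {
		throw new PropertyNotAccessibleException(
			sprintf('Property "%s" of %s cannot be read', $name, get_class($subject)));
	}
	return NULL;
}

// Walks a dotted path such as "securityContext.party" segment by segment.
function getPropertyPath($subject, $path, $strict) {
	foreach (explode('.', $path) as $segment) {
		if (!is_object($subject)) {
			if ($strict) {
				throw new PropertyNotAccessibleException(
					sprintf('Cannot read "%s" of a non-object', $segment));
			}
			return NULL;
		}
		$subject = readProperty($subject, $segment, $strict);
	}
	return $subject;
}

// Resolves one operand: "this.x" against the fetched object, "current.x"
// against the request context, anything else is taken as a literal.
function resolveOperand($operand, $result, $current, $strict) {
	if (strpos($operand, 'this.') === 0) {
		return getPropertyPath($result, substr($operand, 5), $strict);
	}
	if (strpos($operand, 'current.') === 0) {
		return getPropertyPath($current, substr($operand, 8), $strict);
	}
	return $operand;
}

function checkConstraint(array $constraint, $result, $current, $strict) {
	$left  = resolveOperand($constraint['leftValue'],  $result, $current, $strict);
	$right = resolveOperand($constraint['rightValue'], $result, $current, $strict);
	switch ($constraint['operator']) {
		case '==': return $left === $right;
		case '!=': return $left !== $right;
	}
	throw new InvalidArgumentException('Unsupported operator ' . $constraint['operator']);
}

// Constructed sample: alice is the current party AND the owner of the document.
$alice    = new Party('alice');
$current  = new stdClass;
$current->securityContext = new SecurityContext($alice);
$document = new Document($alice);

$constraint = array(
	'leftValue'  => 'current.securityContext.party',
	'operator'   => '!=',
	'rightValue' => 'this.owner',
);

// Lenient: this.owner silently becomes NULL, so the comparison is made against
// the wrong value, unlike the column-level rewrite which sees the real owner.
var_dump(checkConstraint($constraint, $document, $current, FALSE));

// Strict: the missing getter surfaces as an exception instead of a wrong answer.
try {
	checkConstraint($constraint, $document, $current, TRUE);
} catch (PropertyNotAccessibleException $e) {
	echo $e->getMessage(), PHP_EOL;
}
```

With the lenient accessor the check compares the party against NULL, so `!=` holds even though the database column and the current party are the same object; with the strict accessor the same call stops with "Property "owner" of Document cannot be read". The latter is the failure mode the report asks for: a constraint that cannot be evaluated must not quietly evaluate to something.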
History
#1 Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 2 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/29065
#2 Updated by Gerrit Code Review over 1 year ago
Patch set 3 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/29065