Fixed bug #11937: Do not show E_DEPRECATED messages on productive systems
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_div.php
index 91bba6c..76ed5ba 100644 (file)
@@ -1941,6 +1941,7 @@ final class t3lib_div {
                        } else {
                                $value = addslashes($value);
                        }
+                       unset($value);
                }
                reset($theArray);
        }
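Review bot: The added `unset($value);` sits inside the loop body, before the brace that closes the loop, so it runs on every iteration instead of once after the loop; the second hunk (the `stripslashes` variant) has the same placement. If the loop iterates by reference (the `foreach` header is outside the hunk, so this is an assumption), the usual form is a single `unset($value);` after the loop's closing brace and before `reset($theArray);`. Either way, a short comment such as `// break the reference left by foreach` would tell the next reader why the line is there.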
@@ -1962,6 +1963,7 @@ final class t3lib_div {
                        } else {
                                $value = stripslashes($value);
                        }
+                       unset($value);
                }
                reset($theArray);
        }
@@ -2954,10 +2956,12 @@ final class t3lib_div {
        }
 
        /**
-        * Setting file system mode & group ownership of file
+        * Sets the file system mode and group ownership of file.
         *
-        * @param       string          Filepath of newly created file
-        * @return      void
+        * @param string $file
+        *               the path of an existing file, must not be escaped
+        *
+        * @return void
         */
        public static function fixPermissions($file)    {
                if (@is_file($file) && TYPO3_OS!='WIN') {
@@ -4168,13 +4172,38 @@ final class t3lib_div {
         * @return string either $url if $url is considered to be harmless, or an
         *                empty string otherwise
         */
-       public static function sanitizeBackEndUrl($url = '') {
-               $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
-               if (!preg_match($whitelistPattern, $url)) {
-                       $url = '';
+       public static function sanitizeLocalUrl($url = '') {
+               $sanitizedUrl = '';
+               $decodedUrl = rawurldecode($url);
+
+               if (!empty($url) && self::removeXSS($decodedUrl) === $decodedUrl) {
+                       $testAbsoluteUrl = self::resolveBackPath($decodedUrl);
+                       $testRelativeUrl = self::resolveBackPath(
+                               t3lib_div::dirname(t3lib_div::getIndpEnv('SCRIPT_NAME')) . '/' . $decodedUrl
+                       );
+
+                               // Pass if URL is on the current host:
+                       if (self::isValidUrl($decodedUrl)) {
+                               if (self::isOnCurrentHost($decodedUrl) && strpos($decodedUrl, self::getIndpEnv('TYPO3_SITE_URL')) === 0) {
+                                       $sanitizedUrl = $url;
+                               }
+                               // Pass if URL is an absolute file path:
+                       } elseif (self::isAbsPath($decodedUrl) && self::isAllowedAbsPath($decodedUrl)) {
+                               $sanitizedUrl = $url;
+                               // Pass if URL is absolute and below TYPO3 base directory:
+                       } elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && substr($decodedUrl, 0, 1) === '/') {
+                               $sanitizedUrl = $url;
+                               // Pass if URL is relative and below TYPO3 base directory:
+                       } elseif (strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && substr($decodedUrl, 0, 1) !== '/') {
+                               $sanitizedUrl = $url;
+                       }
                }
 
-               return $url;
+               if (!empty($url) && empty($sanitizedUrl)) {
+                       self::sysLog('The URL "' . $url . '" is not considered to be local and was denied.', 'Core', self::SYSLOG_SEVERITY_NOTICE);
+               }
+
+               return $sanitizedUrl;
        }
 
        /**
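Review bot: The "absolute and below TYPO3 base directory" branch of `sanitizeLocalUrl` accepts any decoded value that starts with `/` and whose resolved form begins with `TYPO3_SITE_PATH`, so when the site path is `/` a scheme-relative value (two leading slashes followed by a host) appears to pass as local, although a browser would resolve it to another host. Adding `&& substr($decodedUrl, 0, 2) !== '//'` to that condition would close the gap; `resolveBackPath()` and `isValidUrl()` are not visible here, so this should be confirmed with a test. The checks also run on the once-decoded string while the original `$url` is returned, so a consumer that decodes again sees a value that was never validated. The rejected `$url` is concatenated into the `sysLog` message unmodified; stripping control characters and truncating it first would keep each denial to one log line.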
@@ -4397,11 +4426,13 @@ final class t3lib_div {
                                }
                                $fileNotFound = TRUE;
                        }
-                       if (isset($GLOBALS['TYPO3_CONF_VARS']['EXT']['locallangXMLOverride'][$fileRef])) {
-                               $languageOverrideFileName = t3lib_div::getFileAbsFileName($GLOBALS['TYPO3_CONF_VARS']['EXT']['locallangXMLOverride'][$fileRef]);
-                               if (@is_file($languageOverrideFileName)) {
-                                       $languageOverrideArray = t3lib_div::readLLXMLfile($languageOverrideFileName, $langKey, $charset);
-                                       $LOCAL_LANG = t3lib_div::array_merge_recursive_overrule($LOCAL_LANG, $languageOverrideArray);
+                       if (is_array($GLOBALS['TYPO3_CONF_VARS']['SYS']['locallangXMLOverride'][$fileRef])) {
+                               foreach ($GLOBALS['TYPO3_CONF_VARS']['SYS']['locallangXMLOverride'][$fileRef] as $overrideFile) {
+                                       $languageOverrideFileName = t3lib_div::getFileAbsFileName($overrideFile);
+                                       if (@is_file($languageOverrideFileName)) {
+                                               $languageOverrideArray = t3lib_div::readLLXMLfile($languageOverrideFileName, $langKey, $charset);
+                                               $LOCAL_LANG = t3lib_div::array_merge_recursive_overrule($LOCAL_LANG, $languageOverrideArray);
+                                       }
                                }
                        }
                }
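Review bot: `is_array($GLOBALS['TYPO3_CONF_VARS']['SYS']['locallangXMLOverride'][$fileRef])` reads an index that is unset for every file without an override, which raises an undefined-index notice that the removed `isset()` check avoided. Guarding it with `isset(...) && is_array(...)` keeps the new list behaviour without the notice. The key also moves from `EXT` to `SYS` and its value from a string to an array, so an existing string-valued override would be silently ignored; a comment at the branch stating the expected shape, or a fallback for the old form, would help. The enclosing function starts and ends outside the hunk.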
@@ -5742,7 +5773,6 @@ final class t3lib_div {
                while (ob_get_level()) {
                        ob_end_flush();
                }
-               header('Content-Encoding: None', TRUE);
        }
 }