Fixed bug #14712: The GET/POST variable mimeType is used to create the http header...
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:14:36 +0000 (09:14 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:14:36 +0000 (09:14 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@8411 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/cms/tslib/class.tslib_content.php
typo3/sysext/cms/tslib/class.tslib_fe.php

index fa35abb..3b287e5 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,7 @@
        * Follow-up to bug #14389: Added unit test
        * Fixed bug #1985: XSS vulnerability in wizard classes
        * Fixed bug #15223: Password request hash in felogin is created with not enough randomness (thanks to Helmut Hummel)
+       * Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
 
 2010-07-27  Steffen Kamper  <steffen@typo3.org>
 
index c74be97..b352759 100644 (file)
@@ -4707,7 +4707,9 @@ class tslib_cObj {
                        foreach ($mimeTypes as $v) {
                                $parts = explode('=',$v,2);
                                if (strtolower($fI['extension']) == strtolower(trim($parts[0])))        {
-                                       $mimetype = '&mimeType='.rawurlencode(trim($parts[1]));
+                                       $mimetypeValue = trim($parts[1]);
+                                       $mimetype = '&mimeType=' . rawurlencode($mimetypeValue);
+                                       break;
                                }
                        }
                }
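Review bot: `$mimetypeValue` is assigned only inside the matching branch of this loop, but the next hunk puts it into `$hArr` unconditionally. A file whose extension matches no `mimeTypes` entry would therefore hash an undefined variable (a notice, and NULL in the array), unless it is initialised above this hunk, which is not visible here. Give it an explicit default before the loop and add a comment such as `// raw (not URL-encoded) MIME type; this exact value is signed into juHash`. The added `break;` also makes the first matching entry win where the old loop let the last one win, which is worth a short comment in case a configuration lists an extension twice. The enclosing method starts and ends outside the hunk.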
@@ -4716,6 +4718,7 @@ class tslib_cObj {
                $hArr = array(
                        $jumpUrl,
                        $locationData,
+                       $mimetypeValue,
                        $GLOBALS['TSFE']->TYPO3_CONF_VARS['SYS']['encryptionKey']
                );
                $juHash='&juHash='.t3lib_div::shortMD5(serialize($hArr));
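Review bot: `serialize($hArr)` is type-sensitive, so the `$mimetypeValue` added here must match `t3lib_div::_GP('mimeType')` in `tslib_fe::jumpUrl()` in both type and value. If one side holds NULL and the other an empty string, the hashes differ and a legitimate download is rejected. Casting on both sides, `(string) $mimetypeValue` here and `(string) t3lib_div::_GP('mimeType')` in the verifier, would make the absent-parameter case explicit. Separately, the new binding is only as strong as the existing check: `shortMD5()` is a truncated MD5 over an array with the key appended, and `jumpUrl()` compares with `==`, which PHP may evaluate numerically for digit-only hex strings. `if ($juHash === $calcJuHash)` is the minimal hardening, and a proper HMAC would be the longer-term fix.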
index 86513ae..41b5d3b 100644 (file)
        function jumpUrl()      {
                if ($this->jumpurl)     {
                        if (t3lib_div::_GP('juSecure')) {
+                               $locationData = t3lib_div::_GP('locationData');
+                               $mimeType = t3lib_div::_GP('mimeType');
+
                                $hArr = array(
                                        $this->jumpurl,
                                        t3lib_div::_GP('locationData'),
+                                       t3lib_div::_GP('mimeType'),
                                        $this->TYPO3_CONF_VARS['SYS']['encryptionKey']
                                );
                                $calcJuHash=t3lib_div::shortMD5(serialize($hArr));
-                               $locationData = t3lib_div::_GP('locationData');
                                $juHash = t3lib_div::_GP('juHash');
                                if ($juHash == $calcJuHash)     {
                                        if ($this->locDataCheck($locationData)) {
                                                        // Deny access to files that match TYPO3_CONF_VARS[SYS][fileDenyPattern] and whose parent directory is typo3conf/ (there could be a backup file in typo3conf/ which does not match against the fileDenyPattern)
                                                if (t3lib_div::verifyFilenameAgainstDenyPattern($this->jumpurl) && basename(dirname($this->jumpurl)) !== 'typo3conf') {
                                                        if (@is_file($this->jumpurl)) {
-                                                               $mimeType = t3lib_div::_GP('mimeType');
                                                                $mimeType = $mimeType ? $mimeType : 'application/octet-stream';
                                                                header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
                                                                header('Content-Type: '.$mimeType);