[BUGFIX] Regression: jumpUrl_transferSession throws hash exception 70/19270/6
authorErnesto Baschny <ernst@cron-it.de>
Thu, 21 Mar 2013 08:24:26 +0000 (09:24 +0100)
committerChristian Kuhn <lolli@schwarzbu.ch>
Mon, 10 Feb 2014 12:34:55 +0000 (13:34 +0100)
jumpUrl_transferSession adds some more parameters
to the URL, making the juHash invalid.
Simply add the check for the allowed redirection
before the jumpurl is internally modified.

Resolves: #46463
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I53fad094caca37b476e07cae953105623e038e85
Reviewed-on: https://review.typo3.org/19270
Reviewed-by: Helmut Hummel
Reviewed-by: Alexander Stehlik
Tested-by: Alexander Stehlik
Reviewed-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Neufeind
Reviewed-by: Marcin Sągol
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php

index d883aed..1a45074 100644 (file)
@@ -2881,31 +2881,6 @@ class TypoScriptFrontendController {
                                        throw new \Exception('jumpurl Secure: Calculated juHash did not match the submitted juHash.', 1294585196);
                                }
                        } else {
-                               $TSConf = $this->getPagesTSconfig();
-                               if ($TSConf['TSFE.']['jumpUrl_transferSession']) {
-                                       $uParts = parse_url($this->jumpurl);
-                                       $params = '&FE_SESSION_KEY=' . rawurlencode(($this->fe_user->id . '-' . md5(($this->fe_user->id . '/' . $this->TYPO3_CONF_VARS['SYS']['encryptionKey']))));
-                                       // Add the session parameter ...
-                                       $this->jumpurl .= ($uParts['query'] ? '' : '?') . $params;
-                               }
-                               if ($TSConf['TSFE.']['jumpURL_HTTPStatusCode']) {
-                                       switch ((int)$TSConf['TSFE.']['jumpURL_HTTPStatusCode']) {
-                                               case 301:
-                                                       $statusCode = HttpUtility::HTTP_STATUS_301;
-                                                       break;
-                                               case 302:
-                                                       $statusCode = HttpUtility::HTTP_STATUS_302;
-                                                       break;
-                                               case 307:
-                                                       $statusCode = HttpUtility::HTTP_STATUS_307;
-                                                       break;
-                                               case 303:
-
-                                               default:
-                                                       $statusCode = HttpUtility::HTTP_STATUS_303;
-                                       }
-                               }
-
                                $allowRedirect = FALSE;
                                if (\TYPO3\CMS\Core\Utility\GeneralUtility::hmac($this->jumpurl, 'jumpurl') === (string)\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('juHash')) {
                                        $allowRedirect = TRUE;
@@ -2922,8 +2897,28 @@ class TypoScriptFrontendController {
                                                }
                                        }
                                }
-
                                if ($allowRedirect) {
+                                       $TSConf = $this->getPagesTSconfig();
+                                       if ($TSConf['TSFE.']['jumpUrl_transferSession']) {
+                                               $uParts = parse_url($this->jumpurl);
+                                               $params = '&FE_SESSION_KEY=' . rawurlencode(($this->fe_user->id . '-' . md5(($this->fe_user->id . '/' . $this->TYPO3_CONF_VARS['SYS']['encryptionKey']))));
+                                               // Add the session parameter ...
+                                               $this->jumpurl .= ($uParts['query'] ? '' : '?') . $params;
+                                       }
+                                       $statusCode = HttpUtility::HTTP_STATUS_303;
+                                       if ($TSConf['TSFE.']['jumpURL_HTTPStatusCode']) {
+                                               switch ((int)$TSConf['TSFE.']['jumpURL_HTTPStatusCode']) {
+                                                       case 301:
+                                                               $statusCode = HttpUtility::HTTP_STATUS_301;
+                                                               break;
+                                                       case 302:
+                                                               $statusCode = HttpUtility::HTTP_STATUS_302;
+                                                               break;
+                                                       case 307:
+                                                               $statusCode = HttpUtility::HTTP_STATUS_307;
+                                                               break;
+                                               }
+                                       }
                                        HttpUtility::redirect($this->jumpurl, $statusCode);
                                } else {
                                        throw new \Exception('jumpurl: Calculated juHash did not match the submitted juHash.', 1359987599);
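Review bot: The added `jumpUrl_transferSession` block writes the frontend session id, plus an md5 value derived from it and the encryption key, into the query string of the redirect target, so it reaches the destination host and any access log, proxy or Referer header that sees that URL. Running it only when `$allowRedirect` is true is the right order, but the conditions that set `$allowRedirect` lie partly outside this hunk, so it is not visible here whether they limit the target to hosts that should receive a session. I would at least record the constraint next to the append, e.g. `// FE_SESSION_KEY exposes the session id to the target host: enable jumpUrl_transferSession only for hosts of this installation`. The check value is a plain `md5()` over id and key, while the juHash comparison above uses `GeneralUtility::hmac()`; moving to the HMAC helper would be preferable if the code that consumes FE_SESSION_KEY (not shown) can change with it. Separately, `$uParts['query']` is read without checking that `parse_url()` succeeded or that the key exists, so `!empty($uParts['query'])` would be safer, and a target containing a `#fragment` would get the parameter appended inside the fragment.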