[TASK] Disallow multi-line HTTP headers 00/44900/2
author Helmut Hummel <helmut.hummel@typo3.org>
Sun, 22 Nov 2015 13:00:52 +0000 (14:00 +0100)
committer Markus Klein <markus.klein@typo3.org>
Thu, 26 Nov 2015 22:51:32 +0000 (23:51 +0100)
PHP removed the support for this deprecated HTTP specification
in recent versions of PHP, thus we should remove these as well.

Besides that, we add an additional check for newlines
in GeneralUtility::locationHeaderUrl() to prevent potential
issues with Internet Explorer.
These lines can be removed once the minimum PHP requirement
is raised.

Releases: master, 6.2
Resolves: #58816
Change-Id: I38d26affd31913b82a972ac90ebf906a45b92e05
Reviewed-on: https://review.typo3.org/44900
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
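The following PHP snippet is an added illustration of the problem the commit message describes; it is not TYPO3 code and not part of this change. It mirrors the newline check from the patch in a stand-alone function (hypothetical name locationHeaderUrlChecked, constant BASE_URL standing in for what TYPO3 derives from TYPO3_REQUEST_DIR) and runs it over a few constructed redirect targets, including one that carries a raw CR LF pair and would otherwise start a second header, and one that carries only percent-encoded CR LF, which the check deliberately lets through.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. BASE_URL and locationHeaderUrlChecked()
// are assumptions made for this example; TYPO3 itself builds the prefix from
// getIndpEnv('TYPO3_REQUEST_DIR').
const BASE_URL = 'https://example.test/site/';

/**
 * Returns an absolute URL that is safe to put into a Location: header, or
 * throws when the value contains a CR or LF byte. A raw CR LF inside the
 * header value ends the Location header early, and whatever follows is
 * parsed by the client as a further header line (header injection).
 */
function locationHeaderUrlChecked(string $path): string
{
    $parts = parse_url($path);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // Relative target: prepend the request base, as the patched function
        // does with TYPO3_REQUEST_DIR (simplified here).
        $path = BASE_URL . ltrim($path, '/');
    }
    // The same test the patch adds: any CR or LF anywhere in the final value
    // is refused, after the prefix has been prepended, so the whole string
    // that would reach header() is covered.
    if (strpbrk($path, "\r\n") !== false) {
        // json_encode() escapes the control bytes so the message itself is
        // safe to log or display.
        throw new \InvalidArgumentException(
            'HTTP header injection attempt in ' . json_encode($path)
        );
    }
    return $path;
}

// Constructed sample inputs for the demonstration.
$samples = [
    '/login',                                  // plain relative path: accepted
    'https://example.test/done',               // absolute URL: accepted
    "/login\r\nSet-Cookie: sid=attacker",      // raw CR LF: rejected
    "/login\nX-Injected: 1",                   // bare LF: rejected as well
    '/login%0d%0aSet-Cookie: sid=attacker',    // percent-encoded only: accepted,
                                               // header() does not decode it, so
                                               // it stays part of the URL path
];

foreach ($samples as $input) {
    try {
        $url = locationHeaderUrlChecked($input);
        // Real use would be: header('Location: ' . $url);
        echo 'accepted: ', json_encode($url), PHP_EOL;
    } catch (\InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The check is intentionally byte-level: it looks for literal 0x0D and 0x0A and does not decode percent-escapes, because a Location value is emitted verbatim and "%0d%0a" never becomes a line break on the wire. Note also that the example escapes the offending value in the exception message rather than concatenating it raw, so the CR LF cannot travel on into a log file or error page.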
typo3/sysext/core/Classes/Utility/GeneralUtility.php

index 84a5e92..2788460 100755 (executable)
@@ -3141,6 +3141,7 @@ Connection: close
         *
         * @param string $path URL / path to prepend full URL addressing to.
         * @return string
+        * @throws \InvalidArgumentException
         */
        static public function locationHeaderUrl($path) {
                $uI = parse_url($path);
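Review bot: the new `@throws \InvalidArgumentException` line in the docblock does not say when the exception is raised; since the function is called from redirect code that may want to catch it, state the condition, e.g. `@throws \InvalidArgumentException if $path contains a CR or LF character`.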
@@ -3151,6 +3152,9 @@ Connection: close
                        // No scheme either
                        $path = self::getIndpEnv('TYPO3_REQUEST_DIR') . $path;
                }
+               if (strpbrk($path, "\r\n") !== false) {
+                       throw new \InvalidArgumentException('HTTP header injection attempt in "' . $path . '"', 1448194036);
+               }
                return $path;
        }
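Review bot: the exception message concatenates the raw `$path`, which at this point is known to contain CR or LF, into `'HTTP header injection attempt in "' . $path . '"'`; if that message is written to a log or rendered in an error page, the control characters go with it. Consider escaping the value (for example with `addcslashes($path, "\r\n")` or `json_encode($path)`) or omitting it from the message. The placement of the `strpbrk($path, "\r\n")` test after the TYPO3_REQUEST_DIR prefix has been prepended is correct, since it covers the complete value returned to the caller.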