[BUGFIX] AddController: RemoveXSS on REQUEST_URI 80/20680/5
authorLaurent Cherpit <lcherpit@ttree.ch>
Mon, 29 Jun 2015 22:06:59 +0000 (00:06 +0200)
committerAnja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 30 Jun 2015 08:13:20 +0000 (10:13 +0200)
sanitizeLocalUrl() fails to compare returnUrl value if the TCA column of a
field type "select" contains configuration keys like "itemListStyle" or
"selectedListStyle".
In "AddController", using RemoveXSS on request_uri before assigning the
returnUrl parameter, the comparaison of the params of returnUrl will
match on the backlink generation used to close the editForm.

If returnUrl contains string with "style" in it, it will be processed in
the same manner by sanitizeLocalUrl. So the backlink of the editForm
will not be dummy.php.

Change-Id: I5f3282766fe6cf9cae24f70d7f979ce4be004d5f
Resolves: #48096
Releases: master
Reviewed-on: http://review.typo3.org/20680
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
typo3/sysext/backend/Classes/Controller/Wizard/AddController.php

index bea7334..bd00b6b 100644 (file)
@@ -211,7 +211,7 @@ class AddController extends AbstractWizardController {
                        $redirectUrl = BackendUtility::getModuleUrl('record_edit', array(
                                'returnEditConf' => 1,
                                'edit[' . $this->P['params']['table'] . '][' . $this->pid . ']' => 'new',
-                               'returnUrl' => GeneralUtility::getIndpEnv('REQUEST_URI')
+                               'returnUrl' => GeneralUtility::removeXSS(GeneralUtility::getIndpEnv('REQUEST_URI'))
                        ));
                        HttpUtility::redirect($redirectUrl);
                }