Fixed bug #10364: Jumpurl feature allows to access arbitrary files on a server (thank...
authorMichael Stucki <michael.stucki@typo3.org>
Tue, 10 Feb 2009 08:01:54 +0000 (08:01 +0000)
committerMichael Stucki <michael.stucki@typo3.org>
Tue, 10 Feb 2009 08:01:54 +0000 (08:01 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@4983 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/cms/tslib/class.tslib_fe.php

index 72871a6..05a0b38 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 2009-02-10  Michael Stucki  <michael@typo3.org>
 
+       * Fixed bug #10364: Jumpurl feature allows to access arbitrary files on a server (thanks to the TYPO3 Security Team and especially Marcus Krause)
        * Fixed bug #10298: Various XSS issues in the BE user admin module
 
 2009-02-08  Ingo Renner  <ingo@typo3.org>
index a460690..bbec4bc 100755 (executable)
@@ -2610,7 +2610,7 @@ require_once (PATH_t3lib.'class.t3lib_lock.php');
                                                        exit;
                                                } else die('jumpurl Secure: "'.$this->jumpurl.'" was not a valid file!');
                                        } else die('jumpurl Secure: locationData, '.$locationData.', was not accessible.');
-                               } else die('jumpurl Secure: Calculated juHash, '.$calcJuHash.', did not match the submitted juHash.');
+                               } else die('jumpurl Secure: Calculated juHash did not match the submitted juHash.');
                        } else {
                                $TSConf = $this->getPagesTSconfig();
                                if ($TSConf['TSFE.']['jumpUrl_transferSession'])        {
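Review bot: The two neighbouring `die()` calls kept as context in this hunk still concatenate `$this->jumpurl` and `$locationData` into the response unescaped, so if either value is request-derived the client can still influence the error output, even though `$calcJuHash` is no longer disclosed. Both appear to sit inside the branch taken after the juHash matched, which would limit who can reach them, but the enclosing method starts and ends outside the hunk, so that nesting cannot be confirmed from here. I would either drop the values from the messages or escape them, e.g. `} else die('jumpurl Secure: "'.htmlspecialchars($this->jumpurl).'" was not a valid file!');`, and likewise `htmlspecialchars($locationData)`. A failed juHash comparison is also worth recording server-side, without the calculated hash, so that repeated mismatches show up in logs and not only in the client response.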