Fixed bug #14712: The GET/POST variable mimeType is used to create the http header...
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:14:10 +0000 (09:14 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:14:10 +0000 (09:14 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@8408 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/cms/tslib/class.tslib_content.php
typo3/sysext/cms/tslib/class.tslib_fe.php

index 28f89f2..5e43a36 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,7 @@
        * Fixed bug #15254: Extension Manager allows to edit arbitrary files if noEdit flag is not set (thanks to Helmut Hummel)
        * Fixed bug #14389: phtml is also PHP extension and should be denied editing / uploading via fileadmin (thanks to Ernesto Baschny)
        * Fixed bug #1985: XSS vulnerability in wizard classes
+       * Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
 
 2010-07-21  Ingo Renner  <ingo@typo3.org>
 
index 7dea37b..8d09248 100755 (executable)
@@ -3978,7 +3978,9 @@ class tslib_cObj {
                        while(list(,$v)=each($mimeTypes))       {
                                $parts = explode('=',$v,2);
                                if (strtolower($fI['extension']) == strtolower(trim($parts[0])))        {
-                                       $mimetype = '&mimeType='.rawurlencode(trim($parts[1]));
+                                       $mimetypeValue = trim($parts[1]);
+                                       $mimetype = '&mimeType=' . rawurlencode($mimetypeValue);
+                                       break;
                                }
                        }
                }
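Review bot: `$mimetypeValue` is assigned only inside the matching branch of the loop, so when no configured entry matches `$fI['extension']` it appears to be undefined when the next hunk puts it into `$hArr`. The signed value then depends on how an unset variable serializes, and it must match whatever `tslib_fe::jumpUrl()` gets from `t3lib_div::_GP('mimeType')` when the parameter is absent. Make the contract explicit by normalising both sides to a string: `$mimetypeValue = '';` before the loop here, and `(string) t3lib_div::_GP('mimeType')` on the verifying side. The two changes must ship together, otherwise links without a MIME type may stop validating. The enclosing method starts and ends outside the hunk, so an initialisation above the visible lines cannot be ruled out.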
@@ -3987,6 +3989,7 @@ class tslib_cObj {
                $hArr = array(
                        $jumpUrl,
                        $locationData,
+                       $mimetypeValue,
                        $GLOBALS['TSFE']->TYPO3_CONF_VARS['SYS']['encryptionKey']
                );
                $juHash='&juHash='.t3lib_div::shortMD5(serialize($hArr));
index 5a00a61..de3d0ad 100755 (executable)
@@ -2519,13 +2519,16 @@ require_once (PATH_t3lib.'class.t3lib_lock.php');
        function jumpUrl()      {
                if ($this->jumpurl)     {
                        if (t3lib_div::_GP('juSecure')) {
+                               $locationData = t3lib_div::_GP('locationData');
+                               $mimeType = t3lib_div::_GP('mimeType');
+
                                $hArr = array(
                                        $this->jumpurl,
                                        t3lib_div::_GP('locationData'),
+                                       t3lib_div::_GP('mimeType'),
                                        $this->TYPO3_CONF_VARS['SYS']['encryptionKey']
                                );
                                $calcJuHash=t3lib_div::shortMD5(serialize($hArr));
-                               $locationData = t3lib_div::_GP('locationData');
                                $juHash = t3lib_div::_GP('juHash');
                                if ($juHash == $calcJuHash)     {
                                        if ($this->locDataCheck($locationData)) {
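Review bot: The new locals `$locationData` and `$mimeType` are read once at the top, but `$hArr` still calls `t3lib_div::_GP('locationData')` and `t3lib_div::_GP('mimeType')` again, so the value that is hashed and the value later written to the `Content-Type` header come from separate reads. Build the array from the locals (`$locationData,` and `$mimeType,`) so it is evident that the verified value is the one used. Because the hash check is now what keeps a request-supplied `mimeType` out of the header, the context line `if ($juHash == $calcJuHash)` would be safer as a strict string comparison, `if ((string) $juHash === $calcJuHash)`, since `==` compares numeric-looking strings by value. jumpUrl() continues outside the hunk.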
@@ -2533,7 +2536,6 @@ require_once (PATH_t3lib.'class.t3lib_lock.php');
                                                        // Deny access to files that match TYPO3_CONF_VARS[SYS][fileDenyPattern] and whose parent directory is typo3conf/ (there could be a backup file in typo3conf/ which does not match against the fileDenyPattern)
                                                if (t3lib_div::verifyFilenameAgainstDenyPattern($this->jumpurl) && basename(dirname($this->jumpurl)) !== 'typo3conf') {
                                                        if (@is_file($this->jumpurl)) {
-                                                               $mimeType = t3lib_div::_GP('mimeType');
                                                                $mimeType = $mimeType ? $mimeType : 'application/octet-stream';
                                                                header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
                                                                header('Content-Type: '.$mimeType);