[SECURITY] Possible XSS in felogin messages 67/45267/2
authorGeorg Ringer <mail@ringerge.org>
Tue, 15 Dec 2015 10:34:15 +0000 (11:34 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:34:24 +0000 (11:34 +0100)
Change default TypoScript to encode messages in felogin
with htmlspecialchars.

Fix two occurrences of _LOCAL_LANG messages where htmlspecialchars
was missing.

Resolves: #25243
Releases: master, 6.2
Security-Commit: dd8cdadc5ff64ff415035490646e8cf2578ee396
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I186f8cb344b9b16f38d11926529a52e7ed4c831d
Reviewed-on: https://review.typo3.org/45267
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
typo3/sysext/felogin/ext_typoscript_setup.txt

index 8bc91b0..ec7b663 100644 (file)
@@ -168,7 +168,7 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
                // Process the redirect
                if (($this->logintype === 'login' || $this->logintype === 'logout') && $this->redirectUrl && !$this->noRedirect) {
                        if (!$GLOBALS['TSFE']->fe_user->isCookieSet() && $this->userIsLoggedIn) {
-                               $content .= $this->cObj->stdWrap($this->pi_getLL('cookie_warning', '', TRUE), $this->conf['cookieWarning_stdWrap.']);
+                               $content .= $this->cObj->stdWrap($this->pi_getLL('cookie_warning'), $this->conf['cookieWarning_stdWrap.']);
                        } else {
                                // Add hook for extra processing before redirect
                                if (
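Review bot: Dropping the third `pi_getLL()` argument at the changed line moves the HTML encoding of `cookie_warning` out of the PHP and into `cookieWarning_stdWrap`, so the safeguard now only holds as long as the TypoScript keeps `htmlSpecialChars = 1`; a site that overrides `cookieWarning_stdWrap` just to change the wrap silently loses the encoding. That trade-off (avoiding double-encoding versus depending on configuration) deserves a comment at the call site so the `TRUE` is not reintroduced and the dependency is visible, e.g. `// Encoding is delegated to cookieWarning_stdWrap (htmlSpecialChars = 1 in ext_typoscript_setup.txt); do not pass hsc=TRUE here or the label is double-encoded.` The enclosing method starts and ends outside this hunk.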
@@ -240,7 +240,7 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
                                        $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap($error, $this->conf['forgotErrorMessage_stdWrap.']);
                                } else {
                                        $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap(
-                                               $this->pi_getLL('ll_forgot_reset_message_emailSent', '', TRUE),
+                                               $this->pi_getLL('ll_forgot_reset_message_emailSent'),
                                                $this->conf['forgotResetMessageEmailSentMessage_stdWrap.']
                                        );
                                }
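Review bot: The `$error` branch on the context line above the change is now encoded only through `forgotErrorMessage_stdWrap`, exactly like the `ll_forgot_reset_message_emailSent` label, but `$error` is built outside this hunk and it is not visible here whether it can contain anything other than `_LOCAL_LANG` text; if any part of it is derived from the submitted e-mail/username it should be confirmed that the value reaches `stdWrap` raw rather than pre-escaped, otherwise it is double-encoded. A one-line comment on the `###STATUS_MESSAGE###` assignment stating where `$error` comes from and that `stdWrap` is responsible for escaping would make that invariant checkable, e.g. `// $error is raw text; forgotErrorMessage_stdWrap (htmlSpecialChars = 1) escapes it`. The enclosing method starts and ends outside this hunk.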
@@ -900,7 +900,7 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
         * @return string label text
         */
        protected function getDisplayText($label, $stdWrapArray = array()) {
-               $text = $this->flexFormValue($label, 's_messages') ? $this->cObj->stdWrap($this->flexFormValue($label, 's_messages'), $stdWrapArray) : $this->cObj->stdWrap($this->pi_getLL('ll_' . $label, '', TRUE), $stdWrapArray);
+               $text = $this->flexFormValue($label, 's_messages') ? $this->cObj->stdWrap($this->flexFormValue($label, 's_messages'), $stdWrapArray) : $this->cObj->stdWrap($this->pi_getLL('ll_' . $label), $stdWrapArray);
                $replace = $this->getUserFieldMarkers();
                return strtr($text, $replace);
        }
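Review bot: In `getDisplayText()` the encoding now happens inside `stdWrap` on the changed line, but `strtr($text, $replace)` on the following line substitutes the `getUserFieldMarkers()` values afterwards, so `htmlSpecialChars = 1` in `$stdWrapArray` does not cover the fe_users field values injected into the message; their escaping must happen in `getUserFieldMarkers()` (outside this hunk, presumably via the "stdWrap for fe_users fields" configuration), and the change is safe only if that holds. Note also that the flexform branch (`s_messages`, editor-entered text) was never run through `htmlspecialchars` in the old code either, so for that branch the TypoScript default is now the only protection. I would document both facts on the method, e.g. a docblock line `Escaping of the label/flexform text is delegated to $stdWrapArray (htmlSpecialChars = 1 by default); user-field markers are substituted after stdWrap and must be escaped by getUserFieldMarkers().` The method's docblock starts outside this hunk.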
index 3fbc090..bad36c7 100644 (file)
@@ -35,66 +35,85 @@ plugin.tx_felogin_pi1 {
 
        welcomeHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        welcomeMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        successHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        successMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        logoutHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        logoutMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        errorHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        errorMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        forgotHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        forgotMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        forgotErrorMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        forgotResetMessageEmailSentMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordNotValidMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordTooShortMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordNotEqualMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        changePasswordHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        changePasswordMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordDoneMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
     }
 
        cookieWarning_stdWrap {
                wrap = <p style="color:red; font-weight:bold;">|</p>
+               htmlSpecialChars = 1
        }
 
        # stdWrap for fe_users fields used in Messages
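Review bot: Every message stdWrap in this hunk gets `htmlSpecialChars = 1`, which is now the only XSS safeguard for `_LOCAL_LANG` and flexform messages, yet nothing in the file says so; integrators routinely copy one of these blocks to change the `wrap` and will drop the line without noticing. A single comment above `welcomeHeader_stdWrap`, e.g. `# htmlSpecialChars = 1 escapes message texts from _LOCAL_LANG / flexform (see TYPO3-CORE-SA-2015-010..015); keep it when overriding these stdWraps`, would make the intent explicit. Two consequences are worth stating there as well: `htmlSpecialChars` is applied before `wrap` in stdWrap order, so the `<h3>`/`<div>` wraps stay intact but any HTML that sites placed in translated messages is now rendered literally, and existing translations that already contain entities such as `&amp;` will be double-encoded unless `htmlSpecialChars.preserveEntities = 1` is set (I believe stdWrap supports that sub-option in this version; confirm). The inconsistent closing brace indentation at `changePasswordDoneMessage_stdWrap` is pre-existing context, not introduced here.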