[BUGFIX] Fix double encoded returnUrl parameters in file search 77/50077/2
authorWouter Wolters <typo3@wouterwolters.nl>
Fri, 30 Sep 2016 13:22:52 +0000 (15:22 +0200)
committerNicole Cordes <typo3@cordes.co>
Thu, 6 Oct 2016 09:04:31 +0000 (11:04 +0200)
In ext:filelist you can search for files. All actions that carry
a returnUrl parameter lead to CSRF-token issues, because the
returnUrl is double encoded. Remove the double encoding.

Resolves: #78124
Releases: master
Change-Id: I2719b6e7905576c307e4bdc06d5e6384625a4da3
Reviewed-on: https://review.typo3.org/50077
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Josef Glatz <josef.glatz@typo3.org>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
typo3/sysext/filelist/Resources/Private/Templates/FileList/Search.html

index 35f5014..719b642 100644 (file)
@@ -43,7 +43,7 @@
                                                                <f:then>
                                                                        <a href="#" class="filelist-file-title"
                                                                                title="{f:translate( htmlEscape:'true', key:'LLL:EXT:lang/locallang_core.xlf:cm.editMetadata' )}"
-                                                                               data-url="{fl:uri.editSysFileMetadataRecord( uid:file.metadataUid, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } )}' )}"
+                                                                               data-url="{fl:uri.editSysFileMetadataRecord( uid:file.metadataUid, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } ) -> f:format.raw()}' )}"
                                                                        >
                                                                                {file.name}
                                                                        </a>
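Review bot: The `searchWord->f:format.htmlentities()` filter inside the returnUrl argument of the changed data-url line is itself still an encoding applied before URL encoding: f:uri.action URL-encodes its arguments, so a search term containing `&`, `<` or a quote lands in the returnUrl in its entity form, and after the redirect the search presumably runs for the entity-encoded term rather than the one the user typed. Since the outer fl:uri.editSysFileMetadataRecord output is still escaped when it is rendered into the attribute, the inner htmlentities call looks redundant and the argument could read `arguments:{ searchWord:searchWord }`, unless the search action is known to expect the entity-encoded value. The same pattern is repeated in the editFileContent, replaceFile and renameFile hunks below. A short `<f:comment>` next to the first occurrence stating that `-> f:format.raw()` is required because the inline argument would otherwise be HTML-escaped and then URL-encoded a second time would keep a later cleanup from re-introducing the double encoding.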
@@ -63,7 +63,7 @@
                                                                        <f:then>
                                                                                <a href="#" class="btn btn-default filelist-file-edit"
                                                                                        title="{f:translate( htmlEscape:'true', key:'LLL:EXT:lang/locallang_core.xlf:cm.editcontent' )}"
-                                                                                       data-url="{fl:uri.editFileContent( file:file.resource, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } )}' )}"
+                                                                                       data-url="{fl:uri.editFileContent( file:file.resource, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } ) -> f:format.raw()}' )}"
                                                                                >
                                                                                        <core:icon identifier="actions-page-open" />
                                                                                </a>
@@ -91,7 +91,7 @@
                                                                        <f:then>
                                                                                <a href="#" class="btn btn-default filelist-file-replace"
                                                                                        title="{f:translate( htmlEscape:'true', key:'LLL:EXT:lang/locallang_core.xlf:cm.replace' )}"
-                                                                                       data-url="{fl:uri.replaceFile( file:file.resource, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } )}' )}"
+                                                                                       data-url="{fl:uri.replaceFile( file:file.resource, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } ) -> f:format.raw()}' )}"
                                                                                >
                                                                                        <core:icon identifier="actions-edit-replace" />
                                                                                </a>
                                                                        <f:then>
                                                                                <a href="#" class="btn btn-default filelist-file-rename"
                                                                                        title="{f:translate( htmlEscape:'true', key:'LLL:EXT:lang/locallang_core.xlf:cm.rename' )}"
-                                                                                       data-url="{fl:uri.renameFile( file:file.resource, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } )}' )}"
+                                                                                       data-url="{fl:uri.renameFile( file:file.resource, returnUrl:'{f:uri.action( action:\'search\', arguments:{ searchWord:\'{searchWord->f:format.htmlentities()}\' } ) -> f:format.raw()}' )}"
                                                                                >
                                                                                        <core:icon identifier="actions-edit-rename" />
                                                                                </a>