[SECURITY] Disallow javascript & data scheme in URL link handler 41/61141/2
authorOliver Hader <oliver@typo3.org>
Tue, 25 Jun 2019 06:41:16 +0000 (08:41 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 25 Jun 2019 06:41:21 +0000 (08:41 +0200)
URLs defined using TYPO3's internal t3://url/?url=... notation are
now hardened against using `javascript:` and `data:` URL schemes.

Resolves: #88476
Releases: master, 9.5, 8.7
Security-Commit: 1a873c662524a62b192661da45d27e223e517d18
Security-Bulletin: TYPO3-CORE-SA-2019-015
Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php

index 8a3ee7b..aa9e05c 100644 (file)
@@ -51,9 +51,12 @@ class UrlLinkHandler implements LinkHandlingInterface
     protected function addHttpSchemeAsFallback(string $url): string
     {
         if (!empty($url)) {
-            $urlParts = parse_url($url);
-            if (empty($urlParts['scheme'])) {
+            $scheme = parse_url($url, PHP_URL_SCHEME);
+            if (empty($scheme)) {
                 $url = 'http://' . $url;
+            } elseif (in_array(strtolower($scheme), ['javascript', 'data'], true)) {
+                // deny using insecure scheme's like `javascript:` or `data:` as URL scheme
+                $url = '';
             }
         }
         return $url;
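Review bot: The deny list on the `elseif` line is a literal `['javascript', 'data']` that is repeated verbatim in ContentObjectRenderer (the third hunk on this page), so the two checks will drift the next time a scheme is added; a shared constant such as `private const DENIED_SCHEMES = ['javascript', 'data'];` referenced from both places keeps them in step. A deny list only blocks the schemes it names, so if the handler has a bounded set of expected schemes (the test hunk shows `tel`, `sftp` and the http fallback), an allow list would be the more robust shape — this depends on what callers of LinkHandlingInterface expect, which is not visible here. Rejecting by assigning `''` is silent; if the class has a logger available it may be worth recording the dropped value so that attempts show up in logs, otherwise callers cannot tell a denied URL from an empty one. The new comment `// deny using insecure scheme's like ...` carries a stray apostrophe — `// deny insecure schemes such as javascript: or data:` — and the same wording appears in the ContentObjectRenderer hunk. The closing brace of addHttpSchemeAsFallback lies just outside the hunk.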
index 4e8175c..36ffa35 100644 (file)
@@ -90,7 +90,22 @@ class UrlLinkHandlerTest extends UnitTestCase
                     'url' => 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
                 ],
                 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
-            ]
+            ],
+            'tel URL' => [
+                ['url' => 'tel:+1-2345-6789'],
+                ['url' => 'tel:+1-2345-6789'],
+                'tel:+1-2345-6789'
+            ],
+            'javascript URL (denied)' => [
+                ['url' => 'javascript:alert(\'XSS\')'],
+                ['url' => ''],
+                ''
+            ],
+            'data URL (denied)' => [
+                ['url' => 'data:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'],
+                ['url' => ''],
+                ''
+            ],
         ];
     }
 
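Review bot: The new denied-scheme datasets only use lower-case schemes, while the handler normalises with `strtolower()` before the `in_array()` check, so the case-insensitive branch is untested and a regression there would go unnoticed. Adding mixed- and upper-case variants of the two denied cases pins that behaviour. The data provider method that holds these datasets starts before the hunk; only the end of its array is visible.
```php
            'javascript URL, mixed case (denied)' => [
                ['url' => 'JavaScript:alert(\'XSS\')'],
                ['url' => ''],
                ''
            ],
            'data URL, upper case (denied)' => [
                ['url' => 'DATA:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'],
                ['url' => ''],
                ''
            ],
            // … unchanged: closing of the data provider array …
```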
index 1c843ee..32eea01 100644 (file)
@@ -4939,7 +4939,7 @@ class ContentObjectRenderer implements LoggerAwareInterface
                 return $linkText;
             }
         } elseif (in_array(strtolower(trim($linkHandlerKeyword)), ['javascript', 'data'], true)) {
-            // Disallow direct javascript: or data: links
+            // Disallow insecure scheme's like javascript: or data:
             return $linkText;
         } else {
             $linkParameter = $linkParameterParts['url'];