URLs defined using TYPO3's internal t3://url/?url=... notation are
now hardened against using `javascript:` and `data:` URL schemes.
Resolves: #88476
Releases: master, 9.5, 8.7
Security-Commit:
1a873c662524a62b192661da45d27e223e517d18
Security-Bulletin: TYPO3-CORE-SA-2019-015
Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
protected function addHttpSchemeAsFallback(string $url): string
{
if (!empty($url)) {
- $urlParts = parse_url($url);
- if (empty($urlParts['scheme'])) {
+ $scheme = parse_url($url, PHP_URL_SCHEME);
+ if (empty($scheme)) {
$url = 'http://' . $url;
+ } elseif (in_array(strtolower($scheme), ['javascript', 'data'], true)) {
+ // deny using insecure scheme's like `javascript:` or `data:` as URL scheme
+ $url = '';
}
}
return $url;
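Review bot: The `elseif` branch rejects only `javascript` and `data`, so the fix is a denylist; other schemes a browser may treat as executable or inline content (e.g. `vbscript:` in legacy engines) still pass through, and every future addition has to be remembered here and in the `$linkHandlerKeyword` check in the other hunk, which repeats the same two-entry list. If the set of legitimate schemes for this link type is known, an allowlist check in this branch is the more durable shape: `} elseif (!in_array(strtolower($scheme), self::ALLOWED_URL_SCHEMES, true)) {` with the list held in one constant used by both call sites. Also worth stating in the docblock that the method now returns `''` for a denied scheme, since callers must treat an empty return as "no link" rather than as a relative URL; and `parse_url()` returns `false` for badly malformed input, in which case `empty($scheme)` still prepends `http://` — probably acceptable, but a short comment such as `// parse_url() may return false; treat as "no scheme"` would make it deliberate. The comment text `insecure scheme's like` should read `insecure schemes like` (the same wording appears in the other hunk's replacement comment). The function's closing brace lies outside the hunk.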
'url' => 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
],
'sftp://nice:andsecret@www.have.you:23/ever?did=this'
- ]
+ ],
+ 'tel URL' => [
+ ['url' => 'tel:+1-2345-6789'],
+ ['url' => 'tel:+1-2345-6789'],
+ 'tel:+1-2345-6789'
+ ],
+ 'javascript URL (denied)' => [
+ ['url' => 'javascript:alert(\'XSS\')'],
+ ['url' => ''],
+ ''
+ ],
+ 'data URL (denied)' => [
+ ['url' => 'data:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'],
+ ['url' => ''],
+ ''
+ ],
];
}
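Review bot: The two denied datasets use lowercase schemes only, so they do not exercise the `strtolower()` normalisation the implementation relies on; a mixed-case variant would pin that behaviour rather than just the literal strings. Suggest adding `'javascript URL mixed case (denied)' => [['url' => 'JavaScript:alert(\'XSS\')'], ['url' => ''], '']` and, symmetrically, `'data URL mixed case (denied)' => [['url' => 'DATA:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'], ['url' => ''], '']`. A dataset for a scheme-less input (e.g. `www.example.org`) expecting the `http://` fallback would also document the other branch of the same method, if it is not already covered elsewhere in the provider.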
return $linkText;
}
} elseif (in_array(strtolower(trim($linkHandlerKeyword)), ['javascript', 'data'], true)) {
- // Disallow direct javascript: or data: links
+ // Disallow insecure scheme's like javascript: or data:
return $linkText;
} else {
$linkParameter = $linkParameterParts['url'];