[SECURITY] Unsafe unserialize of GET parameter in Add-Wizard 16/26216/2
author Steffen Ritter <info@rs-websystems.de>
Tue, 10 Dec 2013 09:54:24 +0000 (10:54 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:54:28 +0000 (10:54 +0100)
If the TCEforms wizard "add" is used, the originally opened document
is closed and a new one is created in which you then add a new
element to be related.

In order to "store" the originating document which has been
edited, the Wizard/AddController and EditDocumentController
exchange state data in a URL parameter.

This state array is serialized in the EditDocumentController
and again unserialized in the Wizard/AddController from that
GET parameter. Without any checks, any code can be injected
to be unserialized here - even though we just need an array
with some data.

This patch changes serialize/unserialize to json_encode and
json_decode. Since the GET parameter is only used in
conjunction with these two classes, it is safe to change the
format in which the URL parameters are serialized.

Change-Id: I3b41bd0a688f067af2ea4a345ce0264f61bdecf7
Fixes: #54073
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 7148349140f9c8ccb6d847ef58cf1e032711315b
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26216
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Controller/EditDocumentController.php
typo3/sysext/backend/Classes/Controller/Wizard/AddController.php
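As an added illustration of the safer round-trip described in the commit message (example code, not TYPO3's own): the state is JSON-encoded on one side and, on the other, decoded with json_decode(..., true) so that only arrays and scalars can ever result, then checked against the shape the controller expects. The function names, the assumed shape (table => [uid => command]), the command set 'edit'/'new' and the PHP 7.1+ type hints are assumptions, not taken from the page.

```php
<?php
// Added example, not TYPO3 code. Shape table => [uid => command] and the
// command set are assumptions drawn from how the hunk uses $eC[$this->table].

function encodeReturnEditConf(array $editconf): string {
    $json = json_encode($editconf);
    if ($json === false) {
        // json_encode() returns false e.g. for non-UTF-8 strings; fail loudly
        throw new RuntimeException('editconf not encodable: ' . json_last_error_msg());
    }
    return rawurlencode($json);
}

/**
 * Decode the GET parameter and return only a well-formed
 * [uid => command] array for $expectedTable, or null if anything is off.
 * With $assoc = true, json_decode() yields only scalars and arrays,
 * so no object is ever instantiated from attacker-controlled input.
 */
function decodeReturnEditConf(string $raw, string $expectedTable): ?array {
    $decoded = json_decode($raw, true);
    // Malformed JSON gives null, a JSON scalar gives a non-array: reject both
    if (!is_array($decoded)
        || !isset($decoded[$expectedTable])
        || !is_array($decoded[$expectedTable])) {
        return null;
    }
    $clean = [];
    foreach ($decoded[$expectedTable] as $uid => $cmd) {
        // uid must be an integer record id, command one of the known verbs
        if (!ctype_digit((string) $uid) || !in_array($cmd, ['edit', 'new'], true)) {
            return null;
        }
        $clean[(int) $uid] = $cmd;
    }
    return $clean === [] ? null : $clean;
}

// Constructed sample: a well-formed state parameter survives the round-trip
$param = encodeReturnEditConf(['tt_content' => [42 => 'edit']]);
var_dump(decodeReturnEditConf(rawurldecode($param), 'tt_content'));

// Constructed samples: a serialized-object string and a bare scalar are
// both rejected before any code touches their content
var_dump(decodeReturnEditConf('O:8:"stdClass":0:{}', 'tt_content'));
var_dump(decodeReturnEditConf('"5"', 'tt_content'));
```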

index fdba0d0..79f6846 100644 (file)
@@ -1419,7 +1419,7 @@ class EditDocumentController {
                }
                // If ->returnEditConf is set, then add the current content of editconf to the ->retUrl variable: (used by other scripts, like wizard_add, to know which records was created or so...)
                if ($this->returnEditConf && $this->retUrl != 'dummy.php') {
-                       $this->retUrl .= '&returnEditConf=' . rawurlencode(serialize($this->editconf));
+                       $this->retUrl .= '&returnEditConf=' . rawurlencode(json_encode($this->editconf));
                }
                // If code is NOT set OR set to 1, then make a header location redirect to $this->retUrl
                if (!$code || $code == 1) {
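Review bot: the encoder change on the `$this->retUrl .= '&returnEditConf=' . rawurlencode(json_encode($this->editconf));` line is only safe if every consumer of returnEditConf switches in the same commit; AddController is the one shown here, and any URL still carrying the old serialize() format (e.g. a browser tab open across the upgrade) will now decode to NULL rather than an array, which fails closed but is worth a sentence in the commit message. Also, json_encode() returns false for strings that are not valid UTF-8, and rawurlencode(false) yields an empty parameter; editconf holds table names and record ids so this is unlikely, but checking the return value would make such a failure visible instead of silent.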
index f91bba8..e915a2b 100644 (file)
@@ -121,7 +121,7 @@ class AddController {
                // Else proceed:
                // If a new id has returned from a newly created record...
                if ($this->returnEditConf) {
-                       $eC = unserialize($this->returnEditConf);
+                       $eC = json_decode($this->returnEditConf, TRUE);
                        if (is_array($eC[$this->table]) && \TYPO3\CMS\Core\Utility\MathUtility::canBeInterpretedAsInteger($this->P['uid'])) {
                                // Getting id and cmd from returning editConf array.
                                reset($eC[$this->table]);
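Review bot: `$eC = json_decode($this->returnEditConf, TRUE);` returns NULL on malformed input and a scalar for input such as `"5"`, and the next line `if (is_array($eC[$this->table]) && ...` then indexes a non-array (a PHP notice, and an undefined-offset notice when the table key is simply absent). Guard the decoded value first, e.g. `if (is_array($eC) && isset($eC[$this->table]) && is_array($eC[$this->table]) && ...`. The switch to json_decode removes object instantiation, but the array content stays attacker-controllable, so the is_array and canBeInterpretedAsInteger checks that follow are what actually constrain it and must stay.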