[SECURITY] XSS in install tool
authorMario Rimann <mario.rimann@typo3.org>
Wed, 15 Aug 2012 10:22:16 +0000 (12:22 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 15 Aug 2012 10:22:22 +0000 (12:22 +0200)
In the "Basic Configuration" section, some configuration values are
rendered without proper escaping, either as input fields or as
regular page content. These values are now passed through
htmlspecialchars.

For the "All Configuration" form, all input fields and text area fields get now htmlspecialchars-treated.

Change-Id: I141efa5ad610bda4608f65c136af472cc3c4ec73
Fixes: #21634
Releases: 6.0, 4.7, 4.6, 4.5
Security-Commit: 1063d380e3532b69c24800f20b1127af70f820a0
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13774
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/install/mod/class.tx_install.php

index 7a6931d..9ab2918 100644 (file)
@@ -1984,9 +1984,8 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                                $textAreaMarkers = array(
                                                                        'id' => $k . '-' . $vk,
                                                                        'name' => 'TYPO3_INSTALL[extConfig]['.$k.']['.$vk.']',
-                                                                       'value' => str_replace(array("'.chr(10).'", "' . LF . '"), array(LF, LF), $value)
-                                                               );
-                                                               $value = str_replace(array("'.chr(10).'", "' . LF . '"), array(' | ', ' | '), $value);
+                                                                       'value' => htmlspecialchars(str_replace(array("'.chr(10).'", "' . LF . '"), array(LF, LF), $value)
+                                                               ));
                                                                        // Fill the markers in the subpart
                                                                $textAreaSubpart = t3lib_parsehtml::substituteMarkerArray(
                                                                        $textAreaSubpart,
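Review bot: `htmlspecialchars()` on the new `'value'` line is called with default flags, so single quotes pass through unescaped; that is only sufficient if the textarea content here and the `value` attribute built from `$textLineMarkers` in the next hunk are emitted inside double-quoted HTML in the template, which is not visible from the diff, and the same applies to the marker values escaped in the hunks below. Passing the flag explicitly, `'value' => htmlspecialchars(str_replace(array("'.chr(10).'", "' . LF . '"), array(LF, LF), $value), ENT_QUOTES),`, removes the dependency on how the template quotes the attribute. The removed reassignment `$value = str_replace(array("'.chr(10).'", "' . LF . '"), array(' | ', ' | '), $value);` is not re-added anywhere in the hunk, so if `$value` is read further down in this branch it now carries the raw multi-line text instead of the pipe-joined form; worth confirming this was intended rather than a side effect of re-bracketing the array. The enclosing method begins and ends outside the hunk.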
@@ -2020,7 +2019,7 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                                $textLineMarkers = array(
                                                                        'id' => $k . '-' . $vk,
                                                                        'name' => 'TYPO3_INSTALL[extConfig]['.$k.']['.$vk.']',
-                                                                       'value' => $value
+                                                                       'value' => htmlspecialchars($value)
                                                                );
                                                                        // Fill the markers in the subpart
                                                                $textLineSubpart = t3lib_parsehtml::substituteMarkerArray(
@@ -3520,9 +3519,9 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                $imCombineFileNameSubpart = t3lib_parsehtml::getSubpart($regularModeSubpart, '###IMCOMBINEFILENAMESUBPART###');
                                                        // Define the markers content
                                                $regularModeMarkers['labelImCombineFilename'] = '[GFX][im_combine_filename]';
-                                               $regularModeMarkers['strongImCombineFilename'] = (string) current($fA['im_combine_filename']);
-                                               $regularModeMarkers['defaultImCombineFilename'] = (string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_combine_filename'];
-                                               $regularModeMarkers['imCombineFilename'] = (string) ($fA['im_combine_filename'] ? current($fA['im_combine_filename']) : 'combine');
+                                               $regularModeMarkers['strongImCombineFilename'] = htmlspecialchars((string) current($fA['im_combine_filename']));
+                                               $regularModeMarkers['defaultImCombineFilename'] = htmlspecialchars((string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_combine_filename']);
+                                               $regularModeMarkers['imCombineFilename'] = htmlspecialchars((string) ($fA['im_combine_filename'] ? current($fA['im_combine_filename']) : 'combine'));
                                                        // Fill the markers in the subpart
                                                $imCombineFileNameSubpart = t3lib_parsehtml::substituteMarkerArray(
                                                        $imCombineFileNameSubpart,
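Review bot: The three marker assignments escape inline with `htmlspecialchars((string) ...)`, and the identical three-line pattern is repeated in the next three hunks for `im_version_5`, `im_path` and `im_path_lzw`, which makes it easy for a future marker to miss the call; a small method on the class, `protected function escapeMarker($value) { return htmlspecialchars((string) $value); }`, used as `$regularModeMarkers['strongImCombineFilename'] = $this->escapeMarker(current($fA['im_combine_filename']));`, would keep the escaping in one place. The only marker left unescaped in this block, `labelImCombineFilename`, is a string literal, so that omission is fine. The enclosing method begins and ends outside the hunk.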
@@ -3537,9 +3536,9 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                $imVersion5Subpart = t3lib_parsehtml::getSubpart($regularModeSubpart, '###IMVERSION5SUBPART###');
                                                        // Define the markers content
                                                $regularModeMarkers['labelImVersion5'] = '[GFX][im_version_5]=';
-                                               $regularModeMarkers['strongImVersion5'] = (string) current($fA['im_version_5']);
-                                               $regularModeMarkers['defaultImVersion5'] = (string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'];
-                                               $regularModeMarkers['imVersion5'] = (string) ($fA['im_version_5'] ? current($fA['im_version_5']) : '');
+                                               $regularModeMarkers['strongImVersion5'] = htmlspecialchars((string) current($fA['im_version_5']));
+                                               $regularModeMarkers['defaultImVersion5'] = htmlspecialchars((string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5']);
+                                               $regularModeMarkers['imVersion5'] = htmlspecialchars((string) ($fA['im_version_5'] ? current($fA['im_version_5']) : ''));
                                                        // Fill the markers in the subpart
                                                $imVersion5Subpart = t3lib_parsehtml::substituteMarkerArray(
                                                        $imVersion5Subpart,
@@ -3561,9 +3560,9 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                                reset($imPath);
                                                                        // Define the markers content
                                                                $regularModeMarkers['labelImPath'] = '[GFX][im_path]=';
-                                                               $regularModeMarkers['strongImPath'] = (string) current($labelImPath);
-                                                               $regularModeMarkers['defaultImPath'] = (string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_path'];
-                                                               $regularModeMarkers['ImPath'] = (string) current($imPath);
+                                                               $regularModeMarkers['strongImPath'] = htmlspecialchars((string) current($labelImPath));
+                                                               $regularModeMarkers['defaultImPath'] = htmlspecialchars((string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_path']);
+                                                               $regularModeMarkers['ImPath'] = htmlspecialchars((string) current($imPath));
                                                                        // Fill the markers in the subpart
                                                                $imPathSubpart = t3lib_parsehtml::substituteMarkerArray(
                                                                        $imPathSubpart,
@@ -3586,9 +3585,9 @@ REMOTE_ADDR was '".t3lib_div::getIndpEnv('REMOTE_ADDR')."' (".t3lib_div::getIndp
                                                                reset($imPathLzw);
                                                                        // Define the markers content
                                                                $regularModeMarkers['labelImPathLzw'] = '[GFX][im_path_lzw]=';
-                                                               $regularModeMarkers['strongImPathLzw'] = (string) current($labelImPathLzw);
-                                                               $regularModeMarkers['defaultImPathLzw'] = (string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_path_lzw'];
-                                                               $regularModeMarkers['ImPathLzw'] = (string) current($imPathLzw);
+                                                               $regularModeMarkers['strongImPathLzw'] = htmlspecialchars((string) current($labelImPathLzw));
+                                                               $regularModeMarkers['defaultImPathLzw'] = htmlspecialchars((string) $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_path_lzw']);
+                                                               $regularModeMarkers['ImPathLzw'] = htmlspecialchars((string) current($imPathLzw));
 
                                                                $imPathLzwOptions = array();
                                                                foreach ($labelImPathLzw as $k => $v) {
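Review bot: The `foreach ($labelImPathLzw as $k => $v)` that starts on the hunk's last line builds `$imPathLzwOptions` from the same array whose `current()` value was just escaped, but the loop body lies outside the hunk, so it is not visible whether `$k` and `$v` are escaped when they are rendered; if they end up in option markup they need the same `htmlspecialchars()` treatment as the three markers above. The corresponding list built from `$labelImPath` after the previous hunk is presumably in the same situation and worth checking together with this one. The enclosing method begins and ends outside the hunk.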