[SECURITY] XSS in Backend Layout Wizard 95/30295/2
authorHelmut Hummel <helmut.hummel@typo3.org>
Thu, 22 May 2014 07:33:08 +0000 (09:33 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 22 May 2014 07:33:12 +0000 (09:33 +0200)
Change-Id: Ie3f08333e417d8d208b3b36b208056efd4dbcec0
Fixes: #57576
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: cc840cb0438cfdae76219c3ac5f28a1f341ae9b7
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30295
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Controller/BackendLayoutWizardController.php
typo3/sysext/cms/layout/res/grideditor.js

index 7a54f72..5018917 100644 (file)
@@ -103,7 +103,7 @@ class BackendLayoutWizardController {
                // Select record
                $record = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows($this->P['field'], $this->P['table'], 'uid=' . intval($this->P['uid']));
                if (trim($record[0][$this->P['field']]) == '') {
-                       $t3GridData = '[[{colspan:1,rowspan:1,spanned:false,name:\'\'}]]';
+                       $rows = array(array(array('colspan' => 1, 'rowspan' => 1, 'spanned' => FALSE, 'name' => '')));
                        $colCount = 1;
                        $rowCount = 1;
                } else {
@@ -111,28 +111,23 @@ class BackendLayoutWizardController {
                        $parser = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\TypoScript\\Parser\\TypoScriptParser');
                        $parser->parse($record[0][$this->P['field']]);
                        $data = $parser->setup['backend_layout.'];
-                       $t3GridData = '[';
+                       $rows = array();
                        $colCount = $data['colCount'];
                        $rowCount = $data['rowCount'];
                        $dataRows = $data['rows.'];
                        $spannedMatrix = array();
                        for ($i = 1; $i <= $rowCount; $i++) {
-                               $rowString = '';
+                               $cells = array();
+                               $row = array_shift($dataRows);
+                               $columns = $row['columns.'];
                                for ($j = 1; $j <= $colCount; $j++) {
-                                       if ($j == 1) {
-                                               $row = array_shift($dataRows);
-                                               $columns = $row['columns.'];
-                                               $rowString = '[';
-                                               $cells = array();
-                                       }
+                                       $cellData = array();
                                        if (!$spannedMatrix[$i][$j]) {
                                                if (is_array($columns) && count($columns)) {
                                                        $column = array_shift($columns);
-                                                       $cellString = '{';
-                                                       $cellData = array();
                                                        if (isset($column['colspan'])) {
-                                                               $cellData[] = 'colspan:' . intval($column['colspan']);
-                                                               $columnColSpan = intval($column['colspan']);
+                                                               $cellData['colspan'] = (int)$column['colspan'];
+                                                               $columnColSpan = (int)$column['colspan'];
                                                                if (isset($column['rowspan'])) {
                                                                        $columnRowSpan = intval($column['rowspan']);
                                                                        for ($spanRow = 0; $spanRow < $columnRowSpan; $spanRow++) {
@@ -146,7 +141,7 @@ class BackendLayoutWizardController {
                                                                        }
                                                                }
                                                        } else {
-                                                               $cellData[] = 'colspan:1';
+                                                               $cellData['colspan'] = 1;
                                                                if (isset($column['rowspan'])) {
                                                                        $columnRowSpan = intval($column['rowspan']);
                                                                        for ($spanRow = 0; $spanRow < $columnRowSpan; $spanRow++) {
@@ -155,38 +150,34 @@ class BackendLayoutWizardController {
                                                                }
                                                        }
                                                        if (isset($column['rowspan'])) {
-                                                               $cellData[] = 'rowspan:' . intval($column['rowspan']);
+                                                               $cellData['rowspan'] = (int)$column['rowspan'];
                                                        } else {
-                                                               $cellData[] = 'rowspan:1';
+                                                               $cellData['rowspan'] = 1;
                                                        }
                                                        if (isset($column['name'])) {
-                                                               $cellData[] = 'name:\'' . $column['name'] . '\'';
+                                                               $cellData['name'] = $column['name'];
                                                        }
                                                        if (isset($column['colPos'])) {
-                                                               $cellData[] = 'column:' . $column['colPos'];
+                                                               $cellData['column'] = (int)$column['colPos'];
                                                        }
-                                                       $cellString .= implode(',', $cellData) . '}';
-                                                       $cells[] = $cellString;
                                                }
                                        } else {
-                                               $cells[] = '{colspan:1,rowspan:1,spanned:1}';
+                                               $cellData = array('colspan' => 1, 'rowspan' => 1, 'spanned' => 1);
                                        }
+                                       $cells[] = $cellData;
                                }
-                               $rowString .= implode(',', $cells);
-                               if ($rowString) {
-                                       $rowString .= ']';
+                               $rows[] = $cells;
+                               if (!empty($spannedMatrix[$i]) && is_array($spannedMatrix[$i])) {
+                                       ksort($spannedMatrix[$i]);
                                }
-                               $rows[] = $rowString;
-                               ksort($spannedMatrix[$i]);
                        }
-                       $t3GridData .= implode(',', $rows) . ']';
                }
                $pageRenderer->enableExtJSQuickTips();
                $pageRenderer->addExtOnReadyCode('
                        t3Grid = new TYPO3.Backend.t3Grid({
-                               data: ' . $t3GridData . ',
-                               colCount: ' . $colCount . ',
-                               rowCount: ' . $rowCount . ',
+                               data: ' . json_encode($rows, JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS) . ',
+                               colCount: ' . (int)$colCount . ',
+                               rowCount: ' . (int)$rowCount . ',
                                targetElement: \'editor\'
                        });
                        t3Grid.drawTable();
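Review bot: The json_encode() call on the `data:` line has no failure handling — depending on the PHP version, json_encode() reports an unencodable value (for example a layout name that is not valid UTF-8) by returning FALSE or the string 'null', and the concatenation then emits `data: ,` or `data: null,` into the inline script, so the wizard dies with a JavaScript error instead of failing visibly on the server. I would assign the result first, `$gridData = json_encode($rows, JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS);`, guard it with `if (!is_string($gridData) || $gridData === 'null') { $gridData = json_encode(array(array(array('colspan' => 1, 'rowspan' => 1, 'spanned' => FALSE, 'name' => '')))); }` (the same one-cell default the empty-record branch builds) and interpolate `$gridData` on the `data:` line. A smaller point of style: the spanned placeholder cell sets `'spanned' => 1` while the default cell uses `'spanned' => FALSE`; if grideditor.js only tests truthiness, `TRUE` here would keep the two cells consistent. The enclosing method begins and ends outside this hunk.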
index 7f22d85..dd424e8 100644 (file)
@@ -207,7 +207,7 @@ TYPO3.Backend.t3Grid = Ext.extend(Ext.Component, {
                                }
                                cellHtml += '</div>';
 
-                               cellHtml += '<div class="cell_data">' + TYPO3.l10n.localize('name') + ': ' + (cell.name ? cell.name : TYPO3.l10n.localize('notSet'))
+                               cellHtml += '<div class="cell_data">' + TYPO3.l10n.localize('name') + ': ' + (cell.name ? Ext.util.Format.htmlEncode(cell.name) : TYPO3.l10n.localize('notSet'))
                                                + '<br />' + TYPO3.l10n.localize('column') + ': '
                                                + (cell.column === undefined ? TYPO3.l10n.localize('notSet') : parseInt(cell.column, 10)) + '</div>';