* Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@6244 709f56b5-9817-0410-a4d7-c38de5d9e867

diff --git a/ChangeLog b/ChangeLog
index de05267..8e785a0 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
        * Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
        * Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to Oliver Klee)
        * Fixed bug #12306: XSS vulnerability in module dispatcher
        * Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
        * Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to Oliver Klee)
        * Fixed bug #12306: XSS vulnerability in module dispatcher

+       * Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)

 
 2009-10-21  Sebastian Kurfuerst  <sebastian@typo3.org>
 
 
 2009-10-21  Sebastian Kurfuerst  <sebastian@typo3.org>
 

diff --git a/typo3/alt_palette.php b/typo3/alt_palette.php
index a3317d1..60a9115 100644 (file)
--- a/typo3/alt_palette.php
+++ b/typo3/alt_palette.php
@@ -245,15 +245,19 @@ class SC_alt_palette {
        function init() {
 
                        // Setting GPvars, etc.
        function init() {
 
                        // Setting GPvars, etc.

-               $this->formName = t3lib_div::_GP('formName');
-               $this->GPbackref = t3lib_div::_GP('backRef');
+               $this->formName = $this->sanitizeHtmlName(t3lib_div::_GP('formName'));
+               $this->GPbackref = $this->sanitizeHtmlName(t3lib_div::_GP('backRef'));

                $this->inData = t3lib_div::_GP('inData');
                $this->inData = t3lib_div::_GP('inData');

-               $this->prependFormFieldNames = t3lib_div::_GP('prependFormFieldNames');
+                       // safeguards the input with whitelisting
+               if (!preg_match('/^[a-zA-Z0-9\-_\:]+$/', $this->inData)) {
+                       $this->inData = '';
+               }
+               $this->prependFormFieldNames =
+                       $this->sanitizeHtmlName(t3lib_div::_GP('prependFormFieldNames'));

                $this->rec = t3lib_div::_GP('rec');
 
                        // Making references:
                $this->backRef = $this->GPbackref ? $this->GPbackref : 'window.opener';
                $this->rec = t3lib_div::_GP('rec');
 
                        // Making references:
                $this->backRef = $this->GPbackref ? $this->GPbackref : 'window.opener';

-#              $this->backRef = 'top.content.list_frame.view_frame';

 
                $this->formRef = $this->backRef.'.document.'.$this->formName;
 
 
                $this->formRef = $this->backRef.'.document.'.$this->formName;
 


@@ -290,6 +294,24 @@ class SC_alt_palette {
                ');
        }
 
                ');
        }
 

+       /**
+        * Sanitizes HTML names, IDs, frame names etc.
+        *
+        * @param string $input the string to sanitize
+        *
+        * @return string the unchanged $input if $input is considered to be harmless,
+        *                an empty string otherwise
+        */
+       protected function sanitizeHtmlName($input) {
+               $result = $input;
+
+               if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_\-\.]*$/', $result)) {
+                       $result = '';
+               }
+
+               return $result;
+       }
+

        /**
         * Main function, rendering the palette form
         *
        /**
         * Main function, rendering the palette form
         *