If the TCEforms wizard "add" is used, the original opened document
is closed and a new one is created in which you then add a new
element to be related.
In order to "store" the originating document which has been
edited, the Wizard/AddController and EditDocumentController
exchange state data in a URL parameter.

This state-array is serialized in the EditDocumentController
and again unserialized in the Wizard/AddController from that
GET parameter. Without any checks, any code can be injected
to be unserialized here - even though we just need an array
with some data.

This patch changes serialize/unserialize to json_encode and
json_decode. Since the GET parameter is only used in
conjunction with these two classes, it is safe to change the
format in which the URL parameters are serialized.

Change-Id: I6bac68bb724ba185f66e3ffb07593120f96ccb17
Fixes: #54073
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 23d28d4899b658f6a0646ad5cbbc1a4d4d0c22bd
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26175
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
// If ->returnEditConf is set, then add the current content of editconf to the ->retUrl variable: (used by other scripts, like wizard_add, to know which records was created or so...)
- if ($this->returnEditConf && $this->retUrl!='dummy.php') {
- $this->retUrl.='&returnEditConf='.rawurlencode(serialize($this->editconf));
+ if ($this->returnEditConf && $this->retUrl!='dummy.php') {
+ $this->retUrl .= '&returnEditConf=' . rawurlencode(json_encode($this->editconf));
}
// If code is NOT set OR set to 1, then make a header location redirect to $this->retUrl
// Else proceed:
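Review bot: json_encode() returns FALSE when it cannot encode its input (for example invalid UTF-8 somewhere inside $this->editconf), and on the added retUrl line that result is passed straight to rawurlencode(), so the receiving script would get an empty returnEditConf with no error raised. Consider checking the return value before appending the parameter. The re-added if line appears to differ from the removed one only in whitespace; leaving it untouched would keep this security backport limited to the one functional change.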
if ($this->returnEditConf) { // If a new id has returned from a newly created record...
- $eC = unserialize($this->returnEditConf);
+ $eC = json_decode($this->returnEditConf, TRUE);
if (is_array($eC[$this->table]) && t3lib_div::testInt($this->P['uid'])) {
// Getting id and cmd from returning editConf array.
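Review bot: the json_decode() line still decodes a request-supplied parameter, and the check that follows indexes $eC[$this->table] without first confirming that $eC is an array; json_decode() returns NULL for malformed input and can return a scalar for valid JSON. Suggest guarding with is_array($eC) before the existing is_array($eC[$this->table]) test, and treating the id and cmd read from the array afterwards as untrusted input, since changing the format removes object instantiation but not the caller's control over the values.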