[SECURITY] Unsafe unserialize of GET parameter in Add-Wizard 75/26175/2
author: Marcus Krause <marcus.krause@typo3.org>
Tue, 10 Dec 2013 09:50:36 +0000 (10:50 +0100)
committer: Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:50:42 +0000 (10:50 +0100)
If the TCEforms wizard "add" is used, the original opened document
is closed and a new one is created in which you then add a new
element to be related.
In order to "store" the originating document which has been
edited, the Wizard/AddController and EditDocumentController
exchange state data in a URL parameter.
This state array is serialized in the EditDocumentController
and again unserialized in the Wizard/AddController from that
GET parameter. Without any checks, any code can be injected
to be unserialized here - even though we just need an array
with some data.
This patch changes serialize/unserialize to json_encode and
json_decode. Since the GET parameter is only used in
conjunction with these two classes it is safe to change the
format in which the URL parameters are serialized.

Change-Id: I6bac68bb724ba185f66e3ffb07593120f96ccb17
Fixes: #54073
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 23d28d4899b658f6a0646ad5cbbc1a4d4d0c22bd
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26175
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
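The pattern the commit describes, as an added example that is not TYPO3 code: the originating document's editconf array is carried through the URL parameter as JSON instead of a serialized PHP value, and the receiving side checks the decoded shape before using it. The assumed shape (table => uid => command string) and the function names are this example's, not the project's.

```php
<?php
// Added example, not code from the TYPO3 patch. Assumes editconf looks like
// ['tt_content' => [42 => 'edit']] (table => uid => command string).

/** Sending side (alt_doc.php role): encode state as JSON, never serialize(). */
function buildReturnEditConfParam(array $editconf): string
{
    $json = json_encode($editconf);
    if ($json === false) {
        // json_encode() returns FALSE e.g. on non-UTF-8 strings; do not
        // silently append an empty parameter in that case.
        throw new RuntimeException('editconf could not be JSON-encoded');
    }
    return '&returnEditConf=' . rawurlencode($json);
}

/**
 * Receiving side (wizard_add.php role): json_decode() only ever yields
 * scalars/arrays, so no object with magic methods can be instantiated from
 * the GET value. The result is still untrusted data, so its shape is checked
 * and anything unexpected (including a legacy serialize() string) is
 * treated as "no returned state" (NULL).
 */
function parseReturnEditConf(string $raw): ?array
{
    $eC = json_decode($raw, true);
    if (!is_array($eC)) {
        return null;
    }
    foreach ($eC as $table => $records) {
        if (!is_string($table) || !is_array($records)) {
            return null;
        }
        foreach ($records as $cmd) {
            if (!is_string($cmd)) {
                return null;
            }
        }
    }
    return $eC;
}

// Constructed round trip.
$param = buildReturnEditConfParam(['tt_content' => [42 => 'edit']]);
parse_str(ltrim($param, '&'), $query);
var_dump(parseReturnEditConf($query['returnEditConf']));   // array(1) { ["tt_content"] => ... }
// A value in the old serialized format is no longer accepted.
var_dump(parseReturnEditConf(serialize(['tt_content' => [42 => 'edit']])));  // NULL
```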
typo3/alt_doc.php
typo3/wizard_add.php

index 3369d5d..67d2c59 100644 (file)
@@ -1444,8 +1444,8 @@ class SC_alt_doc {
 
 
                        // If ->returnEditConf is set, then add the current content of editconf to the ->retUrl variable: (used by other scripts, like wizard_add, to know which records was created or so...)
-               if ($this->returnEditConf && $this->retUrl!='dummy.php')        {
-                       $this->retUrl.='&returnEditConf='.rawurlencode(serialize($this->editconf));
+               if ($this->returnEditConf && $this->retUrl!='dummy.php') {
+                       $this->retUrl .= '&returnEditConf=' . rawurlencode(json_encode($this->editconf));
                }
 
                        // If code is NOT set OR set to 1, then make a header location redirect to $this->retUrl
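Review bot: json_encode($this->editconf) can return FALSE (for example when the array contains non-UTF-8 strings), and rawurlencode(FALSE) then appends an empty returnEditConf value to $this->retUrl instead of failing; consider checking the encode result before building the parameter so a failed encode is not silently turned into an empty parameter. The whitespace cleanup in the if-line is unrelated to the security fix and could be left out of a commit that is backported to five release branches, though it is harmless.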
index 4e01ca2..b875773 100644 (file)
@@ -127,7 +127,7 @@ class SC_wizard_add {
 
                        // Else proceed:
                if ($this->returnEditConf)      {       // If a new id has returned from a newly created record...
-                       $eC = unserialize($this->returnEditConf);
+                       $eC = json_decode($this->returnEditConf, TRUE);
                        if (is_array($eC[$this->table]) && t3lib_div::testInt($this->P['uid'])) {
 
                                        // Getting id and cmd from returning editConf array.
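Review bot: json_decode($this->returnEditConf, TRUE) yields NULL for any value that is not valid JSON, including a returnEditConf in the old serialize() format from a link generated before this change, and the next line then indexes $eC[$this->table] on NULL; that still lands in the false branch of is_array(), but an explicit `if (is_array($eC) && is_array($eC[$this->table]) && ...)` guard would make the intent clear rather than relying on NULL being indexable without complaint. It is also worth stating in the commit message that old serialized links are now treated as "no returned record" rather than being accepted.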