Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer...
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:19:31 +0000 (09:19 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 09:19:31 +0000 (09:19 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@8430 709f56b5-9817-0410-a4d7-c38de5d9e867

28 files changed:
ChangeLog
typo3/alt_doc.php
typo3/class.db_list.inc
typo3/class.show_rechis.inc
typo3/classes/class.typo3_tcefile.php
typo3/db_new.php
typo3/file_edit.php
typo3/file_newfolder.php
typo3/file_rename.php
typo3/file_upload.php
typo3/index.php
typo3/logout.php
typo3/move_el.php
typo3/show_item.php
typo3/sysext/cms/layout/db_layout.php
typo3/sysext/cms/layout/db_new_content_el.php
typo3/sysext/cms/tslib/class.tslib_fe.php
typo3/sysext/em/mod1/class.em_index.php
typo3/sysext/install/mod/class.tx_install.php
typo3/sysext/list/mod1/db_list.php
typo3/sysext/version/cm1/index.php
typo3/tce_db.php
typo3/template.php
typo3/wizard_add.php
typo3/wizard_forms.php
typo3/wizard_list.php
typo3/wizard_rte.php
typo3/wizard_table.php

index 421e03c..1709486 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@
        * Fixed bug #14412: Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted (thanks to Helmut Hummel and Xavier Perseguers)
        * Fixed bug #14114: Core mailform is open to spam abuse (thanks to Lars Houmark)
        * Fixed bug #12294: Unchecked URL-Redirect parameter in Front-End logon (thanks to Steffen Kamper and Helmut Hummel)
+       * Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer and Marcus Krause)
 
 2010-07-27  Steffen Kamper  <steffen@typo3.org>
 
index 994e077..2ee1d16 100644 (file)
@@ -193,7 +193,7 @@ class SC_alt_doc {
                $this->defVals = t3lib_div::_GP('defVals');
                $this->overrideVals = t3lib_div::_GP('overrideVals');
                $this->columnsOnly = t3lib_div::_GP('columnsOnly');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->closeDoc = t3lib_div::_GP('closeDoc');
                $this->doSave = t3lib_div::_GP('doSave');
                $this->returnEditConf = t3lib_div::_GP('returnEditConf');
@@ -1189,7 +1189,7 @@ class SC_alt_doc {
                        if (is_array($localizedRecord)) {
                                        // Create parameters and finally run the classic page module for creating a new page translation
                                $params = '&edit['.$table.']['.$localizedRecord['uid'].']=edit';
-                               $returnUrl = '&returnUrl='.rawurlencode(t3lib_div::_GP('returnUrl'));
+                               $returnUrl = '&returnUrl='.rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')));
                                $location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl;
 
                                t3lib_utility_Http::redirect($location);
index 9bdc97d..f791e91 100644 (file)
@@ -210,8 +210,8 @@ class recordList extends t3lib_recordList {
                        // Save modified user uc
                        $GLOBALS['BE_USER']->uc['moduleData']['db_list.php'] = $this->tablesCollapsed;
                        $GLOBALS['BE_USER']->writeUC($GLOBALS['BE_USER']->uc);
-                       if (t3lib_div::_GP('returnUrl')) {
-                               $location = t3lib_div::_GP('returnUrl');
+                       if (t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'))) {
+                               $location = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                                t3lib_utility_Http::redirect($location);
                        }
                }
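Review bot: `t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'))` is evaluated twice in the new `if`, once for the test and once for the assignment; compute it once, `$location = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')); if ($location) { t3lib_utility_Http::redirect($location); }`, which is the shape the logout.php hunk of this commit already uses. The second hunk of show_item.php repeats the same double evaluation in its `if` even though `$returnLink` already holds that value earlier in `main()` (whether both hunks fall inside the same method cannot be confirmed from this page). The enclosing method of this hunk starts outside it.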
index 245bdfc..decb719 100644 (file)
@@ -65,7 +65,7 @@ class recordHistory {
        function recordHistory()        {
                        // GPvars:
                $this->element = t3lib_div::_GP('element');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->lastSyslogId = t3lib_div::_GP('diff');
                $this->rollbackFields = t3lib_div::_GP('rollbackFields');
                        // resolve sh_uid if set
index f4e6b65..3158258 100644 (file)
@@ -84,7 +84,7 @@ class TYPO3_tcefile {
                $this->CB = t3lib_div::_GP('CB');
                $this->overwriteExistingFiles = t3lib_div::_GP('overwriteExistingFiles');
                $this->vC = t3lib_div::_GP('vC');
-               $this->redirect = t3lib_div::_GP('redirect');
+               $this->redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
 
                $this->initClipboard();
        }
index 0afff67..bdd5b03 100644 (file)
@@ -166,7 +166,7 @@ class SC_db_new {
                }
                        // Setting GPvars:
                $this->id = intval(t3lib_div::_GP('id'));       // The page id to operate from
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->pagesOnly = t3lib_div::_GP('pagesOnly');
 
                        // Create instance of template class for output
index 00e8116..1a4bf45 100644 (file)
@@ -97,7 +97,7 @@ class SC_file_edit {
 
                        // Setting target, which must be a file reference to a file within the mounts.
                $this->target = $this->origTarget = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                        // Creating file management object:
                $this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
index aa392cb..cc011a5 100644 (file)
@@ -120,7 +120,7 @@ class SC_file_newfolder {
                        // Initialize GPvars:
                $this->number = t3lib_div::_GP('number');
                $this->target = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                        // Init basic-file-functions object:
                $this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
index bcefd34..22f16f7 100644 (file)
@@ -108,7 +108,7 @@ class SC_file_rename {
 
                        // Initialize GPvars:
                $this->target = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                        // Init basic-file-functions object:
                $this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
index fdb8bf9..7d3c025 100644 (file)
@@ -112,7 +112,7 @@ class SC_file_upload {
                        // Initialize GPvars:
                $this->number = t3lib_div::_GP('number');
                $this->target = t3lib_div::_GP('target');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->returnUrl = $this->returnUrl ? $this->returnUrl : t3lib_div::getIndpEnv('TYPO3_SITE_URL') . TYPO3_mainDir . t3lib_extMgm::extRelPath('filelist') . 'mod1/file_list.php?id=' . rawurlencode($this->target);
 
                // set the number of input fields
index 44a0c5b..841c001 100644 (file)
@@ -121,7 +121,7 @@ class SC_index {
                        // We need a PHP session session for most login levels
                session_start();
 
-               $this->redirect_url = t3lib_div::_GP('redirect_url');
+               $this->redirect_url = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect_url'));
                $this->GPinterface = t3lib_div::_GP('interface');
 
                        // Grabbing preset username and password, for security reasons this feature only works if SSL is used
index f76fa84..1408644 100644 (file)
@@ -71,8 +71,8 @@ class SC_logout {
 
                $BE_USER->writelog(255,2,0,1,'User %s logged out from TYPO3 Backend',Array($BE_USER->user['username']));        // Logout written to log
                $BE_USER->logoff();
-
-               $redirectUrl = (t3lib_div::_GP('redirect') ? t3lib_div::_GP('redirect') : 'index.php');
+               $redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
+               $redirectUrl = $redirect ? $redirect : 'index.php';
                t3lib_utility_Http::redirect($redirectUrl);
        }
 }
index 6974652..4a8de9b 100644 (file)
@@ -255,7 +255,7 @@ class SC_move_el {
                $this->sys_language = intval(t3lib_div::_GP('sys_language'));
                $this->page_id=intval(t3lib_div::_GP('uid'));
                $this->table=t3lib_div::_GP('table');
-               $this->R_URI=t3lib_div::_GP('returnUrl');
+               $this->R_URI=t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->input_moveUid = t3lib_div::_GP('moveUid');
                $this->moveUid = $this->input_moveUid ? $this->input_moveUid : $this->page_id;
                $this->makeCopy = t3lib_div::_GP('makeCopy');
index 42c1ec1..d91118e 100644 (file)
@@ -221,7 +221,8 @@ class SC_show_item {
        function main() {
 
                if ($this->access)      {
-                       $returnLinkTag = t3lib_div::_GP('returnUrl') ? '<a href="'.t3lib_div::_GP('returnUrl').'" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';
+                       $returnLink =  t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
+                       $returnLinkTag = $returnLink ? '<a href="' . $returnLink . '" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';
 
                                // render type by user func
                        $typeRendered = false;
@@ -252,7 +253,7 @@ class SC_show_item {
                        }
 
                                // If return Url is set, output link to go back:
-                       if (t3lib_div::_GP('returnUrl'))        {
+                       if (t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')))   {
                                $this->content = $this->doc->section('',$returnLinkTag.'<strong>'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:labels.goBack',1).'</strong></a><br /><br />').$this->content;
 
                                $this->content .= $this->doc->section('','<br />'.$returnLinkTag.'<strong>'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:labels.goBack',1).'</strong></a>');
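Review bot: The rebuilt `$returnLinkTag` still places `$returnLink` into the href attribute without htmlspecialchars, exactly as the replaced line did; sanitizeLocalUrl is meant to constrain where the link points, but attribute-context escaping is a separate concern, and the tx_version_cm1 hunk in this same commit wraps the same value in htmlspecialchars. Suggest `$returnLinkTag = $returnLink ? '<a href="' . htmlspecialchars($returnLink) . '" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';`. The added `$returnLink =  t3lib_div::...` line also carries a double space after `=`. `main()` continues past the end of both hunks.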
index bbec374..2c9819a 100755 (executable)
@@ -250,7 +250,7 @@ class SC_db_layout {
                $this->search_field = t3lib_div::_GP('search_field');
                $this->search_levels = t3lib_div::_GP('search_levels');
                $this->showLimit = t3lib_div::_GP('showLimit');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->externalTables = $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['cms']['db_layout']['addTables'];
 
                        // Load page info array:
index 33d8b1c..095d2db 100644 (file)
@@ -185,7 +185,7 @@ class SC_db_new_content_el {
                        // Setting internal vars:
                $this->id = intval(t3lib_div::_GP('id'));
                $this->sys_language = intval(t3lib_div::_GP('sys_language_uid'));
-               $this->R_URI = t3lib_div::_GP('returnUrl');
+               $this->R_URI = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $this->colPos = t3lib_div::_GP('colPos');
                $this->uid_pid = intval(t3lib_div::_GP('uid_pid'));
 
index 41b5d3b..ebe4f18 100644 (file)
                                } else {
                                        $message = 'You logged out from Workspace preview mode. Click this link to <a href="%1$s">go back to the website</a>';
                                }
+                               
+                               $returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GET('returnUrl'));
                                die(sprintf($message,
-                                       htmlspecialchars(preg_replace('/\&?ADMCMD_prev=[[:alnum:]]+/','',t3lib_div::_GET('returnUrl')))
+                                       htmlspecialchars(preg_replace('/\&?ADMCMD_prev=[[:alnum:]]+/', '', $returnUrl))
                                        ));
                        }
 
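Review bot: The first added line of this hunk is whitespace-only (a run of tabs) and should be an empty line. Otherwise the change reads well: the sanitized `$returnUrl` is computed once and still goes through the existing preg_replace and htmlspecialchars before it is printed. This hunk has no `@@` header on the page, so its position inside class.tslib_fe.php cannot be confirmed, and the enclosing function starts and ends outside it.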
index d15b979..e1e347f 100644 (file)
@@ -2568,7 +2568,7 @@ EXTENSION KEYS:
        function requestInstallExtensions($extList)     {
 
                        // Return URL:
-               $returnUrl = t3lib_div::_GP('returnUrl');
+               $returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
                $installOrImportExtension = t3lib_div::_POST('installOrImportExtension');
 
                        // Extension List:
index 2905a3e..508d25a 100755 (executable)
@@ -267,7 +267,7 @@ class tx_install extends t3lib_install {
                } else {
                        $this->step = intval(t3lib_div::_GP('step'));
                }
-               $this->redirect_url = t3lib_div::_GP('redirect_url');
+               $this->redirect_url = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect_url'));
 
                $this->INSTALL['type'] = '';
                if ($_GET['TYPO3_INSTALL']['type']) {
index b7f199b..10b405a 100644 (file)
@@ -139,7 +139,7 @@ class SC_db_list {
                $this->search_field = t3lib_div::_GP('search_field');
                $this->search_levels = t3lib_div::_GP('search_levels');
                $this->showLimit = t3lib_div::_GP('showLimit');
-               $this->returnUrl = t3lib_div::_GP('returnUrl');
+               $this->returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
 
                $this->clear_cache = t3lib_div::_GP('clear_cache');
                $this->cmd = t3lib_div::_GP('cmd');
index c1983b5..e37b934 100755 (executable)
@@ -818,7 +818,8 @@ class tx_version_cm1 extends t3lib_SCbase {
                        $table = '<table border="0" cellpadding="0" cellspacing="1" class="lrPadding workspace-overview">'.implode('',$tableRows).'</table>';
                } else $table = '';
 
-               $linkBack = t3lib_div::_GP('returnUrl') ? '<a href="' . htmlspecialchars(t3lib_div::_GP('returnUrl')) . '" class="typo3-goBack">' .
+               $returnUrl = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));
+               $linkBack = t3lib_div::_GP('returnUrl') ? '<a href="' . htmlspecialchars($returnUrl) . '" class="typo3-goBack">' .
                                t3lib_iconWorks::getSpriteIcon('actions-view-go-back') . $GLOBALS['LANG']->getLL('goBack', TRUE) .
                        '</a><br /><br />' : '';
                $resetDiffOnly = $this->diffOnly ? '<a href="index.php?id=' . intval($this->id) . '" class="typo3-goBack">' . $GLOBALS['LANG']->getLL('showAllInformation') . '</a><br /><br />' : '';
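Review bot: The `$linkBack` condition still tests the raw `t3lib_div::_GP('returnUrl')` while the href now uses the sanitized `$returnUrl`; if sanitizeLocalUrl yields an empty string for a rejected URL — which is what the class.db_list.inc and logout.php hunks assume when they test its result — the back link is rendered with an empty href instead of being omitted. Change the line to `$linkBack = $returnUrl ? '<a href="' . htmlspecialchars($returnUrl) . '" class="typo3-goBack">' .` so test and link agree. The enclosing method starts and ends outside the hunk.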
index d05841c..e0d96fa 100644 (file)
@@ -117,7 +117,7 @@ class SC_tce_db {
                $this->cmd = t3lib_div::_GP('cmd');
                $this->mirror = t3lib_div::_GP('mirror');
                $this->cacheCmd = t3lib_div::_GP('cacheCmd');
-               $this->redirect = t3lib_div::_GP('redirect');
+               $this->redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
                $this->prErr = t3lib_div::_GP('prErr');
                $this->_disableRTE = t3lib_div::_GP('_disableRTE');
                $this->CB = t3lib_div::_GP('CB');
index 01d1bf8..f191579 100644 (file)
@@ -598,7 +598,7 @@ class template {
                ));
 
                $out ="
-       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::_GP('returnUrl')))."';
+       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'))))."';
        var T3_THIS_LOCATION = '".str_replace('%20','',rawurlencode($thisLocation))."';
                ";
                return $out;
index c6d25b2..5cefe82 100644 (file)
@@ -122,7 +122,7 @@ class SC_wizard_add {
 
                        // Return if new record as parent (not possibly/allowed)
                if (!strcmp($this->pid,''))     {
-                       t3lib_utility_Http::redirect($this->P['returnUrl']);
+                       t3lib_utility_Http::redirect(t3lib_div::sanitizeLocalUrl($this->P['returnUrl']));
                }
 
                        // Else proceed:
@@ -218,7 +218,7 @@ class SC_wizard_add {
                                }
                        }
                                // Return to the parent alt_doc.php record editing session:
-                       t3lib_utility_Http::redirect($this->P['returnUrl']);
+                       t3lib_utility_Http::redirect(t3lib_div::sanitizeLocalUrl($this->P['returnUrl']));
                } else {
                                // Redirecting to alt_doc.php with instructions to create a new record
                                // AND when closing to return back with information about that records ID etc.
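Review bot: `$this->P['returnUrl']` is wrapped in sanitizeLocalUrl at each individual use here and in the wizard_forms.php, wizard_list.php, wizard_rte.php and wizard_table.php hunks, which would leave any use of `$this->P['returnUrl']` outside these hunks unprotected and makes the wrapping easy to forget when a new use is added. Sanitizing once where `$this->P` is populated (presumably the class's init, outside this hunk) would cover every consumer; if the per-use form is kept, a short comment at the redirects such as `// returnUrl comes from the request; keep it local (sanitizeLocalUrl)` would explain why the plain value is never passed. Both hunks of this file sit inside methods whose start and end are outside the hunk.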
index 6678eb5..44bc5d8 100644 (file)
@@ -290,7 +290,7 @@ class SC_wizard_forms {
                        $buttons['csh_buttons'] = t3lib_BEfunc::cshItem('xMOD_csh_corebe', 'wizard_forms_wiz_buttons', $GLOBALS['BACK_PATH'], '');
 
                        // Close
-                       $buttons['close'] = '<a href="#" onclick="' . htmlspecialchars('jumpToUrl(unescape(\'' . rawurlencode($this->P['returnUrl']) . '\')); return false;') . '">' .
+                       $buttons['close'] = '<a href="#" onclick="' . htmlspecialchars('jumpToUrl(unescape(\'' . rawurlencode(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])) . '\')); return false;') . '">' .
                                t3lib_iconWorks::getSpriteIcon('actions-document-close', array('title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:rm.closeDoc', TRUE))) .
                  '</a>';
 
@@ -401,7 +401,7 @@ class SC_wizard_forms {
 
                                        // If the save/close button was pressed, then redirect the screen:
                                if ($_POST['saveandclosedok_x']) {
-                                       t3lib_utility_Http::redirect($this->P['returnUrl']);
+                                       t3lib_utility_Http::redirect(t3lib_div::sanitizeLocalUrl($this->P['returnUrl']));
                                }
                        }
                } else {        // If nothing has been submitted, load the $bodyText variable from the selected database row:
index 2441e1c..b3cf040 100644 (file)
@@ -117,7 +117,7 @@ class SC_wizard_list {
 
                        // Make redirect:
                if (!strcmp($this->pid,'') || strcmp($this->id,''))     {       // If pid is blank OR if id is set, then return...
-                       $redirectUrl = $this->P['returnUrl'];
+                       $redirectUrl = t3lib_div::sanitizeLocalUrl($this->P['returnUrl']);
                } else {        // Otherwise, show the list:
                        $redirectUrl = t3lib_extMgm::createListViewLink(
                                $this->pid,
index 7f23795..f676c90 100644 (file)
@@ -250,7 +250,7 @@ class SC_wizard_rte {
                );
 
                if ($this->P['table'] && $this->P['field'] && $this->P['uid'] && $this->checkEditAccess($this->P['table'],$this->P['uid'])) {
-                       $closeUrl = $this->P['returnUrl'];
+                       $closeUrl = t3lib_div::sanitizeLocalUrl($this->P['returnUrl']);
 
                        // Getting settings for the undo button:
                        $undoButton = 0;
index fff5414..5407073 100644 (file)
@@ -209,7 +209,7 @@ class SC_wizard_table {
                        $buttons['csh_buttons'] = t3lib_BEfunc::cshItem('xMOD_csh_corebe', 'wizard_table_wiz_buttons', $GLOBALS['BACK_PATH'], '');
 
                        // Close
-                       $buttons['close'] = '<a href="#" onclick="' . htmlspecialchars('jumpToUrl(unescape(\'' . rawurlencode($this->P['returnUrl']) . '\')); return false;') . '">' .
+                       $buttons['close'] = '<a href="#" onclick="' . htmlspecialchars('jumpToUrl(unescape(\'' . rawurlencode(t3lib_div::sanitizeLocalUrl($this->P['returnUrl'])) . '\')); return false;') . '">' .
                                t3lib_iconWorks::getSpriteIcon('actions-document-close', array('title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:rm.closeDoc', TRUE))) .
                  '</a>';
 
@@ -319,7 +319,7 @@ class SC_wizard_table {
 
                                        // If the save/close button was pressed, then redirect the screen:
                                if ($_POST['saveandclosedok_x']) {
-                                       t3lib_utility_Http::redirect($this->P['returnUrl']);
+                                       t3lib_utility_Http::redirect(t3lib_div::sanitizeLocalUrl($this->P['returnUrl']));
                                }
                        }
                } else {        // If nothing has been submitted, load the $bodyText variable from the selected database row: