[SECURITY] Mitigate phar stream wrapper 41/57541/2
authorChristian Kuhn <lolli@schwarzbu.ch>
Thu, 12 Jul 2018 09:31:21 +0000 (11:31 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:31:26 +0000 (11:31 +0200)
SoftReferenceIndex throws exceptions on phar streams
LegacyLinkNotationConverter throws exceptions on phar streams

Resolves: #85385
Releases: master, 8.7, 7.6
Security-Commit: 0311b6c0cc7fed584f59f34adba5b693e75797d8
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: Ic57514e1bcdb30ec612a39bcb3c49287cc0c5330
Reviewed-on: https://review.typo3.org/57541
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Database/SoftReferenceIndex.php
typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php [new file with mode: 0644]
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php

index 9dd6253..5fbb2df 100644 (file)
@@ -559,6 +559,13 @@ class SoftReferenceIndex
         // we define various keys below, "url" might be misleading
         unset($finalTagParts['url']);
 
+        if (stripos(rawurldecode(trim($link_param)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030672
+            );
+        }
+
         // Parse URL:
         $pU = @parse_url($link_param);
 
diff --git a/typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php b/typo3/sysext/core/Tests/Unit/Database/SoftReferenceIndexTest.php
new file mode 100644 (file)
index 0000000..4d0dc9e
--- /dev/null
@@ -0,0 +1,55 @@
+<?php
+namespace TYPO3\CMS\Core\Tests\Unit\Database;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+use TYPO3\CMS\Core\Database\SoftReferenceIndex;
+use TYPO3\CMS\Core\Tests\UnitTestCase;
+
+/**
+ * Test case
+ */
+class SoftReferenceIndexTest extends UnitTestCase
+{
+    /**
+     * @return array
+     */
+    public function getTypoLinkPartsThrowExceptionWithPharReferencesDataProvider()
+    {
+        return [
+            'URL encoded local' => [
+                'phar%3a//some-file.jpg',
+            ],
+            'URL encoded absolute' => [
+                'phar%3a///path/some-file.jpg',
+            ],
+            'not URL encoded local' => [
+                'phar://some-file.jpg',
+            ],
+            'not URL encoded absolute' => [
+                'phar:///path/some-file.jpg',
+            ],
+        ];
+    }
+
+    /**
+     * @test
+     * @dataProvider getTypoLinkPartsThrowExceptionWithPharReferencesDataProvider
+     */
+    public function getTypoLinkPartsThrowExceptionWithPharReferences($pharUrl)
+    {
+        $this->setExpectedException(\RuntimeException::class, '', 1530030672);
+        (new SoftReferenceIndex())->getTypoLinkParts($pharUrl);
+    }
+}
index 07f17da..ec8003b 100644 (file)
@@ -6345,6 +6345,13 @@ class ContentObjectRenderer
      */
     protected function detectLinkTypeFromLinkParameter($linkParameter)
     {
+        if (stripos(rawurldecode(trim($linkParameter)), 'phar://') === 0) {
+            throw new \RuntimeException(
+                'phar scheme not allowed as soft reference target',
+                1530030673
+            );
+        }
+
         // Parse URL:
         $scheme = parse_url($linkParameter, PHP_URL_SCHEME);
         // Detecting kind of link:
index 4d13e31..3d874ec 100644 (file)
@@ -4311,6 +4311,37 @@ class ContentObjectRendererTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
     }
 
     /**
+      * @return array
+      */
+     public function detectLinkTypeFromLinkParameterThrowExceptionWithPharReferencesDataProvider()
+     {
+         return [
+             'URL encoded local' => [
+                 'phar%3a//some-file.jpg',
+             ],
+             'URL encoded absolute' => [
+                 'phar%3a///path/some-file.jpg',
+             ],
+             'not URL encoded local' => [
+                 'phar://some-file.jpg',
+             ],
+             'not URL encoded absolute' => [
+                 'phar:///path/some-file.jpg',
+             ],
+         ];
+     }
+
+     /**
+      * @test
+      * @dataProvider detectLinkTypeFromLinkParameterThrowExceptionWithPharReferencesDataProvider
+      */
+     public function detectLinkTypeFromLinkParameterThrowExceptionWithPharReferences($pharUrl)
+     {
+         $this->setExpectedException(\RuntimeException::class, '', 1530030673);
+         $this->subject->_call('detectLinkTypeFromLinkParameter', $pharUrl);
+     }
+
+    /**
      * @return array
      */
     public function typolinkReturnsCorrectLinksForEmailsAndUrlsDataProvider()