[BUGFIX] Untrusted GP data is unserialized in wizard_colorpicker.php and view_help.php
authorChristian Kuhn <lolli@schwarzbu.ch>
Wed, 27 Jul 2011 10:50:40 +0000 (12:50 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:51:58 +0000 (12:51 +0200)
Change-Id: Ic905011dd568a4174e9aef24a4ab2bcefc100d36
Resolves: #24577
Reviewed-on: http://review.typo3.org/3776
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_lock.php
typo3/sysext/cms/tslib/showpic.php
typo3/wizard_colorpicker.php
typo3/wizard_tsconfig.php

index 64de373..a0b6ef1 100644 (file)
@@ -214,8 +214,10 @@ class t3lib_lock {
                $success = TRUE;
                switch ($this->method) {
                        case 'simple':
-                               if (unlink($this->resource) == FALSE) {
-                                       $success = FALSE;
+                               if (t3lib_div::isAllowedAbsPath($this->resource) && t3lib_div::isFirstPartOfStr($this->resource, PATH_site . 'typo3temp/locks/')) {
+                                       if (unlink($this->resource) == FALSE) {
+                                               $success = FALSE;
+                                       }
                                }
                        break;
                        case 'flock':
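Review bot: The new path guard `t3lib_div::isAllowedAbsPath($this->resource) && t3lib_div::isFirstPartOfStr($this->resource, PATH_site . 'typo3temp/locks/')` is written out twice, here in the 'simple' case and again in the 'flock' case of the next hunk (L35); pulling it into one helper such as `protected function isLockFilePath($path)` keeps the allowed directory in a single place should the check ever need tightening. In this hunk, when the guard rejects the path nothing is unlinked yet `$success` stays TRUE, so the caller is told the lock was released; an `else { $success = FALSE; }` branch (or at least a log entry) would make the refused release visible. The inner `unlink($this->resource) == FALSE` still uses a loose comparison; `unlink(...) === FALSE` or `!unlink(...)` reads more clearly. The enclosing release method starts before this hunk, so the caller's handling of `$success` is not visible here.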
@@ -223,7 +225,9 @@ class t3lib_lock {
                                        $success = FALSE;
                                }
                                fclose($this->filepointer);
-                               unlink($this->resource);
+                               if (t3lib_div::isAllowedAbsPath($this->resource) && t3lib_div::isFirstPartOfStr($this->resource, PATH_site . 'typo3temp/locks/')) {
+                                       unlink($this->resource);
+                               }
                        break;
                        case 'semaphore':
                                if (@sem_release($this->resource)) {
index 0452bb4..ede1244 100644 (file)
@@ -162,7 +162,7 @@ class SC_tslib_showpic {
                        )
                );
 
-               if ($md5_value!=$this->md5) {
+               if ($md5_value !== $this->md5) {
                        die('Parameter Error: Wrong parameters sent.');
                }
 
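Review bot: The change from `!=` to `!==` on the md5 comparison deserves a why-comment, because the reason is not visible on the line and a later cleanup could easily reintroduce `==`: under loose comparison two hex digest strings that both look like exponent notation (`0e` followed only by digits) are compared as numbers and test equal, so a loose check of a request-supplied hash against a computed one can be satisfied by a mismatched value. A comment such as `// Strict comparison: '==' treats numeric-looking hex digests (e.g. '0e123') as numbers and would let mismatched hashes pass.` directly above the `if` would record this. The same reasoning applies to the `===` comparisons in typo3/wizard_colorpicker.php (L57) and typo3/wizard_tsconfig.php (L67). Where `$this->md5` and `$md5_value` are assigned lies outside this hunk, so whether `$this->md5` is cast to string before the comparison cannot be confirmed here.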
index 484e028..60caf90 100644 (file)
@@ -448,7 +448,7 @@ class SC_wizard_colorpicker {
        protected function areFieldChangeFunctionsValid() {
                return (
                        $this->fieldChangeFunc && $this->fieldChangeFuncHash
-                       && $this->fieldChangeFuncHash == t3lib_div::hmac($this->fieldChangeFunc)
+                       && $this->fieldChangeFuncHash === t3lib_div::hmac($this->fieldChangeFunc)
                );
        }
 }
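Review bot: areFieldChangeFunctionsValid() passes `$this->fieldChangeFunc` straight to `t3lib_div::hmac()` after only a truthiness check, whereas the sibling method in typo3/wizard_tsconfig.php (L63-L69) guards with `isset()` and `is_array()` and hashes `serialize()` of the value; if `$this->fieldChangeFunc` can arrive from the request as an array rather than a string, the hmac input here would not be a string and the check would not behave as intended. The property's assignment is outside this hunk, so this is an inference to confirm; if it is always a string, a docblock stating that would remove the doubt. Either way the method lacks documentation of what it protects, e.g. `/** Verifies that the request-supplied fieldChangeFunc has not been tampered with by checking its HMAC before the value is used. @return boolean */`.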
index ab407a4..50cc6d7 100644 (file)
@@ -640,7 +640,7 @@ class SC_wizard_tsconfig {
        protected function areFieldChangeFunctionsValid() {
                return (
                        isset($this->P['fieldChangeFunc']) && is_array($this->P['fieldChangeFunc']) && isset($this->P['fieldChangeFuncHash'])
-                       && $this->P['fieldChangeFuncHash'] == t3lib_div::hmac(serialize($this->P['fieldChangeFunc']))
+                       && $this->P['fieldChangeFuncHash'] === t3lib_div::hmac(serialize($this->P['fieldChangeFunc']))
                );
        }
 }