[SECURITY] Remove possible XSS from ActionController Error output 76/26176/2
author Anja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:50:43 +0000 (10:50 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:50:46 +0000 (10:50 +0100)
As parameters passed to an ErrorObject can be user input, the
output of those parameters in the ActionController::errorAction() method
could lead to a cross-site scripting possibility.
The offending output has been removed without substitution.

Change-Id: Ide28a2af395a0a9558153ff6465dc8ae946a8b29
Fixes: #54074
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: f52d894b8adc385535ae0d3bc28700cd449e9f21
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26176
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/extbase/Classes/MVC/Controller/ActionController.php

index 13dae85..b48a0ec 100644 (file)
@@ -398,12 +398,6 @@ class Tx_Extbase_MVC_Controller_ActionController extends Tx_Extbase_MVC_Controll
                }
 
                $message = 'An error occurred while trying to call ' . get_class($this) . '->' . $this->actionMethodName . '().' . PHP_EOL;
-               foreach ($this->argumentsMappingResults->getErrors() as $error) {
-                       $message .= 'Error:   ' . $error->getMessage() . PHP_EOL;
-               }
-               foreach ($this->argumentsMappingResults->getWarnings() as $warning) {
-                       $message .= 'Warning: ' . $warning->getMessage() . PHP_EOL;
-               }
                return $message;
        }
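Review bot: The removed lines (the two foreach loops appending $error->getMessage() and $warning->getMessage() to $message) are dropped outright rather than escaped, so the error action now loses all detail about which argument mapping failed; if that detail is still wanted, passing each message through htmlspecialchars() before concatenation, or writing it to the log instead of the returned $message, would keep the diagnostics without emitting untrusted input into the response. Also worth confirming that the retained get_class($this) . '->' . $this->actionMethodName . '()' fragment cannot carry request-controlled characters, since it is returned on the same path, and a short comment above the remaining line explaining why the per-argument messages are no longer included would help future readers understand the omission.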