* Fixed bug #11586: Potential SQL injection in frontend editing (thanks to Oliver Klee)
* Fixed bug #12303: XSS vulnerability due to not proper sanitizing in function t3lib_div::quoteJSvalue (thanks to Oliver Klee)
+ * Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
2009-10-21 Sebastian Kurfuerst <sebastian@typo3.org>
return true;
}
+ /**
+ * Checks if a given string is a valid frame URL to be loaded in the
+ * backend.
+ *
+ * @param string $url potential URL to check
+ *
+ * @return string either $url if $url is considered to be harmless, or an
+ * empty string otherwise
+ */
+ public static function sanitizeBackEndUrl($url = '') {
+ $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
+ if (!preg_match($whitelistPattern, $url)) {
+ $url = '';
+ }
+
+ return $url;
+ }
+
/**
* Moves $source file to $destination if uploaded, otherwise try to make a copy
* Usage: 4
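Review bot: The character whitelist on line 17 still lets through values that start with `//` or contain `..`, because `/` and `.` are permitted characters, so a scheme-relative host reference or a parent-directory path returns from sanitizeBackEndUrl unchanged; for a check whose purpose is to stop frame inclusion that is the shape most worth rejecting. A cheap tightening keeps the regex and adds a shape check, e.g. `if (!preg_match($whitelistPattern, $url) || strpos($url, '//') !== false || strpos($url, '..') !== false) {`. The docblock on lines 8-14 should also spell out what "harmless" means here — only a relative script path plus query string made of the listed characters is kept, nothing about the target existing or being a backend module — so the callers in alt_mod_frameset (the exScript, script and nav assignments in the later hunks) do not read it as a full URL validation. The same gap applies to each of those call sites, so one fix in this function covers them.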
$this->assertTrue(t3lib_div::isOnCurrentHost($testUrl));
}
+
+ ////////////////////////////////////////
+ // Tests concerning sanitizeBackEndUrl
+ ////////////////////////////////////////
+
+ /**
+ * @test
+ */
+ public function sanitizeBackEndUrlForEmptyStringReturnsEmptyString() {
+ $this->assertEquals(
+ '',
+ t3lib_div::sanitizeBackEndUrl('')
+ );
+ }
+
+ /**
+ * @test
+ */
+ public function sanitizeBackEndUrlLeavesAbsoluteIntroUrlUnchanged() {
+ $this->assertEquals(
+ '/typo3/alt_intro.php',
+ t3lib_div::sanitizeBackEndUrl('/typo3/alt_intro.php')
+ );
+ }
+
+ /**
+ * @test
+ */
+ public function sanitizeBackEndUrlLeavesRelativeIntroUrlUnchanged() {
+ $this->assertEquals(
+ 'alt_intro.php',
+ t3lib_div::sanitizeBackEndUrl('alt_intro.php')
+ );
+ }
+
+ /**
+ * @test
+ */
+ public function sanitizeBackEndUrlLeavesRelativeIntroUrlWithParameterUnchanged() {
+ $this->assertEquals(
+ 'alt_intro.php?foo=1&bar=2',
+ t3lib_div::sanitizeBackEndUrl('alt_intro.php?foo=1&bar=2')
+ );
+ }
+
+ /**
+ * @test
+ */
+ public function sanitizeBackEndUrlForFullUrlReturnsEmptyString() {
+ $this->assertEquals(
+ '',
+ t3lib_div::sanitizeBackEndUrl('http://www.google.de/')
+ );
+ }
+
+ /**
+ * @test
+ */
+ public function sanitizeBackEndUrlForRelativeIntroUrlWithEncodedCharacterReturnsEmptyString() {
+ $this->assertEquals(
+ '',
+ t3lib_div::sanitizeBackEndUrl('alt_intro.php?%20')
+ );
+ }
+
+
+
+ //////////////////////////////////////
+ // Tests concerning removeDotsFromTS
+ //////////////////////////////////////
+
/**
* Tests whether removeDotsFromTS() behaves correctly.
* @test
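Review bot: The new tests on lines 38-93 cover the empty string, plain relative paths, a query string and an absolute http URL, but none of them exercises a scheme-relative or parent-directory input, which are the cases the character whitelist in sanitizeBackEndUrl does not exclude. Adding a test such as `$this->assertEquals('', t3lib_div::sanitizeBackEndUrl('//example.org/'));` and a sibling for `'../typo3/alt_intro.php'` would document the intended contract; against the implementation in this commit the first of them fails, which is the point of adding it alongside the fix. The test names already follow the file's `...ReturnsEmptyString` convention, so `sanitizeBackEndUrlForProtocolRelativeUrlReturnsEmptyString` fits.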
global $BE_USER,$TBE_TEMPLATE,$TBE_STYLES;
// GPvars:
- $this->exScript = t3lib_div::_GP('exScript');
- $this->id = t3lib_div::_GP('id');
+ $this->exScript = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('exScript'));
+ $this->id = intval(t3lib_div::_GP('id'));
$this->fW = t3lib_div::_GP('fW');
// Setting resizing flag:
}
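Review bot: Lines 108-109 now run exScript through sanitizeBackEndUrl and cast id to int, but `$this->fW` on the context line 110 is still taken straight from t3lib_div::_GP with no check. Its use is outside this hunk, so this is a question rather than a defect: if fW is emitted into the frameset markup or used as a width, it should get the same treatment, e.g. `$this->fW = intval(t3lib_div::_GP('fW'));`, and a short comment next to the three assignments saying why each one is cast or filtered would help the next reader see the pattern. The enclosing method starts before this hunk.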
// Navigation frame URL:
- $script = t3lib_div::_GP('script');
- $nav = t3lib_div::_GP('nav');
+ $script = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('script'));
+ $nav = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('nav'));
$URL_nav = htmlspecialchars($nav.'¤tSubScript='.rawurlencode($script));
// List frame URL: