* Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks...
authorErnesto Baschny <ernst@cron-it.de>
Thu, 22 Oct 2009 08:12:22 +0000 (08:12 +0000)
committerErnesto Baschny <ernst@cron-it.de>
Thu, 22 Oct 2009 08:12:22 +0000 (08:12 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@6235 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_div.php
tests/t3lib/t3lib_div_testcase.php
typo3/alt_mod_frameset.php

index 7b11396..7208bb9 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
 
        * Fixed bug #11586: Potential SQL injection in frontend editing (thanks to Oliver Klee)
        * Fixed bug #12303: XSS vulnerability due to not proper sanitizing in function t3lib_div::quoteJSvalue (thanks to Oliver Klee)
+       * Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
 
 2009-10-21  Sebastian Kurfuerst  <sebastian@typo3.org>
 
index d0b3930..91bba6c 100644 (file)
@@ -4160,6 +4160,24 @@ final class t3lib_div {
        }
 
        /**
+        * Checks if a given string is a valid frame URL to be loaded in the
+        * backend.
+        *
+        * @param string $url potential URL to check
+        *
+        * @return string either $url if $url is considered to be harmless, or an
+        *                empty string otherwise
+        */
+       public static function sanitizeBackEndUrl($url = '') {
+               $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
+               if (!preg_match($whitelistPattern, $url)) {
+                       $url = '';
+               }
+
+               return $url;
+       }
+
+       /**
         * Moves $source file to $destination if uploaded, otherwise try to make a copy
         * Usage: 4
         *
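Review bot: The whitelist at line 38 still admits scheme-relative URLs, because `//host/path` is built entirely from characters the class allows (`/`, letters, `.`), and a browser resolves such a frame src against another origin, so the frame inclusion this commit targets is not fully closed. A second gap is that `$` without the `D` modifier also matches before a trailing newline, so `alt_intro.php\n` passes. I would tighten both: `$whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/D';` and `if (!preg_match($whitelistPattern, $url) || substr($url, 0, 2) === '//') {`. The docblock should then state the rule explicitly, e.g. `* Only relative paths made of [A-Za-z0-9_/.&=?] are accepted; absolute and scheme-relative URLs yield ''.`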
index 08b6f24..9971f8c 100644 (file)
@@ -344,6 +344,77 @@ class t3lib_div_testcase extends tx_phpunit_testcase {
                $this->assertTrue(t3lib_div::isOnCurrentHost($testUrl));
        }
 
+
+       ////////////////////////////////////////
+       // Tests concerning sanitizeBackEndUrl
+       ////////////////////////////////////////
+
+       /**
+        * @test
+        */
+       public function sanitizeBackEndUrlForEmptyStringReturnsEmptyString() {
+               $this->assertEquals(
+                       '',
+                       t3lib_div::sanitizeBackEndUrl('')
+               );
+       }
+
+       /**
+        * @test
+        */
+       public function sanitizeBackEndUrlLeavesAbsoluteIntroUrlUnchanged() {
+               $this->assertEquals(
+                       '/typo3/alt_intro.php',
+                       t3lib_div::sanitizeBackEndUrl('/typo3/alt_intro.php')
+               );
+       }
+
+       /**
+        * @test
+        */
+       public function sanitizeBackEndUrlLeavesRelativeIntroUrlUnchanged() {
+               $this->assertEquals(
+                       'alt_intro.php',
+                       t3lib_div::sanitizeBackEndUrl('alt_intro.php')
+               );
+       }
+
+       /**
+        * @test
+        */
+       public function sanitizeBackEndUrlLeavesRelativeIntroUrlWithParameterUnchanged() {
+               $this->assertEquals(
+                       'alt_intro.php?foo=1&bar=2',
+                       t3lib_div::sanitizeBackEndUrl('alt_intro.php?foo=1&bar=2')
+               );
+       }
+
+       /**
+        * @test
+        */
+       public function sanitizeBackEndUrlForFullUrlReturnsEmptyString() {
+               $this->assertEquals(
+                       '',
+                       t3lib_div::sanitizeBackEndUrl('http://www.google.de/')
+               );
+       }
+
+       /**
+        * @test
+        */
+       public function sanitizeBackEndUrlForRelativeIntroUrlWithEncodedCharacterReturnsEmptyString() {
+               $this->assertEquals(
+                       '',
+                       t3lib_div::sanitizeBackEndUrl('alt_intro.php?%20')
+               );
+       }
+
+
+
+       //////////////////////////////////////
+       // Tests concerning removeDotsFromTS
+       //////////////////////////////////////
+
        /**
         * Tests whether removeDotsFromTS() behaves correctly.
         * @test
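Review bot: The rejection cases stop at a full `http://` URL and an encoded character, so nothing documents what the function does with a scheme-relative input, which is the form the whitelist in t3lib_div::sanitizeBackEndUrl does not reject. Adding `sanitizeBackEndUrlForSchemeRelativeUrlReturnsEmptyString` asserting `'' === t3lib_div::sanitizeBackEndUrl('//example.org/')` (constructed sample) pins the intended contract; it would fail against the current pattern and so doubles as the regression test for tightening it. The enclosing test class continues outside the hunk.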
index 36ba4bf..4d87f82 100644 (file)
@@ -87,8 +87,8 @@ class SC_alt_mod_frameset {
                global $BE_USER,$TBE_TEMPLATE,$TBE_STYLES;
 
                        // GPvars:
-               $this->exScript = t3lib_div::_GP('exScript');
-               $this->id = t3lib_div::_GP('id');
+               $this->exScript = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('exScript'));
+               $this->id = intval(t3lib_div::_GP('id'));
                $this->fW = t3lib_div::_GP('fW');
 
                        // Setting resizing flag:
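Review bot: `$this->fW` on line 138 is still assigned the raw GET/POST value while `id` on the line above it is now cast with `intval()`; if fW is a frame width that ends up in the frameset markup (its use is outside this hunk), the same cast, `$this->fW = intval(t3lib_div::_GP('fW'));`, would close the remaining unvalidated input in this block. Separately, sanitizeBackEndUrl() returns `''` for both a missing and a rejected `exScript`, so a rejected value is indistinguishable from none; logging when the sanitized value differs from the raw one would give operators a signal that a bad frame URL was attempted. The enclosing method starts before and ends after this hunk.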
@@ -103,8 +103,8 @@ class SC_alt_mod_frameset {
                }
 
                        // Navigation frame URL:
-               $script = t3lib_div::_GP('script');
-               $nav = t3lib_div::_GP('nav');
+               $script = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('script'));
+               $nav = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('nav'));
                $URL_nav = htmlspecialchars($nav.'&currentSubScript='.rawurlencode($script));
 
                        // List frame URL: