[SECURITY] Fix GeneralUtility::sanitizeLocalUrl to detect foreign schemes 22/43122/2
authorNicole Cordes <typo3@cordes.co>
Tue, 8 Sep 2015 08:58:06 +0000 (10:58 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 8 Sep 2015 08:58:15 +0000 (10:58 +0200)
This patch adds a check to be able to recognize arbitrary schemes which
have to be skipped. Furthermore, a missing sanitization is added to
TYPO3\CMS\Backend\Controller\ContentElement\ElementInformationController

Resolves: #68825
Releases: master, 6.2
Security-Commit: de692804837ad0ddfdff194571dc8c786c717576
Security-Bulletin: TYPO3-CORE-SA-2015-009
Change-Id: Iddd54d241776a47f634c9ac2540e6a2e31801da7
Reviewed-on: http://review.typo3.org/43122
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Controller/ContentElement/ElementInformationController.php
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php

index 688e768..3fd5287 100644 (file)
@@ -490,7 +490,7 @@ class ElementInformationController implements \TYPO3\CMS\Core\Http\ControllerInt
         */
        protected function renderBackButton() {
                $backLink = '';
-               $returnUrl = GeneralUtility::_GET('returnUrl');
+               $returnUrl = GeneralUtility::sanitizeLocalUrl(GeneralUtility::_GET('returnUrl'));
                if ($returnUrl) {
                        $backLink .= '
                                <a class="btn btn-primary" href="' . htmlspecialchars($returnUrl) . '>
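Review bot: The sanitizer is applied only where `$returnUrl` feeds the back button, so if the raw `returnUrl` GET parameter is read anywhere else in ElementInformationController (for example to forward it in another link) that path still needs `sanitizeLocalUrl()`; the rest of the class is outside this hunk, so this is worth a grep. Since `sanitizeLocalUrl()` returns an empty string when it rejects the value, the `if ($returnUrl)` guard now means a rejected URL silently drops the button rather than surfacing an error, which is acceptable here but deserves a comment such as `// sanitizeLocalUrl() returns '' for off-site or scheme-carrying URLs; no back button is rendered then`. renderBackButton() continues past the end of the hunk.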
index 838c7b1..a7d077c 100755 (executable)
@@ -3829,6 +3829,7 @@ Connection: close
                $sanitizedUrl = '';
                $decodedUrl = rawurldecode($url);
                if (!empty($url) && self::removeXSS($decodedUrl) === $decodedUrl) {
+                       $parsedUrl = parse_url($decodedUrl);
                        $testAbsoluteUrl = self::resolveBackPath($decodedUrl);
                        $testRelativeUrl = self::resolveBackPath(self::dirname(self::getIndpEnv('SCRIPT_NAME')) . '/' . $decodedUrl);
                        // Pass if URL is on the current host:
@@ -3840,7 +3841,7 @@ Connection: close
                                $sanitizedUrl = $url;
                        } elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] === '/') {
                                $sanitizedUrl = $url;
-                       } elseif (strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
+                       } elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
                                $sanitizedUrl = $url;
                        }
                }
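Review bot: The new scheme check is added only to the relative branch, so a protocol-relative value such as `//evil.example/` still satisfies `$decodedUrl[0] === '/'` in the absolute branch just above, and when TYPO3_SITE_PATH is `/` the `strpos($testAbsoluteUrl, ...) === 0` test passes as well, letting a browser-interpreted off-site redirect through — unless resolveBackPath() collapses the doubled slash, which I cannot see here. A guard such as `&& substr($decodedUrl, 0, 2) !== '//'` on that elseif would close it. Also note that parse_url() returns false for badly malformed input, in which case `$parsedUrl['scheme']` is null and `empty()` is true, so the scheme check is skipped for exactly the inputs parse_url() could not interpret; testing `$parsedUrl !== false` first and rejecting on false would be safer. The sanitizeLocalUrl() body starts before and continues after this hunk.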
index 5536f20..c7c3bc6 100644 (file)
@@ -2080,7 +2080,8 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
                        'empty string' => array(''),
                        'http domain' => array('http://www.google.de/'),
                        'https domain' => array('https://www.google.de/'),
-                       'relative path with XSS' => array('../typo3/whatever.php?argument=javascript:alert(0)')
+                       'relative path with XSS' => array('../typo3/whatever.php?argument=javascript:alert(0)'),
+                       'base64 encoded string' => array('data:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4='),
                );
        }