[SECURITY] Remove possible XSS from ActionController Error output 17/26217/2
authorAnja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:54:29 +0000 (10:54 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:54:33 +0000 (10:54 +0100)
As parameters passed to an ErrorObject can be user input, the
output of those parameters in the ActionController::errorAction() method
could lead to a cross-site scripting (XSS) vulnerability.

The offending output has been removed without substitution.

Change-Id: I01385c54bb384a86fc6428f67171e7010b821cc2
Fixes: #54074
Releases: 6.2, 6.1, 6.0, 4.7. 4,5
Security-Commit: ec947ba22bd673827899c5e82857b293dff8b4b0
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26217
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php

index 61380a1..8b57ab4 100644 (file)
@@ -522,11 +522,6 @@ class ActionController extends \TYPO3\CMS\Extbase\Mvc\Controller\AbstractControl
                                $this->forward($referringRequest->getControllerActionName(), $referringRequest->getControllerName(), $referringRequest->getControllerExtensionName(), $referringRequest->getArguments());
                        }
                        $message = 'An error occurred while trying to call ' . get_class($this) . '->' . $this->actionMethodName . '().' . PHP_EOL;
-                       foreach ($this->arguments->getValidationResults()->getFlattenedErrors() as $propertyPath => $errors) {
-                               foreach ($errors as $error) {
-                                       $message .= 'Error for ' . $propertyPath . ':  ' . $error->render() . PHP_EOL;
-                               }
-                       }
                        return $message;
                } else {
                        // @deprecated since Extbase 1.4.0, will be removed two versions after Extbase 6.1
@@ -545,12 +540,6 @@ class ActionController extends \TYPO3\CMS\Extbase\Mvc\Controller\AbstractControl
                                $this->forward($referrer['actionName'], $referrer['controllerName'], $referrer['extensionName'], $this->request->getArguments());
                        }
                        $message = 'An error occurred while trying to call ' . get_class($this) . '->' . $this->actionMethodName . '().' . PHP_EOL;
-                       foreach ($this->argumentsMappingResults->getErrors() as $error) {
-                               $message .= 'Error:   ' . $error->getMessage() . PHP_EOL;
-                       }
-                       foreach ($this->argumentsMappingResults->getWarnings() as $warning) {
-                               $message .= 'Warning: ' . $warning->getMessage() . PHP_EOL;
-                       }
                        return $message;
                }
        }
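Review bot: The remaining `$message` line in both hunks still concatenates `get_class($this)` and `$this->actionMethodName` into a string that is returned to an unseen caller, and nothing on this page states whether that string is meant for HTML, plain text or a log; the enclosing method's signature and docblock are outside both hunks. If `$this->actionMethodName` is derived from request input (not visible here), the same reflection class of issue remains one concatenation away, so the output contract should be written down: a `@return string` docblock line saying the message is plain text and not HTML-escaped, and that callers rendering it into HTML must escape it, would make that explicit. The removed validation errors and mapping warnings are now not surfaced anywhere; routing them to the server-side log instead of the response would keep the diagnostics for developers without reflecting user-supplied values to the client. This applies equally to the deprecated branch in the second hunk.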