'field' => $field,
'title' => $fieldTitle
)));
+ $hash = t3lib_div::hmac($params);
+ $params .= $hash;
$aOnClick = 'vHWin=window.open(\'' . $this->backPath . 'view_help.php?ffID=' . $params . '\',\'viewFieldHelp\',\'height=400,width=600,status=0,menubar=0,scrollbars=1\');vHWin.focus();return false;';
return '<a href="#" class="typo3-csh-link" onclick="' . htmlspecialchars($aOnClick) . '">' .
t3lib_iconWorks::getSpriteIcon('actions-system-help-open') . $hoverText .
$this->tfID = '';
}
if (!$this->tfID) {
- if (($this->ffID = t3lib_div::_GP('ffID'))) {
- $this->ffID = unserialize(base64_decode($this->ffID));
+ $ffID = t3lib_div::_GP('ffID');
+ if (!empty($ffID)) {
+ $this->ffID = unserialize(base64_decode($this->validateAndStripHmac($ffID)));
}
}
$this->back = t3lib_div::_GP('back');
}
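Review bot: The new `unserialize(base64_decode($this->validateAndStripHmac($ffID)))` line closes the unauthenticated path, but the deserialisation sink itself remains: any signed value stays valid for as long as the encryption key does, and anyone holding that key can still have arbitrary objects instantiated from the `ffID` parameter. Since the producer side of this change serializes only plain strings (the `'field' => $field, 'title' => $fieldTitle` entries visible above, plus whatever precedes them outside the hunk), the payload could be written with `json_encode` and read back with `json_decode($s, true)` before the HMAC is applied, which removes the unserialize call entirely while keeping the HMAC as the integrity check. Note also that the `InvalidArgumentException` thrown by `validateAndStripHmac()` for a tampered or truncated link propagates out of this method uncaught here; unless a caller wraps it, a malformed link ends in an exception page rather than a clean "invalid request" response, which is worth confirming. The enclosing method starts outside the hunk.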
/**
+ * @param $string
+ * @return string
+ * @throws InvalidArgumentException
+ */
+ protected function validateAndStripHmac($string) {
+ if (!is_string($string)) {
+ throw new InvalidArgumentException('A hash can only be validated for a string, but "' . gettype($string) . '" was given.', 1320829762);
+ }
+ if (strlen($string) < 40) {
+ throw new InvalidArgumentException('A hashed string must contain at least 40 characters, the given string was only ' . strlen($string) . ' characters long.', 1320830276);
+ }
+ $stringWithoutHmac = substr($string, 0, -40);
+ if (t3lib_div::hmac($stringWithoutHmac) !== substr($string, -40)) {
+ throw new InvalidArgumentException('The given string was not appended with a valid HMAC.', 1320830018);
+ }
+ return $stringWithoutHmac;
+
+ }
+
+ /**
* Main function, rendering the display
*
* @return void
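Review bot: The check `t3lib_div::hmac($stringWithoutHmac) !== substr($string, -40)` is an ordinary string comparison that stops at the first differing byte, so its running time depends on how much of the expected MAC the caller already has; where the supported PHP baseline allows it, `hash_equals($expected, $given)` (PHP 5.6+) is the constant-time replacement, otherwise a short loop that XORs every byte pair and tests the accumulated result once. The docblock should also state the parameter type and contract, e.g. `@param string $string Value with a 40-character hex HMAC appended`, since `@param $string` carries no type. The `strlen($string) < 40` guard admits an exactly-40-character input whose payload is the empty string, which `hmac('')` validates as genuine; tightening the guard to `<= 40` (and the message accordingly) rejects that degenerate case, and the blank line before the closing brace after `return $stringWithoutHmac;` can be dropped.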
$SOBE->main();
$SOBE->printContent();
-?>
\ No newline at end of file
+?>