[SECURITY] Untrusted GP data is unserialized in old CSH handling
authorHelmut Hummel <helmut.hummel@typo3.org>
Wed, 15 Aug 2012 10:18:27 +0000 (12:18 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 15 Aug 2012 10:18:32 +0000 (12:18 +0200)
When the old and already deprecated CSH handling in the TYPO3 backend is used,
untrusted GP data is unserialized. Validate the submitted data with
an HMAC.

Change-Id: Ifc93c7d853c2b0df59dd12ab95a7ce1ee4a28a8e
Fixes: #33520
Releases: 6.0, 4.7, 4.6, 4.5
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13747
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tceforms.php
typo3/view_help.php

index af6f6eb..d39f9e4 100644 (file)
@@ -5210,6 +5210,8 @@ class t3lib_TCEforms {
                                                                                                           'field' => $field,
                                                                                                           'title' => $fieldTitle
                                                                                                  )));
+                               $hash = t3lib_div::hmac($params);
+                               $params .= $hash;
                                $aOnClick = 'vHWin=window.open(\'' . $this->backPath . 'view_help.php?ffID=' . $params . '\',\'viewFieldHelp\',\'height=400,width=600,status=0,menubar=0,scrollbars=1\');vHWin.focus();return false;';
                                return '<a href="#" class="typo3-csh-link" onclick="' . htmlspecialchars($aOnClick) . '">' .
                                           t3lib_iconWorks::getSpriteIcon('actions-system-help-open') . $hoverText .
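Review bot: The signed value is concatenated into the `view_help.php?ffID=` URL on the line after the two added ones without URL-encoding, so characters that are not URL-safe in `$params` (if it is base64 output, as the receiving side's `base64_decode` suggests, a `+` would arrive as a space) will corrupt the payload and make the new HMAC check reject a link the backend itself generated. Encoding the query value closes that gap: `'view_help.php?ffID=' . rawurlencode($params) . '\',\'viewFieldHelp\',...`. The `$params` assignment that is signed here starts above the hunk, so its exact encoding is not visible in this view.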
index 11dd045..f2c3141 100644 (file)
@@ -118,8 +118,9 @@ class SC_view_help {
                        $this->tfID = '';
                }
                if (!$this->tfID) {
-                       if (($this->ffID = t3lib_div::_GP('ffID'))) {
-                               $this->ffID = unserialize(base64_decode($this->ffID));
+                       $ffID = t3lib_div::_GP('ffID');
+                       if (!empty($ffID)) {
+                               $this->ffID = unserialize(base64_decode($this->validateAndStripHmac($ffID)));
                        }
                }
                $this->back = t3lib_div::_GP('back');
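Review bot: The `InvalidArgumentException` that `validateAndStripHmac()` throws on a tampered, truncated or pre-upgrade `ffID` value is not caught here, so any such request now aborts `init()` with an uncaught exception instead of degrading to the "no field help" path that the surrounding `if (!$this->tfID)` logic otherwise provides. Failing closed is the right outcome, but it should be a controlled one: catch the exception, leave `$this->ffID` unset, and let the rest of the request continue. Note also that the authenticated payload is still passed to `unserialize()`; with a valid HMAC it is server-generated, but a plain array format such as JSON would remove the object-instantiation surface entirely. `init()` starts before this hunk.
```php
$ffID = t3lib_div::_GP('ffID');
if (!empty($ffID)) {
    try {
        $this->ffID = unserialize(base64_decode($this->validateAndStripHmac($ffID)));
    } catch (InvalidArgumentException $e) {
        // Reject silently: an invalid or missing HMAC means the value cannot be trusted.
        $this->ffID = '';
    }
}
```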
@@ -161,6 +162,26 @@ class SC_view_help {
        }
 
        /**
+        * @param $string
+        * @return string
+        * @throws InvalidArgumentException
+        */
+       protected function validateAndStripHmac($string) {
+               if (!is_string($string)) {
+                       throw new InvalidArgumentException('A hash can only be validated for a string, but "' . gettype($string) . '" was given.', 1320829762);
+               }
+               if (strlen($string) < 40) {
+                       throw new InvalidArgumentException('A hashed string must contain at least 40 characters, the given string was only ' . strlen($string) . ' characters long.', 1320830276);
+               }
+               $stringWithoutHmac = substr($string, 0, -40);
+               if (t3lib_div::hmac($stringWithoutHmac) !== substr($string, -40)) {
+                       throw new InvalidArgumentException('The given string was not appended with a valid HMAC.', 1320830018);
+               }
+               return $stringWithoutHmac;
+
+       }
+
+       /**
         * Main function, rendering the display
         *
         * @return      void
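Review bot: The HMAC check in `validateAndStripHmac()` compares the computed digest with the submitted one via `!==`, which short-circuits at the first differing byte and so leaks timing information about how much of a forged digest is correct. A fixed-length, non-short-circuiting comparison over all 40 characters removes that side channel; `hash_equals()` does the same once the minimum PHP version is 5.6 or later. The literal `40` assumes `t3lib_div::hmac()` returns a 40-character hex digest, which this hunk does not show, so the length of the computed digest should be checked before indexing into it. Two smaller points: the docblock should read `@param string $string`, and the blank line before the closing brace of the method is stray.
```php
$stringWithoutHmac = substr($string, 0, -40);
$expectedHmac = t3lib_div::hmac($stringWithoutHmac);
$givenHmac = substr($string, -40);
// Compare every byte regardless of where the first mismatch occurs, so the
// response time does not reveal how many leading bytes of a guess were right.
$difference = strlen($expectedHmac) ^ strlen($givenHmac);
for ($i = 0; $i < strlen($expectedHmac) && $i < strlen($givenHmac); $i++) {
    $difference |= ord($expectedHmac[$i]) ^ ord($givenHmac[$i]);
}
if ($difference !== 0) {
    throw new InvalidArgumentException('The given string was not appended with a valid HMAC.', 1320830018);
}
return $stringWithoutHmac;
```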
@@ -890,4 +911,4 @@ $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
 
-?>
\ No newline at end of file
+?>