[BUGFIX] External URL regression by jumpurl security fix 53/18753/5
author Helmut Hummel <helmut.hummel@typo3.org>
Wed, 6 Mar 2013 14:47:57 +0000 (15:47 +0100)
committer Helmut Hummel <helmut.hummel@typo3.org>
Wed, 6 Mar 2013 21:17:55 +0000 (22:17 +0100)
With the jumpurl security fix, pages of type
'Link to external URL' throw a jumpurl
hash exception if called in the frontend. This typically
happens if a HMENU renders such page links.

The patch adapts the TSFE logic to write the required
hash dynamically to _GET to make the jumpurl check happy
that is called later on within the same process if
calling such an 'external url' link.

Change-Id: Ie73cd9710929c72aad4e75543f90c8618797997b
Fixes: #46071
Related: #28587
Releases: 6.1, 6.0, 4.7, 4.6, 4.5
Reviewed-on: https://review.typo3.org/18753
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Gregor Hermens
Tested-by: Gregor Hermens
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php

index 938c118..20e3724 100644 (file)
@@ -2786,6 +2786,7 @@ class TypoScriptFrontendController {
        public function setExternalJumpUrl() {
                if ($extUrl = $this->sys_page->getExtURL($this->page, $this->config['config']['disablePageExternalUrl'])) {
                        $this->jumpurl = $extUrl;
+                       \TYPO3\CMS\Core\Utility\GeneralUtility::_GETset(\TYPO3\CMS\Core\Utility\GeneralUtility::hmac($this->jumpurl, 'jumpurl'), 'juHash');
                }
        }
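Review bot: The added `_GETset(...)` line in `setExternalJumpUrl()` has no comment, and it satisfies the later jumpurl check by writing a server-computed `juHash` into the global `_GET` array, so the request state stays altered for everything that runs afterwards in the same request. Add a short comment stating that the hash is injected because `$this->jumpurl` here comes from the page record via `getExtURL()` and not from the client. Consider recording on the controller that this URL is trusted and letting the check consult that, instead of faking a request parameter, so that code reading `_GET` later does not see a `juHash` the client never sent. As a style point, the fully qualified `\TYPO3\CMS\Core\Utility\GeneralUtility` appears twice on one long line; computing the HMAC into a local variable first would make the intent easier to read.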