[SECURITY] Possible XSS in felogin messages 79/45279/2
authorGeorg Ringer <mail@ringerge.org>
Tue, 15 Dec 2015 10:37:16 +0000 (11:37 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:37:25 +0000 (11:37 +0100)
Change default TypoScript to encode messages in felogin
with htmlspecialchars.

Fix two occurrences of _LOCAL_LANG messages where htmlspecialchars
was missing.

Resolves: #25243
Releases: master, 6.2
Security-Commit: 341a017859b2c3c99b675fb787b1c5a7af8cef6f
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Icddb2be90bced5ef51439630a5b47bf6bc04f624
Reviewed-on: https://review.typo3.org/45279
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
typo3/sysext/felogin/ext_typoscript_setup.txt

index ddafa75..395f855 100644 (file)
@@ -175,7 +175,7 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
         // Process the redirect
         if (($this->logintype === 'login' || $this->logintype === 'logout') && $this->redirectUrl && !$this->noRedirect) {
             if (!$this->frontendController->fe_user->isCookieSet() && $this->userIsLoggedIn) {
-                $content .= $this->cObj->stdWrap($this->pi_getLL('cookie_warning', '', true), $this->conf['cookieWarning_stdWrap.']);
+                $content .= $this->cObj->stdWrap($this->pi_getLL('cookie_warning'), $this->conf['cookieWarning_stdWrap.']);
             } else {
                 // Add hook for extra processing before redirect
                 if (
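Review bot: The added `pi_getLL('cookie_warning')` call emits the label unescaped from PHP, so the only HTML encoding left for the cookie warning is `cookieWarning_stdWrap.htmlSpecialChars = 1` in the default TypoScript, which any site-level redefinition of `cookieWarning_stdWrap` silently drops. Because `_LOCAL_LANG` labels can also be overridden from TypoScript, the dependency should be stated at the call site: `// No hsc here: cookieWarning_stdWrap (htmlSpecialChars = 1 in the default TypoScript) is the escaping layer`. The method enclosing this `if` starts before the hunk.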
@@ -248,7 +248,7 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
                     $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap($error, $this->conf['forgotErrorMessage_stdWrap.']);
                 } else {
                     $markerArray['###STATUS_MESSAGE###'] = $this->cObj->stdWrap(
-                        $this->pi_getLL('ll_forgot_reset_message_emailSent', '', true),
+                        $this->pi_getLL('ll_forgot_reset_message_emailSent'),
                         $this->conf['forgotResetMessageEmailSentMessage_stdWrap.']
                     );
                 }
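Review bot: The `$error` branch just above the changed call also flows through a stdWrap that the default TypoScript now escapes, but `$error` is composed outside this hunk; if it is still built from a `pi_getLL(..., '', true)` or from `htmlspecialchars()` in PHP it will be double-encoded (`&amp;lt;`) once `forgotErrorMessage_stdWrap.htmlSpecialChars = 1` applies. I would check how `$error` is built and the remaining `pi_getLL(..., true)` call sites in this class so exactly one layer encodes, and document the intended layer on the changed line: `// No hsc here: forgotResetMessageEmailSentMessage_stdWrap.htmlSpecialChars encodes`. The enclosing method starts before the hunk.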
@@ -915,7 +915,7 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
      */
     protected function getDisplayText($label, $stdWrapArray = array())
     {
-        $text = $this->flexFormValue($label, 's_messages') ? $this->cObj->stdWrap($this->flexFormValue($label, 's_messages'), $stdWrapArray) : $this->cObj->stdWrap($this->pi_getLL('ll_' . $label, '', true), $stdWrapArray);
+        $text = $this->flexFormValue($label, 's_messages') ? $this->cObj->stdWrap($this->flexFormValue($label, 's_messages'), $stdWrapArray) : $this->cObj->stdWrap($this->pi_getLL('ll_' . $label), $stdWrapArray);
         $replace = $this->getUserFieldMarkers();
         return strtr($text, $replace);
     }
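Review bot: In `getDisplayText` the `strtr($text, $replace)` runs after `stdWrap`, so the fe_users values returned by `getUserFieldMarkers()` are substituted into an already-escaped message and are not covered by the new `htmlSpecialChars = 1` at all; their safety rests entirely on `getUserFieldMarkers()`, which is outside this hunk and presumably applies the fe_users field stdWrap referenced in the TypoScript. The flexform branch now escapes editor-supplied `s_messages` text too, which is a behaviour change for sites that deliberately placed markup in those messages. The method's docblock starts before the hunk; it should gain a line such as `Escaping: the message is encoded by $stdWrapArray (htmlSpecialChars in the default TypoScript); user-field markers are inserted afterwards and must be escaped by getUserFieldMarkers()`.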
index ede72d3..ae32088 100644 (file)
@@ -38,66 +38,85 @@ plugin.tx_felogin_pi1 {
 
        welcomeHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        welcomeMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        successHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        successMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        logoutHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        logoutMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        errorHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        errorMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        forgotHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        forgotMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        forgotErrorMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        forgotResetMessageEmailSentMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordNotValidMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordTooShortMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordNotEqualMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
 
        changePasswordHeader_stdWrap {
                wrap = <h3>|</h3>
+               htmlSpecialChars = 1
        }
        changePasswordMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
        }
        changePasswordDoneMessage_stdWrap {
                wrap = <div>|</div>
+               htmlSpecialChars = 1
     }
 
        cookieWarning_stdWrap {
                wrap = <p style="color:red; font-weight:bold;">|</p>
+               htmlSpecialChars = 1
        }
 
        # stdWrap for fe_users fields used in Messages
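Review bot: The added `htmlSpecialChars = 1` properties are now the sole HTML escaping for these messages, since the PHP side stops passing the hsc flag to `pi_getLL`, so an integrator who redefines any of these `*_stdWrap` objects (commonly done to change the wrap) reintroduces the XSS unless they copy the property. A comment at the head of the block would warn them: `# htmlSpecialChars = 1 is the only escaping applied to these messages - keep it in any override`. The position of the new property inside each object is immaterial: stdWrap applies its properties in a fixed order in which htmlSpecialChars runs before wrap, as far as I recall, so the `<h3>`/`<div>` wraps themselves are not encoded, but that is worth confirming against the stdWrap reference rather than the file order.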