[SECURITY] Prevent possible XSS in Fluid templates 93/51893/2
author Nicole Cordes <typo3@cordes.co>
Tue, 28 Feb 2017 10:23:37 +0000 (11:23 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 28 Feb 2017 10:23:58 +0000 (11:23 +0100)
This patch ensures proper encoding of the output of if-ViewHelpers when
used in inline notation.

The regular expression to find possibly affected usages is:
\{\s*f:if\s*\(.+,\s*(?:then|else):(?>\s*)[^']

Resolves: #79911
Releases: master, 7.6
Security-Commit: 25113a810a8b9203f61ef694e0ef0a42dc349a72
Security-Bulletin: TYPO3-CORE-SA-2017-003
Change-Id: I09fea4c7d9dc845d1be23a34627dcc277da089f9
Reviewed-on: https://review.typo3.org/51893
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Resources/Private/Templates/ToolbarItems/ClearCacheToolbarItemDropDown.html
typo3/sysext/fluid_styled_content/Resources/Private/Templates/Uploads.html
typo3/sysext/install/Resources/Private/Partials/Action/Tool/ImportantActions/SystemInformation.html

index 8601fdf..4af3caa 100644 (file)
@@ -11,7 +11,7 @@
                 </div>
                 <div class="dropdown-table-column dropdown-table-column-top dropdown-table-text">
                     {cacheAction.title}
-                    <br><small class="text-muted">{f:if(condition: cacheAction.description,then: cacheAction.description,else: cacheAction.title)} </small>
+                    <br><small class="text-muted">{f:if(condition: cacheAction.description,then: cacheAction.description,else: cacheAction.title) -> f:format.htmlspecialchars()} </small>
                 </div>
             </f:link.typolink>
         </div>
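Review bot: the `-> f:format.htmlspecialchars()` chain on the changed `<small>` line is the right fix for the inline form, but the argument spacing `cacheAction.description,then: cacheAction.description,else:` is inconsistent with the other two files in this change (which put a space after each comma); consider normalising it while the line is being touched. The plain `{cacheAction.title}` output two lines above already goes through Fluid's default output escaping, so after this change both the description and the title fallback reach the browser encoded.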
index bf2b769..3d52c6c 100644 (file)
@@ -23,7 +23,7 @@
                                        </f:if>
                                        <div>
                                                <a href="{file.publicUrl}" {f:if(condition:data.target,then: ' target="{data.target}"')}>
-                                                       <span class="ce-uploads-fileName">{f:if(condition: file.properties.title, then: file.properties.title, else: file.name)}</span>
+                                                       <span class="ce-uploads-fileName">{f:if(condition: file.properties.title, then: file.properties.title, else: file.name) -> f:format.htmlspecialchars()}</span>
                                                </a>
                                                <f:if condition="{file.properties.description}">
                                                        <f:if condition="{data.uploads_description}">
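Review bot: the unchanged `{f:if(condition:data.target,then: ' target="{data.target}"')}` in the context line above the changed `<span>` is left as-is; that is consistent with the commit message's regex, which deliberately excludes then/else values that start with a quote, but a sentence in the commit message saying that quoted arguments are out of scope would make the audit easier to repeat on third-party templates. As in the first file, the whole if-result is passed through `f:format.htmlspecialchars()`, so `file.properties.title` and `file.name` are encoded the same way regardless of which branch is taken.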
index d7e3de2..1743821 100644 (file)
@@ -35,7 +35,7 @@
                                                <f:else>
                                                        <li>
                                                                <strong>Socket:</strong>
-                                                               {f:if(condition:connection.socket, then:connection.socket, else:'<em>PHP default</em>')}
+                                                               {f:if(condition:connection.socket, then: '{connection.socket}', else:'<em>PHP default</em>')}
                                                        </li>
                                                </f:else>
                                        </f:if>
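Review bot: this hunk uses a different technique from the other two files, wrapping the variable as the quoted string `'{connection.socket}'` instead of chaining `-> f:format.htmlspecialchars()`, and the reason is visible but undocumented: the else branch carries intentional markup (`<em>PHP default</em>`) that must stay raw, so only the variable branch can be escaped. Please state that in the commit message, and consider a template comment next to the line so a later cleanup does not "normalise" it back to the unquoted `then:connection.socket` form. The spacing `then: '{connection.socket}', else:'<em>` is also inconsistent within the same line.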