[SECURITY] Fix GeneralUtility::sanitizeLocalUrl to detect foreign schemes 21/43121/2
authorNicole Cordes <typo3@cordes.co>
Tue, 8 Sep 2015 08:57:47 +0000 (10:57 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 8 Sep 2015 08:57:58 +0000 (10:57 +0200)
This patch adds a check that recognizes URLs carrying an arbitrary scheme
(for example data:) so that they are rejected instead of being accepted as relative URLs.

Resolves: #68825
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-009
Change-Id: I9f98c5730f255f9cb391f0d716457b56e5c3c3a3
Reviewed-on: http://review.typo3.org/43121
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php

index 0e3e136..6c19220 100755 (executable)
@@ -3922,6 +3922,7 @@ Connection: close
                $sanitizedUrl = '';
                $decodedUrl = rawurldecode($url);
                if (!empty($url) && self::removeXSS($decodedUrl) === $decodedUrl) {
+                       $parsedUrl = parse_url($decodedUrl);
                        $testAbsoluteUrl = self::resolveBackPath($decodedUrl);
                        $testRelativeUrl = self::resolveBackPath(self::dirname(self::getIndpEnv('SCRIPT_NAME')) . '/' . $decodedUrl);
                        // Pass if URL is on the current host:
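Review bot: The new `$parsedUrl = parse_url($decodedUrl);` never checks for failure, and `parse_url()` returns `false` for seriously malformed input; the later `$parsedUrl['scheme']` lookup on `false` yields null, so an unparseable URL is treated as scheme-less and may still reach the accepting branches below. For a reject-by-default sanitizer a parse failure should fail closed, e.g. `$parsedUrl = parse_url($decodedUrl); if (!is_array($parsedUrl)) { $parsedUrl = array('scheme' => 'unparseable'); }`, so every branch that consults the scheme rejects it. The enclosing sanitizeLocalUrl method starts above this hunk and its return is below it.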
@@ -3933,7 +3934,7 @@ Connection: close
                                $sanitizedUrl = $url;
                        } elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] === '/') {
                                $sanitizedUrl = $url;
-                       } elseif (strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
+                       } elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
                                $sanitizedUrl = $url;
                        }
                }
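Review bot: The `empty($parsedUrl['scheme'])` guard is added only to the relative-path branch; the absolute-path branch two lines above still accepts any decoded URL whose first character is `/` and whose resolved form starts with TYPO3_SITE_PATH, so a protocol-relative `//evil.example/` presumably passes when the site path is `/`, unless resolveBackPath collapses the leading double slash — worth confirming with a test rather than assuming. `parse_url('//evil.example/')` yields a host but no scheme, so a foreign-target check should look at both parts and apply to every path branch: `$isForeign = !empty($parsedUrl['scheme']) || !empty($parsedUrl['host']);` computed right after parse_url, then `!$isForeign &&` prepended to the conditions of both the absolute and relative branches. A short comment on the check would also help the next reader, e.g. `// Any explicit scheme or host means the URL is not local, regardless of how its path resolves`. The first "on the current host" branch and the method's return statement are outside the hunk.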
index ad2cdb2..cd829dd 100644 (file)
@@ -2117,7 +2117,8 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
                        'empty string' => array(''),
                        'http domain' => array('http://www.google.de/'),
                        'https domain' => array('https://www.google.de/'),
-                       'relative path with XSS' => array('../typo3/whatever.php?argument=javascript:alert(0)')
+                       'relative path with XSS' => array('../typo3/whatever.php?argument=javascript:alert(0)'),
+                       'base64 encoded string' => array('data:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4='),
                );
        }
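Review bot: The only new invalid data set is a `data:` URL, while the guard being tested (`empty($parsedUrl['scheme'])`) is generic, so the provider should also pin the obvious siblings, e.g. `'javascript scheme' => array('javascript:alert(0)'),` and `'protocol relative url' => array('//www.google.de/'),`; if the latter currently passes sanitizeLocalUrl, that is itself a finding about the absolute-path branch rather than a reason to drop the case. The data set name `'base64 encoded string'` describes the payload, not what is being rejected — `'data url with encoded space'` says why it belongs in the invalid provider. The enclosing data-provider method begins above this hunk.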