From: Oliver Hader Date: Tue, 25 Jun 2019 06:41:16 +0000 (+0200) Subject: [SECURITY] Disallow javascript & data scheme in URL link handler X-Git-Tag: v10.0.0~149 X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/4c003f80b8b25def173268b8b069446c4fcc313a [SECURITY] Disallow javascript & data scheme in URL link handler URLs defined using TYPO3's internal t3://url/?url=... notation are now hardened against using `javascript:` and`data:` URL schemes. Resolves: #88476 Releases: master, 9.5, 8.7 Security-Commit: 1a873c662524a62b192661da45d27e223e517d18 Security-Bulletin: TYPO3-CORE-SA-2019-015 Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141 Tested-by: Oliver Hader Reviewed-by: Oliver Hader
---
diff --git a/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php b/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
index 8a3ee7b79813..aa9e05cbc112 100644
--- a/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
+++ b/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
@@ -51,9 +51,12 @@ class UrlLinkHandler implements LinkHandlingInterface
 protected function addHttpSchemeAsFallback(string $url): string
 {
 if (!empty($url)) {
- $urlParts = parse_url($url);
- if (empty($urlParts['scheme'])) {
+ $scheme = parse_url($url, PHP_URL_SCHEME);
+ if (empty($scheme)) {
 $url = 'http://' . $url;
+ } elseif (in_array(strtolower($scheme), ['javascript', 'data'], true)) {
+ // deny using insecure scheme's like `javascript:` or `data:` as URL scheme
+ $url = '';
 }
 }
 return $url;
diff --git a/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php b/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
index 4e8175ca2c25..36ffa35eebc0 100644
--- a/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
+++ b/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
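Review bot: The new `elseif` branch in addHttpSchemeAsFallback is a deny-list of exactly two schemes, so every scheme not named there still passes through unchanged; an allow-list of the schemes this handler is meant to emit fails closed instead, e.g. `} elseif (!in_array(strtolower($scheme), ['http', 'https', 'sftp', 'tel'], true)) {` with the list extended to whatever the project actually supports — and if that is judged too strict for the 9.5/8.7 backports, the deny-list should at least live in a class constant so it is maintained in one place. A denied URL is silently collapsed to `''`; if a logger is reachable here, recording the rejected scheme would make abuse attempts visible to operations rather than just producing an empty link. The added comment has a typo, `scheme's` should read `schemes`, and the same wording is introduced in the ContentObjectRenderer hunk. The method's closing brace lies outside the hunk.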
@@ -90,7 +90,22 @@ class UrlLinkHandlerTest extends UnitTestCase
 'url' => 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
 ],
 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
- ]
+ ],
+ 'tel URL' => [
+ ['url' => 'tel:+1-2345-6789'],
+ ['url' => 'tel:+1-2345-6789'],
+ 'tel:+1-2345-6789'
+ ],
+ 'javascript URL (denied)' => [
+ ['url' => 'javascript:alert(\'XSS\')'],
+ ['url' => ''],
+ ''
+ ],
+ 'data URL (denied)' => [
+ ['url' => 'data:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'],
+ ['url' => ''],
+ ''
+ ],
 ];
 }
diff --git a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
index 1c843eef2382..32eea01e0303 100644
--- a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
+++ b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
@@ -4939,7 +4939,7 @@ class ContentObjectRenderer implements LoggerAwareInterface
 return $linkText;
 }
 } elseif (in_array(strtolower(trim($linkHandlerKeyword)), ['javascript', 'data'], true)) {
- // Disallow direct javascript: or data: links
+ // Disallow insecure scheme's like javascript: or data:
 return $linkText;
 } else {
 $linkParameter = $linkParameterParts['url'];
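Review bot: None of the new denied fixtures uses a mixed-case scheme, although the handler only rejects after `strtolower`, so nothing pins that the comparison is case-insensitive; a dataset such as `'JavaScript URL (denied, mixed case)' => [['url' => 'JavaScript:alert(\'XSS\')'], ['url' => ''], ''],` would catch a later refactor that drops the lowercasing. The `'tel URL'` fixture is a worthwhile regression guard that the deny path does not swallow legitimate non-http schemes and should stay. The data provider's signature and opening lines lie outside the hunk, so whether the provider is static and yields named datasets cannot be checked here.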