From: Oliver Hader <oliver@typo3.org>
Date: Tue, 25 Jun 2019 06:41:16 +0000 (+0200)
Subject: [SECURITY] Disallow javascript & data scheme in URL link handler
X-Git-Tag: v10.0.0~149
X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/4c003f80b8b25def173268b8b069446c4fcc313a

[SECURITY] Disallow javascript & data scheme in URL link handler

URLs defined using TYPO3's internal t3://url/?url=... notation are
now hardened against using `javascript:` and`data:` URL schemes.

Resolves: #88476
Releases: master, 9.5, 8.7
Security-Commit: 1a873c662524a62b192661da45d27e223e517d18
Security-Bulletin: TYPO3-CORE-SA-2019-015
Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---

diff --git a/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php b/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
index 8a3ee7b79813..aa9e05cbc112 100644
--- a/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
+++ b/typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
@@ -51,9 +51,12 @@ class UrlLinkHandler implements LinkHandlingInterface
     protected function addHttpSchemeAsFallback(string $url): string
     {
         if (!empty($url)) {
-            $urlParts = parse_url($url);
-            if (empty($urlParts['scheme'])) {
+            $scheme = parse_url($url, PHP_URL_SCHEME);
+            if (empty($scheme)) {
                 $url = 'http://' . $url;
+            } elseif (in_array(strtolower($scheme), ['javascript', 'data'], true)) {
+                // deny using insecure scheme's like `javascript:` or `data:` as URL scheme
+                $url = '';
             }
         }
         return $url;
diff --git a/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php b/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
index 4e8175ca2c25..36ffa35eebc0 100644
--- a/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
+++ b/typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
@@ -90,7 +90,22 @@ class UrlLinkHandlerTest extends UnitTestCase
                     'url' => 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
                 ],
                 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
-            ]
+            ],
+            'tel URL' => [
+                ['url' => 'tel:+1-2345-6789'],
+                ['url' => 'tel:+1-2345-6789'],
+                'tel:+1-2345-6789'
+            ],
+            'javascript URL (denied)' => [
+                ['url' => 'javascript:alert(\'XSS\')'],
+                ['url' => ''],
+                ''
+            ],
+            'data URL (denied)' => [
+                ['url' => 'data:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'],
+                ['url' => ''],
+                ''
+            ],
         ];
     }
 
diff --git a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
index 1c843eef2382..32eea01e0303 100644
--- a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
+++ b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
@@ -4939,7 +4939,7 @@ class ContentObjectRenderer implements LoggerAwareInterface
                 return $linkText;
             }
         } elseif (in_array(strtolower(trim($linkHandlerKeyword)), ['javascript', 'data'], true)) {
-            // Disallow direct javascript: or data: links
+            // Disallow insecure scheme's like javascript: or data:
             return $linkText;
         } else {
             $linkParameter = $linkParameterParts['url'];