From: Ernesto Baschny <ernst@cron-it.de>
Date: Thu, 22 Oct 2009 08:30:40 +0000 (+0000)
Subject: * Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)
X-Git-Tag: TYPO3_4-3-0beta2~7
X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/7470486cd6005698efbdc2d302bda68475a74a9a

* Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@6244 709f56b5-9817-0410-a4d7-c38de5d9e867
---

diff --git a/ChangeLog b/ChangeLog
index de0526719d5..8e785a0da98 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
 	* Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
 	* Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to Oliver Klee)
 	* Fixed bug #12306: XSS vulnerability in module dispatcher
+	* Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)
 
 2009-10-21  Sebastian Kurfuerst  <sebastian@typo3.org>
 
diff --git a/typo3/alt_palette.php b/typo3/alt_palette.php
index a3317d16328..60a9115bf20 100644
--- a/typo3/alt_palette.php
+++ b/typo3/alt_palette.php
@@ -245,15 +245,19 @@ class SC_alt_palette {
 	function init()	{
 
 			// Setting GPvars, etc.
-		$this->formName = t3lib_div::_GP('formName');
-		$this->GPbackref = t3lib_div::_GP('backRef');
+		$this->formName = $this->sanitizeHtmlName(t3lib_div::_GP('formName'));
+		$this->GPbackref = $this->sanitizeHtmlName(t3lib_div::_GP('backRef'));
 		$this->inData = t3lib_div::_GP('inData');
-		$this->prependFormFieldNames = t3lib_div::_GP('prependFormFieldNames');
+			// safeguards the input with whitelisting
+		if (!preg_match('/^[a-zA-Z0-9\-_\:]+$/', $this->inData)) {
+			$this->inData = '';
+		}
+		$this->prependFormFieldNames =
+			$this->sanitizeHtmlName(t3lib_div::_GP('prependFormFieldNames'));
 		$this->rec = t3lib_div::_GP('rec');
 
 			// Making references:
 		$this->backRef = $this->GPbackref ? $this->GPbackref : 'window.opener';
-#		$this->backRef = 'top.content.list_frame.view_frame';
 
 		$this->formRef = $this->backRef.'.document.'.$this->formName;
 
@@ -290,6 +294,24 @@ class SC_alt_palette {
 		');
 	}
 
+	/**
+	 * Sanitizes HTML names, IDs, frame names etc.
+	 *
+	 * @param string $input the string to sanitize
+	 *
+	 * @return string the unchanged $input if $input is considered to be harmless,
+	 *                an empty string otherwise
+	 */
+	protected function sanitizeHtmlName($input) {
+		$result = $input;
+
+		if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_\-\.]*$/', $result)) {
+			$result = '';
+		}
+
+		return $result;
+	}
+
 	/**
 	 * Main function, rendering the palette form
 	 *