From: Ernesto Baschny
Date: Thu, 22 Oct 2009 08:30:40 +0000 (+0000)
Subject: * Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)
X-Git-Tag: TYPO3_4-3-0beta2~7
X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/7470486cd6005698efbdc2d302bda68475a74a9a

* Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@6244 709f56b5-9817-0410-a4d7-c38de5d9e867
---
diff --git a/ChangeLog b/ChangeLog
index de0526719d5..8e785a0da98 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
 	* Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
 	* Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to Oliver Klee)
 	* Fixed bug #12306: XSS vulnerability in module dispatcher
+	* Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)
 2009-10-21 Sebastian Kurfuerst
diff --git a/typo3/alt_palette.php b/typo3/alt_palette.php
index a3317d16328..60a9115bf20 100644
--- a/typo3/alt_palette.php
+++ b/typo3/alt_palette.php
@@ -245,15 +245,19 @@ class SC_alt_palette {
 	function init() {
 			// Setting GPvars, etc.
-		$this->formName = t3lib_div::_GP('formName');
-		$this->GPbackref = t3lib_div::_GP('backRef');
+		$this->formName = $this->sanitizeHtmlName(t3lib_div::_GP('formName'));
+		$this->GPbackref = $this->sanitizeHtmlName(t3lib_div::_GP('backRef'));
 		$this->inData = t3lib_div::_GP('inData');
-		$this->prependFormFieldNames = t3lib_div::_GP('prependFormFieldNames');
+			// safeguards the input with whitelisting
+		if (!preg_match('/^[a-zA-Z0-9\-_\:]+$/', $this->inData)) {
+			$this->inData = '';
+		}
+		$this->prependFormFieldNames =
+			$this->sanitizeHtmlName(t3lib_div::_GP('prependFormFieldNames'));
 		$this->rec = t3lib_div::_GP('rec');
 			// Making references:
 		$this->backRef = $this->GPbackref ? $this->GPbackref : 'window.opener';
-#		$this->backRef = 'top.content.list_frame.view_frame';
 		$this->formRef = $this->backRef.'.document.'.$this->formName;
@@ -290,6 +294,24 @@ class SC_alt_palette {
 		');
 	}
+	/**
+	 * Sanitizes HTML names, IDs, frame names etc.
+	 *
+	 * @param string $input the string to sanitize
+	 *
+	 * @return string the unchanged $input if $input is considered to be harmless,
+	 *         an empty string otherwise
+	 */
+	protected function sanitizeHtmlName($input) {
+		$result = $input;
+
+		if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_\-\.]*$/', $result)) {
+			$result = '';
+		}
+
+		return $result;
+	}
+
 	/**
 	 * Main function, rendering the palette form
 	 *
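Review bot: The new whitelist check on `$this->inData` anchors with `$` but without the `D` modifier, so PCRE still accepts a value whose only extra character is a single trailing newline; the pattern inside `sanitizeHtmlName` in the next hunk has the same slack. A strict anchor removes it at no cost: `if (!preg_match('/^[a-zA-Z0-9\-_\:]+$/D', $this->inData)) {` (and `/D` on the `sanitizeHtmlName` pattern). Whether a trailing newline could matter depends on where `inData` is rendered, which is outside this hunk. `$this->rec` on the following line is still taken from `_GP` unfiltered; I cannot see from here whether it reaches markup, so that is worth confirming. The `init()` body continues past the end of the hunk.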
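Review bot: `sanitizeHtmlName` hands `$input` straight to `preg_match`, but as far as I know `t3lib_div::_GP` returns an array when the parameter is submitted with `[]` brackets; `preg_match` then raises a warning and does not return 1, so the method still ends up returning `''`, only by way of a PHP warning in the log rather than a deliberate rejection. Checking the type first makes the fail-closed behaviour explicit: `if (!is_string($result) || !preg_match('/^[a-zA-Z][a-zA-Z0-9_\-\.]*$/', $result)) {`. The `@param` docblock could then state that anything other than a plain string is treated as unsafe and yields an empty string.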