From 08235fd9d6d85fe98600c8a07dfe18ea997ec86b Mon Sep 17 00:00:00 2001
From: Oliver Hader
Date: Wed, 28 Jul 2010 09:14:36 +0000
Subject: [PATCH] Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@8411 709f56b5-9817-0410-a4d7-c38de5d9e867
---
 ChangeLog | 1 +
 typo3/sysext/cms/tslib/class.tslib_content.php | 5 ++++-
 typo3/sysext/cms/tslib/class.tslib_fe.php | 6 ++++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fa35abbab480..3b287e5a2414 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,7 @@
 * Follow-up to bug #14389: Added unit test
 * Fixed bug #1985: XSS vulnerability in wizard classes
 * Fixed bug #15223: Password request hash in felogin is created with not enough randomness (thanks to Helmut Hummel)
+ * Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
 2010-07-27 Steffen Kamper
diff --git a/typo3/sysext/cms/tslib/class.tslib_content.php b/typo3/sysext/cms/tslib/class.tslib_content.php
index c74be97f5d3d..b352759d2788 100644
--- a/typo3/sysext/cms/tslib/class.tslib_content.php
+++ b/typo3/sysext/cms/tslib/class.tslib_content.php
@@ -4707,7 +4707,9 @@ class tslib_cObj {
 foreach ($mimeTypes as $v) {
 $parts = explode('=',$v,2);
 if (strtolower($fI['extension']) == strtolower(trim($parts[0]))) {
- $mimetype = '&mimeType='.rawurlencode(trim($parts[1]));
+ $mimetypeValue = trim($parts[1]);
+ $mimetype = '&mimeType=' . rawurlencode($mimetypeValue);
+ break;
 }
 }
 }
@@ -4716,6 +4718,7 @@ class tslib_cObj {
 $hArr = array(
 $jumpUrl,
 $locationData,
+ $mimetypeValue,
 $GLOBALS['TSFE']->TYPO3_CONF_VARS['SYS']['encryptionKey']
 );
 $juHash='&juHash='.t3lib_div::shortMD5(serialize($hArr));
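Review bot: `$mimetypeValue` is assigned only inside the matching branch of the loop in the `@@ -4707,7 +4707,9 @@` hunk of class.tslib_content.php, yet the `@@ -4716,6 +4718,7 @@` hunk always puts it into `$hArr`. When no configured extension matches, the hash is built from an unset variable (NULL plus a notice), and it only validates if the receiving side also reads an absent `mimeType` parameter as NULL, which cannot be confirmed from this file. Initialise it before the loop, e.g. `$mimetypeValue = '';`, and apply the same normalisation in `jumpUrl()`, e.g. `$mimeType = (string) t3lib_div::_GP('mimeType');`, so both sides serialize the same type. The added `break;` also makes the first matching entry win instead of the last, which deserves a short comment. The enclosing method starts and ends outside both hunks.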
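Review bot: The Content-Type value is now exactly as trustworthy as `juHash`, and the `@@ -4716,6 +4718,7 @@` hunk of class.tslib_content.php still derives it with `t3lib_div::shortMD5(serialize($hArr))`, the encryption key being just the last array element. That is a shortened MD5 over data followed by the secret rather than a keyed MAC; how many characters `shortMD5` keeps is not visible here, so the effective tag length should be confirmed. If the code base offers an HMAC helper, a comment such as `// TODO: replace shortMD5(serialize(...)) with a keyed HMAC in generator and verifier together` would record the follow-up. Generator and `jumpUrl()` must change in the same release, because links that were already issued stop validating.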
diff --git a/typo3/sysext/cms/tslib/class.tslib_fe.php b/typo3/sysext/cms/tslib/class.tslib_fe.php
index 86513ae73b6a..41b5d3b6793c 100644
--- a/typo3/sysext/cms/tslib/class.tslib_fe.php
+++ b/typo3/sysext/cms/tslib/class.tslib_fe.php
@@ -2629,13 +2629,16 @@
 function jumpUrl() {
 if ($this->jumpurl) {
 if (t3lib_div::_GP('juSecure')) {
+ $locationData = t3lib_div::_GP('locationData');
+ $mimeType = t3lib_div::_GP('mimeType');
+
 $hArr = array(
 $this->jumpurl,
 t3lib_div::_GP('locationData'),
+ t3lib_div::_GP('mimeType'),
 $this->TYPO3_CONF_VARS['SYS']['encryptionKey']
 );
 $calcJuHash=t3lib_div::shortMD5(serialize($hArr));
- $locationData = t3lib_div::_GP('locationData');
 $juHash = t3lib_div::_GP('juHash');
 if ($juHash == $calcJuHash) {
 if ($this->locDataCheck($locationData)) {
@@ -2643,7 +2646,6 @@
 // Deny access to files that match TYPO3_CONF_VARS[SYS][fileDenyPattern] and whose parent directory is typo3conf/ (there could be a backup file in typo3conf/ which does not match against the fileDenyPattern)
 if (t3lib_div::verifyFilenameAgainstDenyPattern($this->jumpurl) && basename(dirname($this->jumpurl)) !== 'typo3conf') {
 if (@is_file($this->jumpurl)) {
- $mimeType = t3lib_div::_GP('mimeType');
 $mimeType = $mimeType ? $mimeType : 'application/octet-stream';
 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
 header('Content-Type: '.$mimeType);
-- 
2.20.1
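Review bot: The hash check below the additions in the `@@ -2629,13 +2629,16 @@` hunk of class.tslib_fe.php still uses loose `==` on two hex strings, which PHP may compare as numbers rather than character by character. Since the Content-Type header now depends on this check, it should read `if ($juHash === $calcJuHash) {`. The new locals are also not used where they matter: `$hArr` re-reads `t3lib_div::_GP('locationData')` and `t3lib_div::_GP('mimeType')` instead of taking `$locationData,` and `$mimeType,`, so the hashed value and the value later sent in the header come from separate reads. `jumpUrl()` continues past the end of the hunk.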