Commit 6f17455d authored by Torben Hansen's avatar Torben Hansen Committed by Oliver Hader

[SECURITY] Prevent urls starting with // to be used for redirects

A missing check in GeneralUtility::sanitizeLocalUrl() caused a URL starting with
`//` (a scheme-relative URL, which may point to any host) to be treated as a local URL.

This change ensures, that urls starting with `//` are not considered
local. Corresponding unit tests are fixed and extended, since they
need a full environment to process correctly.

Resolves: #92891
Releases: master, 11.1, 10.4, 9.5
Change-Id: I41eb16776742b3e0d2cffd064dd0408e4faa7c78
Security-Bulletin: TYPO3-CORE-SA-2021-001
Security-References: CVE-2021-21338
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68434


Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent de401b43
......@@ -2902,7 +2902,9 @@ class GeneralUtility
}
} elseif (self::isAbsPath($decodedUrl) && self::isAllowedAbsPath($decodedUrl)) {
$sanitizedUrl = $url;
} elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] === '/') {
} elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] === '/' &&
substr($decodedUrl, 0, 2) !== '//'
) {
$sanitizedUrl = $url;
} elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0
&& $decodedUrl[0] !== '/' && strpbrk($decodedUrl, '*:|"<>') === false && strpos($decodedUrl, '\\\\') === false
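Review bot: The added guard rejects only a literal `//` prefix, so a decoded path such as `/\evil.example` still satisfies `$decodedUrl[0] === '/'` and `substr($decodedUrl, 0, 2) !== '//'`, and WHATWG-conformant browsers treat a backslash after the leading slash as a second slash, i.e. a scheme-relative redirect to another host. Whether the `strpos($testAbsoluteUrl, ...TYPO3_SITE_PATH) === 0` prefix check stops that case depends on how `$testAbsoluteUrl` is derived earlier in sanitizeLocalUrl(), which is outside this hunk; the sibling relative-path branch directly below explicitly rejects `\\`, so this branch should be at least as strict. I would replace the new condition with `&& !in_array(substr($decodedUrl, 1, 1), ['/', '\\'], true)`, which keeps the one-character input `/` safe and covers both separators. The enclosing function begins and ends outside the hunk.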
......@@ -1976,6 +1976,7 @@ class GeneralUtilityTest extends UnitTestCase
'empty string' => [''],
'http domain' => ['http://www.google.de/'],
'https domain' => ['https://www.google.de/'],
'domain without schema' => ['//www.google.de/'],
'XSS attempt' => ['" onmouseover="alert(123)"'],
'invalid URL, UNC path' => ['\\\\foo\\bar\\'],
'invalid URL, HTML break out attempt' => ['" >blabuubb'],
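Review bot: The new `'domain without schema'` case pins only the `//` form; the provider should also carry the backslash variant that browsers normalise to the same scheme-relative URL, e.g. `'domain without schema, backslash' => ['/\\www.google.de/'],` placed right after the new entry. Without it the suite cannot tell whether the `substr(..., 0, 2) !== '//'` check in GeneralUtility is sufficient or merely blocks the one spelling from the report. The provider method itself starts and ends outside this hunk.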
......@@ -1984,11 +1985,48 @@ class GeneralUtilityTest extends UnitTestCase
}
/**
* @param string $url
* @test
* @dataProvider sanitizeLocalUrlInvalidDataProvider
*/
public function sanitizeLocalUrlDeniesPlainInvalidUrls($url)
public function sanitizeLocalUrlDeniesPlainInvalidUrlsInBackendContext(string $url): void
{
Environment::initialize(
Environment::getContext(),
true,
false,
Environment::getProjectPath(),
Environment::getPublicPath(),
Environment::getVarPath(),
Environment::getConfigPath(),
Environment::getBackendPath() . '/index.php',
Environment::isWindows() ? 'WINDOWS' : 'UNIX'
);
$_SERVER['HTTP_HOST'] = 'localhost';
$_SERVER['SCRIPT_NAME'] = 'typo3/index.php';
self::assertEquals('', GeneralUtility::sanitizeLocalUrl($url));
}
/**
* @param string $url
* @test
* @dataProvider sanitizeLocalUrlInvalidDataProvider
*/
public function sanitizeLocalUrlDeniesPlainInvalidUrlsInFrontendContext(string $url): void
{
Environment::initialize(
Environment::getContext(),
true,
false,
Environment::getProjectPath(),
Environment::getPublicPath(),
Environment::getVarPath(),
Environment::getConfigPath(),
Environment::getPublicPath() . '/index.php',
Environment::isWindows() ? 'WINDOWS' : 'UNIX'
);
$_SERVER['HTTP_HOST'] = 'localhost';
$_SERVER['SCRIPT_NAME'] = 'index.php';
self::assertEquals('', GeneralUtility::sanitizeLocalUrl($url));
}