Commit daa52f2c authored by Nicole Cordes's avatar Nicole Cordes Committed by Oliver Hader

[SECURITY] Fix GeneralUtility::sanitizeLocalUrl to detect foreign schemes

This patch adds a check to recognize arbitrary schemes, which
have to be skipped. Furthermore, a missing sanitization is added to
TYPO3\CMS\Backend\Controller\ContentElement\ElementInformationController

Resolves: #68825
Releases: master, 6.2
Security-Commit: de692804837ad0ddfdff194571dc8c786c717576
Security-Bulletin: TYPO3-CORE-SA-2015-009
Change-Id: Iddd54d241776a47f634c9ac2540e6a2e31801da7
Reviewed-on: http://review.typo3.org/43122

Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 86e0140b
......@@ -490,7 +490,7 @@ class ElementInformationController implements \TYPO3\CMS\Core\Http\ControllerInt
*/
protected function renderBackButton() {
$backLink = '';
$returnUrl = GeneralUtility::_GET('returnUrl');
$returnUrl = GeneralUtility::sanitizeLocalUrl(GeneralUtility::_GET('returnUrl'));
if ($returnUrl) {
$backLink .= '
<a class="btn btn-primary" href="' . htmlspecialchars($returnUrl) . '>
......
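Review bot: The new `sanitizeLocalUrl()` call on the `$returnUrl` line leaves the reader without the reason a back button may silently disappear: in the second file section the helper initialises its result to `''` and only assigns `$url` when one of its checks passes, so the following `if ($returnUrl)` drops the link for any non-local value. A one-line comment above the assignment would document that contract, e.g. `// Only URLs local to this installation are accepted; anything else becomes '' and no back button is rendered`. The `href` attribute still passes the value through `htmlspecialchars()`, which is the right escaping for that context. `renderBackButton()` continues past the end of the hunk.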
......@@ -3829,6 +3829,7 @@ Connection: close
$sanitizedUrl = '';
$decodedUrl = rawurldecode($url);
if (!empty($url) && self::removeXSS($decodedUrl) === $decodedUrl) {
$parsedUrl = parse_url($decodedUrl);
$testAbsoluteUrl = self::resolveBackPath($decodedUrl);
$testRelativeUrl = self::resolveBackPath(self::dirname(self::getIndpEnv('SCRIPT_NAME')) . '/' . $decodedUrl);
// Pass if URL is on the current host:
......@@ -3840,7 +3841,7 @@ Connection: close
$sanitizedUrl = $url;
} elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] === '/') {
$sanitizedUrl = $url;
} elseif (strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
} elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
$sanitizedUrl = $url;
}
}
......
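Review bot: In the second hunk the new `empty($parsedUrl['scheme'])` guard treats a `parse_url()` failure like a scheme-less URL: `parse_url()` returns `false` for input it cannot parse, `empty()` hides the missing offset, and the relative-URL branch then falls through to the remaining path checks alone. Rejecting the unparsable case explicitly keeps the branch fail-closed, e.g. `} elseif (is_array($parsedUrl) && empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {`. The absolute branch two lines above does not consult `$parsedUrl`; because it requires `$decodedUrl[0] === '/'` no scheme can be present there, but whether a protocol-relative `//host/...` value is stopped depends on the host check above the hunk and on the `TYPO3_SITE_PATH` value, neither of which is visible here. The function's opening and its return statement lie outside both hunks.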