A specially crafted request could lead to anchors prefixed with URLs to domains controlled by the attacker on the domain root page (home page). No other pages are affected!

Fix this by prefixing the anchors with a canonical URL to the current request. This could lead to the situation that the prefix does not match the current REQUEST_URI, which leads to a page reload instead of just "jumping" to the page section.

Additionally, this change assures that REQUEST_URI always starts with a slash, which mitigates similar attack vectors when using getIndpEnv('REQUEST_URI').

To mitigate the impact of this breaking change, the REQUEST_URI is used for the anchor prefix if a backend user is logged in, to not disturb the preview functionality of the home page.

In case prefixLocalAnchors is used in the HTML parser configuration with prefixLocalAnchors = 2, the canonical URL is always used as prefix.

This change does *not* fix that arbitrary (non-functional) GET parameters will be included in the generated prefix URL. To fix this, it is recommended to use absRefPrefix instead of baseUrl and prefixLocalAnchors.

Resolves: #62723
Releases: 4.5, 6.2, master
Security-Commit: 16003fd71982a9da3fde04c7cc298425d8b539dc
Security-Bulletin: TYPO3-CORE-SA-2014-003
Change-Id: I120f7a0fa32e48644c88d54d65863a6ac96acf4c
Reviewed-on: http://review.typo3.org/35222
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
63ae7ddd
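
The two measures the commit message describes (a REQUEST_URI that always starts with a slash, and the canonical URL as anchor prefix unless a backend user is logged in), as an added PHP example that is not TYPO3 core code. The function names, the `$canonicalUrl` parameter and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not TYPO3 core code. Requires PHP 7.4+.

/**
 * Reduce a raw request target to a path on the current host that
 * always starts with exactly one slash.
 */
function normalizeRequestUri(string $raw): string
{
    // Absolute-form targets ("http://host/path") keep only path and query.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://[^/?\#]*(.*)$#i', $raw, $m)) {
        $raw = $m[1];
    }
    // Exactly one leading slash, whatever the client sent.
    return '/' . ltrim($raw, '/');
}

/**
 * Prefix local anchors (href="#...") in $html. The prefix is the canonical
 * URL the site generated for the page; only for a logged-in backend user
 * (page preview) is the normalized request URI used instead.
 */
function prefixLocalAnchors(
    string $html,
    string $canonicalUrl,
    string $rawRequestUri,
    bool $backendUserLoggedIn
): string {
    $prefix = $backendUserLoggedIn ? normalizeRequestUri($rawRequestUri) : $canonicalUrl;
    $prefix = htmlspecialchars($prefix, ENT_QUOTES, 'UTF-8');
    // A callback avoids "$1"-style backreference expansion inside the prefix.
    return preg_replace_callback(
        '/(<a\b[^>]*\shref=")(#[^"]*")/i',
        static fn(array $m): string => $m[1] . $prefix . $m[2],
        $html
    );
}

// Constructed sample inputs.
$html = '<a href="#section2">Jump</a>';
$canonical = '/'; // hypothetical canonical URL of the home page
foreach (['/news?page=2', 'index.php?id=1', 'http://www.example.org/news'] as $raw) {
    printf("%-30s => %s\n", $raw, normalizeRequestUri($raw));
}
// Frontend visitor: the request URI is ignored, the canonical URL is used.
echo prefixLocalAnchors($html, $canonical, 'index.php?id=1', false), "\n";
// Backend preview: the normalized request URI (query string included) is used.
echo prefixLocalAnchors($html, $canonical, 'index.php?id=1', true), "\n";
```

As the commit message notes for the real change, the preview branch still carries whatever GET parameters the request contained into the prefix.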