Commit 3726afad authored by Oliver Hader's avatar Oliver Hader
Browse files

Fixed bug #14712: The GET/POST variable mimeType is used to create the http...

Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-1@8407 709f56b5-9817-0410-a4d7-c38de5d9e867
parent dbdad096
......@@ -16,6 +16,7 @@
* Fixed bug #15254: Extension Manager allows to edit arbitrary files if noEdit flag is not set (thanks to Helmut Hummel)
* Fixed bug #14389: phtml is also PHP extension and should be denied editing / uploading via fileadmin (thanks to Ernesto Baschny)
* Fixed bug #1985: XSS vulnerability in wizard classes
* Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
2010-05-17 Oliver Hader <oliver@typo3.org>
......
......@@ -3913,7 +3913,9 @@ class tslib_cObj {
while(list(,$v)=each($mimeTypes)) {
$parts = explode('=',$v,2);
if (strtolower($fI['extension']) == strtolower(trim($parts[0]))) {
$mimetype = '&mimeType='.rawurlencode(trim($parts[1]));
$mimetypeValue = trim($parts[1]);
$mimetype = '&mimeType=' . rawurlencode($mimetypeValue);
break;
}
}
}
......@@ -3922,6 +3924,7 @@ class tslib_cObj {
$hArr = array(
$jumpUrl,
$locationData,
$mimetypeValue,
$GLOBALS['TSFE']->TYPO3_CONF_VARS['SYS']['encryptionKey']
);
$juHash='&juHash='.t3lib_div::shortMD5(serialize($hArr));
......
......@@ -2317,13 +2317,16 @@
function jumpUrl() {
if ($this->jumpurl) {
if (t3lib_div::_GP('juSecure')) {
$locationData = t3lib_div::_GP('locationData');
$mimeType = t3lib_div::_GP('mimeType');
$hArr = array(
$this->jumpurl,
t3lib_div::_GP('locationData'),
t3lib_div::_GP('mimeType'),
$this->TYPO3_CONF_VARS['SYS']['encryptionKey']
);
$calcJuHash=t3lib_div::shortMD5(serialize($hArr));
$locationData = t3lib_div::_GP('locationData');
$juHash = t3lib_div::_GP('juHash');
if ($juHash == $calcJuHash) {
if ($this->locDataCheck($locationData)) {
......@@ -2331,7 +2334,6 @@
// Deny access to files that match TYPO3_CONF_VARS[SYS][fileDenyPattern] and whose parent directory is typo3conf/ (there could be a backup file in typo3conf/ which does not match against the fileDenyPattern)
if (t3lib_div::verifyFilenameAgainstDenyPattern($this->jumpurl) && basename(dirname($this->jumpurl)) !== 'typo3conf') {
if (@is_file($this->jumpurl)) {
$mimeType = t3lib_div::_GP('mimeType');
$mimeType = $mimeType ? $mimeType : 'application/octet-stream';
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Content-Type: '.$mimeType);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment