Commit 45d7eef0 authored by Oliver Hader's avatar Oliver Hader

Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg...

Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer and Marcus Krause)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-1@8426 709f56b5-9817-0410-a4d7-c38de5d9e867
parent 5eb60976
......@@ -19,6 +19,7 @@
* Fixed bug #14712: The GET/POST variable mimeType is used to create the http header content-type without verification (thanks to Rupert Germann)
* Fixed bug #14412: Field value added to foreign_table_where by replacing ###REC_FIELD_THE_FIELD_NAME### is not quoted (thanks to Helmut Hummel and Xavier Perseguers)
* Fixed bug #14114: Core mailform is open to spam abuse (thanks to Lars Houmark)
* Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer and Marcus Krause)
2010-05-17 Oliver Hader <oliver@typo3.org>
......
......@@ -189,7 +189,7 @@ class SC_alt_doc {
$this->defVals = t3lib_div::_GP('defVals');
$this->overrideVals = t3lib_div::_GP('overrideVals');
$this->columnsOnly = t3lib_div::_GP('columnsOnly');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$this->closeDoc = t3lib_div::_GP('closeDoc');
$this->doSave = t3lib_div::_GP('doSave');
$this->returnEditConf = t3lib_div::_GP('returnEditConf');
......@@ -1223,7 +1223,7 @@ class SC_alt_doc {
if (is_array($localizedRecord)) {
// Create parameters and finally run the classic page module for creating a new page translation
$params = '&edit['.$table.']['.$localizedRecord['uid'].']=edit';
$returnUrl = '&returnUrl='.rawurlencode(t3lib_div::_GP('returnUrl'));
$returnUrl = '&returnUrl='.rawurlencode(t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl')));
$location = $GLOBALS['BACK_PATH'].'alt_doc.php?'.$params.$returnUrl;
header('Location: '.t3lib_div::locationHeaderUrl($location));
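Review bot: The second hunk re-reads and re-sanitizes `returnUrl` from GET/POST inline, although the first hunk already stores the sanitized value in `$this->returnUrl` during initialisation; if that property is still unchanged when this localisation branch runs, `$returnUrl = '&returnUrl='.rawurlencode($this->returnUrl);` keeps a single point of sanitisation and avoids the two call sites drifting apart. When the sanitizer rejects the value, the parameter is still appended as an empty `&returnUrl=`, which looks harmless but is worth a short comment so nobody later "fixes" it into a raw pass-through. Both enclosing methods start outside the hunks.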
......
......@@ -65,7 +65,7 @@ class recordHistory {
function recordHistory() {
// GPvars:
$this->element = t3lib_div::_GP('element');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$this->lastSyslogId = t3lib_div::_GP('diff');
$this->rollbackFields = t3lib_div::_GP('rollbackFields');
// resolve sh_uid if set
......
......@@ -137,7 +137,7 @@ class SC_db_list {
$this->search_field = t3lib_div::_GP('search_field');
$this->search_levels = t3lib_div::_GP('search_levels');
$this->showLimit = t3lib_div::_GP('showLimit');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$this->clear_cache = t3lib_div::_GP('clear_cache');
$this->cmd = t3lib_div::_GP('cmd');
......
......@@ -168,7 +168,7 @@ class SC_db_new {
}
// Setting GPvars:
$this->id = intval(t3lib_div::_GP('id')); // The page id to operate from
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$this->pagesOnly = t3lib_div::_GP('pagesOnly');
// Create instance of template class for output
......
......@@ -95,7 +95,7 @@ class SC_file_edit {
// Setting target, which must be a file reference to a file within the mounts.
$this->target = $this->origTarget = t3lib_div::_GP('target');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
// Creating file management object:
$this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
......
......@@ -104,7 +104,7 @@ class SC_file_newfolder {
// Initialize GPvars:
$this->number = t3lib_div::_GP('number');
$this->target = t3lib_div::_GP('target');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
// Init basic-file-functions object:
$this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
......
......@@ -98,7 +98,7 @@ class SC_file_rename {
// Initialize GPvars:
$this->target = t3lib_div::_GP('target');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
// Init basic-file-functions object:
$this->basicff = t3lib_div::makeInstance('t3lib_basicFileFunctions');
......
......@@ -106,7 +106,7 @@ class SC_file_upload {
// Initialize GPvars:
$this->number = t3lib_div::_GP('number');
$this->target = t3lib_div::_GP('target');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
if (empty($this->number)) {
$defaultFileUploads = $GLOBALS['BE_USER']->getTSConfigVal('options.defaultFileUploads');
......
......@@ -121,7 +121,7 @@ class SC_index {
global $BE_USER,$TYPO3_CONF_VARS;
// GPvars:
$this->redirect_url = t3lib_div::_GP('redirect_url');
$this->redirect_url = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('redirect_url'));
$this->GPinterface = t3lib_div::_GP('interface');
if(t3lib_div::getIndpEnv('TYPO3_SSL')) { // For security reasons this feature only works if SSL is used
......
......@@ -72,7 +72,10 @@ class SC_logout {
$BE_USER->writelog(255,2,0,1,'User %s logged out from TYPO3 Backend',Array($BE_USER->user['username'])); // Logout written to log
$BE_USER->logoff();
header('Location: '.t3lib_div::locationHeaderUrl(t3lib_div::_GP('redirect')?t3lib_div::_GP('redirect'):'index.php'));
$redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
$redirectUrl = $redirect ? $redirect : 'index.php';
header('Location: '.t3lib_div::locationHeaderUrl($redirectUrl));
}
}
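Review bot: This hunk uses `t3lib_div::sanitizeLocalUrl` for the post-logout redirect while the other modules in this commit (e.g. SC_index for `redirect_url`) use `t3lib_div::sanitizeBackEndUrl`; neither helper's definition is part of the shown diff, so if sanitizeLocalUrl is the broader check, a comment stating why logout deliberately accepts any site-local target would stop a later consistency change from tightening it by accident, e.g. `// Logout may return to the frontend, so only a site-local URL is required here`. The same choice is made in SC_tce_db for `$this->redirect` and would benefit from the same comment. The enclosing function starts outside the hunk.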
......
......@@ -2132,7 +2132,7 @@ EXTENSION KEYS:
function requestInstallExtensions($extList) {
// Return URL:
$returnUrl = t3lib_div::_GP('returnUrl');
$returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$installOrImportExtension = t3lib_div::_POST('installOrImportExtension');
// Extension List:
......
......@@ -255,7 +255,7 @@ class SC_move_el {
$this->sys_language = intval(t3lib_div::_GP('sys_language'));
$this->page_id=intval(t3lib_div::_GP('uid'));
$this->table=t3lib_div::_GP('table');
$this->R_URI=t3lib_div::_GP('returnUrl');
$this->R_URI = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$this->input_moveUid = t3lib_div::_GP('moveUid');
$this->moveUid = $this->input_moveUid ? $this->input_moveUid : $this->page_id;
$this->makeCopy = t3lib_div::_GP('makeCopy');
......
......@@ -226,7 +226,8 @@ class SC_show_item {
global $LANG;
if ($this->access) {
$returnLinkTag = t3lib_div::_GP('returnUrl') ? '<a href="'.t3lib_div::_GP('returnUrl').'" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';
$returnLink = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$returnLinkTag = $returnLink ? '<a href="' . $returnLink . '" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';
// render type by user func
$typeRendered = false;
......@@ -257,7 +258,7 @@ class SC_show_item {
}
// If return Url is set, output link to go back:
if (t3lib_div::_GP('returnUrl')) {
if ($returnLink) {
$this->content = $this->doc->section('',$returnLinkTag.'<strong>'.$LANG->sL('LLL:EXT:lang/locallang_core.xml:labels.goBack',1).'</strong></a><br /><br />').$this->content;
$this->content .= $this->doc->section('','<br />'.$returnLinkTag.'<strong>'.$LANG->sL('LLL:EXT:lang/locallang_core.xml:labels.goBack',1).'</strong></a>');
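Review bot: `$returnLinkTag` embeds `$returnLink` in the `href` attribute without HTML escaping, whereas the equivalent new line in tx_version_cm1 wraps the sanitized URL in `htmlspecialchars()`; sanitizeBackEndUrl presumably restricts the target to a local URL, but its definition is not shown and a local URL can still contain `"` or `&`, so the attribute should be escaped as well: `$returnLinkTag = $returnLink ? '<a href="' . htmlspecialchars($returnLink) . '" class="typo3-goBack">' : '<a href="#" onclick="window.close();">';`. The second hunk's `if ($returnLink)` relies on the variable assigned under `if ($this->access)` in the first hunk; if the two are not in the same branch, the check would read an undefined variable, which is worth confirming. The enclosing method starts outside the hunks.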
......
......@@ -247,7 +247,7 @@ class SC_db_layout {
$this->search_field = t3lib_div::_GP('search_field');
$this->search_levels = t3lib_div::_GP('search_levels');
$this->showLimit = t3lib_div::_GP('showLimit');
$this->returnUrl = t3lib_div::_GP('returnUrl');
$this->returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
// Load page info array:
$this->pageinfo = t3lib_BEfunc::readPageAccess($this->id,$this->perms_clause);
......
......@@ -184,7 +184,7 @@ class SC_db_new_content_el {
// Setting internal vars:
$this->id = intval(t3lib_div::_GP('id'));
$this->sys_language = intval(t3lib_div::_GP('sys_language_uid'));
$this->R_URI = t3lib_div::_GP('returnUrl');
$this->R_URI = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$this->colPos = t3lib_div::_GP('colPos');
$this->uid_pid = intval(t3lib_div::_GP('uid_pid'));
......
......@@ -263,7 +263,7 @@ class tx_install extends t3lib_install {
} else {
$this->step = intval(t3lib_div::_GP('step'));
}
$this->redirect_url = t3lib_div::_GP('redirect_url');
$this->redirect_url = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('redirect_url'));
$this->INSTALL['type'] = '';
if ($_GET['TYPO3_INSTALL']['type']) {
......
......@@ -747,7 +747,8 @@ class tx_version_cm1 extends t3lib_SCbase {
$table = '<table border="0" cellpadding="0" cellspacing="1" class="lrPadding workspace-overview">'.implode('',$tableRows).'</table>';
} else $table = '';
$linkBack = t3lib_div::_GP('returnUrl') ? '<a href="'.htmlspecialchars(t3lib_div::_GP('returnUrl')).'" class="typo3-goBack"><img'.t3lib_iconWorks::skinImg($this->doc->backPath,'gfx/goback.gif','width="14" height="14"').' alt="" />Click here to go back</a><br/><br/>' : '';
$returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));
$linkBack = $returnUrl ? '<a href="'.htmlspecialchars($returnUrl).'" class="typo3-goBack"><img'.t3lib_iconWorks::skinImg($this->doc->backPath,'gfx/goback.gif','width="14" height="14"').' alt="" />Click here to go back</a><br/><br/>' : '';
$resetDiffOnly = $this->diffOnly ? '<a href="index.php?id='.intval($this->id).'" class="typo3-goBack">Show all information</a><br/><br/>' : '';
$versionSelector = $GLOBALS['BE_USER']->workspace ? $this->doc->getVersionSelector($this->id) : '';
......
......@@ -112,7 +112,7 @@ class SC_tce_db {
$this->cmd = t3lib_div::_GP('cmd');
$this->mirror = t3lib_div::_GP('mirror');
$this->cacheCmd = t3lib_div::_GP('cacheCmd');
$this->redirect = t3lib_div::_GP('redirect');
$this->redirect = t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('redirect'));
$this->prErr = t3lib_div::_GP('prErr');
$this->_disableRTE = t3lib_div::_GP('_disableRTE');
$this->CB = t3lib_div::_GP('CB');
......
......@@ -546,7 +546,7 @@ class template {
));
$out ="
var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::_GP('returnUrl')))."';
var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'))))."';
var T3_THIS_LOCATION = '".str_replace('%20','',rawurlencode($thisLocation))."';
";
return $out;
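Review bot: The new `T3_RETURN_URL` line nests four calls (`sanitizeBackEndUrl`, `_GP`, `rawurlencode`, `str_replace`) inside a string assignment, which makes it hard to see that only the sanitized value reaches the JavaScript literal; assigning `$returnUrl = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('returnUrl'));` before `$out` and referencing `$returnUrl` inside the string keeps the sanitisation step visible, mirroring how tx_version_cm1 does it. The pre-existing `str_replace('%20', '', ...)` applied to an already URL-encoded value is unexplained and deserves a why-comment. The enclosing method starts outside the hunk.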
......