Commit 5c9dc6ff authored by Oliver Hader's avatar Oliver Hader

Fixed bug #15311: t3lib_div::sanitizeLocalUrl() leads to fatal error on PHP4 systems

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-1@8472 709f56b5-9817-0410-a4d7-c38de5d9e867
parent cfa8ae91
2010-08-03 Oliver Hader <oliver@typo3.org>
* Fixed bug #15311: t3lib_div::sanitizeLocalUrl() leads to fatal error on PHP4 systems
2010-08-02 Oliver Hader <oliver@typo3.org>
* Fixed bug #15289: Element-Browser page tree has HSC'ed <span> elements
......
......@@ -3578,8 +3578,10 @@ class t3lib_div {
* @access public
*/
function sanitizeBackEndUrl($url = '') {
$whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
if (!preg_match($whitelistPattern, $url)) {
$whitelistPattern = '/^[a-z0-9_\/\.&=\?\+~-]+$/i';
$charsetConversion = t3lib_div::makeInstance('t3lib_cs');
if (!preg_match($whitelistPattern, $charsetConversion->specCharsToASCII('utf-8', $url))) {
$url = '';
}
......@@ -3601,15 +3603,18 @@ class t3lib_div {
$decodedUrl = rawurldecode($url);
$decodedParts = @parse_url($decodedUrl);
$whitelistPattern = '/^(\p{Nd}|\p{L}|[_\/\.&=\?\+-~])+$/u';
$whitelistPattern = '/^[a-z0-9_\/\.&=\?\+~-]+$/i';
$charsetConversion = t3lib_div::makeInstance('t3lib_cs');
// Only http and https are allowed as scheme, and at least a path must be given:
if (isset($decodedParts['scheme']) && !t3lib_div::inList('http,https', $decodedParts['scheme']) || !isset($decodedParts['path'])) {
$url = '';
// Check all URL parts for invalid characters:
} else {
foreach ($decodedParts as $part) {
if (!preg_match($whitelistPattern, $part)) {
foreach ($decodedParts as $type => $part) {
$part = $charsetConversion->specCharsToASCII('utf-8', $part);
if ($type != 'host' && !preg_match($whitelistPattern, $part)) {
var_dump($part);
$url = '';
break;
}
......
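Review bot: The `var_dump($part);` in the rejection branch of the part loop (second hunk, apparently on the new side) looks like leftover debugging and should be dropped, so that the branch holds only `$url = '';` and `break;`. As written, any URL part that fails the whitelist is printed into the response unescaped, which echoes attacker-controlled input back to the client and emits output before any redirect headers that follow. The new `$type != 'host'` condition also exempts the host from the character whitelist, and the check now runs on the `specCharsToASCII()` result while the untransliterated `$url` is what is kept. If the host is validated in the part of the function outside this hunk, a comment such as `// host is checked separately below; other parts are matched in their ASCII transliteration` would record that intent. The function body starts and ends outside the visible hunk, so the host handling cannot be confirmed from here.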