Commit b1810f8e authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader

[TASK] Switch to json_encode for tx_cms_showpic parameters

Scalar values sent via HTTP query parameters to ShowImageController
are now encoded with `json_encode` and decoded with `json_decode`
instead of `serialize`/`unserialize`. The parameter stream is still
secured with an HMAC before being decoded.

Resolves: #91509
Releases: master, 10.4, 9.5
Change-Id: I81b8d5a10a79536592b105c838470238e14b7dca
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64608


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent e758457a
......@@ -1339,7 +1339,7 @@ class ContentObjectRenderer implements LoggerAwareInterface
$parameters[$parameterName] = $conf[$parameterName];
}
}
$parametersEncoded = base64_encode(serialize($parameters));
$parametersEncoded = base64_encode(json_encode($parameters));
$hmac = GeneralUtility::hmac(implode('|', [$file->getUid(), $parametersEncoded]));
$params = '&md5=' . $hmac;
foreach (str_split($parametersEncoded, 64) as $index => $chunk) {
......
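Review bot: `json_encode($parameters)` on L25 returns `false` when encoding fails (for instance a `title` or `bodyTag` value holding invalid UTF-8), and `base64_encode(false)` then yields an empty string, so the link is built and HMAC-signed over an empty payload that the controller side cannot decode. The replaced `serialize` call had no such failure mode, so this is a new silent-failure path introduced by the switch. The result should be checked before the HMAC is computed, following the TYPO3 convention of a unique exception code; the enclosing method starts before and ends after this hunk.
```php
$parametersJson = json_encode($parameters);
if ($parametersJson === false) {
    throw new \RuntimeException('Could not JSON-encode tx_cms_showpic parameters');
}
$parametersEncoded = base64_encode($parametersJson);
$hmac = GeneralUtility::hmac(implode('|', [$file->getUid(), $parametersEncoded]));
// … unchanged: splitting $parametersEncoded into 64-byte query chunks …
```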
......@@ -41,6 +41,8 @@ use TYPO3\CMS\Core\Utility\MathUtility;
*/
class ShowImageController
{
protected const ALLOWED_PARAMETER_NAMES = ['width', 'height', 'crop', 'bodyTag', 'title'];
/**
* @var \Psr\Http\Message\ServerRequestInterface
*/
......@@ -128,10 +130,13 @@ EOF;
throw new \InvalidArgumentException('hash does not match', 1476048456);
}
// decode the parameters Array
$parameters = unserialize(base64_decode($parametersEncoded));
// decode the parameters Array - `bodyTag` contains HTML if set and would lead
// to a false-positive XSS-detection, that's why parameters are base64-encoded
$parameters = json_decode(base64_decode($parametersEncoded), true);
foreach ($parameters as $parameterName => $parameterValue) {
$this->{$parameterName} = $parameterValue;
if (in_array($parameterName, static::ALLOWED_PARAMETER_NAMES, true)) {
$this->{$parameterName} = $parameterValue;
}
}
if (MathUtility::canBeInterpretedAsInteger($fileUid)) {
......
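Review bot: `json_decode(..., true)` on L45 returns `null` for malformed or non-array input (including the empty string a failed producer-side `json_encode` would yield), and the `foreach` on L46 then emits a PHP warning and applies no parameters instead of rejecting the request the way the hash check on L39 does. The payload is HMAC-validated first, so this is not an injection vector, but an explicit guard keeps the failure mode consistent: `if (!is_array($parameters)) {` / `throw new \InvalidArgumentException('parameters cannot be decoded', <unique code>);` / `}` directly after L45. The allow-list on L34 would also benefit from a comment stating that these names are assigned as properties on L49, e.g. `// parameter names from the signed query string that may be assigned as properties`. The enclosing method starts before L39 and continues past L52.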