[TYPO3-dev] Pollution of Linkvars with undesired entries
christian reiter
cr at n-o-s-p-a-m-cxd.de
Mon Apr 3 18:14:11 CEST 2006
Hello,
I have come across the following phenomenon, which I wouldn't call a bug,
but maybe an unnecessary susceptibility to pranksters. (in Typo3 3.8.1.) If
someone uses a nonsense URL like /{id}.{typenum}.html?L=Bullshit, the
unconventional L variable is passed through and written into all typolinks.
On following these links, it evaluates as 0, i.e. the default language is
rendered correctly. If someone tries to insert Cross-site scripting attempts
instead of "Bullshit", they fail because the characters are escaped, e.g.
?&L=%3Cscript...
However, if someone manages to call the page when the cache has been
cleared, the unconventional linkvars will be stored when the cache is
updated and he can succeed in manipulating the page so that for instance all
the links on the page are appended with undesirable comments like
"www.TheClientCompanyName.tld/{id}.{typenum}.html?L=ClientCompanySucksAndIsTheRootOfAllEvil"
which always evaluates as 0 but remains visible in the address bar of
followed links, the status bar etc, and causes a few good laughs but does
not amuse the suits at ClientCompany.
In the affected case there are no other linkvars than integers and for the
case in question the solution is simply to change in
/typo3/sysext/cms/tslib/class.tslib_pagegen.php the part dealing with
Linkvars so that it asks for a newly defined setting like for instance
$GLOBALS['TSFE']->config['config']['allowNonNumericLinkVars'] and if this is
NOT explicitly set, converts all linkvars to integers (also changing the
function implodeArrayForUrl accordingly).
Greetings,
Christian Reiter
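
The mitigation proposed in the message above, sketched as an added example (not part of the original post and not TYPO3 core code): every configured linkvar is cast to an integer before it is written into generated links, unless the proposed `allowNonNumericLinkVars` setting is explicitly enabled. The helper name `buildLinkVars()` and the sample requests are hypothetical.

```php
<?php
// Added example, not TYPO3 core code. buildLinkVars() is a hypothetical helper;
// 'allowNonNumericLinkVars' is the setting proposed in the message above.

/**
 * Build the query-string fragment that gets appended to generated links.
 *
 * @param array $config 'linkVars' (comma-separated parameter names) and,
 *                      optionally, 'allowNonNumericLinkVars'
 * @param array $get    request parameters (e.g. $_GET)
 */
function buildLinkVars(array $config, array $get): string
{
    $names = array_filter(array_map('trim', explode(',', $config['linkVars'] ?? '')));
    $allowNonNumeric = !empty($config['allowNonNumericLinkVars']);
    $out = '';

    foreach ($names as $name) {
        if (!isset($get[$name])) {
            continue;
        }
        $value = $get[$name];
        if (is_array($value)) {
            // Nested parameters (L[]=...) are dropped unless explicitly allowed.
            if (!$allowNonNumeric) {
                continue;
            }
            $out .= '&' . http_build_query([$name => $value], '', '&', PHP_QUERY_RFC3986);
            continue;
        }
        if (!$allowNonNumeric) {
            // Default: force an integer so free text never reaches links
            // that are later stored in the page cache.
            $value = (string)(int)$value;
        }
        $out .= '&' . rawurlencode($name) . '=' . rawurlencode((string)$value);
    }
    return $out;
}

// Constructed sample requests: numeric value, free text, opt-in free text.
$config = ['linkVars' => 'L'];
var_dump(buildLinkVars($config, ['L' => '2']));
var_dump(buildLinkVars($config, ['L' => 'AnyFreeText']));
var_dump(buildLinkVars($config + ['allowNonNumericLinkVars' => 1], ['L' => 'de']));
```

Because the cast happens before the links are generated, a request that arrives while the cache is empty can no longer store arbitrary text in the cached page.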