[TYPO3-dev] Any security risk in creating links to files using path, provided by user?
Victor Livakovsky
v-tyok at mail.ru
Sat Dec 4 00:28:50 CET 2010
Hello, list.
I was asking Google for it, but didn't get a 100% answer.
So, the situation is that I'm developing a BE module that is configurable
by Page TS. A BE user may specify, in this TS, a path to uploaded files and
a path to some images that should be displayed in the BE.

Is there any security risk in passing raw values of a user-defined path into
'href' and 'src' params (let's assume that some BE user wants to do
something bad on a website)?

Currently I'm making file links absolute to prevent the creation of links to
some different server but with the same filenames. My code looks like this:

    $output .= '<a target="_blank" href="http://' . $this->domain . '/'
        . $this->correctPath($this->tsconfig['properties']['file.']['uploadPath'])
        . $value . '">' . $value . '</a>';

$this->correctPath removes the slash at the beginning of the path and adds
one to the end, if needed.
Is there a better way to make such links? And do I still have security risks
with my current code?
Thank you in advance.
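
The path checks and output escaping the question turns on, as an added example that is not part of the original post: plain PHP with hypothetical helper names (normalizeUploadPath, buildFileLink) and no TYPO3 API calls. It assumes the domain is a trusted server-side value and that the file name is a single path segment.

```php
<?php
// Added example; helper names are hypothetical, plain PHP only (no TYPO3 API).

// Normalise a user-configured directory to "dir/sub/" form; null means rejected.
function normalizeUploadPath(string $path): ?string
{
    // Control characters, backslashes and ':' (scheme or port) are never needed here.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $path) || strpos($path, ':') !== false) {
        return null;
    }
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // drops leading, trailing and doubled slashes
        }
        if ($segment === '..') {
            return null; // no directory traversal
        }
        $segments[] = rawurlencode($segment); // quotes, spaces, '<' etc. become %XX
    }
    return $segments ? implode('/', $segments) . '/' : '';
}

// Build the link, or return null when the path or file name is rejected.
// Assumption: $domain is a trusted server-side value, not user input.
function buildFileLink(string $domain, string $uploadPath, string $fileName): ?string
{
    $dir = normalizeUploadPath($uploadPath);
    // The file name must be one path segment without separators or control characters.
    if ($dir === null || in_array($fileName, ['', '.', '..'], true)
        || preg_match('#[/\\\\\x00-\x1F\x7F]#', $fileName)) {
        return null;
    }
    $url = 'http://' . $domain . '/' . $dir . rawurlencode($fileName);
    // Escape separately for the attribute context and for the link text.
    return '<a target="_blank" href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($fileName, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed inputs: a normal path, a traversal attempt, attribute-breaking markup.
foreach (['/uploads/docs', '../../typo3conf', 'x" onmouseover="alert(1)'] as $path) {
    var_dump(buildFileLink('www.example.org', $path, 'report <2010>.pdf'));
}
```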