[TYPO3-dev] Any security risk in creating links to files using path, provided by user?

Steffen Müller typo3 at t3node.com
Sat Dec 4 03:40:49 CET 2010


Hi.

On 04.12.2010 00:28 Victor Livakovsky wrote:
> 
> Currently I'm making filelinks absolute to prevent creation of links to
> some different server, but with same filenames. My code looks like this:
> $output .= '<a target="_blank" href="http://' . $this->domain . '/' .
> $this->correctPath($this->tsconfig['properties']['file.']['uploadPath'])
> . $value . '">' . $value . '</a>';
> $this->correctPath removes slash in the beginning of path and adds it to
> the end, if needed.
> 
> Is there a better way to make such links? And do I still have security
> risks with my current code?
> 

Try this to find the weakness of your code:
$value = '<script>alert("XSS");</script>';
$value = '"><script>alert("XSS");</script><a href="foo';
http://en.wikipedia.org/wiki/Cross-site_scripting

You should at least filter $value using rawurlencode:
$value = rawurlencode($value);

An alternative and more "paranoid" way would be to allow only those
characters which you desire to be valid and filter the rest with a
regex. This strict regex could, for example, allow only [a-zA-Z0-9\.\/]

The golden rule is to never trust user data. Never.


-- 
cheers,
Steffen

TYPO3 Blog: http://www.t3node.com/
Microblog:  http://twitter.com/t3node
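
Added example, not part of the original message or of TYPO3: one way to combine the allowlist and the encoding suggested in the reply above, escaping separately for the URL path and for the HTML output. The function name buildFileLink(), the domain and the upload path are hypothetical, and the domain and upload path are assumed to come from trusted configuration.

```php
<?php
// Added example, not code from the thread. buildFileLink(), the domain and
// the upload path are hypothetical names chosen for illustration.

function buildFileLink(string $domain, string $uploadPath, string $value): ?string
{
    // Strict allowlist from the reply: only [a-zA-Z0-9./], at least one char.
    if (!preg_match('#\A[a-zA-Z0-9./]+\z#', $value)) {
        return null;
    }
    // The allowlist still admits "../", so reject empty, "." and ".." segments.
    $segments = explode('/', $value);
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    // URL context: percent-encode each path segment, keep "/" as separator.
    $path = implode('/', array_map('rawurlencode', $segments));
    $href = 'http://' . $domain . '/' . trim($uploadPath, '/') . '/' . $path;

    // HTML context: escape both the attribute value and the visible text.
    return '<a target="_blank" href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample inputs, including the two test strings from the reply.
$samples = [
    'report2010.pdf',
    'docs/manual.pdf',
    '<script>alert("XSS");</script>',
    '"><script>alert("XSS");</script><a href="foo',
    '../../secret/config.php',
];
foreach ($samples as $sample) {
    $link = buildFileLink('example.org', 'uploads/tx_myext', $sample);
    // Rejected input is escaped before it is echoed back.
    echo ($link ?? 'REJECTED: ' . htmlspecialchars($sample, ENT_QUOTES, 'UTF-8')), PHP_EOL;
}
```

The first two samples produce links; the two script strings fail the allowlist, and the last one passes the character check but is rejected for its ".." segments.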




