[TYPO3-dev] Any security risk in creating links to files using path, provided by user?

Jigal van Hemert jigal at xs4all.nl
Sat Dec 4 08:47:20 CET 2010


Hi,

On 4-12-2010 0:28, Victor Livakovsky wrote:
> Currently I'm making filelinks absolute to prevent creation of links to
> some different server, but with same filenames. My code looks like this:
> $output .= '<a target="_blank" href="http://' . $this->domain . '/' .
> $this->correctPath($this->tsconfig['properties']['file.']['uploadPath'])
> . $value . '">' . $value . '</a>';
> $this->correctPath removes slash in the beginning of path and adds it to
> the end, if needed.

First of all, let TYPO3 create links for you. There is a series of 
functions in the API which can help you create <a>-tags:

- pi_getPageLink
- pi_linkToPage
- pi_linkTP
- pi_linkTP_keepPIvars
- pi_linkTP_keepPIvars_url
but in your case the general function would be more suitable:
- tslib_cObj::typoLink() this is the implementation of the TypoScript 
function typolink, so it will be easy for most people to configure it.

The same is true for displaying images:
- tslib_cObj::IMAGE()
- tslib_cObj::IMG_RESOURCE()
can be used to generate img-tags with all necessary options.

The other challenge you mention is to make sure the URLs point to your 
local installation. The system extension felogin has to make similar 
checks for the redirect URL. You can borrow some code from
typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php function 
validateRedirectUrl() (and the functions it calls) to make sure you have 
a local URL. There is one difference: your code is meant to be run in 
the backend, so some checks might not be possible.

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
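As an added illustration (not code from this thread or from TYPO3), here is one way to combine the path normalization described above with a felogin-style check that the assembled URL really points at the local host. The function names, the rejection rules and the assumption that `$domain` carries no port are mine, not the poster's:

```php
<?php
// Added example, not from the thread or from the TYPO3 sources.

/**
 * Normalize the configured upload path the way correctPath() is described:
 * no leading slash, exactly one trailing slash.
 */
function normalizeUploadPath(string $uploadPath): string
{
    return trim($uploadPath, '/') . '/';
}

/**
 * Reduce the user-supplied file name to safe, URL-encoded path segments,
 * or return null if it could leave the upload directory or change the host.
 */
function sanitizeRelativeFilePath(string $value): ?string
{
    // A scheme ("http:"), a scheme-relative prefix ("//"), a backslash or a
    // NUL byte means this is not a plain relative path: reject it outright.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $value) === 1
        || strncmp($value, '//', 2) === 0
        || strpos($value, '\\') !== false
        || strpos($value, "\0") !== false) {
        return null;
    }
    $segments = [];
    foreach (explode('/', $value) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null; // empty, "." or ".." segment: no traversal allowed
        }
        $segments[] = rawurlencode($segment); // encode per segment, keep the "/"
    }
    return implode('/', $segments);
}

/**
 * Build the absolute link and, as felogin does for its redirect URL, verify
 * that the assembled URL resolves to our own host before emitting the tag.
 * Assumes $domain is a bare host name without a port.
 */
function buildLocalFileLink(string $domain, string $uploadPath, string $value): ?string
{
    $relative = sanitizeRelativeFilePath($value);
    if ($relative === null) {
        return null;
    }
    $url  = 'http://' . $domain . '/' . normalizeUploadPath($uploadPath) . $relative;
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $domain) !== 0) {
        return null; // host differs from the local domain: refuse to link
    }
    $safeUrl = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $label   = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<a target="_blank" href="' . $safeUrl . '">' . $label . '</a>';
}
```

With `$domain = 'example.org'` and `$uploadPath = '/uploads/tx_myext'`, a value such as `report.pdf` yields a link under `http://example.org/uploads/tx_myext/`, while `../../index.php` or `//evil.example/report.pdf` return null.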