[TYPO3-dev] Any security risk in creating links to files using path, provided by user?
Jigal van Hemert
jigal at xs4all.nl
Sat Dec 4 08:47:20 CET 2010
Hi,
On 4-12-2010 0:28, Victor Livakovsky wrote:
> Currently I'm making filelinks absolute to prevent creation of links to
> some different server, but with same filenames. My code looks like this:
> $output .= '<a target="_blank" href="http://' . $this->domain . '/' .
> $this->correctPath($this->tsconfig['properties']['file.']['uploadPath'])
> . $value . '">' . $value . '</a>';
> $this->correctPath removes slash in the beginning of path and adds it to
> the end, if needed.
First of all, let TYPO3 create links for you. There is a series of
functions in the API which can help you create <a>-tags:
- pi_getPageLink
- pi_linkToPage
- pi_linkTP
- pi_linkTP_keepPIvars
- pi_linkTP_keepPIvars_url
but in your case the general function would be more suitable:
- tslib_cObj::typoLink(): this is the implementation of the TypoScript
function typolink, so it will be easy for most people to configure it.
The same is true for displaying images:
- tslib_cObj::IMAGE()
- tslib_cObj::IMG_RESOURCE()
can be used to generate img-tags with all necessary options.
The other challenge you mention is to make sure the URLs point to your
local installation. The system extension felogin has to make similar
checks for the redirect URL. You can borrow some code from
typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php function
validateRedirectUrl() (and the functions it calls) to make sure you have
a local URL. There is one difference: your code is meant to be run in
the backend, so some checks might not be possible.
--
Kind regards / met vriendelijke groet,
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
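As an added example (not code from Jigal's reply, from Victor's extension or from TYPO3 core), here is how the two checks discussed above can be done in plain PHP: confining a user-supplied file name to the configured upload directory and accepting only URLs that point at the local host, with the value escaped before it goes into the <a> tag (the quoted snippet concatenates it raw into both the href attribute and the link text). The function names, the domain and upload path, and the sample values are assumptions for illustration; TYPO3's typoLink() and felogin's validateRedirectUrl() are not used here, and the code targets PHP 7.1 or newer.

```php
<?php
// Added example, not code from the original post or from TYPO3.
// All function names, the domain, the upload path and the sample
// values are assumptions made up for illustration.

/**
 * Return the site-relative path of $userValue if, after resolving "."
 * and ".." segments, it still lies inside $uploadPath; otherwise null.
 * The check is textual, so the file does not have to exist.
 */
function localUploadPath(string $uploadPath, string $userValue): ?string
{
    // Reject absolute paths, backslashes, NUL bytes and anything that
    // looks like a scheme prefix ("http:", "javascript:", "C:").
    if ($userValue === '' || $userValue[0] === '/'
        || strpos($userValue, "\0") !== false || strpos($userValue, '\\') !== false
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $userValue)) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $userValue) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (empty($parts)) {
                return null;      // would climb above the upload directory
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    if (empty($parts)) {
        return null;
    }
    return trim($uploadPath, '/') . '/' . implode('/', $parts);
}

/**
 * True if $url is a site-relative path or an absolute http(s) URL whose
 * host equals $localHost. Protocol-relative URLs ("//evil.example/"),
 * other schemes and backslashes are rejected. The port is not compared.
 */
function isLocalUrl(string $url, string $localHost): bool
{
    if ($url === '' || strpos($url, "\0") !== false || strpos($url, '\\') !== false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative: require http(s) and our own host.
        $scheme = strtolower($parts['scheme'] ?? '');
        return in_array($scheme, ['http', 'https'], true)
            && isset($parts['host'])
            && strcasecmp($parts['host'], $localHost) === 0;
    }
    return true;  // plain relative URL, stays on this site
}

/** Build the <a> tag, or return null if $userValue is not acceptable. */
function buildFileLink(string $domain, string $uploadPath, string $userValue): ?string
{
    $path = localUploadPath($uploadPath, $userValue);
    if ($path === null) {
        return null;
    }
    $url = 'http://' . $domain . '/'
        . implode('/', array_map('rawurlencode', explode('/', $path)));
    if (!isLocalUrl($url, $domain)) {
        return null;
    }
    // Escape for the attribute and for the link text; the quoted snippet
    // inserted $value unescaped in both places.
    return '<a target="_blank" href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($userValue, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample values (assumptions, not real data).
$domain = 'www.example.org';
$uploadPath = '/uploads/tx_filelinks/';
foreach (['report.pdf', 'sub/../report.pdf', '../../typo3conf/localconf.php',
          'http://evil.example/x', 'a".onclick="alert(1)'] as $v) {
    var_dump(buildFileLink($domain, $uploadPath, $v));
}
foreach (['http://www.example.org/index.php?id=1', '//evil.example/',
          'https://evil.example/', 'javascript:alert(1)', '/index.php?id=2'] as $u) {
    var_dump(isLocalUrl($u, $domain));
}
```

Of the sample file names only the first two yield a link; the traversal, the absolute URL and the attribute-breaking value are rejected or escaped. Of the sample URLs only the first and the last are accepted as local. In a TYPO3 extension the accepted path would then be handed to typoLink() rather than concatenated by hand.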