[TYPO3-dev] Proposal: Sanitize GET/POST parameters
Reinhard Führicht
rf at typoheads.at
Mon Jul 5 14:06:15 CEST 2010
Hi,
TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it
to the extension authors or the writers of TypoScript to care about XSS
and SQLI.
This way, one can never be sure if a third-party extension or even if
his own extension is safe.
Furthermore, TypoScript code like this can be very dangerous:
lib.something = TEXT
lib.something.data = GPvar:myParam
I propose to let TYPO3 do some basic filtering which can be customized
globally via TypoScript.
The attached patch adds some filtering code to stdWrap. The first time
stdWrap is called, all GET/POST parameters get sanitized as configured
in TypoScript.
Sanitizing is divided into various tasks:
- Cast values to int if configured
- Remove bad words from value as configured
- Perform XSS filtering
The patch also adds a new script for XSS filtering because RemoveXSS is
not really reliable in my view. To make the new script work, there's a
need to do some basic charset detection to be able to handle UTF-8
correctly.
The TypoScript code could look similar to this:
config.sanitizegp {
  intParams = param1, param4
  badWords = select,union,delete
  keepParams = param2, param3
}
intParams:
  Will call intval() on each parameter in the list
badWords:
  These words will be stripped out of the parameter content
keepParams:
  These parameters will be passed through and remain untouched
This is just a proof of concept. There are certain issues like how to
process arrays (like: param1[param]) or the little TypoScript options
(Could be more, like disableXSS, ...).
The goal of this is to make it easier for admins and users to make their
TYPO3 website safer. It doesn't mean that it is bulletproof, but it
should give a certain amount of security. Default URL parameters like
id, type and L are set as intParams as a default setting.
I would like to hear your opinions about that. Is this a useful feature?
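As an added illustration of the three sanitizing tasks described in the post (this is not the attached patch, whose code is not shown here), a PHP sketch of the intParams/badWords/keepParams handling, recursing into arrays such as param1[param], with a stand-in XSS filter built on htmlspecialchars; the function names and the ISO-8859-1 fallback for non-UTF-8 input are assumptions:

```php
<?php
// Added illustration (not the attached patch): all function names are assumptions.

function splitList(string $list): array
{
    return array_values(array_filter(array_map('trim', explode(',', $list))));
}

function stripBadWords(string $value, array $badWords): string
{
    // Case-insensitive removal, repeated until stable, so one removal cannot leave a new occurrence behind
    do {
        $before = $value;
        $value  = str_ireplace($badWords, '', $value);
    } while ($value !== $before);
    return $value;
}

function filterXss(string $value): string
{
    // Stand-in for the proposed XSS script: repair the charset first, then neutralise markup
    if (!mb_check_encoding($value, 'UTF-8')) {
        $value = mb_convert_encoding($value, 'UTF-8', 'ISO-8859-1'); // assumed fallback charset
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function sanitizeGp(array $params, array $config, string $prefix = ''): array
{
    $clean = [];
    foreach ($params as $name => $value) {
        // Nested keys get "param1[param]" style names so they can be configured too
        $fullName = $prefix === '' ? (string)$name : $prefix . '[' . $name . ']';
        if (in_array($fullName, splitList($config['keepParams'] ?? ''), true)) {
            $clean[$name] = $value;                  // whitelisted: passed through untouched
        } elseif (is_array($value)) {
            $clean[$name] = sanitizeGp($value, $config, $fullName);
        } elseif (in_array($fullName, splitList($config['intParams'] ?? ''), true)) {
            $clean[$name] = (int)$value;             // intval() as the proposal describes
        } else {
            $words = splitList($config['badWords'] ?? '');
            $clean[$name] = filterXss(stripBadWords((string)$value, $words));
        }
    }
    return $clean;
}

// Constructed request mirroring the TypoScript from the proposal
$config = ['intParams' => 'id, param1', 'badWords' => 'select,union,delete', 'keepParams' => 'param2'];
$get    = ['id' => '12abc', 'param1' => '7', 'param2' => '<i>raw</i>', 'f' => ['q' => 'a UNION select b <script>']];
print_r(sanitizeGp($get, $config));
```

The badWords pass remains a blacklist, so in practice the intParams casting and the keepParams whitelist carry most of the weight.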