[TYPO3-dev] New 4.6.17 leads to #1359987599: jumpurl: Calculated juHash did not match the submitted juHash.

Roland Hager roland.hager at tu-berlin.de
Wed Mar 6 15:41:46 CET 2013 

Hi Alexander,


Having the same issue here with 4.5.24. Pages of type "external link" 
seems to go through the jumpurl processing without getting an juHash. 
Thus the URLs are blocked. The provided extension didn't helped, because 
it is searching for the whole URL starting with "http(s)://" but the 
external links are stored without the protocol.

I added the following two lines at the beginning of the function 
allowUrlsUsedInSiteContent

     $url=ltrim($url, 'http://');
     $url=ltrim($url, 'https://');

Without the protocol the extensions recognizes links to internal pages 
correctly.


best regards
Roland Hager

On 06.03.2013 15:37, Alexander Bigga wrote:
> Hi Søren,
>
> thank you. I found it and I understand it.
>
> But don't use directmail newsletter modules or whatever.
>
> I use only the feature "External Link" as page type setting to point to
> an external page (which might be in the same installation but with a
> different domain).
>
> Without this jumpurl-redirect extension this doesn't work anymore. Is
> this really the intended behaviour of TYPO3 now? I cannot... really
> believe it.
>
> Best,
>
> Alexander
> Am 06.03.2013 15:31, schrieb Søren Malling:
>> Hi Alexander,
>>
>>  From the security bulletin
>>
>> =====
>>
>> If it is important that already distributed links  (e.g. by directmail
>> newsletter module) are still working, you have to additionally:
>>
>>     - Install the provided extension
>> (t3x<http://typo3.org/fileadmin/security-team/sa2013-01/jumpurl_redirect.t3x>
>>
>>     ,
>> zip<http://typo3.org/fileadmin/security-team/sa2013-01/jumpurl_redirect.zip>)
>>
>> which
>>     covers the following cases:
>>        - URLs which are present in pages or content elements are
>> allowed to
>>        be redirected to, even if the validation hash is missing or wrong.
>>        - URLs which are present in newletters sent using the third party
>>        module "directmail" are allowed to be redirected to, even if the
>> validation
>>        hash is missing or wrong.
>>     - =====
>>
>> Regards
>>
>> Søren
>> _______________________________________________
>> TYPO3-dev mailing list
>> TYPO3-dev at lists.typo3.org
>> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-dev
>>
>

More information about the TYPO3-dev mailing list