[TYPO3-english] Typo3 4.5.4 update kills CoolUri

Helmut Hummel helmut.hummel at typo3.org
Thu Jul 28 17:05:38 CEST 2011


Hi Felix,

Felix Heller wrote:

> I think that I've found the problem. I inserted var_dump($params) at the
> beginning of the function params2cool in the file link.Translate.php of
> the CoolURI extension.
>
> The output in TYPO3 4.5.3 is:
> array(3) {
> ["id"]=>
> string(1) "1"
> ["tt_example[pointer]"]=>
> string(1) "1"
> }
>
> The output in TYPO3 4.5.4 is:
> array(3) {
> ["id"]=>
> string(1) "1"
> ["tt_example%5Bpointer%5D"]=>
> string(1) "1"
> }

Thanks for your investigation.

> Normal parameters without brackets were not affected by this change, but
> parameters of extensions like tt_news (which use brackets) are not
> translated correctly any more. This might be related to this entry in
> the changelog of TYPO3 4.5.4:
> 2011-07-27 8ebc512 #28189 [BUGFIX] XSS in TYPO3 core when using
> typolink.parameter JS-Popup Window (Marco Bresch)

Your observation is correct and TYPO3 behaves correctly here. This is a 
bug in cooluri which was not triggered before.

Realurl does a urldecode and encodes the (left over) parameters after 
that, which is what cooluri should also do.

> private function convertBracketsInParams(array &$params) {
>     foreach ($params as $key => $param) {
>         $keyDecoded = strtr(
>             $key,
>             array(
>                 '%5B' => '[',
>                 '%5D' => ']'
>             )
>         );

A simple rawurldecode would be correct and should do the job.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
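The decode-then-re-encode handling described in the reply, as an added PHP example that is not CoolURI's or RealURL's own code; the two sample arrays are constructed from the var_dump output quoted above and the function names are assumed for illustration.

```php
<?php
// Added example, not CoolURI's or RealURL's own code: normalise incoming
// link parameters with rawurldecode() and re-encode what is left over,
// the approach the reply describes RealURL taking.

// Constructed samples mirroring the var_dump output quoted in the thread.
$paramsFrom453 = array('id' => '1', 'tt_example[pointer]' => '1');
$paramsFrom454 = array('id' => '1', 'tt_example%5Bpointer%5D' => '1');

// The strtr() approach from the quoted CoolURI code: it only recognises
// the exact uppercase sequences %5B and %5D.
function decodeKeyWithStrtr($key) {
    return strtr($key, array('%5B' => '[', '%5D' => ']'));
}

// Full percent-decoding of keys and values, applied exactly once: a value
// that legitimately contains %25 would otherwise be decoded a second time.
function decodeParams(array $params) {
    $decoded = array();
    foreach ($params as $key => $value) {
        $decoded[rawurldecode($key)] = rawurldecode($value);
    }
    return $decoded;
}

// Re-encode the parameters that were not translated into the speaking URL,
// so the generated query string is valid however the input arrived.
function encodeLeftover(array $params) {
    $pairs = array();
    foreach ($params as $key => $value) {
        $pairs[] = rawurlencode($key) . '=' . rawurlencode($value);
    }
    return implode('&', $pairs);
}

$from453 = decodeParams($paramsFrom453);
$from454 = decodeParams($paramsFrom454);
// Both TYPO3 versions must yield the same key once decoding is applied.
var_dump($from453 === $from454);
var_dump(array_keys($from454));

// Lowercase hex digits are equally valid percent-encoding (RFC 3986);
// strtr() leaves them untouched while rawurldecode() handles them.
$lowercase = 'tt_example%5bpointer%5d';
var_dump(decodeKeyWithStrtr($lowercase));
var_dump(rawurldecode($lowercase));

// Query string rebuilt from the decoded, left-over parameters.
echo encodeLeftover($from454), "\n";
```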

