[TYPO3-project-4-3] No page tree?
Martin Kutschker
masi-no at spam-typo3.org
Tue Oct 27 08:32:50 CET 2009
Ernesto Baschny [cron IT] wrote:
> Dan Osipov wrote:
>> I was able to replicate the problem, and found the cause:
>> $MCONF['navFrameScriptParam']='&folderOnly=1';
>>
>> When the alt_mod_frameset.php tries to read the navigation URL in line:
>> $nav = t3lib_div::sanitizeBackEndUrl(t3lib_div::_GP('nav'));
>>
>> $nav ends up empty, since t3lib_div::_GP('nav') contains a '&' symbol.
>> I'll file it as a bug.
>
> That is not the problem, since "&" is allowed in
> t3lib_div::sanitizeBackEndUrl:
>
> $whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
>
> meaning allowed are:
>
> - letters and digits
> - underscore ("_")
> - slash ("/")
> - dot (".")
> - ampersand ("&")
> - equals ("=")
> - question mark ("?")

RFC 2396 allows the following characters:

uric = reserved | unreserved | escaped
reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
           "$" | ","
unreserved = alphanum | mark
alphanum = alpha | digit
alpha = lowalpha | upalpha
lowalpha = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" |
           "j" | "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" |
           "s" | "t" | "u" | "v" | "w" | "x" | "y" | "z"
upalpha = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" |
          "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" |
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
        "8" | "9"
mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"

This means missing are: ;:@+$,-!~+*'()

IIRC the comma is used sometimes to list multiple ids in URLs. So it should be added.

Then there are these characters:

unwise = "{" | "}" | "|" | "\" | "^" | "[" | "]" | "`"

Of these the square brackets are used by TYPO3 and to be honest I wouldn't have hesitated to use a pipe.

We may think some of the allowed characters to be odd, but I would still allow all characters in a
URL that the RFC allows. If this is not the case then it must be properly documented that BE URLs
allow only a limited subset of the regular characters of a URL.

Masi

PS: I think it is a bad practice to escape . ? * / within a character class as it reduces the
readability.
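
A diagnostic for the whitelist discussed in this thread, as an added example that is not part of the original message or of TYPO3's code: it tests each RFC 2396 character class against the quoted pattern and reports the first character that makes a URL fail. The function names, the `example.php` file name and the sample URLs are constructed for illustration.

```php
<?php
// Whitelist pattern quoted in the thread from t3lib_div::sanitizeBackEndUrl.
const WHITELIST = '/^[a-zA-Z0-9_\/\.&=\?]+$/';

// RFC 2396 character classes as listed in the message; "escaped" is
// "%" hex hex in the RFC, so only its leading "%" is tested here.
const CLASSES = [
    'reserved' => ';/?:@&=+$,',
    'mark'     => "-_.!~*'()",
    'escaped'  => '%',
    'unwise'   => '{}|\\^[]`',
];

/** Characters of $set that the whitelist rejects when tested one at a time. */
function rejectedFrom(string $set): array
{
    $bad = fn (string $c): bool => preg_match(WHITELIST, $c) !== 1;
    return array_values(array_filter(str_split($set), $bad));
}

/** First byte the whitelist refuses, with its offset; null if the URL passes. */
function firstRejected(string $url): ?array
{
    if (preg_match(WHITELIST, $url) === 1) {
        return null;
    }
    foreach (str_split($url) as $offset => $char) {
        if (preg_match(WHITELIST, $char) !== 1) {
            return ['offset' => $offset, 'char' => $char];
        }
    }
    return ['offset' => 0, 'char' => '']; // empty input: "+" needs one character
}

foreach (CLASSES as $name => $set) {
    printf("%-8s rejected: %s\n", $name, implode(' ', rejectedFrom($set)) ?: '(none)');
}

// Constructed sample URLs (the file name is a placeholder, not a TYPO3 script).
$samples = [
    'example.php?&folderOnly=1',   // parameter from the thread
    'example.php?id=1,2,3',        // comma-separated id list
    'example.php?SET[mode]=1',     // square brackets
];
foreach ($samples as $url) {
    $hit = firstRejected($url);
    $verdict = $hit === null ? 'accepted' : "rejected at offset {$hit['offset']} ({$hit['char']})";
    printf("%-28s %s\n", $url, $verdict);
}
```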