[TYPO3-project-4-3] No page tree?

Ernesto Baschny [cron IT] ernst at cron-it.de
Tue Oct 27 08:48:09 CET 2009


Martin Kutschker wrote:

>> That is not the problem, since "&" is allowed in
>> t3lib_div::sanitizeBackEndUrl:
>>
>> 	$whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
>>
>> meaning allowed are:
>>
>> - letters and digits
>> - underscore ("_")
>> - slash ("/")
>> - dot (".")
>> - ampersand ("&")
>> - equals ("=")
>> - question mark ("?")

> RFC 2396 allows the following characters:
> 
> uric     = reserved | unreserved | escaped
> 
> reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
>                     "$" | ","
> 
> unreserved  = alphanum | mark
> 
> alphanum = alpha | digit
> 
> alpha    = lowalpha | upalpha
> 
> lowalpha = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" |
>            "j" | "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" |
>            "s" | "t" | "u" | "v" | "w" | "x" | "y" | "z"
> 
> upalpha  = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" |
>            "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" |
> 
> digit    = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
>                  "8" | "9"
> 
> mark     = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
> 
> This means missing are: ;:@+$,-!~+*'()
> 
> IIRC the comma is used sometimes to list multiple ids in URLs. So it should be added.
> 
> Then there are these characters:
> 
> unwise      = "{" | "}" | "|" | "\" | "^" | "[" | "]" | "`"
> 
> Of these the square brackets are used by TYPO3 and to be honest I wouldn't have hesitated to use a pipe.
> 
> We may think some of the allowed characters to be odd, but I would still allow all characters in a
> URL that the RFC allows. If this is not the case then it must be properly documented that BE URLs
> allow only a limited subset of the regular characters of a URL.
> 
> Masi
> 
> PS: I think it is a bad practice to escape . ? * / within a character class as it reduces the
> readability.


Thanks for the list Masi! Would you mind making a (TYPO3-Core-)RFC out
of your conclusion with the proper fix?

Cheers,
Ernesto
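As an added illustration (not code from this thread or from TYPO3 itself), the PHP below puts the quoted whitelist next to one extended with the RFC 2396 characters Masi lists and runs both over constructed sample backend URLs; the function name, the extended pattern and the sample URLs are assumptions made for this example.

```php
<?php
// Added illustration, not TYPO3 code. Compares the whitelist quoted from
// t3lib_div::sanitizeBackEndUrl with one extended by the RFC 2396 characters
// listed in the thread (reserved + mark, plus the square brackets TYPO3 uses).

// The pattern as quoted in the thread.
const CURRENT_PATTERN = '/^[a-zA-Z0-9_\/\.&=\?]+$/';

// Extended pattern (an assumption for this example). With "#" as delimiter the
// slash needs no escaping; inside a character class only "]" and "\" must be
// escaped and "-" is literal at the end, so the rest is left bare as the PS suggests.
const EXTENDED_PATTERN = '#^[a-zA-Z0-9_.!~*\'();/?:@&=+$,\[\]-]+$#';

/**
 * Allowlist step as assumed here: return the URL unchanged if every character
 * matches the pattern, otherwise an empty string for the caller to fall back on.
 */
function sanitizeWithPattern(string $url, string $pattern): string
{
    return preg_match($pattern, $url) === 1 ? $url : '';
}

// Constructed sample backend URLs covering the characters discussed.
$samples = [
    'mod.php?M=web_list&id=5',               // current allowlist already accepts this
    'alt_doc.php?edit[tt_content][1]=edit',  // square brackets, used by TYPO3
    'mod.php?M=web_list&ids=1,2,3',          // comma-separated id list
    'index.php?returnUrl=a|b',               // pipe is RFC 2396 "unwise": in neither list
    'http://example.com/typo3/',             // ":" makes this an absolute URL (see note)
];

foreach ($samples as $url) {
    printf(
        "%-40s current: %-3s extended: %s\n",
        $url,
        sanitizeWithPattern($url, CURRENT_PATTERN) === '' ? 'no' : 'yes',
        sanitizeWithPattern($url, EXTENDED_PATTERN) === '' ? 'no' : 'yes'
    );
}
// Note: RFC 2396 uses ":" and "@" for the scheme and authority parts, so allowing
// them also lets absolute URLs through; whether that is acceptable depends on what
// the sanitized value is used for, which the thread does not say.
```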
