Index: classes/class.tx_templavoila_div.php
===================================================================
--- classes/class.tx_templavoila_div.php (revision 0)
+++ classes/class.tx_templavoila_div.php (revision 0)
@@ -0,0 +1,119 @@ + + */ +final class tx_templavoila_div { + + /** + * Wrapper function for checking valid URL for redirect + * + * @param $url + */ + public static function sanitizeLocalUrl($url = '') { + if (t3lib_div::compat_version('4.3')) { + return t3lib_div::sanitizeLocalUrl($url); + } elseif (t3lib_div::compat_version('4.2') && method_exists('t3lib_div', 'sanitizeLocalUrl')) { + return t3lib_div::sanitizeLocalUrl($url); + } else { + return self::internalSanitizeLocalUrl($url); + } + + } + + + /** + * Checks if a given string is a valid frame URL to be loaded in the + * backend. + * + * @param string $url potential URL to check + * + * @return string either $url if $url is considered to be harmless, or an + * empty string otherwise + */ + private static function internalSanitizeLocalUrl($url = '') { + $sanitizedUrl = ''; + $decodedUrl = rawurldecode($url); + if (!t3lib_div::compat_version('4.1')) { + if ($decodedUrl !== t3lib_div::removeXSS($decodedUrl)) { + $decodedUrl = ''; + } + } + if (!empty($url) && $decodedUrl !== '') { + $testAbsoluteUrl = t3lib_div::resolveBackPath($decodedUrl); + $testRelativeUrl = t3lib_div::resolveBackPath( + t3lib_div::dirname(t3lib_div::getIndpEnv('SCRIPT_NAME')) . '/' . 
$decodedUrl + ); + + // Pass if URL is on the current host: + if (t3lib_div::isValidUrl($decodedUrl)) { + if (t3lib_div::isOnCurrentHost($decodedUrl) && strpos($decodedUrl, t3lib_div::getIndpEnv('TYPO3_SITE_URL')) === 0) { + $sanitizedUrl = $url; + } + // Pass if URL is an absolute file path: + } elseif (t3lib_div::isAbsPath($decodedUrl) && t3lib_div::isAllowedAbsPath($decodedUrl)) { + $sanitizedUrl = $url; + // Pass if URL is absolute and below TYPO3 base directory: + } elseif (strpos($testAbsoluteUrl, t3lib_div::getIndpEnv('TYPO3_SITE_PATH')) === 0 && substr($decodedUrl, 0, 1) === '/') { + $sanitizedUrl = $url; + // Pass if URL is relative and below TYPO3 base directory: + } elseif (strpos($testRelativeUrl, t3lib_div::getIndpEnv('TYPO3_SITE_PATH')) === 0 && substr($decodedUrl, 0, 1) !== '/') { + $sanitizedUrl = $url; + } + } + + if (!empty($url) && empty($sanitizedUrl)) { + t3lib_div::sysLog('The URL "' . $url . '" is not considered to be local and was denied.', 'Core', t3lib_div::SYSLOG_SEVERITY_NOTICE); + } + + return $sanitizedUrl; + } + + /** + * Checks if a given string is a Uniform Resource Locator (URL). + * + * @param string $url: The URL to be validated + * @return boolean Whether the given URL is valid + */ + private static function isValidUrl($url) { + return (filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED) !== false); + } + + + /** + * Checks if a given URL matches the host that currently handles this HTTP request. + * Scheme, hostname and (optional) port of the given URL are compared. + * + * @param string $url: URL to compare with the TYPO3 request host + * @return boolean Whether the URL matches the TYPO3 request host + */ + private static function isOnCurrentHost($url) { + return (stripos($url . '/', t3lib_div::getIndpEnv('TYPO3_REQUEST_HOST') . 
'/') === 0); + } + +} +?> \ No newline at end of file Index: cm1/index.php =================================================================== --- cm1/index.php (revision 28532) +++ cm1/index.php (working copy) @@ -89,6 +89,8 @@ require_once (PATH_t3lib.'class.t3lib_scbase.php'); +require_once (t3lib_extMgm::extPath('templavoila') . 'classes/class.tx_templavoila_div.php'); + require_once (t3lib_extMgm::extPath('templavoila').'cm1/class.tx_templavoila_cm1_dsedit.php'); require_once (t3lib_extMgm::extPath('templavoila').'cm1/class.tx_templavoila_cm1_etypes.php'); @@ -397,7 +399,7 @@ $this->displayTable = t3lib_div::_GP('table'); $this->displayUid = t3lib_div::_GP('uid'); $this->displayPath = t3lib_div::_GP('htmlPath'); - $this->returnUrl = t3lib_div::_GP('returnUrl'); + $this->returnUrl = tx_templavoila_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')); // GPvars specific to the DS listing/table and mapping features: $this->_preview = t3lib_div::_GP('_preview'); Index: cm2/index.php =================================================================== --- cm2/index.php (revision 28532) +++ cm2/index.php (working copy) @@ -55,11 +55,11 @@ require_once (PATH_t3lib.'class.t3lib_tcemain.php'); require_once (PATH_t3lib.'class.t3lib_diff.php'); +require_once (t3lib_extMgm::extPath('templavoila') . 'classes/class.tx_templavoila_div.php'); - /** * Class for displaying color-marked-up version of FlexForm XML content. * @@ -92,7 +92,7 @@ $this->doc->backPath = $BACK_PATH; $this->doc->docType = 'xhtml_trans'; - $this->returnUrl = t3lib_div::_GP('returnUrl'); + $this->returnUrl = tx_templavoila_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl')); $this->content.=$this->doc->startPage($LANG->getLL('title')); $this->content.=$this->doc->header($LANG->getLL('title')); Index: mod2/index.php =================================================================== --- mod2/index.php (revision 28532) +++ mod2/index.php (working copy) 
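Review bot: In internalSanitizeLocalUrl the fallback calls `t3lib_div::isValidUrl($decodedUrl)` and `t3lib_div::isOnCurrentHost($decodedUrl)`, yet the private `isValidUrl` and `isOnCurrentHost` defined further down in this hunk are never referenced; if they were added because t3lib_div lacks those methods on the older cores this fallback exists for, the fallback dies on an undefined method, and the two calls should read `self::isValidUrl($decodedUrl)` and `self::isOnCurrentHost($decodedUrl)`. The removeXSS comparison runs only under `!t3lib_div::compat_version('4.1')`, so an install whose compat version is 4.1 or 4.2 and reaches this fallback gets no XSS filtering before the path checks, where the remaining branches (reached when isValidUrl rejects the value) pass any string that does not start with `/` as long as its resolved relative path lies below TYPO3_SITE_PATH; if that guard is deliberate, a comment stating why belongs above it, otherwise the comparison should run unconditionally. In sanitizeLocalUrl the first two branches return the same call, so a single `if (method_exists('t3lib_div', 'sanitizeLocalUrl'))` test would replace both. The hunk is declared as 119 added lines but only part of the file survives in this rendering, so the lines missing here were not reviewed.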
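Review bot: The assignment `$this->returnUrl = tx_templavoila_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'));` turns a denied value into an empty string, and nothing in the hunk shows what the module does with an empty returnUrl; if later code appends `'&returnUrl=' . rawurlencode($this->returnUrl)` or redirects to it unconditionally, a denied value now yields a dangling empty parameter or an empty redirect, so this is the place to fall back to the module's own URL. The same applies to the identical line in cm2/index.php at @@ -92,7 +92,7 @@. `t3lib_div::_GP` may return an array when the request carries `returnUrl[]`, and the fallback implementation passes the value straight to rawurldecode; casting at the call site, `tx_templavoila_div::sanitizeLocalUrl((string) t3lib_div::_GP('returnUrl'))`, or inside the wrapper keeps the input a string. The enclosing method starts and ends outside the hunk.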
@@ -88,9 +88,9 @@ $BE_USER->modAccess($MCONF,1); // This checks permissions and exits if the users has no permission for entry. +require_once (t3lib_extMgm::extPath('templavoila') . 'classes/class.tx_templavoila_div.php'); - /** * Module 'TemplaVoila' for the 'templavoila' extension. * @@ -623,7 +623,7 @@ // Links: $editLink = $lpXML.= 'doc->backPath,'gfx/edit2.gif','width="11" height="12"').' alt="" class="absmiddle" />'; - $dsTitle = ''.htmlspecialchars($dsR['title']).''; + $dsTitle = '' . htmlspecialchars($dsR['title']) . ''; if ($this->MOD_SETTINGS['set_details']) { $XMLinfo = $this->DSdetails($dsR['dataprot']); @@ -681,7 +681,7 @@ } else { // DS was a file: // XML file icon: - $onClick = 'document.location=\'' . $this->doc->backPath . 'file_edit.php?target=' . rawurlencode(PATH_site . $dsR['path']) . '&returnUrl=' . rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')) . '\';'; + $onClick = 'document.location=\'' . $this->doc->backPath . 'file_edit.php?target=' . rawurlencode(PATH_site . $dsR['path']) . '&returnUrl=' . rawurlencode(tx_templavoila_div::sanitizeLocalUrl(t3lib_div::getIndpEnv('REQUEST_URI'))) . '\';'; $recordIcon = 'doc->backPath,'gfx/fileicons/xml.gif','width="18" height="16"').' alt="" class="absmiddle" />'; // Preview icon:
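Review bot: The new `$onClick` line in @@ -681,7 +681,7 @@ nests four calls inside one concatenation, which hides the only change (the sanitizeLocalUrl wrap) and leaves the empty-string case invisible; hoisting it, `$returnUrl = tx_templavoila_div::sanitizeLocalUrl(t3lib_div::getIndpEnv('REQUEST_URI'));` followed by `'&returnUrl=' . rawurlencode($returnUrl)`, reads better and gives a place to substitute a module-local URL when sanitizeLocalUrl denies the value. Since REQUEST_URI echoes the incoming request including its query string, sanitizing it before it is re-emitted is the right call, and rawurlencode output contains only unreserved characters and percent escapes, so it is safe inside the JavaScript string literal this line builds. The enclosing method starts and ends outside the hunk, and the rendering has stripped the HTML tags from the neighbouring lines, so those were not checked.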