[TYPO3-english] Typo3 4.5.4 update kills CoolUri
Felix Heller
felix.heller at aimcom.de
Thu Jul 28 15:05:07 CEST 2011
Hello,
I think that I've found the problem. I inserted var_dump($params) at the
beginning of the function params2cool in the file link.Translate.php of
the CoolURI extension.
The output in TYPO3 4.5.3 is:
array(3) {
["id"]=>
string(1) "1"
["tt_example[pointer]"]=>
string(1) "1"
}
The output in TYPO3 4.5.4 is:
array(3) {
["id"]=>
string(1) "1"
["tt_example%5Bpointer%5D"]=>
string(1) "1"
}
Normal parameters without brackets were not affected by this change, but
parameters of extensions like tt_news (which use brackets) are not
translated correctly any more. This might be related to this entry in the
changelog of TYPO3 4.5.4:
2011-07-27 8ebc512 #28189 [BUGFIX] XSS in TYPO3 core when using
typolink.parameter JS-Popup Window (Marco Bresch)
I programmed a small workaround for cooluri/link.Translate.php which fixes
this problem:
public function params2cool(array $params, $file = '', $entityampersand = true, $dontconvert = false, $forceUpdate = false) {
    $this->convertBracketsInParams($params);
    // ... Rest of the function ...
}

private function convertBracketsInParams(array &$params) {
    foreach ($params as $key => $param) {
        $keyDecoded = strtr(
            $key,
            array(
                '%5B' => '[',
                '%5D' => ']'
            )
        );
        $params[$keyDecoded] = $param;
        // Delete old key if it contained brackets
        if ($key != $keyDecoded) {
            unset($params[$key]);
        }
    }
}
This works fine for me. Of course, the better solution would be to adapt
the whole CoolURI logic to the new behaviour of TYPO3.
!!! WARNING !!! I cannot guarantee that this workaround is compatible with
the fixes for the XSS bugs in former TYPO3 versions. Perhaps an XSS
injection for the JS popup window is possible again if you use this
workaround. As the parameters are changed in CoolURI only, I think that
this is not a problem. Nevertheless, it would be nice if somebody else
could verify if this workaround is dangerous or not. I didn't find
information about the code changes made in #28189 so I cannot tell you
more.
Regards
Felix
_____________________
TYPO3-Agentur München
TYPO3 agency Munich
http://www.aimcom.de
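As an added example (not code from this post or from the CoolURI extension), a narrower variant of the workaround: it rewrites a key only when its decoded form matches a parameter name configured in <uriparts>/<predefinedparts>, leaves every other key as TYPO3 4.5.4 delivers it, and never touches values. The list of configured names and the sample inputs are constructed here.

```php
<?php
// Added example; assumes the configured parameter names were read from the
// CoolURI XML config. Keys are compared in both the 4.5.3 form
// ("tx_ttnews[tt_news]") and the 4.5.4 form ("tx_ttnews%5Btt_news%5D").
$configuredParams = array('tx_ttnews[tt_news]', 'tx_ttnews[backPid]', 'cHash');

/**
 * Return a copy of $params in which keys whose decoded form is a configured
 * parameter name use that decoded name. Unknown keys and all values are kept
 * exactly as received, so nothing outside the allow-list is re-decoded.
 */
function normalizeParamKeys(array $params, array $configuredParams)
{
    $allowed = array_flip($configuredParams);
    $out = array();
    foreach ($params as $key => $value) {
        // decode only the bracket escapes, upper- and lower-case variants
        $decoded = strtr($key, array(
            '%5B' => '[', '%5D' => ']',
            '%5b' => '[', '%5d' => ']',
        ));
        $out[isset($allowed[$decoded]) ? $decoded : $key] = $value;
    }
    return $out;
}

// Constructed inputs mirroring the var_dump() output quoted in the post.
$from453 = array('id' => '1', 'tx_ttnews[tt_news]' => '74');
$from454 = array('id' => '1', 'tx_ttnews%5Btt_news%5D' => '74');
// A key that is not configured stays encoded after normalisation.
$unknown = array('other%5Bkey%5D' => '1');

$same = normalizeParamKeys($from453, $configuredParams)
     === normalizeParamKeys($from454, $configuredParams);
var_dump($same);
var_dump(normalizeParamKeys($unknown, $configuredParams));
```

Running the script shows both TYPO3 versions now yield the same key set for the configured parameters, while the unconfigured key keeps its encoded form.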
> Hi,
>
> have you tried to wrap it in CDATA?
>
> <![CDATA[
> Content
> ]]>
>
>
> http://en.wikipedia.org/wiki/CDATA
> http://de.wikipedia.org/wiki/CDATA
>
> Regards
> Kay
> On 28.07.2011 14:07, Felix Heller wrote:
>> Hello everybody,
>>
>>
>> it seems to me that the whole <uriparts> section is ignored. I don't
>> think that the problem is limited to parameters that execute a SQL query
>> because even this part doesn't work any more:
>>
>> <part>
>> <parameter>tx_ttnews[pointer]</parameter>
>> </part>
>>
>> I will investigate this issue and inform you if I find something useful.
>>
>>
>> Greetings
>> Felix Heller
>> _____________________
>>
>> TYPO3-Agentur München
>> TYPO3 agency Munich
>> http://www.aimcom.de
>>
>>
>>> Hi J. Schaller, Hi list,
>>>
>>> I can confirm the problem with TYPO3 4.5.4, Cooluri and tt_news.
>>>
>>> In 4.5.4 I get the URL
>>>
>>>
>>> http://www.my-domain.de/home/news.html?tx_ttnews[tt_news]=74
>>>
>>> In 4.5.3 I have the correct URL
>>>
>>> http://www.my-domain.de/home/news/my-site.html
>>>
>>>
>>>
>>> In my CoolUri config I use these simple lines:
>>>
>>> <uriparts>
>>> <part>
>>> <parameter>tx_ttnews[tt_news]</parameter>
>>> <lookindb>
>>> <to>SELECT title FROM tt_news WHERE (uid=$1 or l18n_parent=$1) AND
>>> sys_language_uid={L=0}</to>
>>> <translatetoif>
>>> <match>^[0-9]+$</match>
>>> </translatetoif>
>>> <t3conv>1</t3conv>
>>> </lookindb>
>>> </part>
>>> </uriparts>
>>>
>>>
>>> <predefinedparts>
>>> <part>
>>> <parameter>tx_ttnews[backPid]</parameter>
>>> </part>
>>> <part>
>>> <parameter>cHash</parameter>
>>> </part>
>>> </predefinedparts>
>>>
>>>
>>>
>>> Regards Joe
>>>
>>>
>>> ---------------------------------------
>>>
>>> Hello list,
>>>
>>> I've just had a not so nice couple of hours troubleshooting why
>>> suddenly my speaking URLs were gone. It looks like the latest Typo3
>>> update somehow filters SQL in my CoolUri config file. With 4.5.3
>>> everything works fine, I've switched versions at least 5 times,
>>> cleared caches, the whole works, to be sure.
>>>
>>> (One of) The offending part in my CoolUri config seems to be this one:
>>>
>>> <uriparts>
>>> <part>
>>> <parameter>tx_ttnews[tt_news]</parameter>
>>> <lookindb>
>>> <to>SELECT concat( CAST( DATE_FORMAT( FROM_UNIXTIME( datetime
>>> ) , GET_FORMAT( DATE, 'ISO' ) ) AS char( 10 ) ) , '_', title ) FROM
>>> tt_news WHERE uid =$1</to>
>>> <translatetoif>
>>> <match>^[0-9]+$</match>
>>> </translatetoif>
>>> <sanitize>1</sanitize>
>>> </lookindb>
>>> </part>
>>>
>>> In 4.5.3 I get a correct URL like
>>> http://www.mypage.com/2011-03-15_newstitle/
>>>
>>> whereas in 4.5.4 I get
>>> http://www.mypage.com/?tx_ttnews[tt_news]=999
>>>
>>> meaning, the SQL statement and consequently URL conversion is
>>> completely ignored. Any ideas?
>>>
>>> Cheers,
>>> J. Schaller
>>>
>
>