Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] Fix several cross-site scripting flaws #1

Merged
merged 1 commit into from
Jan 3, 2018
Merged

[SECURITY] Fix several cross-site scripting flaws #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions Classes/Controller/Form.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1109,6 +1109,9 @@ protected function init()

$this->gp = $this->utilityFuncs->getMergedGP();

if (!$this->settings['uniqueFormID']) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand this correctly, if 'uniqueFormID' is set, we have the same issue.
So removing this if statement?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe move the preg_replace to line 1120 and sanitize $randomID unconditionally.

$this->gp['randomID'] = preg_replace('/[^0-9a-z]/', '', preg_quote($this->gp['randomID']));
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

preg_quote seems superfluous.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know it is deprecated, obsolete and unmaintained but would a backport fix of v.2.4.1 to the Formhandler v2.0.2 (last one available for T3 6.2ELTS) be to "preg_replace / quote" and "htmlspecialchars" the same lines in the corresponding files in the older version?

formhandler_2.0.2\Classes\Controller\Tx_Formhandler_Controller_Form.php
and
formhandler_2.0.2\Classes\View\Tx_Formhandler_View_Form.php

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Formhandler 2.0.2 released to TER should have them inside, or take a look by AoE https://github.com/AOEpeople/formhandler

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah that's 2.0.2 but the old version with no fixes (like htmlspecialchars($name)) inside.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then check the forks ( https://github.com/KaffDaddy/formhandler )

Copy link

@gizmo21 gizmo21 Nov 9, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks opi99 for that one. That's at least exactly what I have done:
https://github.com/KaffDaddy/formhandler/commit/366e728b81d2a7c9c83bb29e8522a8eab736df33

So it seems that is best one can do on a 6.2ELTS release.

Also thanks tyll for discovering it 1year ago.

}
$randomID = $this->gp['randomID'];
if (!$randomID) {
if ($this->settings['uniqueFormID']) {
Expand Down
12 changes: 6 additions & 6 deletions Classes/View/Form.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -439,39 +439,39 @@ protected function fillDefaultMarkers()
}
$markers['###HIDDEN_FIELDS###'] = '
<input type="hidden" name="id" value="' . $GLOBALS['TSFE']->id . '" />
<input type="hidden" name="' . $name . '" value="1" />
<input type="hidden" name="' . htmlspecialchars($name) . '" value="1" />
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why hsc this? FormValuesPrefix is a formhandler setting and isn't influenced by post/get vars?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe @reinhardfuehricht can explain this. In some other places $name isn't getting escaped currently.

';

$name = 'randomID';
if ($this->globals->getFormValuesPrefix()) {
$name = $this->globals->getFormValuesPrefix() . '[randomID]';
}
$markers['###HIDDEN_FIELDS###'] .= '
<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($this->gp['randomID']) . '" />
<input type="hidden" name="' . htmlspecialchars($name) . '" value="' . htmlspecialchars($this->gp['randomID']) . '" />
';

$name = 'removeFile';
if ($this->globals->getFormValuesPrefix()) {
$name = $this->globals->getFormValuesPrefix() . '[removeFile]';
}
$markers['###HIDDEN_FIELDS###'] .= '
<input type="hidden" id="removeFile-' . htmlspecialchars($this->gp['randomID']) . '" name="' . $name . '" value="" />
<input type="hidden" id="removeFile-' . htmlspecialchars($this->gp['randomID']) . '" name="' . htmlspecialchars($name) . '" value="" />
';

$name = 'removeFileField';
if ($this->globals->getFormValuesPrefix()) {
$name = $this->globals->getFormValuesPrefix() . '[removeFileField]';
}
$markers['###HIDDEN_FIELDS###'] .= '
<input type="hidden" id="removeFileField-' . htmlspecialchars($this->gp['randomID']) . '" name="' . $name . '" value="" />
<input type="hidden" id="removeFileField-' . htmlspecialchars($this->gp['randomID']) . '" name="' . htmlspecialchars($name) . '" value="" />
';

$name = 'submitField';
if ($this->globals->getFormValuesPrefix()) {
$name = $this->globals->getFormValuesPrefix() . '[submitField]';
}
$markers['###HIDDEN_FIELDS###'] .= '
<input type="hidden" id="submitField-' . htmlspecialchars($this->gp['randomID']) . '" name="' . $name . '" value="" />
<input type="hidden" id="submitField-' . htmlspecialchars($this->gp['randomID']) . '" name="' . htmlspecialchars($name) . '" value="" />
';

$name = 'formToken';
Expand Down Expand Up @@ -517,7 +517,7 @@ protected function fillDefaultMarkers()
$markers['###formValuesPrefix###'] = $this->globals->getFormValuesPrefix();

if ($this->gp['generated_authCode']) {
$markers['###auth_code###'] = $this->gp['generated_authCode'];
$markers['###auth_code###'] = htmlspecialchars($this->gp['generated_authCode']);
}

$markers['###ip###'] = \TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('REMOTE_ADDR');
Expand Down