
Commit fa29ffd

committed
[SECURITY] Restrict file validation hash generation
Security-References: CVE-2020-15086
1 parent a06c3fd commit fa29ffd


1 file changed

+7
-2
lines changed


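--- a/Resources/PHP/ValidateHashEID.php
+++ b/Resources/PHP/ValidateHashEID.php
@@ -14,10 +14,15 @@
 
 call_user_func(function() {
 $value = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('value');
-$addition = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('addition');
 $scope = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('scope');
 
-$content = \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($value, $addition);
+if (!is_string($value) || empty($value)) {
+\TYPO3\CMS\Core\Utility\HttpUtility::setResponseCodeAndExit(
+\TYPO3\CMS\Core\Utility\HttpUtility::HTTP_STATUS_400
+);
+}
+
+$content = \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($value, 'flashvars');
 
 if ($scope === 'flashvars') {
 header('Content-type: application/x-www-form-urlencoded');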
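Review bot: The literal `'flashvars'` now passed to `hmac()` is the security boundary of this fix, but nothing in the code says so, and a later refactor could reintroduce a request-derived addition. I would add a comment above that line, for example `// The HMAC addition must stay a fixed literal: a request-controlled addition lets callers obtain HMACs for other scopes (CVE-2020-15086).` The endpoint still signs any non-empty caller-supplied `$value` under that one scope, so whatever verifies a 'flashvars' HMAC should keep treating the signed value as untrusted input. Separately, `empty($value)` also rejects the string `"0"`; `$value === ''` would state the intended check exactly. The closure opened by `call_user_func(function() {` continues past the end of the hunk, so the handling of `$scope` after this point is not visible here.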
