[SECURITY] Disallow javascript & data scheme in URL link handler
URLs defined using TYPO3's internal t3://url/?url=... notation are
now hardened against using `javascript:` and `data:` URL schemes.

Resolves: #88476
Releases: master, 9.5, 8.7
Security-Commit: 1a873c662524a62b192661da45d27e223e517d18
Security-Bulletin: TYPO3-CORE-SA-2019-015
Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
ohader committed Jun 25, 2019
1 parent 8f79fe6 commit ea1df3f
Showing 2 changed files with 21 additions and 3 deletions.
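--- a/Classes/LinkHandling/UrlLinkHandler.php
+++ b/Classes/LinkHandling/UrlLinkHandler.php
@@ -51,9 +51,12 @@ public function resolveHandlerData(array $data): array
 protected function addHttpSchemeAsFallback(string $url): string
 {
 if (!empty($url)) {
-$urlParts = parse_url($url);
-if (empty($urlParts['scheme'])) {
+$scheme = parse_url($url, PHP_URL_SCHEME);
+if (empty($scheme)) {
 $url = 'http://' . $url;
+} elseif (in_array(strtolower($scheme), ['javascript', 'data'], true)) {
+// deny using insecure scheme's like `javascript:` or `data:` as URL scheme
+$url = '';
 }
 }
 return $url;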
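Review bot: The `elseif` guard is a deny-list, so every scheme other than `javascript` and `data` still passes through untouched, which makes the check brittle as the set of script-capable schemes handled by browsers changes; an allow-list of the schemes this handler is meant to emit (the visible tests exercise `sftp` and `tel`, plus the `http://` fallback) would be the safer shape, though it needs a compatibility review of existing `t3://url` links before switching. The rejection is also silent, `$url = ''` leaves no trace of the dropped link, so if a logger is available in this class (not visible in the hunk) record the rejected scheme so that stored payloads can be found and cleaned up. Minor wording: `scheme's` in the new comment should be `schemes`. The closing brace of addHttpSchemeAsFallback lies outside the hunk.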
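--- a/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
+++ b/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
@@ -90,7 +90,22 @@ public function resolveParametersForNonFilesDataProvider()
 'url' => 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
 ],
 'sftp://nice:andsecret@www.have.you:23/ever?did=this'
-]
+],
+'tel URL' => [
+['url' => 'tel:+1-2345-6789'],
+['url' => 'tel:+1-2345-6789'],
+'tel:+1-2345-6789'
+],
+'javascript URL (denied)' => [
+['url' => 'javascript:alert(\'XSS\')'],
+['url' => ''],
+''
+],
+'data URL (denied)' => [
+['url' => 'data:text/html;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'],
+['url' => ''],
+''
+],
 ];
 }
 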
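Review bot: The two denied datasets only cover lowercase schemes, so the `strtolower()` normalisation in the handler is not pinned by any test and a regression there would go unnoticed; add a mixed-case dataset alongside them, e.g. `'javascript URL mixed case (denied)' => [['url' => 'JavaScript:alert(\'XSS\')'], ['url' => ''], ''],`. It would also be worth a dataset with no scheme at all to lock in the `http://` fallback, unless one already exists earlier in this provider (not visible in the hunk). The data provider resolveParametersForNonFilesDataProvider starts outside the hunk.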
