Skip to content

Commit

Permalink
[SECURITY] Deny pages' TSconfig and tsconfig_includes for non-admins
Browse files Browse the repository at this point in the history 
Fields `TSconfig` and `tsconfig_includes` of table `pages` can be
misused by restricted users to contain malicious instructions and
lead to cross-site scripting as well as arbitrary code execution.
Since user input cannot be sanitized properly, the field is now
available for admin users only. In addition directory traversal
in TSconfig static includes has been mitigated.

Resolves: #88565
Releases: master, 9.5, 8.7
Security-Commit: b4ab9cd1f0539b3af675b94aa01d26e5c4b3a1d9
Security-Bulletin: TYPO3-CORE-SA-2019-019
Change-Id: I712364fde6a76ad761a0b738756cb151dc5c22e1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61145
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  • Loading branch information
@ohader
ohader committed Jun 25, 2019
1 parent 3a48bb6 commit 75cc3d6
Show file tree
Hide file tree
Showing 10 changed files with 229 additions and 9 deletions.
6 changes: 3 additions & 3 deletions typo3/sysext/backend/Classes/Utility/BackendUtility.php
View file
Expand Up @@ -742,9 +742,9 @@ public static function getRawPagesTSconfig($id, array $rootLine = null)
&& ExtensionManagementUtility::isLoaded($includeTsConfigFileExtensionKey)
&& (string)$includeTsConfigFilename !== ''
) {
$includeTsConfigFileAndPath = ExtensionManagementUtility::extPath($includeTsConfigFileExtensionKey) .
$includeTsConfigFilename;
if (file_exists($includeTsConfigFileAndPath)) {
$extensionPath = ExtensionManagementUtility::extPath($includeTsConfigFileExtensionKey);
$includeTsConfigFileAndPath = PathUtility::getCanonicalPath($extensionPath . $includeTsConfigFilename);
if (strpos($includeTsConfigFileAndPath, $extensionPath) === 0 && file_exists($includeTsConfigFileAndPath)) {
$tsDataArray['uid_' . $v['uid'] . '_static_' . $key] = file_get_contents($includeTsConfigFileAndPath);
}
}
Expand Down
42 changes: 42 additions & 0 deletions typo3/sysext/core/Classes/Hooks/PagesTsConfigGuard.php
View file
@@ -0,0 +1,42 @@
<?php
declare(strict_types = 1);
namespace TYPO3\CMS\Core\Hooks;

/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/

use TYPO3\CMS\Core\DataHandling\DataHandler;

/**
* Guard to only allow modifications of pages.TSconfig for admin users.
*/
class PagesTsConfigGuard
{
/**
* @param array $incomingFieldArray
* @param string $table
* @param string $id
* @param DataHandler $dataHandler
*/
public function processDatamap_preProcessFieldArray(
array &$incomingFieldArray,
string $table,
string $id,
DataHandler $dataHandler
): void {
if ($table === 'pages' && !$dataHandler->admin) {
unset($incomingFieldArray['TSconfig']);
unset($incomingFieldArray['tsconfig_includes']);
}
}
}
2 changes: 2 additions & 0 deletions typo3/sysext/core/Configuration/TCA/pages.php
View file
Expand Up @@ -172,6 +172,7 @@
'exclude' => true,
'l10n_mode' => 'exclude',
'label' => 'LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:TSconfig',
'displayCond' => 'HIDE_FOR_NON_ADMINS',
'config' => [
'type' => 'text',
'cols' => 40,
Expand Down Expand Up @@ -884,6 +885,7 @@
'exclude' => true,
'l10n_mode' => 'exclude',
'label' => 'LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:pages.tsconfig_includes',
'displayCond' => 'HIDE_FOR_NON_ADMINS',
'config' => [
'type' => 'select',
'renderType' => 'selectMultipleSideBySide',
Expand Down
7 changes: 7 additions & 0 deletions ...s/Functional/DataHandling/Regular/Hooks/DataSet/pagesTsConfigIsConsideredForAdminUser.csv
View file
@@ -0,0 +1,7 @@
"pages",,,,,
,"uid","pid","title","TSconfig","tsconfig_includes"
,1,0,"FunctionalTest","",""
,88,1,"DataHandlerTest","",""
,89,88,"Relations","",""
,90,88,"Target","",""
,91,1,"New page","custom.setting = 1","EXT:package/file.tsconfig"
7 changes: 7 additions & 0 deletions ...s/Functional/DataHandling/Regular/Hooks/DataSet/pagesTsConfigIsIgnoredForNonAdminUser.csv
View file
@@ -0,0 +1,7 @@
"pages",,,,,
,"uid","pid","title","TSconfig","tsconfig_includes"
,1,0,"FunctionalTest","",""
,88,1,"DataHandlerTest","",""
,89,88,"Relations","",""
,90,88,"Target","",""
,91,1,"New page","",""
132 changes: 132 additions & 0 deletions typo3/sysext/core/Tests/Functional/DataHandling/Regular/Hooks/PagesTsConfigGuardTest.php
View file
@@ -0,0 +1,132 @@
<?php
declare(strict_types = 1);
namespace TYPO3\CMS\Core\Tests\Functional\DataHandling\Regular\Hooks;

/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/

use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Core\Bootstrap;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Type\Bitmask\Permission;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Core\Utility\StringUtility;
use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;

class PagesTsConfigGuardTest extends FunctionalTestCase
{
/**
* @var string
*/
private $scenarioDataSetDirectory = 'typo3/sysext/core/Tests/Functional/DataHandling/Regular/DataSet/';

/**
* @var string
*/
private $assertionDataSetDirectory = 'typo3/sysext/core/Tests/Functional/DataHandling/Regular/Hooks/DataSet/';

/**
* The fixture which is used when initializing a backend user
*
* @var string
*/
protected $backendUserFixture = 'typo3/sysext/core/Tests/Functional/Fixtures/be_users.xml';

protected function setUp(): void
{
parent::setUp();
Bootstrap::initializeLanguageObject();
$this->importScenarioDataSet('LiveDefaultPages');
$this->importDataSet(dirname($this->backendUserFixture) . '/be_groups.xml');
// define page create permissions for backend user group 9 on page 1
GeneralUtility::makeInstance(ConnectionPool::class)
->getConnectionForTable('pages')
->update(
'pages',
['perms_groupid' => 9, 'perms_group' => Permission::ALL],
['uid' => 1]
);
}

/**
* @test
*/
public function pagesTsConfigIsConsideredForAdminUser()
{
$backendUser = $this->setUpBackendUserFromFixture(1);
$identifier = StringUtility::getUniqueId('NEW');

$dataMap = [
'pages' => [
$identifier => [
'pid' => 1,
'title' => 'New page',
'TSconfig' => 'custom.setting = 1',
'tsconfig_includes' => 'EXT:package/file.tsconfig',
],
],
];

$this->assertProcessedDataMap($dataMap, $backendUser);
$this->assertAssertionDataSet('pagesTsConfigIsConsideredForAdminUser');
}

/**
* @test
*/
public function pagesTsConfigIsIgnoredForNonAdminUser()
{
$backendUser = $this->setUpBackendUserFromFixture(9);
$identifier = StringUtility::getUniqueId('NEW');

$dataMap = [
'pages' => [
$identifier => [
'pid' => 1,
'title' => 'New page',
'TSconfig' => 'custom.setting = 1',
'tsconfig_includes' => 'EXT:package/file.tsconfig',
],
],
];

$this->assertProcessedDataMap($dataMap, $backendUser);
$this->assertAssertionDataSet('pagesTsConfigIsIgnoredForNonAdminUser');
}

/**
* @param string $dataSetName
*/
private function importScenarioDataSet($dataSetName): void
{
$fileName = rtrim($this->scenarioDataSetDirectory, '/') . '/' . $dataSetName . '.csv';
$fileName = GeneralUtility::getFileAbsFileName($fileName);
$this->importCSVDataSet($fileName);
}

private function assertAssertionDataSet($dataSetName): void
{
$fileName = rtrim($this->assertionDataSetDirectory, '/') . '/' . $dataSetName . '.csv';
$fileName = GeneralUtility::getFileAbsFileName($fileName);
$this->assertCSVDataSet($fileName);
}

private function assertProcessedDataMap(array $dataMap, BackendUserAuthentication $backendUser)
{
$dataHandler = GeneralUtility::makeInstance(DataHandler::class);
$dataHandler->start($dataMap, [], $backendUser);
$dataHandler->process_datamap();
static::assertEmpty($dataHandler->errorLog);
}
}
13 changes: 13 additions & 0 deletions typo3/sysext/core/Tests/Functional/Fixtures/be_groups.xml
View file
@@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<dataset>
<be_groups>
<uid>9</uid>
<pid>0</pid>
<title>editors</title>
<deleted>0</deleted>
<db_mountpoints>1</db_mountpoints>
<tables_select>pages,tt_content</tables_select>
<tables_modify>pages,tt_content</tables_modify>
<non_exclude_fields>pages:title,pages:TSconfig,tt_content:header,tt_content:CType,tt_content:bodytext</non_exclude_fields>
</be_groups>
</dataset>
22 changes: 19 additions & 3 deletions typo3/sysext/core/Tests/Functional/Fixtures/be_users.xml
View file
Expand Up @@ -2,20 +2,36 @@
<dataset>
<be_users>
<uid>1</uid>
<pid>1</pid>
<pid>0</pid>
<username>admin</username>
<deleted>0</deleted>
<admin>1</admin>
<disableIPlock>1</disableIPlock>
</be_users>
<be_users>
<uid>2</uid>
<pid>1</pid>
<pid>0</pid>
<username>test1</username>
<deleted>1</deleted>
<admin>0</admin>
<disableIPlock>1</disableIPlock>
</be_users>
<be_users>
<uid>3</uid>
<pid>1</pid>
<pid>0</pid>
<username>test1</username>
<deleted>0</deleted>
<admin>0</admin>
<disableIPlock>1</disableIPlock>
</be_users>
<be_users>
<uid>9</uid>
<pid>0</pid>
<username>editor</username>
<usergroup>9</usergroup>
<deleted>0</deleted>
<admin>0</admin>
<options>3</options>
<disableIPlock>1</disableIPlock>
</be_users>
</dataset>
1 change: 1 addition & 0 deletions typo3/sysext/core/ext_localconf.php
View file
Expand Up @@ -28,6 +28,7 @@
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tceforms_inline.php']['checkAccess'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class . '->isAllowedToShowEditForm';
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['checkModifyAccessList'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class;
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Hooks\DestroySessionHook::class;
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Hooks\PagesTsConfigGuard::class;

$signalSlotDispatcher->connect(
\TYPO3\CMS\Core\Resource\ResourceStorage::class,
Expand Down
6 changes: 3 additions & 3 deletions typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
View file
Expand Up @@ -3182,9 +3182,9 @@ public function getPagesTSconfig()
&& (string)$includeTsConfigFilename !== ''
&& ExtensionManagementUtility::isLoaded($includeTsConfigFileExtensionKey)
) {
$includeTsConfigFileAndPath = ExtensionManagementUtility::extPath($includeTsConfigFileExtensionKey)
. $includeTsConfigFilename;
if (file_exists($includeTsConfigFileAndPath)) {
$extensionPath = ExtensionManagementUtility::extPath($includeTsConfigFileExtensionKey);
$includeTsConfigFileAndPath = PathUtility::getCanonicalPath($extensionPath . $includeTsConfigFilename);
if (strpos($includeTsConfigFileAndPath, $extensionPath) === 0 && file_exists($includeTsConfigFileAndPath)) {
$TSdataArray[] = file_get_contents($includeTsConfigFileAndPath);
}
}
Expand Down

0 comments on commit 75cc3d6

Please sign in to comment.