Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-4@9770 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog

@@ -1,3 +1,7 @@
+2010-12-16  Oliver Hader  <oliver@typo3.org>
+
+	* Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
+
 2010-12-07  Christian Kuhn  <lolli@schwarzbu.ch>
 
 	* Fixed bug #16696: [Caching framework] unit tests: Fatal error in t3lib_cache_backend_dbbackendTest due to call to undefined method

typo3/sysext/install/mod/class.tx_install.php

@@ -912,8 +912,8 @@ function stepOutput() {
 					There is no connection to the database!
 				</strong>
 				<br />
-				(Username: <em>' . TYPO3_db_username . '</em>,
-				Host: <em>' . TYPO3_db_host . '</em>,
+				(Username: <em>' . htmlspecialchars(TYPO3_db_username) . '</em>,
+				Host: <em>' . htmlspecialchars(TYPO3_db_host) . '</em>,
 				Using Password: YES)
 				<br />
 				Go to Step 1 and enter a valid username and password!
@@ -922,7 +922,7 @@ function stepOutput() {
 		$error_missingDB = '
 			<p class="typo3-message message-error">
 				<strong>
-					There is no access to the database (<em>' . TYPO3_db . '</em>)!
+					There is no access to the database (<em>' . htmlspecialchars(TYPO3_db) . '</em>)!
 				</strong>
 				<br />
 				Go to Step 2 and select a valid database!
@@ -998,11 +998,11 @@ function stepOutput() {
 						'encryptionKey' => $this->createEncryptionKey(),
 						'branch' => TYPO3_branch,
 						'labelUsername' => 'Username',
-						'username' => TYPO3_db_username,
+						'username' => htmlspecialchars(TYPO3_db_username),
 						'labelPassword' => 'Password',
-						'password' => TYPO3_db_password,
+						'password' => htmlspecialchars(TYPO3_db_password),
 						'labelHost' => 'Host',
-						'host' => TYPO3_db_host ? TYPO3_db_host : 'localhost',
+						'host' => TYPO3_db_host ? htmlspecialchars(TYPO3_db_host) : 'localhost',
 						'continue' => 'Continue',
 						'llDescription' => 'If you have not already created a username and password to access the database, please do so now. This can be done using tools provided by your host.'
 					);
@@ -1149,11 +1149,11 @@ function stepOutput() {
 							$step4SubPartMarkers = array(
 								'llSummary' => 'Database summary:',
 								'llUsername' => 'Username:',
-								'username' => TYPO3_db_username,
+								'username' => htmlspecialchars(TYPO3_db_username),
 								'llHost' => 'Host:',
-								'host' => TYPO3_db_host,
+								'host' => htmlspecialchars(TYPO3_db_host),
 								'llDatabase' => 'Database:',
-								'database' => TYPO3_db,
+								'database' => htmlspecialchars(TYPO3_db),
 								'llNumberTables' => 'Number of tables:',
 								'numberTables' => count($whichTables),
 								'action' => htmlspecialchars($this->action),
@@ -3126,9 +3126,9 @@ function checkDatabase() {
 					<p>
 						You may need to enter data for these values:
 						<br />
-						Username: <strong>' . TYPO3_db_username . '</strong>
+						Username: <strong>' . htmlspecialchars(TYPO3_db_username) . '</strong>
 						<br />
-						Host: <strong>' . TYPO3_db_host . '</strong>
+						Host: <strong>' . htmlspecialchars(TYPO3_db_host) . '</strong>
 						<br />
 						<br />
 						Use the form below.
@@ -3142,13 +3142,13 @@ function checkDatabase() {
 							Username:
 						</dt>
 						<dd>
-							' . TYPO3_db_username . '
+							' . htmlspecialchars(TYPO3_db_username) . '
 						</dd>
 						<dt>
 							Host:
 						</dt>
 						<dd>
-							' . TYPO3_db_host . '
+							' . htmlspecialchars(TYPO3_db_host) . '
 						</dd>
 					</dl>
 				', -1, 1);
@@ -3165,7 +3165,7 @@ function checkDatabase() {
 				} elseif (!$GLOBALS['TYPO3_DB']->sql_select_db(TYPO3_db))  {
 					$this->message($ext, 'Database', '
 						<p>
-							\''.TYPO3_db.'\' could not be selected as database!
+							\'' . htmlspecialchars(TYPO3_db) . '\' could not be selected as database!
 							<br />
 							Please select another one or create a new database.
 						</p>
@@ -3174,7 +3174,7 @@ function checkDatabase() {
 				} else  {
 					$this->message($ext, 'Database', '
 						<p>
-							<strong>' . TYPO3_db . '</strong> is selected as
+							<strong>' . htmlspecialchars(TYPO3_db) . '</strong> is selected as
 							database.
 						</p>
 					', 1, 1);
@@ -3193,9 +3193,9 @@ function checkDatabase() {
 					<p>
 						Connecting to SQL database failed with these settings:
 						<br />
-						Username: <strong>' . TYPO3_db_username . '</strong>
+						Username: <strong>' . htmlspecialchars(TYPO3_db_username) . '</strong>
 						<br />
-						Host: <strong>' . TYPO3_db_host . '</strong>
+						Host: <strong>' . htmlspecialchars(TYPO3_db_host) . '</strong>
 					</p>
 					<p>
 						Make sure you\'re using the correct set of data.
@@ -4397,59 +4397,59 @@ function checkTheImageProcessing() {
 					ImageMagick enabled:
 				</dt>
 				<dd>
-					' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im'] . '
+					' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im']) . '
 				</dd>
 				<dt>
 					ImageMagick path:
 				</dt>
 				<dd>
-					' . $im_path . ' <span>(' . $im_path_version . ')</span>
+					' . htmlspecialchars($im_path) . ' <span>(' . htmlspecialchars($im_path_version) . ')</span>
 				</dd>
 				<dt>
 					ImageMagick path/LZW:
 				</dt>
 				<dd>
-					' . $im_path_lzw . ' <span>(' . $im_path_lzw_version . ')</span>
+					' . htmlspecialchars($im_path_lzw) . ' <span>(' . htmlspecialchars($im_path_lzw_version) . ')</span>
 				</dd>
 				<dt>
 					Version 5/GraphicsMagick flag:
 				</dt>
 				<dd>
-					' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] ? $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] : '&nbsp;') . '
+					' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] ? htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5']) : '&nbsp;') . '
 				</dd>
 			</dl>
 			<dl id="t3-install-imageprocessingother">
 				<dt>
 					GDLib enabled:
 				</dt>
 				<dd>
-					' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib'] ? $GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib'] : '&nbsp;') . '
+					' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib'] ? htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib']) : '&nbsp;') . '
 				</dd>
 				<dt>
 					GDLib using PNG:
 				</dt>
 				<dd>
-					' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png'] ? $GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png'] : '&nbsp;') . '
+					' . ($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png'] ? htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['gdlib_png']) : '&nbsp;') . '
 				</dd>
 				<dt>
 					IM5 effects enabled:
 				</dt>
 				<dd>
-					' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_v5effects'] . '
+					' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_v5effects']) . '
 					<span>(Blurring/Sharpening with IM 5+)</span>
 				</dd>
 				<dt>
 					Freetype DPI:
 				</dt>
 				<dd>
-					' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['TTFdpi'] . '
+					' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['TTFdpi']) . '
 					<span>(Should be 96 for Freetype 2)</span>
 				</dd>
 				<dt>
 					Mask invert:
 				</dt>
 				<dd>
-					' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_imvMaskState'] . '
+					' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_imvMaskState']) . '
 					<span>(Should be set for some IM versions approx. 5.4+)</span>
 				</dd>
 			</dl>
@@ -4458,7 +4458,7 @@ function checkTheImageProcessing() {
 					File Formats:
 				</dt>
 				<dd>
-					' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext'] . '
+					' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext']) . '
 				</dd>
 			</dl>
 		';
@@ -4481,8 +4481,8 @@ function checkTheImageProcessing() {
 			$msg .= '
 				<p>
 					Warning: Mismatch between the version of ImageMagick' .
-					' (' . $im_path_version.') and the configuration of ' .
-					'[GFX][im_version_5] (' . $GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5'] . ')
+					' (' . htmlspecialchars($im_path_version) . ') and the configuration of ' .
+					'[GFX][im_version_5] (' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['GFX']['im_version_5']) . ')
 				</p>
 			';
 			$etype=2;
@@ -5416,20 +5416,20 @@ function checkTheDatabase() {
 					Username:
 				</dt>
 				<dd>
-					' . TYPO3_db_username . '
+					' . htmlspecialchars(TYPO3_db_username) . '
 				</dd>
 				<dt>
 					Host:
 				</dt>
 				<dd>
-					' . TYPO3_db_host . '
+					' . htmlspecialchars(TYPO3_db_host) . '
 				</dd>
 			</dl>
 		', -1, 1);
 
 		$this->message($headCode, 'Database', '
 			<p>
-				<strong>' . TYPO3_db . '</strong> is selected as database.
+				<strong>' . htmlspecialchars(TYPO3_db) . '</strong> is selected as database.
 				<br />
 				Has <strong>' . count($whichTables) . '</strong> tables.
 			</p>

typo3/sysext/install/updates/class.tx_coreupdates_compatversion.php

@@ -98,7 +98,7 @@ function checkForUpdate(&$description)	{
 				<p>
 					Your current TYPO3 installation is configured to
 					<strong>behave like version
-					' . $TYPO3_CONF_VARS['SYS']['compat_version'] . '
+					' . htmlspecialchars($TYPO3_CONF_VARS['SYS']['compat_version']) . '
 					</strong> of TYPO3. If you just upgraded from this version,
 					you most likely want to <strong>use new features</strong> as
 					well.
@@ -153,7 +153,7 @@ function getUserInput($inputPrefix)	{
 		} else {
 			$content = '
 				<p>
-					TYPO3 output is currently compatible to version ' . $TYPO3_CONF_VARS['SYS']['compat_version'] . '.
+					TYPO3 output is currently compatible to version ' . htmlspecialchars($TYPO3_CONF_VARS['SYS']['compat_version']) . '.
 					To use all the new features in the current TYPO3 version,
 					make sure you follow the guidelines below to upgrade without
 					problems.