-
Notifications
You must be signed in to change notification settings - Fork 638
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SECURITY] Avoid disclosing loaded extensions
Inline JavaScript settings for RequireJS and ajaxUrls disclose the existence of specific extensions in a TYPO3 installation. In case no backend user is logged in RequireJS settings are fetched using an according endpoint, ajaxUrls (for backend AJAX routes) are limited to those that are accessible without having a user session. Resolves: #83855 Releases: master, 9.5, 8.7 Security-Commit: a9b60d26597449fec46bd26e0b511bc6e423ef24 Security-Bulletin: TYPO3-CORE-SA-2019-001 Change-Id: Ifa4029340e750baaf216fa953bf41b6d06d3138b Reviewed-on: https://review.typo3.org/59534 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
- Loading branch information
Showing
6 changed files
with
443 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
109 changes: 109 additions & 0 deletions
109
typo3/sysext/core/Classes/Controller/RequireJsController.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| <?php | ||
| declare(strict_types = 1); | ||
| namespace TYPO3\CMS\Core\Controller; | ||
|
|
||
| /* | ||
| * This file is part of the TYPO3 CMS project. | ||
| * | ||
| * It is free software; you can redistribute it and/or modify it under | ||
| * the terms of the GNU General Public License, either version 2 | ||
| * of the License, or any later version. | ||
| * | ||
| * For the full copyright and license information, please read the | ||
| * LICENSE.txt file that was distributed with this source code. | ||
| * | ||
| * The TYPO3 project - inspiring people to share! | ||
| */ | ||
|
|
||
| use Psr\Http\Message\ResponseInterface; | ||
| use Psr\Http\Message\ServerRequestInterface; | ||
| use TYPO3\CMS\Core\Http\JsonResponse; | ||
| use TYPO3\CMS\Core\Page\PageRenderer; | ||
| use TYPO3\CMS\Core\Utility\GeneralUtility; | ||
|
|
||
| /** | ||
| * Handling requirejs client requests. | ||
| */ | ||
| class RequireJsController | ||
| { | ||
| /** | ||
| * @var PageRenderer | ||
| */ | ||
| protected $pageRenderer; | ||
|
|
||
| public function __construct() | ||
| { | ||
| $this->pageRenderer = GeneralUtility::makeInstance(PageRenderer::class); | ||
| } | ||
|
|
||
| /** | ||
| * Retrieves additional requirejs configuration for a given module name or module path. | ||
| * | ||
| * The JSON result e.g. could look like: | ||
| * { | ||
| * "shim": { | ||
| * "vendor/module": ["exports" => "TheModule"] | ||
| * }, | ||
| * "paths": { | ||
| * "vendor/module": "/public/web/path/" | ||
| * }, | ||
| * "packages": { | ||
| * [ | ||
| * "name": "module", | ||
| * ... | ||
| * ] | ||
| * } | ||
| * } | ||
| * | ||
| * Parameter name either could be the module name ("vendor/module") or a | ||
| * module path ("vendor/module/component") belonging to a module. | ||
| * | ||
| * @param ServerRequestInterface $request | ||
| * @return ResponseInterface | ||
| */ | ||
| public function retrieveConfiguration(ServerRequestInterface $request): ResponseInterface | ||
| { | ||
| $name = $request->getQueryParams()['name'] ?? null; | ||
| if (empty($name) || !is_string($name)) { | ||
| return new JsonResponse(null, 404); | ||
| } | ||
| $configuration = $this->findConfiguration($name); | ||
| return new JsonResponse($configuration, !empty($configuration) ? 200 : 404); | ||
| } | ||
|
|
||
| /** | ||
| * @param string $name | ||
| * @return array | ||
| */ | ||
| protected function findConfiguration(string $name): array | ||
| { | ||
| $relevantConfiguration = []; | ||
| $this->pageRenderer->loadRequireJs(); | ||
| $configuration = $this->pageRenderer->getRequireJsConfig(PageRenderer::REQUIREJS_SCOPE_RESOLVE); | ||
|
|
||
| $shim = $configuration['shim'] ?? []; | ||
| foreach ($shim as $baseModuleName => $baseModuleConfiguration) { | ||
| if (strpos($name . '/', $baseModuleName . '/') === 0) { | ||
| $relevantConfiguration['shim'][$baseModuleName] = $baseModuleConfiguration; | ||
| } | ||
| } | ||
|
|
||
| $paths = $configuration['paths'] ?? []; | ||
| foreach ($paths as $baseModuleName => $baseModulePath) { | ||
| if (strpos($name . '/', $baseModuleName . '/') === 0) { | ||
| $relevantConfiguration['paths'][$baseModuleName] = $baseModulePath; | ||
| } | ||
| } | ||
|
|
||
| $packages = $configuration['packages'] ?? []; | ||
| foreach ($packages as $package) { | ||
| if (!empty($package['name']) | ||
| && strpos($name . '/', $package['name'] . '/') === 0 | ||
| ) { | ||
| $relevantConfiguration['packages'][] = $package; | ||
| } | ||
| } | ||
|
|
||
| return $relevantConfiguration; | ||
| } | ||
| } |
Oops, something went wrong.
da6d0adThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hola,
i found a possible issue in file typo3/sysext/core/Classes/Page/PageRenderer.php
if (!empty($requireJsConfig['typo3BaseUrl'])) {
$html .= '<script src="' . $this->processJsFile($this->getAbsoluteWebPath( GeneralUtility::getFileAbsFileName( 'EXT:core/Resources/Public/JavaScript/requirejs-loader.js' ) )) . '" type="text/javascript"></script>' . LF;
}
This generate an absolute url of the file, but the generated url is wrong. Not exist. Return a 404 error when try to load this library.
Thanks,
Valentin Ruescas Camara