[BUGFIX] Anonymize encoded tokens

Tokens in an encoded URL (where '=' is '%3D') now get anonymized. Resolves: #96858 Releases: main, 11.5 Change-Id: If07d122b2a5b89cb66fef3fff0790004c5d07eb1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73456 Tested-by: core-ci <typo3@b13.com> Tested-by: Stefan Bürk <stefan@buerk.tech> Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com> Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by: Stefan Bürk <stefan@buerk.tech> Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
TYPO3 · Feb 14, 2022 · 3704e20 · 3704e20
1 parent 85d0b4a
commit 3704e20
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -203,7 +203,7 @@ protected function getBackendUser(): ?BackendUserAuthentication
      */
     protected function anonymizeToken(string $requestedUrl): string
     {
-        $pattern = '/(?<=[tT]oken=)[0-9a-fA-F]{40}/';
+        $pattern = '/(?:(?<=[tT]oken=)|(?<=[tT]oken%3D))[0-9a-fA-F]{40}/';
         return preg_replace($pattern, '--AnonymizedToken--', $requestedUrl);
     }
 }
diff --git a/typo3/sysext/core/Tests/Unit/Error/DebugExceptionHandlerTest.php b/typo3/sysext/core/Tests/Unit/Error/DebugExceptionHandlerTest.php
@@ -72,6 +72,10 @@ public function exampleUrlsForTokenAnonymization(): array
                 'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36',
                 'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--',
             ],
+            'url with valid token and encoded token' => [
+                'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36&returnUrl=%2Ftypo3%2Findex%2Ephp%3FM%3Dfoo%26moduleToken%3D5f1f7d447f22886e8ea206693b0d530ccd6b2b36',
+                'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--&returnUrl=%2Ftypo3%2Findex%2Ephp%3FM%3Dfoo%26moduleToken%3D--AnonymizedToken--',
+            ],
             'url with valid token in the middle' => [
                 'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36&param=asdf',
                 'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--&param=asdf',

diff --git a/typo3/sysext/core/Tests/Unit/Error/ProductionExceptionHandlerTest.php b/typo3/sysext/core/Tests/Unit/Error/ProductionExceptionHandlerTest.php
@@ -105,6 +105,10 @@ public function exampleUrlsForTokenAnonymization(): array
                 'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36',
                 'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--',
             ],
+            'url with valid token and encoded token' => [
+                'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36&returnUrl=%2Ftypo3%2Findex%2Ephp%3FM%3Dfoo%26moduleToken%3D5f1f7d447f22886e8ea206693b0d530ccd6b2b36',
+                'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--&returnUrl=%2Ftypo3%2Findex%2Ephp%3FM%3Dfoo%26moduleToken%3D--AnonymizedToken--',
+            ],
             'url with valid token in the middle' => [
                 'http://localhost/typo3/index.php?M=foo&moduleToken=5f1f7d447f22886e8ea206693b0d530ccd6b2b36&param=asdf',
                 'http://localhost/typo3/index.php?M=foo&moduleToken=--AnonymizedToken--&param=asdf',