[SECURITY] Prevent urls starting with // to be used for redirects
A missing check in GeneralUtility::sanitizeLocalUrl() resulted in a URL starting with `//` being considered a local URL. This change ensures that URLs starting with `//` are not considered local.

Corresponding unit tests are fixed and extended, since they need a full environment to process correctly.

Resolves: #92891
Releases: master, 11.1, 10.4, 9.5
Change-Id: I41eb16776742b3e0d2cffd064dd0408e4faa7c78
Security-Bulletin: TYPO3-CORE-SA-2021-001
Security-References: CVE-2021-21338
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68426
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Showing 2 changed files with 42 additions and 2 deletions.
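The class of check the commit message describes, as an added example that is not TYPO3's implementation or the code changed by this commit: a weak "starts with a slash" test beside a stricter one that refuses `//`. The function names and sample URLs are constructed for illustration, and the stricter check goes slightly beyond the commit message by also refusing backslashes and control characters, which browsers normalise before resolving a URL.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Hypothetical function names; requires PHP 8.0+
// for str_starts_with().

/** Weak check: any string that begins with "/" is treated as a local path. */
function isLocalUrlNaive(string $url): bool
{
    return str_starts_with($url, '/'); // also true for "//other.example/"
}

/** Stricter check: exactly one leading slash counts as a local path. */
function isLocalUrlStrict(string $url): bool
{
    // Refuse empty input, whitespace and control characters; a valid URL
    // carries these percent-encoded, and browsers drop tab/CR/LF when parsing.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    // Browsers treat "\" like "/" in http(s) URLs, so test the normalised form.
    $normalized = str_replace('\\', '/', $url);
    // "//host/path" is a network-path reference (RFC 3986, section 4.2):
    // it keeps the current scheme but names a different host.
    if (str_starts_with($normalized, '//')) {
        return false;
    }
    return str_starts_with($normalized, '/');
}

// Constructed sample redirect targets.
$samples = [
    '/typo3/index.php?id=1',      // local path
    '//other.example/login',      // scheme-relative, points at another host
    '/\\other.example/login',     // backslash form of the same thing
    'https://other.example/',     // absolute URL to another host
];

foreach ($samples as $url) {
    printf(
        "%-26s naive=%-5s strict=%s\n",
        $url,
        var_export(isLocalUrlNaive($url), true),
        var_export(isLocalUrlStrict($url), true)
    );
}
```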